RE: Using Fedora as firewall.

From: Eric Diamond (eric_at_ediamond.net)
Date: 04/17/04

  • Next message: Alexander Dalloz: "Re: nvidia driver works w/ new kernel and inittab 3, but not 5"
    To: "'For users of Fedora Core releases'" <fedora-list@redhat.com>
    Date: Sat, 17 Apr 2004 11:18:27 -0600
    
    

    David,

    FC1 works great as a firewall. I run several for myself and my
    customers. But, there's a bit more that needs to be done besides
    configuring two network interfaces.

    But first, the problems you've described so far, as they will get in the
    way of a proper config.

    Saturday, April 17, 2004 3:56 AM David Pettersson posted:

    > Now I have two networking cards, one built in on the
    > motherboard (eth0) and one in a PCI slot (eth1). When I tried
    > to do the same to give my WinXP box access to the internet I
    > couldn't get it right. When I connect to internet using eth0
    > everything is fine. When I start eth1 to the WinXP box it
    > works, but then I have no contact with the internet thru
    > eth0. To get contact with the internet again I have to stop
    > eth1 and restart eth0. Does anyone have a clue?

    This sounds like you specified a default gateway on the eth1 interface.
    Since it is a gateway, it shouldn't have one. The default gateway
    setting is used to create default routes when the interface is brought
    up. If you configure a gateway address on a gateway interface then
    packets passed to it destined for other networks will not be routed
    through it but rather passed on to its gateway.

    If that gateway exists, then things may still work, but it would be a
    case of the network being able to route around a misconfiguration and
    your actual traffic path would be drastically different than what you
    desired.

    If that gateway doesn't exist then all traffic goes into the bit bucket.
    Even worse, if the gateway is defined as itself then you might even
    create a routing loop.

    > The internet company used DNS to assign network addresses and
                                ^^^
                                DHCP - Dynamic Host Configuration Protocol

    DNS - Domain Name System (Service) - I've seen it written as both, and
    both names work. DNS resolves names to addresses. DHCP configures
    network interfaces (and other things).

    > eth0 Link encap:Ethernet HWaddr 00:0E:A6:38:BC:53
    > inet addr:213.114.28.238 Bcast:213.114.28.255
    > Mask:255.255.255.128 UP BROADCAST RUNNING MULTICAST MTU:1500
    > Metric:1 RX packets:3820 errors:0 dropped:0 overruns:0
    > frame:0 TX packets:6080 errors:0 dropped:0 overruns:0
    > carrier:0 collisions:0 txqueuelen:1000 RX bytes:1871476 (1.7
    > Mb) TX bytes:840285 (820.5Kb) Interrupt:10 Base address:0x7800
    >
    > eth1 Link encap:Ethernet HWaddr 00:30:4F:1E:0B:2A
    > inet addr:172.16.0.1 Bcast:172.16.0.255 Mask:255.255.255.0
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:10 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:248 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:1000 RX bytes:759 (759.0 b) TX
    > bytes:30639 (29.9 Kb) Interrupt:11 Base address:0x1000

    This much looks good. Just make sure you edit the eth1 config and make
    sure there's no default gateway defined.

    In order for the kernel to route traffic between the interfaces, you
    must turn on packet forwarding. Edit /etc/sysctl.conf and set the
    following:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1

    The first enables forwarding on all interfaces. The second enables
    source route verification. This makes it harder for someone to get past
    your firewall using address spoofing.

    You then need to set up iptables for stateful filtering and
    masquerading. That's a whole other dissertation, but one I've covered in
    the past. Complete with sample script. Check in the archives from late
    February or early March.

    For now I've got to go. The wife and kids are waiting for me. I'm
    holding the family up, again... ;)

    HTH

    Eric Diamond
    eDiamond Networking & Security
    303-246-9555
    eric@ediamond.net
     

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    

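    The reply above makes three points for a two-interface gateway: no default
    gateway on the inside interface, forwarding and rp_filter in sysctl.conf,
    and a stateful iptables ruleset with masquerading. The script below is an
    added example, not Eric's script from the archives and not part of the
    original post. It checks the first two points against ifcfg/sysctl-style
    files (the sample files it creates are constructed, not real system files)
    and prints a minimal ruleset in iptables-restore format for the interface
    names and 172.16.0.0/24 network shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the two settings
# discussed above (no GATEWAY= on the inside interface, forwarding plus
# rp_filter in sysctl.conf) and emit a minimal stateful-filtering +
# masquerading ruleset in iptables-restore format. Interface names and the
# 172.16.0.0/24 LAN come from the post; the sample files below are constructed.

# Exit 0 if an ifcfg-ethN file sets a non-empty GATEWAY (the misconfiguration
# described in the reply), 1 otherwise. Comment lines are ignored.
ifcfg_has_gateway() {
    grep -Eq '^[[:space:]]*GATEWAY=[^[:space:]#]+' "$1"
}

# Exit 0 if a sysctl.conf-style file enables ip_forward and rp_filter
# (either conf.default or conf.all), 1 otherwise.
sysctl_conf_ok() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1" &&
    grep -Eq '^[[:space:]]*net\.ipv4\.conf\.(default|all)\.rp_filter[[:space:]]*=[[:space:]]*1' "$1"
}

# Print an iptables-restore ruleset for $1 = outside (WAN) interface,
# $2 = inside (LAN) interface, $3 = LAN network in CIDR notation.
# Policy: drop inbound on WAN except replies and ping, let the LAN open
# connections outward, masquerade LAN sources behind the WAN address, and
# drop WAN packets that claim a LAN source (anti-spoofing alongside rp_filter).
fw_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -j ACCEPT
-A INPUT -i $wan -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $wan -s $lan_net -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Count rules in the generated set that jump to a given target
# (quick self-check: exactly one MASQUERADE rule is expected).
rule_count() {
    fw_rules "$1" "$2" "$3" | grep -c -- "-j $4"
}

# --- demonstration on constructed sample files (not real system files) ---
tmp=$(mktemp -d)
printf 'DEVICE=eth1\nBOOTPROTO=static\nIPADDR=172.16.0.1\nNETMASK=255.255.255.0\nGATEWAY=172.16.0.1\nONBOOT=yes\n' > "$tmp/ifcfg-eth1.bad"
printf 'DEVICE=eth1\nBOOTPROTO=static\nIPADDR=172.16.0.1\nNETMASK=255.255.255.0\nONBOOT=yes\n' > "$tmp/ifcfg-eth1.good"
printf '# Controls IP packet forwarding\nnet.ipv4.ip_forward = 1\n# Controls source route verification\nnet.ipv4.conf.default.rp_filter = 1\n' > "$tmp/sysctl.conf"

for f in "$tmp/ifcfg-eth1.bad" "$tmp/ifcfg-eth1.good"; do
    if ifcfg_has_gateway "$f"; then
        echo "$f: GATEWAY= set on the inside interface; remove it"
    else
        echo "$f: ok, no default gateway on the inside interface"
    fi
done
if sysctl_conf_ok "$tmp/sysctl.conf"; then
    echo "sysctl.conf: forwarding and rp_filter enabled"
fi
fw_rules eth0 eth1 172.16.0.0/24      # on the gateway: pipe into iptables-restore
rm -rf "$tmp"
```

    On the gateway itself the ruleset would be loaded with
    `fw_rules eth0 eth1 172.16.0.0/24 | iptables-restore` and the sysctl
    values applied with `sysctl -p`. One caveat on the rp_filter line from
    the reply: `net.ipv4.conf.default.rp_filter` only seeds interfaces that
    are configured after the setting is applied, so on a box whose interfaces
    are already up it is worth setting `net.ipv4.conf.all.rp_filter = 1` as
    well; the check function above accepts either. The explicit FORWARD drop
    of WAN packets with a LAN source is belt-and-braces on top of rp_filter.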