Re: Linux firewall behind Cisco DSL Router

From: Pete Houston (ph1_at_zapthisbit.openstrike.co.uk)
Date: 07/23/03


Date: Wed, 23 Jul 2003 13:44:13 GMT

In article <c0a9156d.0307040456.62745781@posting.google.com>,
Eugene van Rooyen wrote:
> a) Can I plug the DSL router Internal interface into a hub, with the
> linux box's External interface into the same hub? (The reason for this
> is that I want to put a second fw with same config into that hub as a
> backup at some stage) Or is it better to plug the external-fw cable
> directly into the LAN port of the 677?

No reason not to use the hub. However, if you want a hot-backup fw, you
should think about virtual IPs and linux-ha now rather than later; it will
save you some grief in the long run.

> b) Do I assign a Firewall-External-IP of 10.100.1.5, 255.0.0.0,gateway
> 10.100.1.1, and FW-Internal-IP of 192.168.x.y?

Sounds fine.

> c) Do I need to enable NAT on the firewall machine even if 677 is
> doing it already, is this "double-nat" healthy?

It's not unhealthy, it just adds an extra layer of possible confusion.
Once the debugging's out of the way it should be fine, and may be a real
boon if the ISP decides to change the internal ranges on you.

> d) I want to use IPTables, and make the fw-internal-IP the gateway
> address of the private network PCs. I have tried Shorewall, but despite
> IP-forwarding showing enabled, I can get from the fw out, but not from
> inside the private network (even if rules permit it).

Assuming you're right that the rules don't prevent it (turn on logging
for anything which you drop) and that ip-forwarding is enabled, then it
sounds very much like a routing issue. Time to dig around with route and
tcpdump. Are the packets even reaching the internal interface? The
external interface? If stuck, post the output from route -n.

Pete

-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/
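A small shell helper for the three checks Pete lists (forwarding enabled, dropped packets logged, route -n sane), added here as an example and not part of the original post. It assumes the external interface is eth0 with the DSL router 10.100.1.1 as default gateway and the LAN is 192.168.1.0/24 on eth1 (the thread only says 192.168.x.y); each check takes saved command output as text, e.g. check_routes "$(route -n)".

```shell
# Added diagnostic helper for the firewall described in this thread; not
# code from the original post. Assumed: external interface eth0, DSL
# router 10.100.1.1 as default gateway, LAN 192.168.1.0/24 on eth1.

# True when IPv4 forwarding is on. Argument: path to the sysctl file
# (/proc/sys/net/ipv4/ip_forward on a live firewall).
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Checks 'route -n' output for (a) a default route via the DSL router on
# the external interface and (b) the LAN on the internal interface.
# Prints what is missing; returns 0 only when both are present.
check_routes() {
    routes=$1; ext_gw=${2:-10.100.1.1}; ext_if=${3:-eth0}
    lan=${4:-192.168.1.0}; lan_if=${5:-eth1}; ok=0
    if ! printf '%s\n' "$routes" | awk -v gw="$ext_gw" -v dev="$ext_if" \
        '$1=="0.0.0.0" && $2==gw && $NF==dev {f=1} END {exit !f}'; then
        echo "no default route via $ext_gw on $ext_if"; ok=1
    fi
    if ! printf '%s\n' "$routes" | awk -v net="$lan" -v dev="$lan_if" \
        '$1==net && $NF==dev {f=1} END {exit !f}'; then
        echo "no route to $lan on $lan_if"; ok=1
    fi
    return $ok
}

# Given 'iptables -L FORWARD -n' output: if the chain drops anything, is
# there a LOG rule so dropped packets show up in the kernel log?
drop_logging_present() {
    printf '%s\n' "$1" | awk '
        /^Chain FORWARD/ && /policy DROP/ {drops=1}
        $1=="DROP" {drops=1}
        $1=="LOG"  {logs=1}
        END {exit !(logs || !drops)}'
}

# Constructed sample output for a firewall set up as in the thread.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.100.1.1      0.0.0.0         UG    0      0        0 eth0'
SAMPLE_FORWARD='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG level warning'

check_routes "$SAMPLE_ROUTES" && echo "routes ok"
drop_logging_present "$SAMPLE_FORWARD" && echo "dropped packets are logged"
```

If the routes and logging both check out, the remaining suspect is the hosts' own default gateway and the path itself, which is where tcpdump on eth1 and then eth0 shows whether the packets arrive at all.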
