Re: Linux firewall behind Cisco DSL Router
From: Pete Houston (ph1_at_zapthisbit.openstrike.co.uk)
Date: Wed, 23 Jul 2003 13:44:13 GMT
In article <email@example.com>,
Eugene van Rooyen wrote:
> a) Can I plug the DSL router Internal interface into a hub, with the
> linux box's External interface into the same hub? (The reason for this
> is that I want to put a second fw with same config into that hub as a
> backup at some stage) Or is it better to plug the external-fw cable
> directly into the LAN port of the 677?
No reason not to use the hub. However if you want a hot-backup fw, you
should think about virtual IPs and linux-ha now rather than later - it'll save
you some grief in the long run.
> b) Do I assign a Firewall-External-IP of 10.100.1.5, 255.0.0.0,gateway
> 10.100.1.1, and FW-Internal-IP of 192.168.x.y?
> c) Do I need to enable NAT on the firewall machine even if 677 is
> doing it already, is this "double-nat" healthy?
It's not unhealthy, it just adds an extra layer of possible confusion.
Once the debugging's out of the way it should be fine, and may be a real
boon if the ISP decides to change the internal ranges on you.
> d) I want to use IPTables, and make the fw-internal-IP the gateway
> address of the private network PCs. I have tried Shorewall, but despite
> IP-forwarding showing enabled, I can get from the fw out, but not from
> inside the private network. (Even if rules permit it)
Assuming you're right that the rules don't prevent it (turn on logging
for anything which you drop) and that ip-forwarding is enabled, then it
sounds very much like a routing issue. Time to dig around with route and
tcpdump. Are the packets even reaching the internal interface? The
external interface? If stuck, post the output from route -n.
--
Openstrike - improving business through open source
http://www.openstrike.co.uk/
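The routing sanity check suggested in the reply to d) (ip-forwarding on, a usable default route towards the 677, a connected route for the private LAN), written out as an added example that is not part of the thread; the interface names eth0/eth1 and the sample `route -n` table are assumptions.

```python
import ipaddress

# Constructed `route -n` output for a firewall set up as in question b): eth0
# faces the 677 (10.100.1.5/8, gateway 10.100.1.1), eth1 faces the LAN
# (192.168.1.1/24). Interface names and this table are assumed, not real.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         10.100.1.1      0.0.0.0         UG    0      0        0 eth0
"""

def parse_route_n(text):
    """Turn `route -n` text into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
        routes.append((net, ipaddress.ip_address(cols[1]), cols[7]))
    return routes

def check_forwarding_path(route_text, ip_forward, ext_iface, ext_addr,
                          int_iface, int_addr):
    """Findings that stop LAN hosts getting out; empty means routing on the
    box is sane, so look at dropped-packet logs or the 677's return path.
    ip_forward: text of /proc/sys/net/ipv4/ip_forward; *_addr: 'a.b.c.d/prefix'."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("ip_forward is 0: kernel will not forward packets")
    routes = parse_route_n(route_text)
    ext = ipaddress.ip_interface(ext_addr)
    lan = ipaddress.ip_interface(int_addr)
    if ext.network.overlaps(lan.network):
        findings.append("internal and external subnets overlap")
    default = [r for r in routes if r[0].prefixlen == 0]
    if not default:
        findings.append("no default route")
    else:
        _net, gw, iface = default[0]
        if iface != ext_iface:
            findings.append(f"default route leaves via {iface}, not {ext_iface}")
        if gw not in ext.network:
            findings.append(f"gateway {gw} is not inside {ext.network}")
    if not any(r[0] == lan.network and r[2] == int_iface for r in routes):
        findings.append(f"no connected route for {lan.network} on {int_iface}")
    return findings
```

Feed it the real `route -n` output and `cat /proc/sys/net/ipv4/ip_forward` from the firewall; if it reports nothing, the next step is tcpdump on each interface as the reply suggests.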