Re: Confusing gateway/FW project - need help bad!

From: David Efflandt (efflandt_at_xnet.com)
Date: 09/29/03


Date: Mon, 29 Sep 2003 19:45:32 +0000 (UTC)

On Sun, 28 Sep 2003, Jay "Boogieman" Edwards <boogie350@NOSPAMyahoo.com>
wrote:
> I presently have my cable modem shared through an SMC Barricade 7004BR
> NAT router/firewall. I have the DHCP server in the router disabled as I
> like each machine to have a static IP.
>
> I have one machine on the LAN that is a dedicated Quake 3 server, and it
> is in the router's DMZ because some people had problems staying connected
> to it. All is well with this setup... sort of... the Q3 machine in the
> DMZ snagged a worm (w2kServ) which totalled out my w9x install on my main
> machine (left 2kPro intact though).
>
> What I want to do is take the machine that the Quake server runs on and
> set it up as a Linux gateway/firewall between the internet and my SMC
> router. I can then run the Q3 server on that machine too and have it
> completely out of the LAN. This is proving far more difficult than it
> sounds. I could have had it set up and running with Windoze, but I want
> Linux instead. It's been fighting me for 3 weeks now.
>
> Now, then... I assuming that the following is correct for what I'm trying
> to do here. Please let me know if something's amiss...
>
> - eth0 should be assigned 192.168.0.1 static
> - eth0 connects to the cable modem's 10BaseT port
> - eth0's "gateway" should point to my ISP's gateway IP addy
> - eth0's DNS server points to ISP's DNS server IP addy

Is your cable modem just a modem or modem/router? In other words, if you
do the above, can you get on the internet, or do you have to use dhcp?
The best answers depend upon that and whether more than 1 private IP can
connect through it.

> - eth1 can be assigned 192.168.0.2 static
> - eth1 connects to the SMC's 10BaseT WAN port

You need to masquerade any traffic going out eth0 as your eth0 IP and use
a different network for eth1. Proxy arp might be an alternative
with IPs you have, but eth0 would need different netmask/broadcast and it
depends whether your modem/router accepts multiple private IPs on its LAN
side.

> - eth1 looks to 192.168.0.1 as its gateway??
> - eth1 should point *where* for DNS server???

eth1 should have _NO_ gateway. It should automatically get a net
route for its network if eth1 is brought up by network scripts. But you
might need to change eth1 IP to different network like 192.168.1.x if
Linux is masquerading it.

> - SMC WAN port now looks at 192.168.0.2 as its gateway IP/DNS??
> - SMC DHCP server is disabled (I want static IPs on the LAN)
> - SMC should point where for DNS server??

Gateway is correct (or whatever eth1 ends up as), but DNS would point to
your ISP's DNS.

> - PC's on the LAN still look at the SMC's IP (192.168.2.1) as their
> gateway and DNS servers?

Yes if the SMC does DNS caching, otherwise use DNS at your ISP.

> Now, onto the question of NAT routing. Currently, the SMC handles that
> fine. But, if there is now a gateway/FW between it and the internet, will
> this break the router's NAT? Will I have to set up IP forwarding/NAT for
> each internal IP on the LAN? I've done some studying on IPtables and Masq
> and it just seems totally Geek to me.

The Linux router will not see any IPs on the LAN side of SMC, so it just
needs to NAT its eth1 network (essentially SMC WAN IP). The SMC will
still NAT everything behind it.

> Am I perhaps better off not putting a gateway/FW before the router and
> just install Linux with a firewall on the Q3 server box? I'd *really*
> prefer it if I could get that server *outside* my LAN though. I don't
> want to run Windows on it regardless for evident security reasons.

That might be easiest. If you do point the DMZ at Linux, you should still
run a firewall on it to block anything except what you need (especially
low ports < 1024).

-- 
David Efflandt - All spam ignored  http://www.de-srv.com/
http://www.autox.chicago.il.us/  http://www.berniesfloral.net/
http://cgi-help.virtualave.net/  http://hammer.prohosting.com/~cgi-wiz/
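
As an added example (not code from David's reply or from Jay's post), here is the layout the reply describes written out for a Linux box with two NICs: eth0 toward the cable modem, eth1 toward the SMC's WAN port on a network of its own, masquerading out eth0, forwarding only replies back in, and a host firewall that exposes nothing on the WAN side except the game server. Everything concrete in it is an assumption for illustration: eth1 as 192.168.1.1/24 with the SMC WAN port at 192.168.1.2, the ISP-assigned address read off eth0 at run time, and 27960/udp for Quake 3 (the Q3 default, but adjust it to what the server actually listens on). The `nets_overlap` check is the reply's point that eth1 must not share eth0's network: it refuses to load the rules if it does.

```sh
#!/bin/sh
# Added example, not from the original post: the two-NIC Linux gateway the
# reply describes. Assumed layout (placeholder values, change to taste):
#   eth0 (WAN) faces the cable modem; its address comes from the ISP
#              (static or DHCP) and is read off the interface at apply time
#   eth1 (LAN) faces the SMC's WAN port: eth1 = 192.168.1.1/24, SMC WAN = 192.168.1.2
#   the Quake 3 server runs on this box; 27960/udp is Q3's default, assumed here
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_ADDR=${LAN_ADDR:-192.168.1.1/24}
Q3_PORT=${Q3_PORT:-27960}

# dotted quad -> integer (no validation; inputs are our own config)
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix length -> integer netmask (4294967295 = 0xFFFFFFFF)
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Exit 0 when addr/prefix A and addr/prefix B lie in the same network, judged
# by the shorter prefix. This is the reply's "use a different network for
# eth1": if eth1 sits inside eth0's network the kernel has two routes to the
# same destination and the SMC side is never masqueraded properly.
nets_overlap() {
  a=${1%/*}; abits=${1#*/}
  b=${2%/*}; bbits=${2#*/}
  bits=$abits
  if [ "$bbits" -lt "$bits" ]; then bits=$bbits; fi
  mask=$(prefix_mask "$bits")
  [ $(( $(ip2int "$a") & mask )) -eq $(( $(ip2int "$b") & mask )) ]
}

# 192.168.1.1/24 -> 192.168.1.0/24 (the network eth1 serves)
lan_net() {
  a=${1%/*}; bits=${1#*/}
  n=$(( $(ip2int "$a") & $(prefix_mask "$bits") ))
  printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
                             $(( (n >> 8) & 255 )) $(( n & 255 )) "$bits"
}

# Emit the rule set in iptables-restore format so it can be read and diffed
# before it touches the kernel. iptables-restore ignores the '#' lines.
gateway_ruleset() {
  net=$(lan_net "$LAN_ADDR")
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# everything from the SMC side that leaves via $WAN_IF gets $WAN_IF's own address
-A POSTROUTING -s $net -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the SMC side may talk to the gateway itself; the WAN side may not
-A INPUT -i $LAN_IF -s $net -j ACCEPT
# DHCP replies from the ISP; harmless if $WAN_IF is static
-A INPUT -i $WAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
# the Quake 3 server is the only service reachable from the WAN; ports < 1024 stay closed
-A INPUT -i $WAN_IF -p udp --dport $Q3_PORT -j ACCEPT
# LAN -> WAN freely; WAN -> LAN only replies, the SMC's own NAT needs nothing more
-A FORWARD -i $LAN_IF -o $WAN_IF -s $net -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Refuse if eth1 would sit in eth0's network, then turn on forwarding and
# load the rules atomically. Needs root, iproute2 and iptables.
apply_gateway() {
  wan=$(ip -4 -o addr show dev "$WAN_IF" | awk '{print $4; exit}')
  if [ -n "$wan" ] && nets_overlap "$wan" "$LAN_ADDR"; then
    echo "$LAN_IF ($LAN_ADDR) is inside $WAN_IF's network ($wan); renumber $LAN_IF first" >&2
    return 1
  fi
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gateway_ruleset | iptables-restore
}

# Usage: sh gateway.sh print   (show the rule set)
#        sh gateway.sh apply   (load it, as root)
case "${1:-}" in
  print) gateway_ruleset ;;
  apply) apply_gateway ;;
esac
```

With Jay's original numbering (eth0 192.168.0.1/24, eth1 192.168.0.2/24) the overlap check fails and nothing is loaded, which is the failure the reply warns about; with eth1 moved to 192.168.1.x it passes. The SMC then keeps its own NAT behind eth1, and the Linux box only ever sees the SMC's WAN address, so there is nothing per-LAN-host to configure on it.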