Firewall to two networks
I'm really struggling to understand IP networks, iptables and
firewalling. I want to put a firewall inside my ADSL server.
Because of our house & my hubs, it needs to act as firewall to two
internal networks, each separate (one for kids, one for parents and
my www and mail server as it happens).
I have built a machine using old hardware etc with Woody, 2.4.16
kernel and three working ethernet cards. If I use two of the five IP
addresses I have from my ADSL ISP (British Telecom and no choice in
the matter for me sadly), one for the external card, one for one of
the internal ones, then I did manage once to get ipforwarding working
fine. Now I can't even repeat that feat and I'm baffled.
I think I will need to use two different private address network
spaces for the two internal cards, e.g. 192.168.2.1 and 192.168.1.1
each using the supplied public IP address xxx.xxx.xxx.197 which
points at xxx.xxx.xxx.198, the ADSL router as gateway, all with
netmasks of 255.255.255.0 and with the two internal cards pointing to
the external card (xxx.xxx.xxx.197) as gateway. I thought I had to
use the private addresses to ensure that there were three distinct
subnets.
I thought I had that working fine a few days back but today whatever
I do I get "network unreachable" and I can do everything fine through
the card pointing at the ADSL router but nothing really, in or out,
pinging either of the other cards. It doesn't seem to matter whether
I use private addresses or another of the supplied ones for the
internally facing cards.
It's not something wrong with the cards, if I configure one of the
internally facing ones to look at the router it works fine.
Clearly I've got something very wrong with my network set up and my
brain's gone to porridge.
Big request:
a) what am I doing wrong/misunderstanding (pointers to documentation
gladly accepted!)?
Then if anyone's feeling generous and can take me further:
b) am I right that I have to use different subnet masks for the three
cards? If so, I have to use private addresses for two cards as my
given IPs are contiguous (xxx.xxx.xxx.193-198 including the router)
c) if so, and given that the ISP won't route packets from private
addresses I'm sure, how do I get iptables to rewrite the passing on
of the packets?
Here's my /etc/network/interfaces file with the offending configs of
the internally facing cards commented out:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
    address 217.34.100.197
    netmask 255.255.255.0
    network 217.34.100.0
    broadcast 217.34.100.255
    gateway 217.34.100.198
#auto eth1
#iface eth1 inet static
#    address 192.168.1.1
#    netmask 255.255.255.0
#    network 192.168.1.0
#    broadcast 192.168.1.255
#    gateway 217.34.100.197
#auto eth2
#iface eth2 inet static
#    address 192.168.2.1
#    netmask 255.255.255.0
#    network 192.168.2.0
#    broadcast 192.168.2.255
#    gateway 217.34.100.197
TIA,
Chris
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris@psyctc.org
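The layout described in the post (one public address on the card facing the ADSL router, two private networks on the other two cards, private source addresses rewritten on the way out) as an added example, not code from the original message: a small POSIX shell script that prints a corrected /etc/network/interfaces and applies a default-deny iptables rule set with source NAT. Interface names eth0/eth1/eth2 and the addresses 217.34.100.197/198 and 192.168.1.0/24, 192.168.2.0/24 follow the post; the web/mail server at 192.168.2.10 and the second public address 217.34.100.194 used to reach it are assumptions. Only the stanza for the ADSL-facing card carries a gateway line, because the two internal networks are directly connected and a router gets exactly one default route; the FORWARD chain lets each LAN out and replies back in, but has no rule between the two LANs, so they stay separate. Set DRY_RUN=1 to print the commands instead of running them (that is how the script can be inspected without root).

```shell
#!/bin/sh
# Added example: three-card Linux router/firewall with SNAT for two private LANs.
# eth0 = ADSL side, eth1 = kids' LAN, eth2 = parents' LAN (names from the post).
EXT_IF=eth0
EXT_IP=217.34.100.197          # public address on the firewall (from the post)
EXT_GW=217.34.100.198          # the ADSL router (from the post)
SERVER_PUB=217.34.100.194      # assumed: second public address for the www/mail host
SERVER_PRIV=192.168.2.10       # assumed: the www/mail host on the parents' LAN
KIDS_IF=eth1;    KIDS_NET=192.168.1.0/24
PARENTS_IF=eth2; PARENTS_NET=192.168.2.0/24

# Run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Turn on IPv4 forwarding (needed for any packet to cross between the cards).
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Corrected interfaces file: one gateway line, on the ADSL-facing card only.
interfaces_file() {
    cat <<EOF
# /etc/network/interfaces (added example)
auto lo
iface lo inet loopback

# ADSL side: the only stanza with a gateway line
auto $EXT_IF
iface $EXT_IF inet static
    address $EXT_IP
    netmask 255.255.255.0
    gateway $EXT_GW
    # second public address, answered by the firewall and DNATed inwards (assumed)
    up ifconfig $EXT_IF:0 $SERVER_PUB netmask 255.255.255.0

# Internal cards: directly connected networks, so no gateway line
auto $KIDS_IF
iface $KIDS_IF inet static
    address 192.168.1.1
    netmask 255.255.255.0

auto $PARENTS_IF
iface $PARENTS_IF inet static
    address 192.168.2.1
    netmask 255.255.255.0
EOF
}

fw_apply() {
    enable_forwarding
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # The firewall itself: loopback, replies to its own connections, and the LANs.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$KIDS_IF" -s "$KIDS_NET" -j ACCEPT
    ipt -A INPUT -i "$PARENTS_IF" -s "$PARENTS_NET" -j ACCEPT

    # Anti-spoofing: private source addresses never arrive legitimately from the ADSL side.
    ipt -A FORWARD -i "$EXT_IF" -s 10.0.0.0/8 -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s 172.16.0.0/12 -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s 192.168.0.0/16 -j DROP

    # Forwarding: each LAN may go out, replies come back; no rule joins the two LANs.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$KIDS_IF" -o "$EXT_IF" -s "$KIDS_NET" -j ACCEPT
    ipt -A FORWARD -i "$PARENTS_IF" -o "$EXT_IF" -s "$PARENTS_NET" -j ACCEPT
    # Only HTTP and SMTP from the Internet may reach the www/mail host.
    ipt -A FORWARD -i "$EXT_IF" -o "$PARENTS_IF" -d "$SERVER_PRIV" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$PARENTS_IF" -d "$SERVER_PRIV" -p tcp --dport 25 -j ACCEPT

    # NAT: rewrite private sources to the fixed public address on the way out,
    # and map the second public address onto the www/mail host on the way in.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$KIDS_NET" -j SNAT --to-source "$EXT_IP"
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$PARENTS_NET" -j SNAT --to-source "$EXT_IP"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$SERVER_PUB" -p tcp --dport 80 -j DNAT --to-destination "$SERVER_PRIV"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$SERVER_PUB" -p tcp --dport 25 -j DNAT --to-destination "$SERVER_PRIV"
}

# Usage: sh fw.sh interfaces   (print the interfaces file)
#        sh fw.sh apply        (apply the rules; DRY_RUN=1 sh fw.sh apply to preview)
case "${1:-}" in
    interfaces) interfaces_file ;;
    apply) fw_apply ;;
esac
```

SNAT rather than MASQUERADE is used because the public address is fixed; MASQUERADE is for interfaces whose address changes. Hosts on each LAN use the firewall's address on that LAN (192.168.1.1 or 192.168.2.1) as their default gateway.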