Re: Firewall to two networks
On Fri, Aug 23, 2002 at 10:53:28AM +0100, Chris Evans wrote:
> On 22 Aug 2002 at 12:01, Vince Mulhollon wrote:
> If anyone can find time to comment on these thoughts and my posting
> of the route and ifconfig information on the list last night, I'd
> hugely appreciate it as I'm still unconfident that I understand and
> the linux firewall HOWTO seems to say I should be able to ping to and
> from those cards.
I haven't followed your configuration in detail. However if you are
up to a little reading, I've attached the relevant files from a
system here that may help you by serving as an example. The files are:
output of "/sbin/ifconfig"
/etc/networks
/etc/network/interfaces
my firewall script
The big picture is: it's a firewall machine, Debian 2.2r6.
I'm still using a 2.2 kernel, so ipchains is doing the firewalling.
There are four (4) internal networks. However there is a neat feature
that allows all four to use the same ethernet interface card.
Look in the interfaces file for more details.
So the machine has two ethernet cards (one for the outside world,
and one for the inside world), yet handles four separate internal
networks.
If I've forgotten any details that will help explain the setup,
just shout.
HTH,
Doug.
--
------------------------------------------------------------------
Douglas Guptill dguptill@thinweb.com
Quality Assurance Specialist 902-425-2802 x 222
ThinWEB Technologies http://www.thinWEB.com
eth0      Link encap:Ethernet  HWaddr 00:60:67:48:66:1E
          inet addr:142.176.176.36  Bcast:142.176.176.39  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28665306 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23414855 errors:2 dropped:0 overruns:0 carrier:2
          collisions:35565 txqueuelen:100
          Interrupt:11 Base address:0x9400

eth1      Link encap:Ethernet  HWaddr 00:60:67:2D:F9:9A
          inet addr:142.176.134.185  Bcast:142.176.134.191  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26658767 errors:0 dropped:0 overruns:0 frame:532
          TX packets:31361284 errors:769 dropped:0 overruns:0 carrier:769
          collisions:645946 txqueuelen:100
          Interrupt:10 Base address:0x9800

eth1:0    Link encap:Ethernet  HWaddr 00:60:67:2D:F9:9A
          inet addr:142.176.134.173  Bcast:142.176.134.175  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x9800

eth1:1    Link encap:Ethernet  HWaddr 00:60:67:2D:F9:9A
          inet addr:192.168.0.1  Bcast:192.168.0.63  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x9800

eth1:2    Link encap:Ethernet  HWaddr 00:60:67:2D:F9:9A
          inet addr:192.168.1.1  Bcast:192.168.1.63  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x9800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:1804022 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1804022 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
# modified by Doug Guptill
# This gives it 8 addresses
# iface eth0 inet static
#     address 142.176.134.163
#     gateway 142.176.134.161
#     network 142.176.134.160
#     netmask 255.255.255.248
#     broadcast 142.176.134.167
iface eth0 inet static
    address 142.176.176.36
    gateway 142.176.176.33
    network 142.176.176.32
    netmask 255.255.255.248
    broadcast 142.176.176.39
# This gives it 8 addresses
#     netmask 255.255.255.248
#     broadcast 142.176.134.167
# This gives it 32 addresses
#     netmask 255.255.255.224
#     broadcast 142.176.134.191

# The second network card - this entry was created by Douglas Guptill
# This gives it 16 addresses
iface eth1 inet static
    address 142.176.134.185
    network 142.176.134.176
    netmask 255.255.255.240
    broadcast 142.176.134.191

# The other three internal subnets sit on the same card as the
# aliases eth1:0, eth1:1 and eth1:2 (one IP address each, all
# sharing eth1's hardware address).
iface eth1:0 inet static
    address 142.176.134.173
    network 142.176.134.168
    netmask 255.255.255.248
    broadcast 142.176.134.175

iface eth1:1 inet static
    address 192.168.0.1
    network 192.168.0.0
    netmask 255.255.255.192
    broadcast 192.168.0.63

iface eth1:2 inet static
    address 192.168.1.1
    network 192.168.1.0
    netmask 255.255.255.192
    broadcast 192.168.1.63
#!/bin/sh
# firewalling for ThinWEB
# ipchains (2.2 kernel): rules in a chain are tried in order and the
# first match decides; a packet matching no rule gets the chain policy.

# chain input....................
# get rid of all the old rules
/sbin/ipchains -F input
# default policy is ACCEPT
/sbin/ipchains -P input ACCEPT

# chain forward....................
# get rid of all the old rules
/sbin/ipchains -F forward
# default policy is DENY
/sbin/ipchains -P forward DENY

# forwarding between internal subnets................
# forward the 2nd quarter to the upper half.
# /sbin/ipchains -A forward -p all -s 142.176.134.168/255.255.255.248 -d 142.176.134.176/255.255.255.240 -j ACCEPT
/sbin/ipchains -A forward -s 142.176.134.168/255.255.255.248 -d 142.176.134.176/255.255.255.240 -j ACCEPT
# forward the 2nd quarter to internal.
/sbin/ipchains -A forward -s 142.176.134.168/255.255.255.248 -d 192.168.0.0/255.255.255.192 -j ACCEPT
# forward the 2nd quarter to internal-dhcp.
/sbin/ipchains -A forward -s 142.176.134.168/255.255.255.248 -d 192.168.1.0/255.255.255.192 -j ACCEPT
# forward the upper half to the 2nd quarter.
# /sbin/ipchains -A forward -p all -s 142.176.134.176/255.255.255.240 -d 142.176.134.168/255.255.255.248 -j ACCEPT
/sbin/ipchains -A forward -s 142.176.134.176/255.255.255.240 -d 142.176.134.168/255.255.255.248 -j ACCEPT
# forward the upper half to internal.
/sbin/ipchains -A forward -s 142.176.134.176/255.255.255.240 -d 192.168.0.0/255.255.255.192 -j ACCEPT
# forward the upper half to internal-dhcp.
/sbin/ipchains -A forward -s 142.176.134.176/255.255.255.240 -d 192.168.1.0/255.255.255.192 -j ACCEPT
# forward internal to the 2nd quarter.
/sbin/ipchains -A forward -s 192.168.0.0/255.255.255.192 -d 142.176.134.168/255.255.255.248 -j ACCEPT
# forward internal to the upper half.
/sbin/ipchains -A forward -s 192.168.0.0/255.255.255.192 -d 142.176.134.176/255.255.255.240 -j ACCEPT
# forward internal to internal-dhcp.
/sbin/ipchains -A forward -s 192.168.0.0/255.255.255.192 -d 192.168.1.0/255.255.255.192 -j ACCEPT
# forward internal-dhcp to the 2nd quarter.
/sbin/ipchains -A forward -s 192.168.1.0/255.255.255.192 -d 142.176.134.168/255.255.255.248 -j ACCEPT
# forward internal-dhcp to the upper half.
/sbin/ipchains -A forward -s 192.168.1.0/255.255.255.192 -d 142.176.134.176/255.255.255.240 -j ACCEPT
# forward internal-dhcp to internal.
/sbin/ipchains -A forward -s 192.168.1.0/255.255.255.192 -d 192.168.0.0/255.255.255.192 -j ACCEPT

# forward between blackpearl.thinweb.com and admin.thinweb.com .........................
# /sbin/ipchains -A forward -s 192.168.0.2/255.255.255.255 -d 142.176.134.162/255.255.255.255 -j ACCEPT
# /sbin/ipchains -A forward -s 142.176.134.162/255.255.255.255 -d 192.168.0.2/255.255.255.255 -j ACCEPT
# /sbin/ipchains -A forward -s 192.168.0.2 -d 142.176.134.162 -j ACCEPT
# /sbin/ipchains -A forward -s 142.176.134.162 -d 192.168.0.2 -j ACCEPT

# forward for WallaceIntelBox
# (no -d and no -p: every packet from this single outside host is
# forwarded, whatever its destination or protocol)
/sbin/ipchains -A forward -s 24.222.181.87 -j ACCEPT

# masquerading subnets to the outside world........................
# internal-to-internal traffic already matched an ACCEPT above, so the
# only packets reaching these rules are ones from the inside bound for
# somewhere else, i.e. the outside.
# masquerade for the upper half
/sbin/ipchains -A forward -p all -s 142.176.134.176/255.255.255.240 -j MASQ
# masquerade for the 2nd quarter
/sbin/ipchains -A forward -p all -s 142.176.134.168/255.255.255.248 -j MASQ
# masquerade for internal
/sbin/ipchains -A forward -p all -s 192.168.0.0/255.255.255.192 -j MASQ
# masquerade for internal-dhcp
/sbin/ipchains -A forward -p all -s 192.168.1.0/255.255.255.192 -j MASQ

# log anything that doesn't match any rule
# (-l writes the packet to the kernel log before DENY drops it; this
# catch-all means the DENY policy set above is never actually reached)
/sbin/ipchains -A forward -l -j DENY

# chain output....................
# get rid of all the old rules
/sbin/ipchains -F output
# default policy is ACCEPT
/sbin/ipchains -P output ACCEPT
# /etc/networks
# 1stquarter    142.176.134.160
1stquarter      142.176.176.32
2ndquarter      142.176.134.168
upperhalf       142.176.134.176
internal        192.168.0.0
internal-dhcp   192.168.1.0
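As an added example (not part of Doug's post or of the files he attached): the script below takes the address/netmask/broadcast triples from the posted /etc/network/interfaces and checks that each stanza is internally consistent, which is the first thing to verify when two cards on the same box cannot ping each other, and then replays the posted forward chain against sample packets using ipchains' first-match semantics. The subnet names follow /etc/networks; the outside address 198.51.100.7 is a constructed sample (TEST-NET-2), and the Python code itself is mine, not Doug's.

```python
"""Added example: consistency check of the posted interface stanzas, and a
first-match evaluation of the posted ipchains forward chain.  The rules and
addresses are copied from the mailing-list post; 198.51.100.7 is a constructed
outside address (TEST-NET-2)."""
import ipaddress

# Copied from the posted /etc/network/interfaces: (address, netmask, broadcast).
IFACES = {
    "eth0":   ("142.176.176.36",  "255.255.255.248", "142.176.176.39"),
    "eth1":   ("142.176.134.185", "255.255.255.240", "142.176.134.191"),
    "eth1:0": ("142.176.134.173", "255.255.255.248", "142.176.134.175"),
    "eth1:1": ("192.168.0.1",     "255.255.255.192", "192.168.0.63"),
    "eth1:2": ("192.168.1.1",     "255.255.255.192", "192.168.1.63"),
}


def check_iface(address, netmask, broadcast):
    """Return the subnet the triple describes; raise ValueError if it is inconsistent."""
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    if ipaddress.ip_address(broadcast) != net.broadcast_address:
        raise ValueError(f"broadcast {broadcast} is not the broadcast address of {net}")
    if ipaddress.ip_address(address) in (net.network_address, net.broadcast_address):
        raise ValueError(f"{address} is the network or broadcast address of {net}")
    return net


def iface_problems(ifaces):
    """Map interface name -> error text for every inconsistent stanza (empty if all ok)."""
    problems = {}
    for name, triple in ifaces.items():
        try:
            check_iface(*triple)
        except ValueError as err:
            problems[name] = str(err)
    return problems


# The four inside subnets, named as in the posted /etc/networks.
UPPERHALF = "142.176.134.176/28"
QUARTER2 = "142.176.134.168/29"
INTERNAL = "192.168.0.0/26"
INTERNAL_DHCP = "192.168.1.0/26"
INSIDE = [UPPERHALF, QUARTER2, INTERNAL, INTERNAL_DHCP]
ANY = "0.0.0.0/0"

# The forward chain as (source, destination, target) in the order the script
# appends them: the inside<->inside ACCEPTs, the single-host ACCEPT, the MASQ
# rules, then the logged catch-all DENY.  All twelve pair rules are ACCEPT, so
# their order among themselves cannot change an outcome.
FORWARD = (
    [(s, d, "ACCEPT") for s in INSIDE for d in INSIDE if s != d]
    + [("24.222.181.87/32", ANY, "ACCEPT")]   # "forward for WallaceIntelBox": any dst, any proto
    + [(s, ANY, "MASQ") for s in INSIDE]
    + [(ANY, ANY, "DENY")]                    # "-l -j DENY": logged, then dropped
)


def forward(src, dst, chain=FORWARD, policy="DENY"):
    """Target of the first rule matching src/dst, else the chain policy (ipchains semantics)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, target in chain:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return target
    return policy


if __name__ == "__main__":
    print("interface problems:", iface_problems(IFACES) or "none")
    samples = [
        ("192.168.0.5", "142.176.134.180"),   # internal -> upper half
        ("192.168.0.5", "198.51.100.7"),      # internal -> outside (constructed address)
        ("198.51.100.7", "192.168.0.5"),      # outside -> internal, unsolicited
        ("24.222.181.87", "192.168.0.5"),     # WallaceIntelBox -> internal
    ]
    for src, dst in samples:
        print(f"{src:>15} -> {dst:<15} {forward(src, dst)}")
```

The evaluator only models source and destination addresses, which is all the posted rules select on (the `-p all` on the MASQ rules matches every protocol). Two things it deliberately does not model: replies to masqueraded connections are demasqueraded by the 2.2 kernel and do not pass through the forward chain, so the DENY result for the outside-to-inside sample applies to unsolicited packets only; and because the WallaceIntelBox rule has no `-d` and no `-p`, that one outside host gets the same treatment as an inside subnet, which is why the last sample is ACCEPT rather than DENY.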