
Firewall to two networks



I'm really struggling to understand IP networks, iptables and 
firewalling.  I want to put a firewall inside my ADSL server.  
Because of our house & my hubs, it needs to act as firewall to two 
internal networks, each separate (one for kids, one for parents and 
my www and mail server as it happens).

I have built a machine using old hardware etc with Woody, 2.4.16 
kernel and three working ethernet cards.  If I use two of the five IP 
addresses I have from my ADSL ISP (British Telecom and no choice in 
the matter for me sadly), one for the external card, one for one of 
the internal ones, then I did manage once to get ipforwarding working 
fine.  Now I can't even repeat that feat and I'm baffled.

I think I will need to use two different private address network 
spaces for the two internal cards, e.g. 192.168.2.1 and 192.168.1.1 
each using the supplied public IP address xxx.xxx.xxx.197 which 
points at xxx.xxx.xxx.198, the ADSL router as gateway, all with 
netmasks of 255.255.255.0 and with the two internal cards pointing to 
the external card (xxx.xxx.xxx.197) as gateway.  I thought I had to 
use the private addresses to ensure that there were three distinct 
subnets.

I thought I had that working fine a few days back but today whatever 
I do I get "network unreachable" and I can do everything fine through 
the card pointing at the ADSL router but nothing really, in or out, 
pinging either of the other cards.  It doesn't seem to matter whether 
I use private addresses or another of the supplied ones for the 
internally facing cards.

It's not something wrong with the cards, if I configure one of the 
internally facing ones to look at the router it works fine.

Clearly I've got something very wrong with my network setup and my 
brain's gone to porridge.  

Big request:
a) what am I doing wrong/misunderstanding (pointers to documentation 
gladly accepted!)?

Then if anyone's feeling generous and can take me further:
b) am I right that I have to use different subnet masks for the three 
cards?  If so, I have to use private addresses for two cards as my 
given IPs are contiguous (xxx.xxx.xxx.193-198 including the router).

c) if so, and given that ISP won't route packets from private 
addresses I'm sure, how do I get iptables to rewrite the passing on 
of the packages.

Here's my /etc/network/interfaces file with the offending configs of 
the internally facing cards commented out:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
	address 217.34.100.197
	netmask 255.255.255.0
	network 217.34.100.0
	broadcast 217.34.100.255
	gateway 217.34.100.198


#auto eth1
#iface eth1 inet static
#	address 192.168.1.1
#	netmask 255.255.255.0
#	network 192.168.1.0
#	broadcast 192.168.1.255
#	gateway 217.34.100.197


#auto eth2
#iface eth2 inet static
#	address 192.168.2.1
#	netmask 255.255.255.0
#	network 192.168.2.0
#	broadcast 192.168.2.255
#	gateway 217.34.100.197

TIA,

Chris

PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
   and Therapeutic Communities; practice, research, 
   teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris@psyctc.org
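An added example for question (c), not part of Chris's post: a minimal iptables script for the three-card layout described above, which rewrites the two private LANs to the public address of eth0 and keeps the kids' and parents' networks separate. It assumes the interface names and addresses from the posted interfaces file, that only eth0 carries a gateway line (the internal cards get no default route of their own), and a 2.4 kernel with the ip_conntrack/state modules; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Three-interface NAT firewall (assumed layout, taken from the post):
#   eth0 217.34.100.197/24  external, default gateway 217.34.100.198 (ADSL router)
#   eth1 192.168.1.1/24     parents' LAN (www and mail server live here)
#   eth2 192.168.2.1/24     kids' LAN
# IPT=echo prints every rule instead of loading it (used for a dry run).
IPT="${IPT:-iptables}"
EXT_IF=eth0; EXT_IP=217.34.100.197
PAR_IF=eth1; PAR_NET=192.168.1.0/24
KID_IF=eth2; KID_NET=192.168.2.0/24

fw_rules() {
    # Clean slate: flush both tables, deny inbound and forwarded traffic by default.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Anti-spoofing: nothing arriving on the external card may claim a private source.
    $IPT -A INPUT   -i $EXT_IF -s 192.168.0.0/16 -j DROP
    $IPT -A FORWARD -i $EXT_IF -s 192.168.0.0/16 -j DROP
    # Replies to connections the firewall itself or a LAN host opened.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hosts on either LAN may talk to the firewall box; the outside world may not.
    $IPT -A INPUT -i $PAR_IF -s $PAR_NET -j ACCEPT
    $IPT -A INPUT -i $KID_IF -s $KID_NET -j ACCEPT
    # Each LAN may reach the internet via eth0 only; no forwarding between the LANs,
    # so the kids' network cannot reach the parents' servers (FORWARD policy is DROP).
    $IPT -A FORWARD -i $PAR_IF -s $PAR_NET -o $EXT_IF -j ACCEPT
    $IPT -A FORWARD -i $KID_IF -s $KID_NET -o $EXT_IF -j ACCEPT
    # Question (c): rewrite the private source address to the public one so the
    # ISP never sees 192.168.x.x packets; replies are un-NATed by connection tracking.
    $IPT -t nat -A POSTROUTING -s $PAR_NET -o $EXT_IF -j SNAT --to-source $EXT_IP
    $IPT -t nat -A POSTROUTING -s $KID_NET -o $EXT_IF -j SNAT --to-source $EXT_IP
}

# Load the rules only when invoked as "sh firewall.sh apply" as root;
# without the argument the script just defines fw_rules for a dry run.
if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules
fi
```

Run `IPT=echo sh firewall.sh apply` first to read the rules it would load; with eth1/eth2 brought up without gateway lines, the LAN hosts use 192.168.1.1 / 192.168.2.1 as their gateway and the firewall's own default route via eth0 does the rest.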