
Re: Firewall to two networks



Chris,

A few months ago, I started changing my home network from 10base-2 to
100base-T.  I added a third NIC to my firewall box and set up a new
subnet for this.  The setup I used was straightforward and worked
without any problems for both internal and external communications.  (I
have since converted the 10base-2 machines to 100base-T NICs and am
back to a single subnet).

On the firewall box, I had the following in /etc/network/interfaces:

auto lo eth0 eth1 eth2

iface lo inet loopback

#external interface to ADSL modem
iface eth0 inet static
# static IP assigned to me by my ISP
address xxx.xxx.xxx.xxx
netmask 255.255.255.0
# IP of my ISP's router
gateway yyy.yyy.yyy.yyy

#interface to subnet 1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
 
#interface to subnet 2
iface eth2 inet static
address 192.168.2.1
netmask 255.255.255.0

On one of the subnets, the computers had the following:

auto lo eth0

iface lo inet loopback

iface eth0 inet static
# where xxx is unique for each box
address 192.168.1.xxx
netmask 255.255.255.0
gateway 192.168.1.1

On the other subnet, the following was used:

auto lo eth0

iface lo inet loopback

iface eth0 inet static
# where xxx is unique for each box
address 192.168.2.xxx
netmask 255.255.255.0
gateway 192.168.2.1

On the firewall/router box I am using kernel 2.2.21 with IP chains
(using Debian iptables and ipmasq packages without changes).  It worked
fairly well with 2.4.18 and IP tables (using the Debian iptables
package without changes), but I had some problems with masquerading and
haven't gotten up to speed on IP tables configuration yet, so I
reverted to something with which I am more familiar.  Pinging was not
affected by this, however.  I hope this helps.

Bob


 
On Fri, Aug 23, 2002 at 10:53:28AM +0100, Chris Evans wrote:
> On 22 Aug 2002 at 12:01, Vince Mulhollon wrote:
> 
> > Here's the important part:
> > Post your /sbin/route -n from the firewall itself.
> > Also post your ifconfig from the firewall.
> 
> Dear Vince and others: I've had no response to posting those on the 
> list but have slept on the problem and maybe understand more now.  
> 
> If anyone can find time to comment on these thoughts and my posting 
> of the route and ifconfig information on the list last night, I'd 
> hugely appreciate it as I'm still unconfident that I understand and 
> the linux firewall HOWTO seems to say I should be able to ping to and 
> from those cards.
> 
> Currently I can't ping out from the inward facing cards on the future 
> firewall to a numeric address on the same hub.  Sleeping on it makes 
> me realise this may be because the address I'm pinging isn't on the 
> same subnet and I now have no gateway for those cards or they'll pick 
> the gateway facing the ADSL router (which fits with being able to 
> ping successfully through that!).  
> 
> What about not being able to ping _to_ those cards' numeric addresses 
> either?  Again I guess that's because they'll be on a different 
> subnet from the machine I'm trying to ping from so that machine will 
> try to ping them through its own gateway which is the ADSL router?  
> 
> Aha.... but if I add itself as gateway to the internally facing 
> card's interfaces entry, no change; ditto if I give its address as 
> gateway to the machine I'm pinging from.  Clearly I still don't 
> understand the basics of subnets, broadcasts, networks and gateways 
> and I want to understand this before I go the next step to an initial 
> iptables set of rules from fwbuilder.
> 
> Help please?   TIA,
> 
> Chris
> PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
>    and Therapeutic Communities; practice, research, 
>    teaching and consultancy.
> Chris Evans & Jo-anne Carlyle
> http://psyctc.org/ Email: chris@psyctc.org
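The route selection that Bob's three-interface layout depends on, as an added example (not code from this thread): a longest-prefix-match lookup over a routing table derived from his interfaces file, with the ISP addresses replaced by constructed TEST-NET-3 placeholders. The final case, a host table with its default route removed, reproduces the "no gateway for those cards" situation Chris describes: a destination outside every directly connected subnet has no matching route at all.

```python
from ipaddress import ip_address, ip_network

# Routing table of the firewall box, derived from its interfaces file.
# Each entry: (destination network, outgoing interface, next hop). A next
# hop of None means the destination is on-link and is ARPed for directly.
# 203.0.113.0/24 and 203.0.113.1 are constructed placeholders for the ISP.
FIREWALL_ROUTES = [
    (ip_network("203.0.113.0/24"), "eth0", None),   # external segment (placeholder)
    (ip_network("192.168.1.0/24"), "eth1", None),   # subnet 1, directly connected
    (ip_network("192.168.2.0/24"), "eth2", None),   # subnet 2, directly connected
    (ip_network("0.0.0.0/0"), "eth0", ip_address("203.0.113.1")),  # default via ISP router
]

# Routing table of a subnet-1 host from the post: one NIC, gateway 192.168.1.1.
HOST_ROUTES = [
    (ip_network("192.168.1.0/24"), "eth0", None),
    (ip_network("0.0.0.0/0"), "eth0", ip_address("192.168.1.1")),
]


def lookup(routes, destination):
    """Return (interface, next_hop) for the most specific route covering destination.

    next_hop is the destination itself for an on-link route. Raises LookupError
    when nothing matches, which is what the kernel reports as 'Network is
    unreachable' when you ping a host outside every subnet and have no default.
    """
    dst = ip_address(destination)
    best = None
    for net, iface, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _net, iface, gw = best
    return iface, str(gw if gw is not None else dst)


def without_default(routes):
    """The same table with every default (0.0.0.0/0) route removed."""
    return [r for r in routes if r[0].prefixlen != 0]


def reachable(routes, destination):
    """True if some route covers destination, False otherwise."""
    try:
        lookup(routes, destination)
        return True
    except LookupError:
        return False
```

Note that a host on the same hub but numbered in a different subnet is still routed via the default gateway, because the kernel decides by prefix match, not by which cable the destination happens to share.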