
Re: Setup of Internal Network with Many Real IPs



Hello Again All,

Thanks for your helpful replies, Blars' article in particular was
interesting.  However, I sat down and had a good think about it, and I
think I've come up with a simple solution that doesn't require any
messing with the 'ip' command.

My current firewall router NATs 202.45.126.237 into 10.0.0.0/24 and
back.  I want to keep this, so no changes here are necessary.  However,
for passing traffic for 235 and 236 I figure I can simply install
another network card in the machine and then go:

    INET_IFACE="eth0"           # internet
    VIT_IFACE="eth1"            # 235 and 236 traffic
    VIT_IP1="202.45.126.235"
    VIT_IP2="202.45.126.236"

    # inbound from the internet to the two public hosts (a rule with no
    # target matches but does nothing, so -j ACCEPT is needed to pass it)
    iptables -A FORWARD -p all -i $INET_IFACE -o $VIT_IFACE \
        -d $VIT_IP1,$VIT_IP2 -j ACCEPT
    # outbound from the two public hosts to anywhere
    iptables -A FORWARD -p all -i $VIT_IFACE -o $INET_IFACE \
        -s $VIT_IP1,$VIT_IP2 -d 0/0 -j ACCEPT

And if I configure eth1 without an IP address (or any IP on the same
subnet), then I can just configure each machine at the end of
202.45.126.235-236 to use my ISP's gateway as their gateway --- my
firewall will be (sort of) transparent.  Does this make sense?

I have set up a transparent ethernet bridge firewall before (on the same
network in fact), because I wanted an "invisible" firewall between our
ISP's router and our other machines.  However, I have noticed something
that I didn't notice before: my transparent ethernet bridge firewall
doesn't have more than one IP aliased to either of its interfaces, even
though it's handling traffic for 12 IPs.  This indicates that Iptables
rules are checked against any incoming packet regardless of what IP
is assigned to the interface.  This would suggest that assigning IPs to
interfaces on routers / bridges / firewalls with Iptables is only
necessary if you want to access the firewall machine itself.  Correct?
Aliasing more than one IP to the external interface is always
unnecessary, because you can just set up an Iptables rule for it,
whether in the INPUT or FORWARD chain.  This is why I believe that the
above description will work --- I haven't had time to test it yet, but
am I correct in theory?

Here's a picture:

                            +---------------+
                            |  ISPs router  |
                            +---------------+ 202.45.126.225
                                    |
                                    |
                                    * transparent bridge
                                    |
                                    |
                            +---------------+ [eth0] 202.45.126.237
                            |   my router   |
                     [eth1] +---------------+ [eth2] 10.0.0.2
                            |               |
                        +---'               `---+
                        |                       |
                        |                       |
                    +---+---+                   `--- 10.0.0.0/24 LAN
                    |       |
  202.45.126.235 ---'       `--- 202.45.126.236

  gw: 202.45.126.225
  sn: 202.45.126.240
  bc: 202.45.126.239
  nm: 255.255.255.240

If I'm not mistaken, eth1 doesn't need an IP address.  My only concern
now is, how will 235 and 236 be able to find 237 and vice-versa?  That
will require more Iptables rules to route that traffic, correct?

Sorry for the long rambling post, I don't know anyone personally who I
can ask.

Regards,

Lucas
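An added example, not part of Lucas's post: a POSIX sh script that generates a default-deny version of the FORWARD rules from the post (explicit -j ACCEPT, stateful, inbound limited to an assumed TCP port list) and first checks that each public host shares the gateway's subnet under the netmask given in the diagram. It only prints the iptables commands, so it runs without root or iptables installed.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a default-deny
# FORWARD ruleset for the two public hosts and checks that each host shares
# the gateway's subnet. Only prints commands, so no root or iptables needed.
INET_IFACE="eth0"                 # Internet side
VIT_IFACE="eth1"                  # 235 and 236 side
VIT_HOSTS="202.45.126.235 202.45.126.236"
GATEWAY="202.45.126.225"
NETMASK="255.255.255.240"
ALLOWED_TCP_PORTS="22 80"         # assumed services, not from the post

# ip_to_int: dotted quad -> 32-bit integer using shell arithmetic only
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR1 ADDR2 MASK: succeeds when both lie in the same network
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# forward_rules: print the iptables commands; fails if a host is misaddressed
forward_rules() {
    for h in $VIT_HOSTS; do
        same_subnet "$h" "$GATEWAY" "$NETMASK" ||
            { echo "$h is not in the subnet of $GATEWAY" >&2; return 1; }
    done
    echo "iptables -P FORWARD DROP"
    # replies to connections already allowed in either direction
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for h in $VIT_HOSTS; do
        # new connections from the public hosts out to the Internet
        echo "iptables -A FORWARD -i $VIT_IFACE -o $INET_IFACE -s $h" \
             "-m state --state NEW -j ACCEPT"
        # new connections from the Internet in, only to the listed TCP ports
        for p in $ALLOWED_TCP_PORTS; do
            echo "iptables -A FORWARD -i $INET_IFACE -o $VIT_IFACE -p tcp" \
                 "-d $h --dport $p -m state --state NEW -j ACCEPT"
        done
    done
}

forward_rules
```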


