
Re: "transparent" firewall possible?



On Mon, 2002-02-04 at 20:17, Jason Lim wrote:
> Probably someone has done all this in the past, and in fact I have found a
> distro that *sounds* like it does this, but it is a weird heavily
> customized Redhat, and I would prefer to stick with the Debian that we all
> love.
> 
I'm doing something similar to this using proxy arp and a single IP
address on the network, with a Debian box running a 2.4 kernel.  The
steps I took are roughly as follows:

Configure both NICs with the same IP address.  For convenience, use the
highest IP address in your netblock.  Assuming your netblock is
192.168.0.0/24, the firewall's IP is 192.168.0.254, and the default
gateway is 192.168.0.1, run the following:

# Answer ARP for the protected hosts on the outside NIC and for the
# gateway on the inside NIC
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
# Both NICs got a connected route for the netblock; drop them and split
# the routing: the gateway via eth0, the rest of the netblock via eth1
ip route del 192.168.0.0/24 dev eth0
ip route del 192.168.0.0/24 dev eth1
ip route add 192.168.0.1 dev eth0
ip route add 192.168.0.0/24 dev eth1
# Enable forwarding last, once the firewall rules are loaded
echo 1 > /proc/sys/net/ipv4/ip_forward

Before you do that, you'll want to do some firewalling.  You'll need to
use the FORWARD table for your rules going to the hosts you're
protecting.  I personally find it easier to make a pile of rules in your
FORWARD table jumping to per-IP chains, e.g:

# Per-host chain for 192.168.0.2: allow replies, allow new HTTP
# connections, log and drop everything else
iptables -N fw_2
iptables -A fw_2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A fw_2 -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A fw_2 -j LOG
iptables -A fw_2 -j DROP
# Hand everything addressed to that host to its chain
iptables -A FORWARD -d 192.168.0.2 -j fw_2

and so on, for your firewall rules.  Don't forget the INPUT and OUTPUT
chains to catch things going directly to your firewall.

I got this information off a web site that's bookmarked on my work
computer, if you want I'll dig up the URL tomorrow.

Anyway, hope that helps!
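The procedure in the mail above, put together as one script. This is an added example and is not the poster's own script; it assumes the NICs already carry the shared address, that `DRY_RUN=1` (the default) prints the commands instead of running them so the plan can be reviewed offline, and the host list, `ADMIN_HOST`, and the `IPT`/`IP`/`OUTSIDE`/`INSIDE` names are hypothetical. It goes one step beyond the mail by setting a DROP policy on FORWARD and INPUT, so a protected host that never gets a chain is not forwarded at all.

```shell
#!/bin/sh
# Added example, not from the mail above: the proxy-ARP transparent firewall
# it describes, as a script. DRY_RUN=1 (default) prints the commands it would
# run; DRY_RUN=0 executes them. IPT, IP, OUTSIDE, INSIDE, ADMIN_HOST and the
# protected-host list are assumed values, not taken from the original mail.

IPT="${IPT:-iptables}"
IP="${IP:-ip}"
DRY_RUN="${DRY_RUN:-1}"

NETBLOCK="${NETBLOCK:-192.168.0.0/24}"     # netblock from the mail's example
GATEWAY="${GATEWAY:-192.168.0.1}"          # upstream router from the mail's example
OUTSIDE="${OUTSIDE:-eth0}"                 # NIC towards the router
INSIDE="${INSIDE:-eth1}"                   # NIC towards the protected hosts
ADMIN_HOST="${ADMIN_HOST:-192.168.0.10}"   # hypothetical: only host allowed to ssh in

# run CMD...: print or execute, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$@"
    else
        "$@"
    fi
}

# set_sysctl /proc/sys/PATH VALUE: same idea for the /proc knobs.
set_sysctl() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $2 > $1"
    else
        echo "$2" > "$1"
    fi
}

# chain_name 192.168.0.2 -> fw_2, following the naming in the mail.
chain_name() {
    echo "fw_${1##*.}"
}

# host_rules HOST PORTS: one chain per protected host. PORTS is a comma-separated
# list of TCP ports that accept new connections; empty means reply traffic only.
host_rules() {
    host=$1; ports=$2; chain=$(chain_name "$host")
    run "$IPT" -N "$chain"
    run "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        run "$IPT" -A "$chain" -m state --state NEW -p tcp --dport "$p" -j ACCEPT
    done
    run "$IPT" -A "$chain" -j LOG --log-prefix "$chain:"
    run "$IPT" -A "$chain" -j DROP
    run "$IPT" -A FORWARD -d "$host" -j "$chain"
}

# firewall_base: traffic to the box itself, then default-deny policies. With
# FORWARD set to DROP, a protected host that never got a chain is not forwarded.
firewall_base() {
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -s "$ADMIN_HOST" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run "$IPT" -A INPUT -j LOG --log-prefix "fw_input:"
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
}

# proxy_arp_routes: the routing steps from the mail, forwarding enabled last.
proxy_arp_routes() {
    set_sysctl "/proc/sys/net/ipv4/conf/$OUTSIDE/proxy_arp" 1
    set_sysctl "/proc/sys/net/ipv4/conf/$INSIDE/proxy_arp" 1
    # Both NICs carry the same address, so both have a connected route for the
    # netblock; replace them with: gateway via outside, rest of netblock via inside.
    run "$IP" route del "$NETBLOCK" dev "$OUTSIDE"
    run "$IP" route del "$NETBLOCK" dev "$INSIDE"
    run "$IP" route add "$GATEWAY" dev "$OUTSIDE"
    run "$IP" route add "$NETBLOCK" dev "$INSIDE"
    set_sysctl /proc/sys/net/ipv4/ip_forward 1
}

main() {
    firewall_base
    host_rules 192.168.0.2 80,443   # hypothetical web server
    host_rules 192.168.0.3 25       # hypothetical mail server
    host_rules 192.168.0.4 ""       # hypothetical client: outbound only
    proxy_arp_routes
}

main
```

Run it once with the default DRY_RUN=1 and read the output before running with DRY_RUN=0 from the console, not over ssh: the INPUT policy flips to DROP partway through, and only ADMIN_HOST keeps ssh access afterwards.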


