Re: "transparent" firewall possible?

On Mon, 2002-02-04 at 20:17, Jason Lim wrote:
> Probably someone has done all this in the past, and in fact I have found a
> distro that *sounds* like it does this, but it is a weird heavily
> customized Redhat, and I would prefer to stick with the Debian that we all
> love.
I'm doing something similar to this using proxy arp and a single IP
address on the network, with a Debian box running a 2.4 kernel.  The
steps I took are roughly as follows:

configure both NICs with the same IP address.  For convenience, use the
highest IP address in your netblock.  Assuming your netblock is, the firewall's IP is, and the default
gateway is, run the following:

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
ip route del dev eth0
ip route del dev eth1
ip route add dev eth0
ip route add dev eth1
echo 1 > /proc/sys/net/ipv4/ip_forward

before you do that, you'll want to do some firewalling.  You'll need to
use the FORWARD table for your rules going to the hosts you're
protecting.  I personally find it easier to make a pile of rules in your
FORWARD table jumping to per-IP chains, e.g.:

iptables -N fw_2
iptables -A fw_2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A fw_2 -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A fw_2 -j LOG
iptables -A fw_2 -j DROP
iptables -A FORWARD -d -j fw_2

and so on, for your firewall rules.  Don't forget the INPUT and OUTPUT
chains to catch things going directly to your firewall.

I got this information off a web site that's bookmarked on my work
computer, if you want I'll dig up the URL tomorrow.

Anyway, hope that helps!
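The recipe above as one parameterised script (an added example, not the poster's own commands): proxy ARP on both NICs, the netblock routed out the inside NIC with a host route for the gateway on the outside NIC (an assumed layout, since the addresses in the mail did not survive), a default-deny base policy, and per-host FORWARD chains in the fw_2 style. The 192.0.2.0/24 netblock, gateway, host address and NIC names are constructed placeholders; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original mail): proxy-ARP transparent firewall
# with per-host FORWARD chains.  Addresses and NIC names are placeholders.
NETBLOCK="${NETBLOCK:-192.0.2.0/24}"   # constructed netblock (RFC 5737)
GATEWAY="${GATEWAY:-192.0.2.1}"        # constructed upstream router address
OUTSIDE="${OUTSIDE:-eth0}"             # NIC towards the gateway
INSIDE="${INSIDE:-eth1}"               # NIC towards the protected hosts
IPT="${IPT:-iptables}"
# Print instead of execute when DRY_RUN is set, so rules can be reviewed first.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Proxy ARP on both NICs, then route the gateway via OUTSIDE and the netblock
# via INSIDE so the kernel answers ARP on each side for hosts on the other
# (assumed layout) and forwards between them.
setup_forwarding() {
    run sysctl -w "net.ipv4.conf.$OUTSIDE.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$INSIDE.proxy_arp=1"
    run ip route del "$NETBLOCK" dev "$OUTSIDE"
    run ip route del "$NETBLOCK" dev "$INSIDE"
    run ip route add "$GATEWAY" dev "$OUTSIDE"
    run ip route add "$NETBLOCK" dev "$INSIDE"
    run ip route replace default via "$GATEWAY" dev "$OUTSIDE"
    run sysctl -w net.ipv4.ip_forward=1
}
# Default-deny for traffic to and through the box; the INPUT chain only takes
# loopback and replies to connections the firewall itself opened.
base_policy() {
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
# One chain per protected host: replies, the listed TCP ports, log, drop.
# Usage: protect_host <name> <address> [tcp-port ...]
protect_host() {
    name="$1"; addr="$2"; shift 2; chain="fw_$name"
    run "$IPT" -N "$chain"
    run "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        run "$IPT" -A "$chain" -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done
    run "$IPT" -A "$chain" -j LOG --log-prefix "$chain: "
    run "$IPT" -A "$chain" -j DROP
    run "$IPT" -A FORWARD -d "$addr" -j "$chain"
}
# Rules go in before forwarding is switched on, as the mail advises.
if [ "${1:-}" = "apply" ]; then
    base_policy; setup_forwarding
    protect_host web 192.0.2.10 80 443   # constructed placeholder host
fi
```

Run as `DRY_RUN=1 sh firewall.sh apply` to review the generated commands, then without DRY_RUN as root to apply them.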

