Re: "transparent" firewall possible?
On Mon, 2002-02-04 at 20:17, Jason Lim wrote:
> Probably someone has done all this in the past, and in fact I have found a
> distro that *sounds* like it does this, but it is a weird heavily
> customized Redhat, and I would prefer to stick with the Debian that we all
> love.
>
I'm doing something similar to this using proxy arp and a single IP
address on the network, with a Debian box running a 2.4 kernel. The
steps I took are roughly as follows:
Configure both NICs with the same IP address. For convenience, use the
highest IP address in your netblock. Assuming your netblock is
192.168.0.0/24, the firewall's IP is 192.168.0.254, and the default
gateway is 192.168.0.1, run the following:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp   # answer ARP for the inside hosts on eth0
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp   # answer ARP for the gateway on eth1
ip route del 192.168.0.0/24 dev eth0              # drop the connected routes both NICs got
ip route del 192.168.0.0/24 dev eth1
ip route add 192.168.0.1 dev eth0                 # only the gateway is reached via eth0
ip route add 192.168.0.0/24 dev eth1              # the whole netblock is reached via eth1
echo 1 > /proc/sys/net/ipv4/ip_forward            # finally turn on forwarding
Before you do that, you'll want to do some firewalling. You'll need to
use the FORWARD table for your rules going to the hosts you're
protecting. I personally find it easier to make a pile of rules in your
FORWARD table jumping to per-IP chains, e.g.:
iptables -N fw_2                                                   # one chain per protected host
iptables -A fw_2 -m state --state ESTABLISHED,RELATED -j ACCEPT    # replies to existing connections
iptables -A fw_2 -m state --state NEW -p tcp --dport 80 -j ACCEPT  # the only service allowed in
iptables -A fw_2 -j LOG                                            # log everything else ...
iptables -A fw_2 -j DROP                                           # ... then drop it
iptables -A FORWARD -d 192.168.0.2 -j fw_2                         # hand traffic for this host to its chain
and so on, for your firewall rules. Don't forget the INPUT and OUTPUT
chains to catch things going directly to your firewall.
I got this information off a web site that's bookmarked on my work
computer, if you want I'll dig up the URL tomorrow.
Anyway, hope that helps!
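The setup described in the reply above, as an added example that is not part of the original mail or of any Debian package: a POSIX sh script that builds the proxy-ARP routes, a per-host FORWARD chain for each protected address, and rules for the firewall's own INPUT chain, in the order the post recommends (firewall rules first, forwarding last). It only prints the commands unless APPLY=1 is set, so it can be reviewed or diffed before it touches a box. Assumptions that are not in the original: `sysctl -w` is used instead of `echo 1 > /proc/...` so the commands can be passed through the dry-run wrapper, chains are named `fw_<last octet>`, the firewall is managed over SSH (port 22), INPUT and FORWARD get a DROP policy so hosts without a chain get nothing through, and the addresses and the second host (192.168.0.3 with mail ports) are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds the proxy-ARP
# "transparent" firewall from the post. Prints commands by default;
# APPLY=1 (as root) executes them instead.

NET="${NET:-192.168.0.0/24}"     # protected netblock (post's example value)
GW="${GW:-192.168.0.1}"          # upstream default gateway
OUT_IF="${OUT_IF:-eth0}"         # NIC facing the gateway
IN_IF="${IN_IF:-eth1}"           # NIC facing the protected hosts
ADMIN_PORT="${ADMIN_PORT:-22}"   # assumption: firewall is managed over SSH

# Print a command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Reject anything that is not a plain decimal port number.
check_port() {
    case "$1" in
        ''|*[!0-9]*) printf 'bad port: %s\n' "$1" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rules for traffic aimed at the firewall itself (the post's reminder
# about INPUT/OUTPUT). Assumed policy: default DROP, allow loopback,
# established traffic and the admin port, log the rest.
setup_firewall_host() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP   # hosts without a chain get nothing through
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$ADMIN_PORT" -j ACCEPT
    run iptables -A INPUT -j LOG --log-prefix "fw-input:"
}

# One chain per protected host: $1 is the host IP, the remaining
# arguments are the TCP ports allowed in. Everything else is logged and
# dropped. Chain name is fw_<last octet> (assumption), e.g. fw_2.
host_chain() {
    host="$1"; shift
    chain="fw_${host##*.}"
    for port in "$@"; do check_port "$port" || return 1; done
    run iptables -N "$chain"
    run iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        run iptables -A "$chain" -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done
    run iptables -A "$chain" -j LOG --log-prefix "$chain:"
    run iptables -A "$chain" -j DROP
    run iptables -A FORWARD -d "$host" -j "$chain"
}

# Proxy ARP on both NICs, a host route to the gateway on the outer NIC,
# the whole netblock via the inner NIC, and forwarding switched on last.
setup_proxy_arp() {
    run sysctl -w "net.ipv4.conf.$OUT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$IN_IF.proxy_arp=1"
    run ip route del "$NET" dev "$OUT_IF"
    run ip route del "$NET" dev "$IN_IF"
    run ip route add "$GW" dev "$OUT_IF"
    run ip route add "$NET" dev "$IN_IF"
    run sysctl -w net.ipv4.ip_forward=1
}

main() {
    setup_firewall_host
    host_chain 192.168.0.2 80        # web server: only HTTP in (post's example)
    host_chain 192.168.0.3 25 143    # constructed: mail server, SMTP and IMAP in
    setup_proxy_arp
}

main "$@"
```

Run it once without APPLY to read the generated rule set, then with `APPLY=1` as root on the firewall; the ordering matters, because enabling forwarding before the FORWARD chain has a DROP policy leaves a window where every protected host is fully exposed.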