Linux Firewall with "REAL" IP Addresses - no NAT or Masq

I have a linux box set up running Red Hat 7.1 and using the firestarter GUI to set up an iptables firewall.  Everything works fine on the external side of things - can get to the internet and the machine is stealthed according to an external port scan.  My difficulty lies in trying to use all real IP addresses on the internal side as well (mostly for games - working at a small startup ;-).  I need to know if my external and internal NICs on the linux box can be on the same subnet mask, and if so how do I make sure the packets get where they need to be - an example follows using made up ip addresses:

internal machine:     84.84.88.240
lan nic on linux box: 84.84.88.227
wan nic on linux box: 84.84.88.226
gateway on router:    84.84.88.225

subnet mask on all above: 255.255.255.224

*.240 needs to get to the outside world, while still being safe behind the filters.

I'm sure I'm leaving some info out, so let's start a discussion first.

Thanks,
themole
1 Solution
 
ahoffmannCommented:
no, internal and external net cannot be the same IP-net.
Best is to use RFC addresses internal (for example 192.168.0.x), and using NAT with iptables, like:
   iptables -t nat -A POSTROUTING -o wan-nic -j MASQUERADE
0
 
themoleAuthor Commented:
Thanks for the info on the IP-Net, but using the RFC addresses defeats the purpose of what I'm trying to do.  I want to keep the "Real" IP addresses on the inside.  Anyone with other ideas ?  Can I split my real IP addresses and make a subnet of a subnet ?

thanks
0
 
ahoffmannCommented:
splitting the net may also work, just set the corresponding netmask on each subnet
0
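Added example (not code from the thread or from any of the posters): a standard-library Python script that applies ahoffmann's "split the net" advice to the made-up addresses in the question. It confirms that the WAN and LAN NICs currently share one /27, splits that /27 into two /28s, keeps the half containing the upstream gateway as the outside, and reports which addresses would have to change; the function names and the replacement addresses .241/.242 used in the demo run are my own assumptions.

```python
from ipaddress import IPv4Address, IPv4Network, ip_interface

# Constructed from the question's (admittedly made-up) addresses; every
# interface currently carries the same mask, 255.255.255.224 (/27).
ORIGINAL_MASK = "255.255.255.224"
WAN_NIC, LAN_NIC = "84.84.88.226", "84.84.88.227"
GATEWAY, INTERNAL_HOST = "84.84.88.225", "84.84.88.240"


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses fall into one network under the given mask."""
    return (ip_interface(f"{addr_a}/{mask}").network
            == ip_interface(f"{addr_b}/{mask}").network)


def usable_host(network: IPv4Network, addr: str) -> bool:
    """A host must sit inside the block and be neither its network nor broadcast address."""
    ip = IPv4Address(addr)
    return ip in network and ip not in (network.network_address, network.broadcast_address)


def plan_split(wan: str, lan: str, host: str, gateway: str, mask: str, new_prefix: int) -> dict:
    """Split the current block into /new_prefix blocks and check each address.

    The block holding the upstream gateway stays 'outside'; the other block
    becomes the routed inside LAN. Reports every address that must change.
    """
    outer = ip_interface(f"{wan}/{mask}").network
    blocks = list(outer.subnets(new_prefix=new_prefix))
    if len(blocks) < 2:
        raise ValueError("new_prefix must be longer than the current mask")
    outside = next(n for n in blocks if IPv4Address(gateway) in n)
    inside = next(n for n in blocks if n != outside)
    checks = {"wan_nic": usable_host(outside, wan),
              "lan_nic": usable_host(inside, lan),
              "internal_host": usable_host(inside, host)}
    problems = [f"{name} must be a usable host in {outside if name == 'wan_nic' else inside}"
                for name, ok in checks.items() if not ok]
    return {"outside": str(outside), "inside": str(inside),
            "ok": not problems, "problems": problems}


if __name__ == "__main__":
    print("WAN and LAN NIC share a subnet today:", same_subnet(WAN_NIC, LAN_NIC, ORIGINAL_MASK))
    # As posted: .227 stays on the outside half and .240 is the new inside network address.
    print(plan_split(WAN_NIC, LAN_NIC, INTERNAL_HOST, GATEWAY, ORIGINAL_MASK, 28))
    # Hypothetical fix: move the LAN NIC and the host into the .240/28 half.
    print(plan_split(WAN_NIC, "84.84.88.241", "84.84.88.242", GATEWAY, ORIGINAL_MASK, 28))
```

Note that the split leaves the router-side half with only 14 usable hosts and turns .240 into a network address, which is the kind of detail a dry run catches before any upstream routing change is requested.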
 
vsamtaniCommented:
In order to avoid the routing problem, you could use the linux box as a filtering bridge, instead of a router. You would therefore have two ethernet segments. The linux box would have a network interface on both segments, and would bridge (layer 2, therefore transparently to layer 3 protocols such as tcp/ip) the two segments. The bridging code integrates with the ipchains code so that you can filter tcp/ip packets according to the usual source and destination criteria.

http://www.linuxdoc.org/HOWTO/BRIDGE-STP-HOWTO/index.html

is the howto on setting up a filtering bridge.

Vijay
0
 
jlevieCommented:
ahoffmann is completely correct w/respect to the subnets.

As far as I know the only options available for a Linux firewall are to either split your outside netblock, which may require routing changes upstream of the Linux box, or to use a private address space on the inside and set up static NAT translations in iptables rather than using IPMasq. Using static NAT translations will allow almost all of the games to work provided that the hostnames of all nodes on the network are set to what a reverse lookup of a node's outside IP is. If you run your own DNS server that will require setting up inside and outside views. There are some games that actually look at the local machine's IP and they'd still be a problem.

To really do what you want you need a bridging firewall. And as far as I know OpenBSD is the only environment that can provide that.
0
 
ahoffmannCommented:
this bridging works with ipchains on a 2.3.47 (or higher) kernel only (as stated in the document).
Also if you use NAT, your "internal" IPs must not be private (RFC) IP addresses, it simply doesn't matter what you're NATting.
0
 
themoleAuthor Commented:
Has anyone heard of a way to do static NAT with a linux box, so that the internal machines can have private addresses, but when they go to the internet they are given a real IP address from a pool on a one-to-one basis.  It seems like that might allow me to accomplish what I need.

thanks,

M
0
 
ahoffmannCommented:
static NAT is possible with the -j SNAT option in iptables, see man-page and NAT-HOWTO.txt

0
 
themoleAuthor Commented:
Sorry to keep shifting gears on you guys, but I'm fairly new at the linux thing.  I try to read as many how-to's and man-pages as I can before posting anything.  I am now using an iptables firewall tool called Shoreline (Shorewall) which seems to make configuring the firewall much easier, but right now it is not starting.  I'm on a RedHat 7.1 box and keep getting "module in use" or "i/o irq conflicts" errors when I try to start the firewall.  I'm going to read a bit more, and see if it is just a general linux setup mistake on my part, or if it is related to iptables.  Thanks for all the help, and I will probably end up splitting the points to those who have helped me hash this out.

Thanks - m
0
 
jlevieCommented:
If you are getting those messages when trying to start iptables on a default RH 7.1 system, then the cause is likely to be that you haven't disabled ipchains. The default configuration for 7.1 runs ipchains and either it or iptables can be used, but not both. You can swap which firewall method is to be used with linuxconf, or do:

# /etc/init.d/ipchains stop
# chkconfig ipchains off
# chkconfig iptables on
# /etc/init.d/iptables start
0
 
themoleAuthor Commented:
Thanks!!! that helped a ton.  I have resolved all the configuration issues now, but that should not be too much trouble.  How do I give you points without closing the question ?

M
0
 
ahoffmannCommented:
>  How do I give you points without closing the question ?
post dummy questions
0
 
themoleAuthor Commented:
Just in case anyone is interested, I was able to use ProxyARP with the Shorewall iptables tool.  It allows you to use real IP addresses on the inside, while still gaining the benefits of the firewall.  The internal NIC of the firewall box still uses the 192.168.*.* or whatever, but thinks it is on the same subnet as the other Public IPs.  I will be making some dummy questions to spread the points to all of you who led me down the right path.


Thanks again,

M  
0
