Solved

Linux Firewall with "REAL" IP Addresses - no NAT or Masq

Posted on 2001-07-13
13
437 Views
Last Modified: 2010-05-18
I have a linux box set up running Red Hat 7.1 and using the firestarter GUI to set up an iptables firewall.  Everything works fine on the external side of things - can get to the internet and the machine is stealthed according to an external port scan.  My difficulty lies in trying to use all real IP addresses on the internal side as well (mostly for games - working at a small startup ;-).  I need to know if my external and internal NICs on the linux box can be on the same subnet mask, and if so how do I make sure the packets get where they need to be - an example follows using made up ip addresses:

internal machine:     84.84.88.240
lan nic on linux box: 84.84.88.227
wan nic on linux box: 84.84.88.226
gateway on router:    84.84.88.225

subnet mask on all above: 255.255.255.224

*.240 needs to get to the outside world, while still being safe behind the filters.

I'm sure I'm leaving some info out, so let's start a discussion first.

Thanks,
themole
Question by:themole
13 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6281660
no, internal and external net cannot be the same IP-net.
Best is to use RFC addresses internal (for example 192.168.0.x), and using NAT with iptables, like:
   iptables -t nat -A POSTROUTING -o wan-nic -j MASQUERADE
0
 

Author Comment

by:themole
ID: 6281736
Thanks for the info on the IP-Net, but using the RFC addresses defeats the purpose of what I'm trying to do.  I want to keep the "Real" IP addresses on the inside.  Anyone with other ideas ?  Can I split my real IP addresses and make a subnet of a subnet ?

thanks
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6281742
splitting the net may also work, just set the corresponding netmask on each subnet
0
 
LVL 5

Expert Comment

by:vsamtani
ID: 6282061
In order to avoid the routing problem, you could use the linux box as a filtering bridge, instead of a router. You would therefore have two ethernet segments. The linux box would have a network interface on both segments, and would bridge (layer 2, therefore transparently to layer 3 protocols such as tcp/ip) the two segments. The bridging code integrates with the ipchains code so that you can filter tcp/ip packets according to the usual source and destination criteria.

http://www.linuxdoc.org/HOWTO/BRIDGE-STP-HOWTO/index.html

is the howto on setting up a filtering bridge.

Vijay
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6282078
ahoffmann is completely correct w/respect to the subnets.

As far as I know the only options available for a Linux firewall are to either split your outside netblock, which may require routing changes upstream of the Linux box, or to use a private address space on the inside and set up static NAT translations in iptables rather than using IPMasq. Using static NAT translations will allow almost all of the games to work provided that the hostnames of all nodes on the network are set to what a reverse lookup of a node's outside IP is. If you run your own DNS server that will require setting up inside and outside views. There are some games that actually look at the local machine's IP and they'd still be a problem.

To really do what you want you need a bridging firewall. And as far as I know OpenBSD is the only environment that can provide that.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6283153
this bridging works with ipchains on a 2.3.47 (or higher) kernel only (as stated in the document).
Also if you use NAT, your "internal" IPs must not be private (RFC) IP addresses, it simply doesn't matter what you're NATting.
0
 

Author Comment

by:themole
ID: 6286742
Has anyone heard of a way to do static NAT with a linux box, so that the internal machines can have private addresses, but when they go the internet they are given a real IP address from a pool on a one to one basis.  It seems like that might allow me to accomplish what I need.

thanks,

M
0
 
LVL 51

Accepted Solution

by: ahoffmann earned 100 total points
ID: 6287112
static nat is possible with the  -j SNAT  option in iptables, see man-page and NAT-HOWTO.txt

0
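The one-to-one static NAT that jlevie describes above and that the accepted answer points at with -j SNAT, written out as an added example (not code from the thread or from Shorewall). It assumes eth0 is the WAN NIC, eth1 the LAN NIC, 192.168.1.240 is a constructed private address for the inside host, and 84.84.88.240 is one of the thread's made-up public addresses; set RUN=echo to print the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: one-to-one ("static") NAT with iptables,
# giving an inside host with a private address its own public address from the
# pool instead of sharing the firewall's address via MASQUERADE.
# Assumptions: eth0 is the WAN NIC, eth1 the LAN NIC, 192.168.1.240 is a
# constructed private address and 84.84.88.240 one of the thread's made-up
# public addresses. Set RUN=echo to print the commands instead of running them.
RUN=${RUN:-}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# static_nat PRIVATE PUBLIC: install the rules for one 1:1 mapping
static_nat() {
    priv=$1; pub=$2
    # the firewall must answer for the public address on the WAN segment,
    # otherwise the upstream router never sends packets for it our way
    $RUN ip addr add "$pub/32" dev "$WAN_IF"
    # outbound: source rewritten to the host's own public address
    $RUN iptables -t nat -A POSTROUTING -s "$priv" -o "$WAN_IF" -j SNAT --to-source "$pub"
    # inbound: destination rewritten before routing so the packet reaches the host
    $RUN iptables -t nat -A PREROUTING -d "$pub" -i "$WAN_IF" -j DNAT --to-destination "$priv"
    # NAT does not filter; the FORWARD chain still decides what crosses the box.
    # Let the host out, and let only replies to its own connections back in.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$priv" -j ACCEPT
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# open_inbound PRIVATE PROTO PORT: allow one unsolicited inbound port, e.g. for
# a game server on the inside host that must be reachable from outside
open_inbound() {
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$1" -p "$2" --dport "$3" -j ACCEPT
}

setup() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    # default deny for forwarded traffic; the rules above punch the holes
    $RUN iptables -P FORWARD DROP
    static_nat 192.168.1.240 84.84.88.240
}
```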
 

Author Comment

by:themole
ID: 6295381
Sorry to keep shifting gears on you guys, but I'm fairly new at the linux thing.  I try to read as many how-to's and man-pages as I can before posting anything.  I am now using an iptables firewall tool called Shoreline (Shorewall) which seems to make configuring the firewall much easier, but right now it is not starting.  I'm on a RedHat 7.1 box and keep getting "module in use" or "i/o irq conflicts" errors when I try to start the firewall.  I'm going to read a bit more, and see if it is just a general linux setup mistake on my part, or if it is related to iptables.  Thanks for all the help, and I will probably end up splitting the points to those who have helped me hash this out.

Thanks - m
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6295928
If you are getting those messages when trying to start iptables on a default RH 7.1 system, then the cause is likely to be that you haven't disabled ipchains. The default configuration for 7.1 runs ipchains and either it or iptables can be used, but not both. You can swap which firewall method is to be used with linuxconf, or do:

# /etc/init.d/ipchains stop
# chkconfig ipchains off
# chkconfig iptables on
# /etc/init.d/iptables start
0
 

Author Comment

by:themole
ID: 6309635
Thanks!!! That helped a ton.  I have resolve all the configuration issues now, but that should not be too much trouble.  How do I give you points without closing the question ?

M
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6309721
>  How do I give you points without closing the question ?
post dummy questions
0
 

Author Comment

by:themole
ID: 6338650
Just in case anyone is interested, I was able to use ProxyARP with the Shorewall iptables tool.  It allows you to use real IP addresses on the inside, while still gaining the benefits of the firewall.  The internal NIC of the firewall box still uses the 192.168.*.* or whatever, but thinks it is on the same subnet as the other Public IPs.  I will be making some dummy questions to spread the points to all of you who led me down the right path.


Thanks again,

M  
0
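The proxy-ARP layout themole settled on, as an added example in plain sysctl/iproute2 commands rather than Shorewall's configuration (this is not code from the thread or from Shorewall). It assumes eth0 is the WAN NIC at 84.84.88.226/27 with the router at .225, eth1 is the LAN NIC carrying a private address, and the inside hosts keep their public .224/27 addresses with .225 as their gateway; the same_subnet check is a constructed helper that confirms an address really belongs to the WAN block before it is published.

```shell
#!/bin/sh
# Added example, not from the thread: proxy ARP on the firewall so inside hosts
# keep public addresses from the WAN block while all traffic still crosses the
# FORWARD chain. Assumptions: eth0 = WAN NIC (84.84.88.226, mask
# 255.255.255.224, router 84.84.88.225), eth1 = LAN NIC with a private address.
# Set RUN=echo to print the commands instead of running them.
RUN=${RUN:-}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_ADDR=84.84.88.226
WAN_MASK=255.255.255.224

# ip2int ADDR: dotted quad to a 32-bit integer, for mask arithmetic
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR1 ADDR2 MASK: exit 0 when both addresses share a network
same_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# proxy_arp_host PUBLIC: publish one inside host on the WAN segment. With a
# host route out the LAN NIC, the kernel answers ARP for it on the WAN side
# (and answers for the router on the LAN side), so both ends think the host
# sits on the same wire while every packet is routed, and filtered, by us.
proxy_arp_host() {
    $RUN ip route add "$1/32" dev "$LAN_IF"
}

# setup_proxy_arp HOST...: forwarding plus proxy ARP on both NICs, then one
# host route per published address; refuse addresses outside the WAN block,
# since the upstream router would never ARP for those on our segment
setup_proxy_arp() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN sysctl -w "net.ipv4.conf.$WAN_IF.proxy_arp=1"
    $RUN sysctl -w "net.ipv4.conf.$LAN_IF.proxy_arp=1"
    for h in "$@"; do
        same_subnet "$h" "$WAN_ADDR" "$WAN_MASK" || { echo "$h is not in the WAN block" >&2; return 1; }
        proxy_arp_host "$h"
    done
}
```

The filtering rules themselves are the usual FORWARD-chain policy; proxy ARP only changes how the addresses are reached, not what is allowed through.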
