Solved

SIMPLE firewall question

Posted on 2003-10-22
278 Views
Last Modified: 2010-04-22
Newbie Linux person so be gentle...:-)

RH9 Linux box in a lab that I would like to use as a firewall. Two NIC cards (one with IP 192.168.20.1 for the internal network and the other with IP 207.192.10.1 for the external). Couple of questions...

What do I need to do to get the two NICs in the box routing to/from each other (route add???)

How do I set iptables with a 'basic firewall setup'?

Thanks!

Question by:ConnieCA
26 Comments

Expert Comment

by:paullamhkg
ID: 9604107
Have a look here: http://www.tldp.org/HOWTO/Security-HOWTO/index.html, which covers not only the firewall (iptables/ipchains) but also how to secure your Linux box.

For routing and load balancing check here http://lartc.org/howto/index.html

Hope those info can help :)

Expert Comment

by:mbarbos
ID: 9605673
First you should enable routing, as it is usually disabled by default:
echo 1 > /proc/sys/net/ipv4/ip_forward

Then set up your routes as you wish.
Have a look at http://www.tldp.org/HOWTO/Net-HOWTO/index.html and http://www.tldp.org/LDP/nag2/index.html

Then you can start playing with the firewall.
You can find documentation for iptables (the current Linux firewall) at http://www.iptables.org/documentation/index.html. Maybe the most useful for your question is http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Although your question sounds more like a school assignment, it's difficult to answer it shortly. I think you should try to read some of the manuals first.

Author Comment

by:ConnieCA
ID: 9607559
Thanks for the info. I've looked over those links but still have one main question...

One box acting as firewall...how can you get eth0 (the outside to the rest of the world NIC) IP 207.192.10.1 to send packets it receives for the internal network to the 2nd NIC in the box -- eth1 IP 192.168.10.2?

Specifically...what would the command be to get that to work?

Thanks for being patient with an admitted Linux newbie!

Constance

Author Comment

by:ConnieCA
ID: 9607854
Never mind... I worded that wrong. Here's my problem:

This is a test lab that is NOT connected to the outside world at all (the company won't allow us to). It is set up like this...

Server1 (Win box) -- IP address 192.168.10.2
(hub)
Firewall 1 (Linux box) -- 2 NICs -- eth0 192.168.10.1, eth1 207.192.10.1
(hub)
Firewall 2 (Linux box) -- 2 NICs -- eth1 207.192.50.1, eth0 192.168.50.1
(hub)
Server 2 (Win box) -- IP address 192.168.50.2

We are using this 'lab' to familiarize ourselves with things like file replication between our two sites, firewall exceptions needed, etc. without touching the production machines. If we could hook it up to the outside world we would, but politics here make it impossible.

Here's the right question...server1 can talk to Firewall 1 up to the outside NIC, but can't get beyond that to Firewall 2. What am I missing?

I've added points to this since it's so confusing...

Thanks,
C

Expert Comment

by:mbarbos
ID: 9607986
eth1 on firewall 1 must be 207.192.10.1 and on firewall 2 207.192.10.2.

The problem is the routing tables of the machines. You can post them if you want, also the ones from the Windows machines if you still have problems.

There is not a command to send the packets, it's the routing table. You can manipulate the routing table with "route bla bla bla..." See man route.


Expert Comment

by:mbarbos
ID: 9608105
Or you could add routes between the two firewalls (which is what you want, I presume)

on firewall 1:
route add -net 207.192.50.0 netmask 255.255.255.0 dev eth1

on firewall 2:
route add -net 207.192.10.0 netmask 255.255.255.0 dev eth1

See that the machine with 207.192.10.1 gets a route to 207.192.50.0 and the one with 207.192.50.1 gets a route to 207.192.10.0

Author Comment

by:ConnieCA
ID: 9608580
Thanks...I'm going to post the routing tables in just a minute so I can find out if I've got it set wrong...one more quick question...

The 'gateway' for each NIC in the firewall should be set to the outside NIC's IP?

Expert Comment

by:mbarbos
ID: 9608653
Oh, sorry, you also need 2 more routes on each firewall

on firewall 1:
route add -net 192.168.50.0 netmask 255.255.255.0 gw 207.192.50.1

on firewall 2:
route add -net 192.168.10.0 netmask 255.255.255.0 gw 207.192.10.1

Author Comment

by:ConnieCA
ID: 9608682
IP's for each machine (and this includes all machines in our lab)...

hb (Windows box)  192.168.10.2
(hub)
trojan (Firewall)  eth1: 207.192.10.1, eth2: 192.168.10.1
(hub)
gc (Firewall) eth1: 207.192.75.1, eth2: 192.168.75.1
(hub)
server1 (Windows box) 192.168.75.2

Routing table from trojan...

Destination     Gateway          Genmask         Flags Metric Ref Use Iface
207.192.10.0    *                255.255.255.0   U     0      0   0   eth1
192.168.75.0    trojan.thompson  255.255.255.0   U     0      0   0   eth1
192.168.10.0    *                255.255.255.0   U     0      0   0   eth0
169.254.0.0     *                255.255.0.0     U     0      0   0   eth1
127.0.0.0       *                255.0.0.0       U     0      0   0   lo
default         trojan.thompson  0.0.0.0         UG    0      0   0   eth1

Routing table from gc...

Destination     Gateway          Genmask         Flags Metric Ref Use Iface
207.192.10.0    goldcoin         255.255.255.0   UG    0      0   0   eth1
207.192.75.0    *                255.255.255.0   U     0      0   0   eth1
192.168.75.0    *                255.255.255.0   U     0      0   0   eth0
169.254.0.0     *                255.255.0.0     U     0      0   0   eth0
127.0.0.0       *                255.0.0.0       U     0      0   0   lo
default         192.168.75.1     0.0.0.0         UG    0      0   0   eth0

Right now, server1 (for instance) can ping as far as the outside NIC on gc (207.192.75.1) but cannot get any further. Can you tell me what us newbies have set wrong?

Expert Comment

by:mbarbos
ID: 9608817
With the current setup server1 actually can ping as far as eth1 on trojan, but trojan doesn't know where to send back the ping....

Add the 2 routes I forgot to post.

What are those routes to 169.254.0.0 ?

Author Comment

by:ConnieCA
ID: 9608900
No clue about 169.254.0.0...we were wondering where those came from ourselves.

Sorry...about the two new routes (since we've changed IP's to try to make this a little less confusing) can you tell me what I need on trojan and what I need on gc?

trojan -- eth0: 192.168.10.1, eth1: 207.192.10.1

gc -- eth0: 192.168.75.1, eth1: 207.192.75.1

Expert Comment

by:mbarbos
ID: 9609002

Sure.

on trojan:
route add -net 192.168.75.0 netmask 255.255.255.0 gw 207.192.75.1

on gc:
route add -net 192.168.10.0 netmask 255.255.255.0 gw 207.192.10.1

Or (to make things a little bit more confusing :-)
on trojan:
route del -net 0.0.0.0 netmask 0.0.0.0
route add -net 0.0.0.0 netmask 0.0.0.0 gw 207.192.75.1

on gc:
route del -net 0.0.0.0 netmask 0.0.0.0
route add -net 0.0.0.0 netmask 0.0.0.0 gw 207.192.10.1

>  No clue about 169.254.0.0...we were wondering where those came from ourselves.
Delete them. They don't do any harm now, but they don't help either

Author Comment

by:ConnieCA
ID: 9609276
even more points cuz this is such an annoying little problem...

ok...we made those additions and are still unable to ping between the two firewalls...can you tell me what the 'gateway' should be set to for each NIC in each firewall?

Author Comment

by:ConnieCA
ID: 9609377
Correction...we can ping from one firewall to another. For instance...

from goldcoin, we can ping trojan's outside (207.192.10.1) and its inside (192.168.10.1), but we are unable to ping hb (192.168.10.2)

from trojan, we can ping goldcoin in this same manner (both outside and in) but are unable to ping server1 (192.168.75.2)

We are SO close but obviously I'm missing something...

Expert Comment

by:mbarbos
ID: 9609416
Nice,

I just wrote half a page with the routing tables..... :)

Check the default routes for server1 and hb. The default gateway must be eth0 of the firewalls.

Expert Comment

by:mbarbos
ID: 9609432
on hb the default route must have gateway 192.168.10.1 and on server 192.168.75.1

Author Comment

by:ConnieCA
ID: 9609485
Sorry about the half a page of routing tables (I should've typed faster)

The default gateway on both hb and server1 are set correctly and are pointing to the internal NIC on their respective firewalls.

>>on hb the default route must have gateway 192.168.10.1 and on server 192.168.75.1

I'm not sure I'm clear what you mean by this? I understand the 'on hb the default route must have gateway...' and have double checked that it is set correctly. What do you mean by 'and on server 192.......?


Expert Comment

by:mbarbos
ID: 9609540
You have 2 Windows machines: hb and server1. Each should have as default gateway the IP address of the nearest firewall, i.e. the IP address that is in the same network as the Windows machine.

Expert Comment

by:mbarbos
ID: 9609601
hb 192.168.10.2
default gateway 192.168.10.1

trojan eth0 192.168.10.1, eth1 207.192.10.1
routes:
192.168.10.0 .... eth0 - added by default
207.192.10.0 ..... eth1 - added by default
** 207.192.75.0 ... eth1 - added by you, as upper ***
** 192.168.75.0 gw 207.192.75.1 - added by you ***

gc and server1 are similar:

server1 192.168.75.2
default gateway 192.168.75.1

gc eth0 192.168.75.1, eth1 207.192.75.1
routes:
192.168.75.0 .... eth0 - added by default
207.192.75.0 ..... eth1 - added by default
** 207.192.10.0 ... eth1 - added by you, as upper ***
** 192.168.10.0 gw 207.192.75.1 - added by you ***

Can you ping from hb:
a. trojan 192...
b. trojan 207...
c. gc 207...
d. gc 192...?

Author Comment

by:ConnieCA
ID: 9609610
That is how they are set...default gateway on hb is 192.168.10.1 and on server1 it is 192.168.75.1

Here are the routing tables as they stand now...is there anything wrong that you can see (we tried to delete that strange 169.254... entry but it keeps coming back...

GOLDCOIN

Destination     Gateway           Genmask         Flags Metric Ref Use Iface
207.192.10.0    *                 255.255.255.0   U     0      0   0   eth1
207.192.75.0    *                 255.255.255.0   U     0      0   0   eth1
192.168.10.0    trojan.thompson   255.255.255.0   UG    0      0   0   eth1
192.168.75.0    *                 255.255.255.0   U     0      0   0   eth0
169.254.0.0     *                 255.255.0.0     U     0      0   0   eth1
127.0.0.0       *                 255.0.0.0       U     0      0   0   lo
default         goldcoin.thompson 0.0.0.0         UG    0      0   0   eth1

TROJAN

Destination     Gateway           Genmask         Flags Metric Ref Use Iface
207.192.10.0    *                 255.255.255.0   U     0      0   0   eth1
207.192.75.0    *                 255.255.255.0   U     0      0   0   eth1
192.168.10.0    *                 255.255.255.0   U     0      0   0   eth0
192.168.75.0    goldcoin.thompson 255.255.255.0   UG    0      0   0   eth1
169.254.0.0     *                 255.255.0.0     U     0      0   0   eth1
127.0.0.0       *                 255.0.0.0       U     0      0   0   lo
default         Trojan.thompson   0.0.0.0         UG    0      0   0   eth1

Expert Comment

by:mbarbos
ID: 9609665
They look almost OK.

Are you sure you enabled routing? (Remember the "echo 1 > ....." at the beginning.)
You can check that with
cat /proc/sys/net/ipv4/ip_forward

Expert Comment

by:mbarbos
ID: 9609716
Pings ?

Author Comment

by:ConnieCA
ID: 9609721
Just entered that forwarding command again and VOILA!!! Thanks so much for the help!

Two questions and then I'll leave you alone :)

A. Now that the routing tables are set to a way that seems to be working, are these going to change at reboot or are they (pretty much) static?

B. How do we get the forwarding to automatically come on after a reboot?

Accepted Solution

by: mbarbos (earned 300 total points)
ID: 9609950
Oops, you got me here :) I'm not a RH fan, I'm just a humble *nix man :-)

Basically all *nix systems are the same: they start with a boot script which calls other init scripts and you get a working system.

A. The routes will disappear at reboot. The system is configured by the scripts that run at boot. The routes are STATIC. DYNAMIC routes are configured by routing daemons through routing protocols.

B. See if you have a file called "/etc/sysconfig/network-scripts/route-eth1"; if not, create it (touch /etc/sysconfig/network-scripts/route-eth1).
Edit this file with your favorite editor (not MS Word :) and add routes, like

207.168.2.0/24
192.168.75.0/24 via 207.192.75.1

and the corresponding routes on the other machine.

Also, in /etc/sysctl.conf, change net.ipv4.ip_forward to 1.

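To see why both the extra routes and the ip_forward switch were needed, here is an added example (not from the thread and not anyone's posted code) that replays a ping through the lab as it stands at the end: the host names, addresses and routes are the ones from the posts above, while the lookup and trace functions are a model of what the kernel does, written for this illustration.

```python
import ipaddress

# Lab layout from the thread, constructed here as data: routes are in `route -n` order
# (Destination, Gateway, Genmask, Iface) and "*" marks a directly connected network.
NODES = {
    "hb": {"ips": {"192.168.10.2"},
           "table": [("0.0.0.0", "192.168.10.1", "0.0.0.0", "eth0")]},
    "server1": {"ips": {"192.168.75.2"},
                "table": [("0.0.0.0", "192.168.75.1", "0.0.0.0", "eth0")]},
    "trojan": {"ips": {"192.168.10.1", "207.192.10.1"},
               "table": [("192.168.10.0", "*", "255.255.255.0", "eth0"),
                         ("207.192.10.0", "*", "255.255.255.0", "eth1"),
                         ("207.192.75.0", "*", "255.255.255.0", "eth1"),
                         ("192.168.75.0", "207.192.75.1", "255.255.255.0", "eth1")]},
    "gc": {"ips": {"192.168.75.1", "207.192.75.1"},
           "table": [("192.168.75.0", "*", "255.255.255.0", "eth0"),
                     ("207.192.75.0", "*", "255.255.255.0", "eth1"),
                     ("207.192.10.0", "*", "255.255.255.0", "eth1"),
                     ("192.168.10.0", "207.192.10.1", "255.255.255.0", "eth1")]},
}
OWNER = {ip: name for name, node in NODES.items() for ip in node["ips"]}

def lookup(table, dst):
    """Longest-prefix match, as the kernel does it; returns the next-hop IP or None."""
    best = None
    for dest, gw, mask, _iface in table:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dst if gw == "*" else gw)  # "*": deliver directly
    return None if best is None else best[1]

def trace(src, dst, ip_forward, max_hops=6):
    """Follow one packet from node `src` to IP `dst`; the last element says why it stopped."""
    hops, node = [], src
    while len(hops) < max_hops:
        hops.append(node)
        if dst in NODES[node]["ips"]:
            return hops + ["delivered"]
        if node != src and not ip_forward.get(node, 0):  # /proc/sys/net/ipv4/ip_forward
            return hops + [f"dropped: ip_forward=0 on {node}"]
        nexthop = lookup(NODES[node]["table"], dst)
        if nexthop is None:
            return hops + [f"dropped: no route on {node}"]
        if nexthop not in OWNER:
            return hops + [f"dropped: nothing answers at {nexthop}"]
        node = OWNER[nexthop]
    return hops + ["dropped: too many hops"]

def ping(a, b, ip_forward):  # a ping needs the request AND the reply to get through
    ip_a, ip_b = min(NODES[a]["ips"]), min(NODES[b]["ips"])
    return all(t[-1] == "delivered" for t in (trace(a, ip_b, ip_forward), trace(b, ip_a, ip_forward)))
```

Dropping trojan's 192.168.75.0 route reproduces the symptom from the middle of the thread (the request reaches hb but the reply dies on trojan), and setting trojan's ip_forward to 0 reproduces the final one.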

Author Comment

by:ConnieCA
ID: 9609977
Thanks much!!!

Expert Comment

by:mbarbos
ID: 9610092
You're welcome. Thank you too and have a nice routing.

BTW, reading that documentation won't hurt :-)
