SIMPLE firewall question

Newbie Linux person so be gentle...:-)

RH9 Linux box in a lab that I would like to use as a firewall. Two NIC cards (one with IP 192.168.20.1 (for internal network) and the other with IP 207.192.10.1 (for external).  Couple of questions...

What do I need to do to get the two NICs in the box routing to/from each other (route add???)

How do I set iptables with a 'basic firewall setup'?

Thanks!

0
Asked by ConnieCA

paullamhkgCommented:
Have a look here: http://www.tldp.org/HOWTO/Security-HOWTO/index.html. It covers not only the firewall (iptables/ipchains) but also how to secure your Linux box.

For routing and load balancing check here: http://lartc.org/howto/index.html

Hope this info can help :)
0
 
mbarbosCommented:
First you should enable routing, as it is usually disabled by default:
echo 1 > /proc/sys/net/ipv4/ip_forward

then setup your routes as you wish.
Have a look at http://www.tldp.org/HOWTO/Net-HOWTO/index.html and http://www.tldp.org/LDP/nag2/index.html

Then you can start playing with the firewall.
You can find documentation for iptables (the current Linux firewall) at http://www.iptables.org/documentation/index.html. Maybe the most useful for your question is http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Although your question sounds more like a school assignment, it's difficult to answer it shortly. I think you should try to read some of the manuals first.
0
 
ConnieCAAuthor Commented:
Thanks for the info. I've looked over those links but still have one main question...

One box acting as firewall...how can you get eth0 (the outside to the rest of the world NIC) IP 207.192.10.1 to send packets it receives for the internal network to the 2nd NIC in the box -- eth1 IP 192.168.10.2?

Specifically...what would the command be to get that to work?

Thanks for being patient with an admitted Linux newbie!

Constance
0
 
ConnieCAAuthor Commented:
Never mind...I worded that wrong. Here's my problem.

This is a test lab that is NOT connected to the outside world at all (the company won't allow us to). It is set up like this...

Server1 (Win box) -- IP address 192.168.10.2
(hub)
Firewall 1 (Linux box) -- 2 NICs -- eth0 192.168.10.1, eth1 207.192.10.1
(hub)
Firewall 2 (Linux box) -- 2 NICs -- eth1 207.192.50.1, eth0 192.168.50.1
(hub)
Server 2 (Win box) -- IP address 192.168.50.2

We are using this 'lab' to familiarize ourselves with things like file replication between our two sites, firewall exceptions needed, etc. without touching the production machines. If we could hook it up to the outside world we would, but politics here make it impossible.

Here's the right question...server1 can talk to Firewall 1 up to the outside NIC, but can't get beyond that to Firewall 2. What am I missing?

I've added points to this since it's so confusing...

Thanks,
C


0
 
mbarbosCommented:
eth1 on firewall 1 must be 207.192.10.1 and on firewall 2 207.192.10.2.

the problem is the routing tables of the machines. You can post them if you want, also the ones from the windows machines if you still have problems.

There is not a command to send the packets; it's the routing table. You can manipulate the routing table with "route bla bla bla..." See man route.

0
 
mbarbosCommented:
Or you could add routes between the two firewalls (which is what you want, I presume)

on firewall 1:
route add -net 207.192.50.0 netmask 255.255.255.0 dev eth1

on firewall 2:
route add -net 207.192.10.0 netmask 255.255.255.0 dev eth1

See that the machine with 207.192.10.1 gets a route to 207.192.50.0 and the one with 207.192.50.1 gets a route to 207.192.10.0
0
 
ConnieCAAuthor Commented:
Thanks...I'm going to post the routing tables in just a minute so I can find out if I've got it set wrong...one more quick question...

The 'gateway' for each NIC in the firewall should be set to the outside NIC's IP?
0
 
mbarbosCommented:
Oh, sorry, you also need 2 more routes on each firewall

on firewall 1:
route add -net 192.168.50.0 netmask 255.255.255.0 gw 207.192.50.1

on firewall 2:
route add -net 192.168.10.0 netmask 255.255.255.0 gw 207.192.10.1
0
 
ConnieCAAuthor Commented:
IP's for each machine (and this includes all machines in our lab)...

hb (Windows box)  192.168.10.2
(hub)
trojan (Firewall)  eth1: 207.192.10.1, eth2: 192.168.10.1
(hub)
gc (Firewall) eth1: 207.192.75.1, eth2: 192.168.75.1
(hub)
server1 (Windows box) 192.168.75.2

Routing table from trojan...

Destination     Gateway          Genmask         Flags Metric Ref    Use Iface
207.192.10.0    *                255.255.255.0   U     0      0        0 eth1
192.168.75.0    trojan.thompson  255.255.255.0   U     0      0        0 eth1
192.168.10.0    *                255.255.255.0   U     0      0        0 eth0
169.254.0.0     *                255.255.0.0     U     0      0        0 eth1
127.0.0.0       *                255.0.0.0       U     0      0        0 lo
default         trojan.thompson  0.0.0.0         UG    0      0        0 eth1

Routing table from gc...

Destination     Gateway          Genmask         Flags Metric Ref    Use Iface
207.192.10.0    goldcoin         255.255.255.0   UG    0      0        0 eth1
207.192.75.0    *                255.255.255.0   U     0      0        0 eth1
192.168.75.0    *                255.255.255.0   U     0      0        0 eth0
169.254.0.0     *                255.255.0.0     U     0      0        0 eth0
127.0.0.0       *                255.0.0.0       U     0      0        0 lo
default         192.168.75.1     0.0.0.0         UG    0      0        0 eth0

Right now, server1 (for instance) can ping as far as the outside NIC on gc (207.192.75.1) but cannot get any further. Can you tell me what us newbies have set wrong?
0
 
mbarbosCommented:
With the current setup server1 actually can ping as far as eth1 on trojan, but trojan doesn't know where to send back the ping....

Add the 2 routes I forgot to post.

What are those routes to 169.254.0.0 ?
0
 
ConnieCAAuthor Commented:
No clue about 169.254.0.0...we were wondering where those came from ourselves.

Sorry...about the two new routes (since we've changed IP's to try to make this a little less confusing) can you tell me what I need on trojan and what I need on gc?

trojan -- eth0: 192.168.10.1, eth1: 207.192.10.1

gc -- eth0: 192.168.75.1, eth1: 207.192.75.1
0
 
mbarbosCommented:

Sure.

on trojan:
route add -net 192.168.75.0 netmask 255.255.255.0 gw 207.192.75.1

on gc:
route add -net 192.168.10.0 netmask 255.255.255.0 gw 207.192.10.1

Or (to make things a little bit more confusing :-)
on trojan:
route del -net 0.0.0.0 netmask 0.0.0.0
route add -net 0.0.0.0 netmask 0.0.0.0 gw 207.192.75.1

on gc:
route del -net 0.0.0.0 netmask 0.0.0.0
route add -net 0.0.0.0 netmask 0.0.0.0 gw 207.192.10.1

>  No clue about 169.254.0.0...we were wondering where those came from ourselves.
Delete them. They don't do any harm now, but they don't help either.
0
 
ConnieCAAuthor Commented:
even more points cuz this is such an annoying little problem...

ok...we made those additions and are still unable to ping between the two firewalls...can you tell me what the 'gateway' should be set to for each NIC in each firewall?
0
 
ConnieCAAuthor Commented:
Correction...we can ping from one firewall to another. For instance...

from goldcoin, we can ping trojan's outside (207.192.10.1) and its inside (192.168.10.1), but we are unable to ping hb (192.168.10.2)

from trojan, we can ping goldcoin in this same manner (both outside and in) but are unable to ping server1 (192.168.75.2)

We are SO close but obviously I'm missing something...
0
 
mbarbosCommented:
Nice,

I just wrote half a page with the routing tables..... :)

Check the default routes for server and hb. The default gateway must be eth0 of the firewalls
0
 
mbarbosCommented:
on hb the default route must have gateway 192.168.10.1 and on server 192.168.75.1
0
 
ConnieCAAuthor Commented:
Sorry about the half a page of routing tables (I should've typed faster)

The default gateway on both hb and server1 are set correctly and are pointing to the internal NIC on their respective firewalls.

>>on hb the default route must have gateway 192.168.10.1 and on server 192.168.75.1

I'm not sure I'm clear on what you mean by this. I understand the 'on hb the default route must have gateway...' and have double checked that it is set correctly. What do you mean by 'and on server 192.......'?

0
 
mbarbosCommented:
You have 2 Windows machines: hb and server1. Each should have as default gateway the IP address of the nearest firewall, i.e. the IP address that is in the same network as the Windows machine.
0
 
mbarbosCommented:
hb 192.168.10.2
default gateway 192.168.10.1

trojan eth0 192.168.10.1, eth1 207.192.10.1
routes:
192.168.10.0 .... eth0 - added by default
207.192.10.0 ..... eth1 - added by default
** 207.192.75.0 ... eth1 - added by you, as upper ***
** 192.168.75.0 gw 207.192.75.1 - added by you ***

gc and server1 are similar:

server1 192.168.75.2
default gateway 192.168.75.1

gc eth0 192.168.75.1, eth1 207.192.75.1
routes:
192.168.75.0 .... eth0 - added by default
207.192.75.0 ..... eth1 - added by default
** 207.192.10.0 ... eth1 - added by you, as upper ***
** 192.168.10.0 gw 207.192.75.1 - added by you ***

Can you ping from hb:
a. trojan 192...
b. trojan 207...
c. gc 207...
d. gc 192... ?
0
 
ConnieCAAuthor Commented:
That is how they are set...default gateway on hb is 192.168.10.1 and on server1 it is 192.168.75.1

Here are the routing tables as they stand now...is there anything wrong that you can see (we tried to delete that strange 169.254... entry but it keeps coming back...

GOLDCOIN

Destination     Gateway            Genmask         Flags Metric Ref    Use Iface
207.192.10.0    *                  255.255.255.0   U     0      0        0 eth1
207.192.75.0    *                  255.255.255.0   U     0      0        0 eth1
192.168.10.0    trojan.thompson    255.255.255.0   UG    0      0        0 eth1
192.168.75.0    *                  255.255.255.0   U     0      0        0 eth0
169.254.0.0     *                  255.255.0.0     U     0      0        0 eth1
127.0.0.0       *                  255.0.0.0       U     0      0        0 lo
default         goldcoin.thompson  0.0.0.0         UG    0      0        0 eth1

TROJAN

Destination     Gateway            Genmask         Flags Metric Ref    Use Iface
207.192.10.0    *                  255.255.255.0   U     0      0        0 eth1
207.192.75.0    *                  255.255.255.0   U     0      0        0 eth1
192.168.10.0    *                  255.255.255.0   U     0      0        0 eth0
192.168.75.0    goldcoin.thompson  255.255.255.0   UG    0      0        0 eth1
169.254.0.0     *                  255.255.0.0     U     0      0        0 eth1
127.0.0.0       *                  255.0.0.0       U     0      0        0 lo
default         Trojan.thompson    0.0.0.0         UG    0      0        0 eth1
0
 
mbarbosCommented:
They look almost OK.

Are you sure you enabled routing? (Remember the "echo 1 > ..." at the beginning.)
You can check that with
cat /proc/sys/net/ipv4/ip_forward
0
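As an added example (not from the thread), here is a small Python model of the lab's routing tables: a longest-prefix lookup per hop, the ip_forward flag on the two firewalls, and fault injection to reproduce the two symptoms discussed above (a reply path with no route back, and forwarding left disabled). Host names, addresses and routes are the ones posted in the thread; the model itself is constructed.

```python
import copy
import ipaddress

# Constructed model of the lab after the fixes in this thread: per host, its
# addresses, whether ip_forward is 1, and routes as (prefix, gateway or None).
LAB = {
    "hb": {"addrs": ["192.168.10.2"], "forward": False,
           "routes": [("192.168.10.0/24", None), ("0.0.0.0/0", "192.168.10.1")]},
    "trojan": {"addrs": ["192.168.10.1", "207.192.10.1"], "forward": True,
               "routes": [("192.168.10.0/24", None), ("207.192.10.0/24", None),
                          ("207.192.75.0/24", None), ("192.168.75.0/24", "207.192.75.1")]},
    "gc": {"addrs": ["192.168.75.1", "207.192.75.1"], "forward": True,
           "routes": [("192.168.75.0/24", None), ("207.192.75.0/24", None),
                      ("207.192.10.0/24", None), ("192.168.10.0/24", "207.192.10.1")]},
    "server1": {"addrs": ["192.168.75.2"], "forward": False,
                "routes": [("192.168.75.0/24", None), ("0.0.0.0/0", "192.168.75.1")]},
}

def next_hop(lab, host, dst):
    """Longest-prefix match over host's table: the next-hop IP, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in lab[host]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (best[1] or str(dst))  # connected: dst itself

def trace(lab, src, dst, max_hops=8):
    """Hosts a packet crosses from src to dst, ending 'delivered' or 'dropped:<host>'."""
    owner = {a: h for h, cfg in lab.items() for a in cfg["addrs"]}
    path, host = [src], src
    for _ in range(max_hops):
        nh = next_hop(lab, host, dst)
        if nh not in owner:             # no route, or a gateway nobody answers for
            return path + [f"dropped:{host}"]
        host = owner[nh]
        path.append(host)
        if nh == dst:
            return path + ["delivered"]
        if not lab[host]["forward"]:    # ip_forward=0: the kernel discards it
            return path + [f"dropped:{host}"]
    return path + ["dropped:loop"]      # routes point at each other

def broken(lab, host, forward=None, drop_prefix=None):
    """Copy of lab with one fault injected, to reproduce the symptoms above."""
    lab = copy.deepcopy(lab)
    if forward is not None:
        lab[host]["forward"] = forward
    lab[host]["routes"] = [r for r in lab[host]["routes"] if r[0] != drop_prefix]
    return lab
```

Removing gc's route to 192.168.10.0/24 still lets hb reach server1, but the echo reply dies on gc; clearing trojan's forward flag drops everything at trojan, which is the thread's final fix.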
 
mbarbosCommented:
Pings ?
0
 
ConnieCAAuthor Commented:
Just entered that forwarding command again and VOILA!!! Thanks so much for the help!

Two questions and then I'll leave you alone :)

A. Now that the routing tables are set to a way that seems to be working, are these going to change at reboot or are they (pretty much) static?

B. How do we get the forwarding to automatically come on after a reboot?
0
 
mbarbosCommented:
Ooops, you got me here :) I'm not an RH fan, I'm just a humble *nix man :-)

Basically all *nix systems are the same, they start with a boot script which calls other initscripts and you get a working system.

A. The routes will disappear at reboot. The system is configured by the scripts that run at boot. The routes are STATIC. DYNAMIC routes are configured by routing daemons through routing protocols.

B. See if you have a file called "/etc/sysconfig/network-scripts/route-eth1"; if not, create it (touch /etc/sysconfig/network-scripts/route-eth1).
Edit this file with your favorite editor (not MS Word :) and add routes, like

207.168.2.0/24
192.168.75.0/24 via 207.192.75.1

and the corresponding routes on the other machine.

Also in /etc/sysctl.conf change net.ipv4.ip_forward to 1.

0
 
ConnieCAAuthor Commented:
Thanks much!!!
0
 
mbarbosCommented:
You're welcome. Thank you too and have a nice routing.

BTW, reading that documentation won't hurt :-)

0