Guitarman316 asked:

Trouble with firewall

Hello, I'm hoping I've got my question in the right spot here.  I'm trying to install a firewall that is to sit between our public Linux box with Open Exchange server on it and our private network.  (192.168.1.x public and 192.168.0.x private)  It's a small network so we picked up a Netgear ProSafe wireless firewall router print server combo.

I've set it up so that the Internet port of the ProSafe connects to the port on the Linux box that is addressed for the 192.168.0.x private subnet.  The other two ports/NICs face the Internet router on 192.168.1.x.  The problem is that the connections on the LAN side of the ProSafe cannot get through the Internet port.

I'm without a doubt new at this ProSafe firewall.  I've configured the firewall on the Linux box for the 192.168.1.x subnet.  I just want to make sure that if somebody gets into the Linux box they go no further.

The 192.168.0.x NIC in the Linux box works fine when it is plugged in around the router.

Any suggestions?

Thanks in Advance.
owensleftfoot:

It's probably a routing problem. I have to admit I'm slightly confused. Both 192.168.1 and 192.168.0 are class C internal addresses according to the RFCs; they are reserved for use on internal networks and shouldn't work on the Internet. If your Linux box has masquerading (sic) enabled, route add default gw 192.168.1.ExactIpAddress should work.
My guess, given the data presented, is that your border router is NAT'ing your outside IP onto 192.168.0.0/24. To be able to have another network (192.168.1.0/24) you have to tell the border router how to get to that network. This is something that most simple NAT'ing routers (in my experience) can't do. What are you using as your border router?
Check your default gateway on the Firewall box.  It needs to point to the 192.168.1.x side of the Firewall address if I got you correctly.  NAT'ing shouldn't matter because it's coming back on the port it went out on.  I think when he says Public he is referring to a DMZ type scenario (Sort of).

So...


Internet--(ext IP)Linux Firewall(192.168.1.1)--(192.168.1.2)ProSafe(192.168.0.1)--Internal Network

Make your resolution really big if that doesn't fit on one line.  ;)

Anyway, that ProSafe needs to point to 192.168.1.1 for its default gateway.  Then the Linux firewall also needs to point to the Internet-bound default gateway.  That will get your stuff out of your internal network.  You might consider using addresses that are more different for clarity's sake.  Easy to get confused.  I use 10.128.0.x as a matter of habit.
Guitarman316 (asker):
Thanks for all the responses.  I will try some and let you all know how it works.

Maybe I should clarify some though.  Yep, I'm new to hardware firewalls.  Anyway, we have a Cisco router that is the main feed to the Internet.  eth0 feeds our 192.168.0.x subnet and eth1 feeds the 192.168.1.x subnet.  On the 192.168.1 subnet there is one Linux box.  The Linux box has two NICs with these addresses, 192.168.1 and 192.168.10, that tie to the Cisco router.  Additionally the Linux box has one additional NIC (for a total of three), 192.168.0.193, that is used to provide internal access.

The Linux box has a software firewall set up on the two NICs that connect to the Cisco router's eth1.  Currently there is no firewall connected to the NIC that is 192.168.0.193.  So what I am trying to do is remove the cable from the .0.193 NIC in the Linux box and plug it into the LAN side of the ProSafe, then connect from the ProSafe's Internet port into the .0.193 NIC.  My thought was the firewall in the ProSafe would then protect the internal (.0.x) subnet from attacks from the Linux box.

Inside the ProSafe the LAN side is set up as 192.168.0.1; the internal IP for the Internet port is 192.168.0.253, mask 255.255.255.0.

In trying to make it work I think I simplified by just connecting one PC to the LAN port of the ProSafe and connecting the ProSafe's Internet port into one of our switches.  The thought was this should isolate it to just a single PC getting through the ProSafe.  Addresses in the ProSafe remained the same.  When I try to get to any resources on the .0.x subnet I get "Destination host unreachable".

I hope this makes it a little clearer what I'm trying to do and how we are set up.

Thanks so much for the help.



Sorry, I made a mistake on the Linux NIC addresses.  They are 192.168.1.1 and 192.168.1.10 instead of 192.168.1 and 192.168.10.  I gotta slow down one of these days.
So you have:

                    Cisco Router
                    /          \
  (192.168.0.0/24) /            \ (192.168.1.0/24)
                  /              \
                 /                \------\  (192.168.1.1 & 192.168.1.10)
                /                      Linux Box
               |                           | (192.168.0.193)
               |---------------------------|
           Local LAN

Given the stated goal of protecting the local LAN from an attack on the Linux box, the cleanest solution would look like:

                      Cisco Router
                      /          \
  (192.168.253.0/24) /            \ (192.168.1.0/24)
                    /              \
                   /                \------\  (192.168.1.1 & 192.168.1.10)
                  /                      Linux Box
                 |
              ProSafe
                 | (192.168.0.0/24)
             Local LAN

To avoid having to renumber the machines in the local LAN you'd need a glue network to connect the ProSafe to the router and a static route to the 192.168.0.0/24 network via the outside IP of the ProSafe.
jlevie, we don't really have control of the Cisco router.  We'd like to send the client connections for HTTP only to the Linux box and nothing else, while there should be a path for a number of other protocols out through the Cisco, i.e. FTP, email, etc.  That's where the firewall came in with the third NIC on the Linux box.  Is there a way to get your first sketch to function correctly?

By the way, I've contacted Netgear and they can't seem to get a basic connection to come through, even though I can ping directly from the firewall.  Set up as  Laptop ------ Firewall ------ gateway.


Thanks

If you can't get the Cisco config changed you could still use the second topology by renumbering your local LAN to use, say, 192.168.2.0/24 and having the ProSafe NAT all of those machines onto a single IP in 192.168.0.0. HTTP requests to 192.168.1.1 & 192.168.1.10 will still go only to your Linux box because that's where the Cisco will route them.
jlevie, is there no way you know of to allow traffic from .0.x into the Linux box through the third card?  I'd like to have some ports open that I don't want to open up through the .1.1 network: ports for PostgreSQL so we can administer our PostgreSQL server and not be in the server room, as well as VNC.  Both of these I don't want to have open to the Internet at all.

Maybe there's a way to install a second software firewall on the Linux box's .0.193 NIC.

Thanks in advance.
The basic problem here is that what you are proposing will have 192.168.0.0/24 on both sides of the ProSafe, which is an impossibility from a routing standpoint. And I don't see any security advantage to what you propose as compared to routing the traffic through the 192.168.1.0 network. In either case the Cisco needs to have anti-spoofing ACLs and the firewall rules on the Linux box have to be set up to only allow connections from addresses in the 192.168.0.0 network to those services.
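The per-service restriction and anti-spoofing that the answer above calls for, as an added example for this page (not jlevie's or the asker's configuration). It assumes eth0/eth1 carry 192.168.1.1 and 192.168.1.10 towards the Cisco, eth2 is the 192.168.0.193 LAN NIC, and PostgreSQL and VNC listen on their default TCP ports 5432 and 5900; the interface names and the IPT variable are assumptions.

```shell
#!/bin/sh
# Added example: iptables policy for the three-NIC Linux box in the thread.
# Assumed (not from the thread): eth0/eth1 carry 192.168.1.1 and 192.168.1.10
# towards the Cisco, eth2 is the 192.168.0.193 LAN NIC, and PostgreSQL and
# VNC listen on their default TCP ports 5432 and 5900.
IPT="${IPT:-iptables}"          # set IPT=echo to preview the rules without applying
INET_IFS="eth0 eth1"            # NICs reachable from the Internet via the Cisco
LAN_IF="eth2"                   # NIC on the local LAN
LAN_NET="192.168.0.0/24"
LAN_ONLY_PORTS="5432 5900"      # PostgreSQL, VNC: administer from the LAN only

apply_rules() {
    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Host-side anti-spoofing: a packet claiming a LAN source address must
    # arrive on the LAN NIC, never on an Internet-facing one.
    for ifc in $INET_IFS; do
        "$IPT" -A INPUT -i "$ifc" -s "$LAN_NET" -j DROP
    done
    # LAN-only services: accepted only from LAN addresses on the LAN NIC.
    for port in $LAN_ONLY_PORTS; do
        "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
    done
    # HTTP is the one service exposed towards the Cisco side.
    for ifc in $INET_IFS; do
        "$IPT" -A INPUT -i "$ifc" -p tcp --dport 80 -j ACCEPT
    done
    # Policies are set last so an existing admin session is not cut off
    # mid-script. Anything not matched above, including 5432/5900 arriving
    # on eth0/eth1, hits the DROP policy. FORWARD stays DROP because this box
    # is not meant to route between the LAN and the Cisco side.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
}

# Count how many rules open a given port; 1 means it is reachable from one NIC only.
rules_for_port() {
    IPT=echo apply_rules | grep -c -- "--dport $1"
}

if [ "${1:-}" = apply ]; then
    apply_rules                  # run as root: sh firewall.sh apply
fi
```

Preview the generated rules with `IPT=echo sh firewall.sh` before applying them for real.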
jlevie, last question.  What if I change the address of the third NIC in the Linux box to 192.168.2.1?  I now understand the problem I'm having is that the IP range should be different on either side of the firewall.

I really do appreciate the help.  The points are yours.

Thanks Pat
ASKER CERTIFIED SOLUTION: jlevie