Solved

Trouble with firewall

Posted on 2004-08-31
Last Modified: 2010-03-18
Hello, I'm hoping I've got my question in the right spot here. I'm trying to install a firewall that is to sit between our public Linux box with Open Exchange server on it and our private network. (192.168.1.x public and 192.168.0.x private) It's a small network so we picked up a Netgear ProSafe wireless firewall router printer server combo.

I've set it up so that the Internet port of the ProSafe connects to the port on the Linux box that is addressed for the 192.168.0.x private subnet. The other two ports/NICs face the Internet router on 192.168.1.x. The problem is that the connections on the LAN of the ProSafe cannot get through the Internet port.

I'm without a doubt new at this ProSafe firewall. I've configured the firewall on the Linux box for the 192.168.1.x subnet. I just want to make sure that if somebody gets into the Linux box they go no further.

The 192.168.0.x NIC in the Linux box works fine when it's plugged in around the router.

Any suggestions?

Thanks in Advance.
Question by:Guitarman316
12 Comments
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 11947312
It's probably a routing problem. I have to admit I'm slightly confused. Both 192.168.1 and 192.168.0 are class C internal addresses according to the RFCs - they are reserved for use on internal networks and shouldn't work on the internet. If your Linux box has masquerading (sic) enabled, route add default gw 192.168.1.ExactIpAddress should work.
 
LVL 40

Expert Comment

by:jlevie
ID: 11947752
My guess, given the data presented, is that your border router is NAT'ing your outside IP onto 192.168.0.0/24. To be able to have another network (192.168.1.0/24) you have to tell the border router how to get to that network. This is something that most simple NAT'ing routers (in my experience) can't do. What are you using as your border router?
 
LVL 4

Expert Comment

by:jonnietexas
ID: 11948838
Check your default gateway on the firewall box. It needs to point to the 192.168.1.x side of the firewall address, if I've got you correctly. NAT'ing shouldn't matter because it's coming back on the port it went out on. I think when he says Public he is referring to a DMZ type scenario (sort of).

So...


Internet--(ext IP)Linux Firewall(192.168.1.1)--(192.168.1.2)ProSafe(192.168.0.1)--Internal Network

Make your resolution really big if that doesn't fit on one line.  ;)

Anyway, that ProSafe needs to point to 192.168.1.1 for its default gateway. Then the Linux firewall also needs to point to the Internet-bound default gateway. That will get your stuff out of your internal network. You might consider using addresses that are more different, for clarity's sake. Easy to get confused. I use 10.128.0.x as a matter of habit.
 

Author Comment

by:Guitarman316
ID: 11952716
Thanks for all the responses.  I will try some and let you all know how it works.

Maybe I should clarify some, though. Yep, I'm new to hardware firewalls. Anyway, we have a Cisco router that is the main feed to the internet. eth0 feeds our 192.168.0.x subnet and eth1 feeds the 192.168.1.x subnet. On the 192.168.1 subnet there is one Linux box. The Linux box has two NICs with these addresses, 192.168.1 and 192.168.10, that tie to the Cisco router. Additionally the Linux box has one additional NIC (for a total of three), 192.168.0.193, that is used to provide internal access.

The Linux box has a software firewall set up on the two NICs that connect to the Cisco router's eth1. Currently there is no firewall connected to the NIC that is 192.168.0.193. So what I am trying to do is remove the cable from the .0.193 NIC in the Linux box and plug it into the LAN side of the ProSafe, then connect from the ProSafe's Internet port into the .0.193 NIC. My thought was the firewall in the ProSafe would then protect the internal (.0.x) subnet from attacks from the Linux box.

Inside the ProSafe the LAN side is set up as 192.168.0.1; the internal IP for the Internet port is 192.168.0.253, mask 255.255.255.0.

In trying to make it work I think I simplified by just connecting one PC to the LAN port of the ProSafe and connecting the ProSafe's Internet port into one of our switches. The thought was this should isolate it to just a single PC getting through the ProSafe. Addresses in the ProSafe remained the same. When I try to get to any resources on the .0.x subnet I get Destination host unreachable.

I hope this makes it a little clear what I'm trying to do and how we are setup.

Thanks so much for the help.

 

Author Comment

by:Guitarman316
ID: 11953065
Sorry, I got a mistake on the Linux NIC addresses. They are 192.168.1.1 and 192.168.1.10 instead of 192.168.1 and 192.168.10. I gotta slow down one of these days.
 
LVL 40

Expert Comment

by:jlevie
ID: 11954753
So you have:

                  Cisco Router
                 /            \
(192.168.0.0/24)/              \(192.168.1.0/24)
               /                \
              /                  Linux Box (192.168.1.1 & 192.168.1.10)
             |                     | (192.168.0.193)
             |---------------------|
          Local LAN

Given the stated goal of protecting the local LAN from an attack on the Linux box the cleanest solution would look like:

                  Cisco Router
                 /            \
(192.168.253.0/24)              \(192.168.1.0/24)
               /                 \
           Pro Safe               Linux Box (192.168.1.1 & 192.168.1.10)
              | (192.168.0.0/24)
          Local LAN

To avoid having to renumber the machines in the local LAN you'd need a glue network to connect the ProSafe to the router and a static route to the 192.168.0.0/24 network via the outside IP of the ProSafe.
 

Author Comment

by:Guitarman316
ID: 11966351
jlevie, we don't really have control of the Cisco router. We'd like to send the client connections for HTTP only to the Linux box and nothing else, while there should be a path for a number of other protocols out through the Cisco, i.e. FTP, email etc. That's where the firewall came in with the third NIC on the Linux box. Is there a way to get your first sketch to function correctly?

By the way, I've contacted Netgear and they can't seem to get a basic connection to come through, even though I can ping directly from the firewall. Set up as Laptop ------ Firewall ------ gateway.


Thanks

 
LVL 40

Expert Comment

by:jlevie
ID: 11968194
If you can't get the Cisco config changed you could still use the second topology by renumbering your local LAN to use, say, 192.168.2.0/24 and having the ProSafe NAT all of those machines onto a single IP in 192.168.0.0. HTTP requests to 192.168.1.1 & 192.168.1.10 will still go only to your Linux box because that's where the Cisco will route them.
 

Author Comment

by:Guitarman316
ID: 11973821
jlevie, is there no way you know of to allow traffic from .0.x into the Linux box through the third card? I'd like to have some ports open that I don't want to open up through the .1.1 network: ports for PostgreSQL so we can administer our PostgreSQL server and not be in the server room, as well as VNC. Both of these I don't want to have open to the internet at all.

Maybe there's a way to install a second software firewall on the Linux box's .0.193 NIC.

Thanks in advance.
 
LVL 40

Expert Comment

by:jlevie
ID: 11975925
The basic problem here is that what you are proposing will have 192.168.0.0/24 on both sides of the ProSafe, which is an impossibility from a routing standpoint. And I don't see any security advantage to what you propose as compared to routing the traffic through the 192.168.1.0 network. In either case the Cisco needs to have anti-spoofing ACLs and the firewall rules on the Linux box have to be set up to only allow connections from addresses in the 192.168.0.0 network to those services.
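The routing point jlevie makes above (the same /24 on both ProSafe ports cannot be routed, a separate glue network can) is easy to see with a small longest-prefix-match lookup. The following is an added example, not code from the thread or from Netgear; it uses only the Python standard library. The addresses are the ones given in the thread; the interface names ("lan", "wan", "eth2") and the sample hosts are constructed, and the Linux box's static route back to the local LAN is the one jlevie describes in his first sketch.

```python
# Added example, not from the thread: a longest-prefix-match route lookup
# used to show why 192.168.0.0/24 on both sides of the ProSafe cannot be
# routed, and why renumbering the ProSafe/Linux link to 192.168.2.0/24
# (the accepted answer) resolves it. Standard library only.
# Interface names ("lan", "wan", "eth2") and sample hosts are constructed.
from ipaddress import ip_address, ip_interface, ip_network


def overlapping_links(interfaces):
    """Return sorted name pairs whose directly connected subnets overlap.

    interfaces maps an interface name to its address in CIDR form,
    e.g. {"lan": "192.168.0.1/24", "wan": "192.168.0.253/24"}.
    """
    nets = {name: ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def build_routes(interfaces, static_routes=()):
    """Routing table: connected routes from interfaces plus static routes.

    Each entry is (network, next_hop or None, out_interface). A static
    route is given as (cidr, gateway, out_interface).
    """
    routes = [(ip_interface(cidr).network, None, name)
              for name, cidr in interfaces.items()]
    routes += [(ip_network(cidr), ip_address(gw), dev)
               for cidr, gw, dev in static_routes]
    return routes


def lookup(routes, dst):
    """Pick the route for dst by longest prefix, as a host or router does.

    Returns None when nothing matches (the "Destination host unreachable"
    case) or {"routes": [...], "ambiguous": bool}. Two connected routes
    with the same prefix tie, so the kernel's choice is arbitrary: that is
    the problem with the same /24 on both ProSafe ports.
    """
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    best = max(r[0].prefixlen for r in matches)
    chosen = [r for r in matches if r[0].prefixlen == best]
    return {"routes": chosen, "ambiguous": len(chosen) > 1}


# The ProSafe as originally configured: LAN 192.168.0.1/24, Internet port
# 192.168.0.253/24 (addresses from the thread, interface names constructed).
PROPOSED_PROSAFE = {"lan": "192.168.0.1/24", "wan": "192.168.0.253/24"}

# After the accepted answer: Internet port on the 192.168.2.0/24 glue link,
# default route via the Linux box's 192.168.2.1.
RENUMBERED_PROSAFE = {"lan": "192.168.0.1/24", "wan": "192.168.2.2/24"}
RENUMBERED_PROSAFE_STATIC = [("0.0.0.0/0", "192.168.2.1", "wan")]

# The Linux box's side of the same link ("eth2" is an assumed name) with the
# static route back to the local LAN via the ProSafe's outside address.
LINUX_BOX = {"eth2": "192.168.2.1/24"}
LINUX_BOX_STATIC = [("192.168.0.0/24", "192.168.2.2", "eth2")]


def summarize():
    """Run the lookups a reader would want to compare, before and after."""
    before = lookup(build_routes(PROPOSED_PROSAFE), "192.168.0.50")
    renumbered = build_routes(RENUMBERED_PROSAFE, RENUMBERED_PROSAFE_STATIC)
    after = lookup(renumbered, "192.168.0.50")
    out = lookup(renumbered, "203.0.113.9")
    back = lookup(build_routes(LINUX_BOX, LINUX_BOX_STATIC), "192.168.0.50")
    return {
        "overlap_before": overlapping_links(PROPOSED_PROSAFE),
        "lan_host_before_ambiguous": before["ambiguous"],
        "lan_host_after_iface": after["routes"][0][2],
        "internet_after_next_hop": str(out["routes"][0][1]),
        "linux_to_lan_next_hop": str(back["routes"][0][1]),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the original addressing, `overlapping_links` reports the LAN and Internet ports share one subnet and `lookup` finds two equally good routes for a LAN host, so the ProSafe has no way to know which port leads to it. After renumbering the link, the LAN host resolves to the LAN port, Internet destinations go to 192.168.2.1 on the Linux box, and the Linux box reaches the LAN only because of the explicit static route via 192.168.2.2.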
 

Author Comment

by:Guitarman316
ID: 11976398
jlevie, last question. What if I change the address of the third NIC in the Linux box to 192.168.2.1? I now understand the problem I'm having is that the IP should be different on either side of the firewall.

I really do appreciate the help.  The points are yours.

Thanks, Pat
 
LVL 40

Accepted Solution

by:jlevie (earned 250 total points)
ID: 11977474
Well you could do that and the topology would then look like:

                  Cisco Router
                 /            \
(192.168.253.0/24)              \(192.168.1.0/24)
               /                 \
              /                   Linux Box (192.168.1.1 & 192.168.1.10)
                                     | (192.168.2.1)
                                     |
                                     | (192.168.2.2)
                                  Pro Safe
                                     | (192.168.0.0/24)
                                  Local LAN (192.168.0.0/24)

Which means, of course, that all Internet traffic will traverse the Linux box.
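With the accepted topology, the protection the asker wants comes from the host firewall on the Linux box, as jlevie notes earlier in the thread: PostgreSQL and VNC reachable only from 192.168.0.0/24 via the inside NIC, internal source addresses rejected on the public NICs (anti-spoofing), and HTTP left as the one exposed service. The following is an added example, not code from the thread or from anyone in it. It assumes the Linux box's NICs are named eth0/eth1 (the 192.168.1.1 and 192.168.1.10 side) and eth2 (192.168.2.1); the thread does not name them. The ports are the PostgreSQL (5432) and VNC (5900) defaults, and the sample packets are constructed. `decide()` applies the policy to one packet, and `iptables_rules()` renders the same policy as an iptables INPUT chain for comparison.

```python
# Added example, not from the thread: a model of the host firewall policy
# for the Linux box's inside NIC in the accepted topology.
# Assumed interface names: eth0/eth1 public (192.168.1.x side), eth2 inside
# (192.168.2.1). Ports are the PostgreSQL and VNC defaults.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVATE_LAN = ip_network("192.168.0.0/24")   # local LAN behind the ProSafe
GLUE_NET = ip_network("192.168.2.0/24")      # Linux box .2.1 <-> ProSafe .2.2
INSIDE_IFACE = "eth2"                        # assumed: the 192.168.2.1 NIC
PUBLIC_IFACES = ("eth0", "eth1")             # assumed: the 192.168.1.1/.1.10 NICs
ADMIN_PORTS = {5432: "postgresql", 5900: "vnc"}
PUBLIC_PORTS = {80: "http"}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dport: int
    proto: str = "tcp"


def decide(pkt):
    """Verdict for a new inbound connection addressed to the Linux box."""
    src = ip_address(pkt.src)
    internal_src = src in PRIVATE_LAN or src in GLUE_NET
    # 1. Anti-spoofing: internal source addresses only ever arrive on eth2.
    if pkt.in_iface != INSIDE_IFACE and internal_src:
        return "DROP spoofed-internal-source"
    # 2. Admin services: private LAN addresses, inside interface, TCP only.
    if pkt.dport in ADMIN_PORTS:
        if pkt.in_iface == INSIDE_IFACE and src in PRIVATE_LAN and pkt.proto == "tcp":
            return "ACCEPT"
        return "DROP admin-port-from-outside-policy"
    # 3. HTTP is the single service meant to be reachable from anywhere.
    if pkt.dport in PUBLIC_PORTS and pkt.proto == "tcp":
        return "ACCEPT"
    # 4. Everything else falls to the default policy.
    return "DROP default-policy"


def iptables_rules():
    """The same policy as an iptables INPUT chain (rule order matters).

    decide() only models new connections; the ESTABLISHED,RELATED rule is
    what lets replies to the box's own outbound connections back in.
    """
    rules = ["iptables -P INPUT DROP",
             "iptables -A INPUT -i lo -j ACCEPT",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for iface in PUBLIC_IFACES:
        for net in (PRIVATE_LAN, GLUE_NET):
            rules.append(f"iptables -A INPUT -i {iface} -s {net} -j DROP")
    for port in ADMIN_PORTS:
        rules.append(f"iptables -A INPUT -i {INSIDE_IFACE} -s {PRIVATE_LAN} "
                     f"-p tcp --dport {port} -j ACCEPT")
    for port in PUBLIC_PORTS:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j ACCEPT")
    return rules


# Constructed sample traffic: (packet, what the policy should say).
SAMPLES = [
    (Packet("eth2", "192.168.0.25", 5432), "ACCEPT"),          # admin from LAN
    (Packet("eth1", "192.168.0.25", 5432), "DROP spoofed-internal-source"),
    (Packet("eth1", "203.0.113.9", 5900), "DROP admin-port-from-outside-policy"),
    (Packet("eth2", "192.168.2.2", 5432), "DROP admin-port-from-outside-policy"),
    (Packet("eth1", "203.0.113.9", 80), "ACCEPT"),              # public HTTP
    (Packet("eth2", "192.168.0.25", 22), "DROP default-policy"),
]


def check_samples():
    """Return (verdicts, all_as_expected) over the constructed samples."""
    verdicts = [decide(p) for p, _ in SAMPLES]
    return verdicts, all(v == want for v, (_, want) in zip(verdicts, SAMPLES))


if __name__ == "__main__":
    for (pkt, _), verdict in zip(SAMPLES, check_samples()[0]):
        print(f"{pkt.in_iface} {pkt.src} -> :{pkt.dport} {verdict}")
    print("\n".join(iptables_rules()))
```

Two details are worth checking against any real ruleset: the anti-spoofing drops sit before the accepts, so a packet on eth1 claiming a 192.168.0.x source never reaches the PostgreSQL rule, and the ProSafe's own 192.168.2.2 address is deliberately not in the admin allow-list, so only hosts on the local LAN itself can reach those ports.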