* networking newbie needs help
@ 2005-01-23  3:58 Kev askme
  2005-01-23  4:12 ` John A. Sullivan III
  0 siblings, 1 reply; 8+ messages in thread
From: Kev askme @ 2005-01-23  3:58 UTC (permalink / raw)
  To: netfilter

Hi everyone! :)

I have a couple of questions regarding netfilter on
linux and general networking that I'm unsure about.
Let me describe my current setup and where I'm trying
to go with it.
        First and foremost, I have a current netfilter
firewall set up using the firewall script from
frozentux.org with a DMZ. Everything works fine. I can
DNAT public IP's to private addresses inside my DMZ,
and hosts on my internal LAN can all browse the net
just fine and do all that other fun stuff. This setup
currently has one NIC card for each zone off of my
firewall with eth0 connected directly to the cable
modem, eth1 is to my internal LAN on one switch and
eth2 is connected to a different switch in which I put
hosts on the DMZ. My question is this: currently I
just have the one public IP address and that seems
simple enough, but I have a need for expansion and I
require more addresses from my ISP. Do I need to
install more NIC cards on my firewall box, one for
each new IP address and plug the cable modem into the
switch, along with all the newly installed NIC cards
instead of directly into my firewall box? Is there a
way around doing that if possible? What is the best
way to set it up properly so that I can have multiple
IP addresses on my DMZ and account traffic for each IP
and service? Also what is the best way to do this with
minimal overhead (getting new hardware is not a big
deal for me as long as it's not too expensive). Any
help or suggestions please?

Thanks for any and all help.
     -Kevin




^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: networking newbie needs help
  2005-01-23  3:58 Kev askme
@ 2005-01-23  4:12 ` John A. Sullivan III
  2005-01-23  4:50   ` Kev askme
  0 siblings, 1 reply; 8+ messages in thread
From: John A. Sullivan III @ 2005-01-23  4:12 UTC (permalink / raw)
  To: Kev askme; +Cc: Netfilter users list

On Sat, 2005-01-22 at 19:58 -0800, Kev askme wrote:
> Hi everyone! :)
> 
> I have a couple of questions regarding netfilter on
> linux and general networking that I'm unsure about.
> Let me describe my current setup and where I'm trying
> to go with it.
>         First and foremost, I have a current netfilter
> firewall set up using the firewall script from
> frozentux.org with a DMZ. Everything works fine. I can
> DNAT public IP's to private addresses inside my DMZ,
> and hosts on my internal LAN can all browse the net
> just fine and do all that other fun stuff. This setup
> currently has one NIC card for each zone off of my
> firewall with eth0 connected directly to the cable
> modem, eth1 is to my internal LAN on one switch and
> eth2 is connected to a different switch in which I put
> hosts on the DMZ. My question is this: currently I
> just have the one public IP address and that seems
> simple enough, but I have a need for expansion and I
> require more addresses from my ISP. Do I need to
> install more NIC cards on my firewall box, one for
> each new IP address and plug the cable modem into the
> switch, along with all the newly installed NIC cards
> instead of directly into my firewall box? Is there a
> way around doing that if possible? What is the best
> way to set it up properly so that I can have multiple
> IP addresses on my DMZ and account traffic for each IP
> and service? Also what is the best way to do this with
> minimal overhead (getting new hardware is not a big
> deal for me as long as it's not too expensive). Any
> help or suggestions please?
> 
<snip>
Welcome to netfilter, Kevin.  It's a great tool.  Another great tool is
iproute2 and that will be your key to what you want to do.  It will
allow you to bind multiple IP addresses to the same NIC.  The rest is
handled by DNAT.  No need to add a physical interface for each NAT
address.

In the ISCS network security management interface, we do this
automatically for you when you specify that a device is to be exposed
publicly.  You can find some training slides regarding iproute2 in the
training section of the ISCS web site (http://iscs.sourceforge.net).
You can find the full explanation in a file named ip-cref.ps somewhere
in your distribution.

Good luck - John
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com



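The setup John sketches (several public addresses on the one external NIC, DNAT doing the rest), written out as a shell script. This is an added example, not code from the thread or from the frozentux script Kevin mentions; interface names follow his description, while the public addresses 1.1.1.3/1.1.1.4 and the DMZ hosts 192.168.2.x are constructed, and the script assumes the FORWARD chain already drops by default and accepts established traffic.

```shell
#!/bin/sh
# Added example (not from the thread): bind extra public addresses to the
# single external NIC with iproute2 and DNAT each one to a DMZ host.
# Assumed/constructed: eth0 = cable modem side, eth2 = DMZ switch,
# public segment 1.1.1.0/24, DMZ hosts 192.168.2.3 and 192.168.2.4.
# Run as "show" to print the commands, "apply" (as root) to execute them.

EXT_IF=eth0        # cable modem side
DMZ_IF=eth2        # DMZ switch
EXT_PREFIX=24      # prefix length of the public segment (1.1.1.0/24)

# run: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_public_ip ADDRESS: one more address on the same NIC. The kernel then
# answers ARP for it with eth0's MAC, so no extra card is needed.
add_public_ip() {
    run ip addr add "$1/$EXT_PREFIX" dev "$EXT_IF"
}

# publish PUBLIC PRIVATE PROTO PORT: DNAT one service from a public address
# to a DMZ host and let only that service through FORWARD. The -i restriction
# keeps the DNAT from catching traffic that arrives on the other interfaces.
publish() {
    pub=$1; priv=$2; proto=$3; port=$4
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" \
        -p "$proto" --dport "$port" -j DNAT --to-destination "$priv:$port"
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$priv" \
        -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
}

# setup: the address/service table for this firewall (constructed values)
setup() {
    add_public_ip 1.1.1.3
    add_public_ip 1.1.1.4
    publish 1.1.1.3 192.168.2.3 tcp 80    # web server in the DMZ
    publish 1.1.1.4 192.168.2.4 tcp 25    # mail server in the DMZ
}

case "${1:-}" in
    show)  DRY_RUN=1; setup ;;
    apply) setup ;;
esac
```

`sh publish.sh show` prints the six commands; `sudo sh publish.sh apply` runs them. Kevin's per-address, per-service accounting falls out of the same rules: `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` show packet and byte counters for each DNAT and FORWARD entry, one per public address and port.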

* Re: networking newbie needs help
  2005-01-23  4:12 ` John A. Sullivan III
@ 2005-01-23  4:50   ` Kev askme
  2005-01-23  5:31     ` John A. Sullivan III
  0 siblings, 1 reply; 8+ messages in thread
From: Kev askme @ 2005-01-23  4:50 UTC (permalink / raw)
  To: John A. Sullivan III; +Cc: Netfilter users list


--- "John A. Sullivan III"
<jsullivan@opensourcedevelopmentcorp.com> wrote:

> <snip>
> Welcome to netfilter, Kevin.  It's a great tool. 

Thank you very much John. :) Yes it appears to be very
useful and robust!

> Another great tool is
> iproute2 and that will be your key to what you want
> to do.  It will
> allow you to bind multiple IP addresses to the same
> NIC.  The rest is
> handled by DNAT.  No need to add a physical
> interface for each NAT
> address.

So how do I tell my ISP that the extra IP's they are
going to allocate to me all need to point to the same
NIC? Will they be able to do that? I mean, isn't there
only one unique MAC address for every NIC card? Do
they just route all frames destined for any one of the
IP addresses they assign me to the same MAC or
something?
Thanks for your help and for the great welcome!

> In the ISCS network security management interface,
> we do this
> automatically for you when you specify that a device
> is to be exposed
> publicly.  You can find some training slides
> regarding iproute2 in the
> training section of the ISCS web site
> (http://iscs.sourceforge.net).
> You can find the full explanation in a file named
> ip-cref.ps somewhere
> in your distribution.

I'll have to check out ISCS and see what it's all
about. Thanks for your help, John.

Sincerely,
Kevin






* Re: networking newbie needs help
  2005-01-23  4:50   ` Kev askme
@ 2005-01-23  5:31     ` John A. Sullivan III
  2005-01-23  6:05       ` Kev askme
  0 siblings, 1 reply; 8+ messages in thread
From: John A. Sullivan III @ 2005-01-23  5:31 UTC (permalink / raw)
  To: Kev askme; +Cc: Netfilter users list

On Sat, 2005-01-22 at 20:50 -0800, Kev askme wrote:
> --- "John A. Sullivan III"
> <jsullivan@opensourcedevelopmentcorp.com> wrote:
> 
<snip>
> So how do I tell my ISP that the extra IP's they are
> going to allocate to me all need to point to the same
> NIC? Will they be able to do that? I mean, isn't there
> only one unique MAC address for every NIC card? Do
> they just route all frames destined for any one of the
> IP addresses they assign me to the same MAC or
> something?
It's all about ARP.  You may want to find a good web site on network
basics so that you can better understand the context within which
iptables works.  If you can afford them, I have always found Pine
Mountains classes to be absolutely outstanding (http://www.pmg.com).

Let's say that your public network is 1.1.1.0/24, your ISP router is
1.1.1.1 and your firewall is 1.1.1.2 and it is doing NAT for 1.1.1.3 and
1.1.1.4.  When the ISP's router wants to send a packet to 1.1.1.3, it
sends an ARP broadcast on the local segment to ask who has 1.1.1.3.
Your firewall will respond with an ARP reply that says its MAC address
handles packets for 1.1.1.3.  The router will make that entry in its ARP
cache and will now address all packets for 1.1.1.3 to your firewall
NIC's MAC address.
> Thanks for your help and for the great welcome!
> 
> > In the ISCS network security management interface,
> > we do this
> > automatically for you when you specify that a device
> > is to be exposed
> > publicly.  You can find some training slides
> > regarding iproute2 in the
> > training section of the ISCS web site
> > (http://iscs.sourceforge.net).
> > You can find the full explanation in a file named
> > ip-cref.ps somewhere
> > in your distribution.
> 
> I'll have to check out ISCS and see what it's all
> about. Thanks for your help, John.
> 
> Sincerely,
> Kevin
> 
> 
> 
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com



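Two checks for the ARP mechanism John describes, added here as an example (not code from the thread): one confirms the kernel really holds every public address on the external NIC, the other shows, from a neighbour's ARP cache, which addresses resolved to the firewall's MAC. Both functions read command output on stdin, so they work on live `ip` output or on the constructed samples at the bottom; the addresses and MAC in those samples are made up.

```shell
#!/bin/sh
# Added example (not from the thread): verify the "many IPs, one MAC" picture.
# Functions take the output of the named ip command on stdin.

# addrs_on_dev: the addresses the kernel holds on a NIC, from
#   ip -4 -o addr show dev eth0
# (field 4 is address/prefix; primary and secondary addresses both count)
addrs_on_dev() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# missing_addrs EXPECTED...: print any expected address the NIC does not hold
missing_addrs() {
    held=$(addrs_on_dev)
    for want in "$@"; do
        printf '%s\n' "$held" | grep -qx "$want" || echo "$want"
    done
}

# ips_per_mac: from `ip neigh show` output taken on a neighbour (for instance
# the ISP-side router), print one line per MAC with every IP that resolved
# to it. The firewall's MAC should list all of its public addresses; entries
# without lladdr (FAILED, INCOMPLETE) are skipped.
ips_per_mac() {
    awk '$4 == "lladdr" { ips[$5] = ips[$5] " " $1 }
         END { for (m in ips) print m ips[m] }' | sort
}

# Constructed sample output (the shape the commands print, not captured from
# a real box): eth0 holds 1.1.1.2 plus the secondary 1.1.1.3, but not 1.1.1.4.
SAMPLE_ADDRS='2: eth0    inet 1.1.1.2/24 brd 1.1.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 1.1.1.3/24 scope global secondary eth0\       valid_lft forever preferred_lft forever'

# Constructed neighbour cache as the router on the segment might see it.
SAMPLE_NEIGH='1.1.1.2 dev eth1 lladdr 00:0c:29:aa:bb:cc REACHABLE
1.1.1.3 dev eth1 lladdr 00:0c:29:aa:bb:cc STALE
1.1.1.4 dev eth1 lladdr 00:0c:29:aa:bb:cc REACHABLE
1.1.1.9 dev eth1 FAILED'

if [ "${1:-}" = "demo" ]; then
    echo "addresses held on eth0:"
    printf '%s\n' "$SAMPLE_ADDRS" | addrs_on_dev
    echo "expected but missing:"
    printf '%s\n' "$SAMPLE_ADDRS" | missing_addrs 1.1.1.2 1.1.1.3 1.1.1.4
    echo "addresses per MAC as the router sees them:"
    printf '%s\n' "$SAMPLE_NEIGH" | ips_per_mac
fi
```

On the firewall itself, `ip -4 -o addr show dev eth0 | sh arpcheck.sh`-style piping into `missing_addrs` is the quick test that the `ip addr add` lines took effect; the `ips_per_mac` view is what you would run on another host on the public segment to see that all of the firewall's addresses resolve to one MAC, which is exactly the ARP cache entry John describes the ISP router making.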

* Re: networking newbie needs help
  2005-01-23  5:31     ` John A. Sullivan III
@ 2005-01-23  6:05       ` Kev askme
  2005-01-23 12:10         ` John A. Sullivan III
  0 siblings, 1 reply; 8+ messages in thread
From: Kev askme @ 2005-01-23  6:05 UTC (permalink / raw)
  To: John A. Sullivan III; +Cc: Netfilter users list


--- "John A. Sullivan III"
<jsullivan@opensourcedevelopmentcorp.com> wrote:

> <snip>

> It's all about ARP.  You may want to find a good web
> site on network
> basics so that you can better understand the context
> within which
> iptables works.  If you can afford them, I have
> always found Pine
> Mountains classes to be absolutely outstanding
> (http://www.pmg.com).

Perhaps I will look into that for the future. I'll
pick up a good O'Reilly book on networking for the
time being.

> Let's say that your public network is 1.1.1.0/24,
> your ISP router is
> 1.1.1.1 and your firewall is 1.1.1.2 and it is doing
> NAT for 1.1.1.3 and
> 1.1.1.4.  When the ISP's router wants to send a
> packet to 1.1.1.3, it
> sends an ARP broadcast on the local segment to ask
> who has 1.1.1.3.
> Your firewall will respond with an ARP reply that
> says its MAC address
> handles packets for 1.1.1.3.  The router will make
> that entry in its ARP
> cache and will now address all packets for 1.1.1.3
> to your firewall
> NIC's MAC address.

Thanks for the "dummified" explanation. That is very
clear and concise. :) So I just need my ISP to
statically assign the public IP addresses to me and
then add the addresses to my external interface using
the ip command and then the external interface will
answer for all ip addresses on the external interface?
Or do I need to add aliases for each address, or is
that essentially what the ip command is actually
doing?






* Re: networking newbie needs help
  2005-01-23  6:05       ` Kev askme
@ 2005-01-23 12:10         ` John A. Sullivan III
  2005-01-23 18:26           ` Kev askme
  0 siblings, 1 reply; 8+ messages in thread
From: John A. Sullivan III @ 2005-01-23 12:10 UTC (permalink / raw)
  To: Kev askme; +Cc: Netfilter users list

On Sat, 2005-01-22 at 22:05 -0800, Kev askme wrote:
> --- "John A. Sullivan III"
> <jsullivan@opensourcedevelopmentcorp.com> wrote:
> 
> > <snip>
> Thanks for the "dummified" explanation. That is very
> clear and concise. :) So I just need my ISP to
> statically assign the public IP addresses to me and
> then add the addresses to my external interface using
> the ip command and then the external interface will
> answer for all ip addresses on the external interface?
> Or do I need to add aliases for each address, or is
> that essentially what the ip command is actually
> doing?
You've got it! Yes, adding addresses to the interface with ip is the
successor to aliasing - John
<snip>
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com




* Re: networking newbie needs help
  2005-01-23 12:10         ` John A. Sullivan III
@ 2005-01-23 18:26           ` Kev askme
  0 siblings, 0 replies; 8+ messages in thread
From: Kev askme @ 2005-01-23 18:26 UTC (permalink / raw)
  To: John A. Sullivan III; +Cc: Netfilter users list


--- "John A. Sullivan III"
<jsullivan@opensourcedevelopmentcorp.com> wrote:

> <snip>
> You've got it! Yes, adding addresses to the
> interface with ip is the
> successor to aliasing - John
> <snip>

Thank you very much for all of your help again!






* Re: networking newbie needs help
       [not found] <15505515.1106460382543.JavaMail.rct@kale>
@ 2005-01-23 20:28 ` Bob Tellefson
  0 siblings, 0 replies; 8+ messages in thread
From: Bob Tellefson @ 2005-01-23 20:28 UTC (permalink / raw)
  To: netfilter; +Cc: John A. Sullivan III

On Sunday 23 January 2005 06:05, Kev askme wrote:

>
> Thanks for the "dummified" explanation. That is very
> clear and concise. :) So I just need my ISP to
> statically assign the public IP addresses to me and
> then add the addresses to my external interface using
> the ip command and then the external interface will
> answer for all ip addresses on the external interface?
> Or do I need to add aliases for each address, or is
> that essentially what the ip command is actually
> doing?
>
>

It is generally more useful to have a subnet assigned and routed to you by 
your isp.  The advantage here is that you may use these ip's on your dmz 
without the need for DNAT.  In this case, your firewall/router isp interface 
acts as a gateway that your isp routes your subnet ip's through.  ARP is not 
involved other than to discover this gateway interface.  You can route/filter 
the subnet ip's as you see fit.

DNAT comes with side effects that you should consider before proceeding.  Have 
a look at DNAT in the iptables faq 
( http://www.faqs.org/docs/iptables/targets.html ) for an example of what 
happens when you DNAT clients from the outside world versus how machines 
within the DMZ (including the firewall) access the same services.  This can 
be a serious issue depending on what services reside on your DMZ and how they 
interact.

If you don't get a routed subnet from your isp, consider using proxy arp rather 
than DNAT.  This effectively gives you the benefits of a routed subnet.  See 
http://www.tldp.org/HOWTO/Proxy-ARP-Subnet/

DNAT has its place, but it is a kludge (IMHO).  I avoid it where possible.



-- 

Bob Tellefson
Java network application development & hosting


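The three options Bob contrasts, side by side as an added example (not code from the thread, the iptables FAQ or the Proxy-ARP-Subnet HOWTO). Addresses are constructed around the thread's numbering: ISP router 1.1.1.1 and firewall 1.1.1.2/24 on eth0; for the routed case the ISP is assumed to route a separate block 2.2.2.0/29 to 1.1.1.2; for proxy ARP a block 1.1.1.8/29 is carved out of the connected /24; for the DNAT case the DMZ is the private 192.168.2.0/24 with the firewall at 192.168.2.1. The DNAT function also shows the side effect Bob points at (a DMZ host reaching a neighbour by its public address) and the usual SNAT fix for it.

```shell
#!/bin/sh
# Added example (not from the thread): routed subnet vs proxy ARP vs DNAT.
# Assumed/constructed: eth0 external (1.1.1.2/24), eth2 DMZ; routed block
# 2.2.2.0/29; proxy-ARP block 1.1.1.8/29; private DMZ 192.168.2.0/24.
# Usage: sh dmz-alternatives.sh show proxy_arp_subnet
#        sh dmz-alternatives.sh show dnat_with_hairpin 1.1.1.3 192.168.2.3 80
#        ("apply" instead of "show" executes the commands; needs root)

EXT_IF=eth0
DMZ_IF=eth2

# run: execute the command, or just print it when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# 1) Routed subnet: the ISP sends 2.2.2.0/29 to 1.1.1.2; DMZ hosts carry
#    their public addresses and the firewall only forwards and filters.
#    No NAT, and ARP is only used to resolve 1.1.1.2 itself.
routed_subnet() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip addr add 2.2.2.1/29 dev "$DMZ_IF"        # firewall = gateway of the block
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d 2.2.2.0/29 \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# 2) Proxy ARP: same layout without the ISP's cooperation. 1.1.1.8/29 lives
#    on eth2 (the /29 route is more specific than eth0's /24), and proxy_arp
#    on eth0 makes the firewall answer the ISP router's ARP requests for those
#    hosts, so the router keeps treating them as local. Still no NAT.
proxy_arp_subnet() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip addr add 1.1.1.9/29 dev "$DMZ_IF"        # also installs the 1.1.1.8/29 route
    run sysctl -w "net.ipv4.conf.${EXT_IF}.proxy_arp=1"
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d 1.1.1.8/29 \
        -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# 3) DNAT, with the side effect from the FAQ. The PREROUTING rule has no -i
#    restriction so a DMZ host can reach its neighbour by public address, but
#    the server's reply would then go straight back from 192.168.2.3 and the
#    client, which talked to 1.1.1.3, drops it. The POSTROUTING SNAT forces
#    such hairpin flows back through the firewall so the reply is un-NATed;
#    the OUTPUT rule covers connections made from the firewall itself.
dnat_with_hairpin() {
    pub=$1; priv=$2; port=$3
    run iptables -t nat -A PREROUTING -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$priv"
    run iptables -t nat -A OUTPUT -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -o "$DMZ_IF" -s 192.168.2.0/24 -d "$priv" \
        -p tcp --dport "$port" -j SNAT --to-source 192.168.2.1
}

case "${1:-}" in
    show)  DRY_RUN=1; shift; "$@" ;;
    apply) shift; "$@" ;;
esac
```

For the proxy ARP variant the DMZ hosts are numbered from 1.1.1.10 upward with 1.1.1.9 as their gateway; the firewall must be the only box answering ARP for that block on the eth0 side. The hairpin SNAT in the DNAT variant costs you the client's real source address in the server's logs for DMZ-originated connections, which is one of the side effects Bob has in mind.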
