From: Rene Gallati <lartc@draxinusom.ch>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Howto route through
Date: Mon, 01 Nov 2004 14:56:02 +0000	[thread overview]
Message-ID: <41864E82.9070307@draxinusom.ch> (raw)
In-Reply-To: <41850B0D.9000409@draxinusom.ch>

Hello,

> What I do is have the linux box claim all of the public IPs as its own, 
> and then use IPTABLES to DNAT/SNAT to/from private IPs as needed.  You 
> can dedicate a public IP to a specific private IP, so the computer on 
> your network with that private IP appears to all of the world as if it 
> actually has the public IP.  This has the added advantage that if your 
> public IPs change for some reason, you just need to update IPTABLEs and 
> the computers on your network will only need slight (if any) tweaking.

That is basically what I am doing currently (with only one IP though 
obtained via cablemodem). However the person that makes all of this 
happen (SHDSL+ leased line) absolutely wants the public IP on his 
machine so I can't go that route.

The IPs however are unlikely to change in the foreseeable future, they 
are assigned and the person who makes this possible owns them as he is a 
(small) ISP. So changing should not occur.

> In this setup, all of your public IPs are on one ethernet port, and all 
> of your private IPs are on the other.  If you desire, you can give one 
> of the public IPs to the linux box itself (though for security reasons, 
> I personally do not do this... in fact, the only traffic I let the linux 
> box pass to the internet is forwarded packets... nothing originating 
> from itself).

Well at least SSH for management is usually what I do. However I do run 
other things on the fw box. Most of it is bound to the lan if only, so I 
don't see any problem with it security wise.

> This may be what you had in mind when you considered the option of a 
> transparent bridge...

No I really meant a transparent bridge as in

brctl addbr br0                    # create the bridge device
brctl addif br0 lan                # enslave the inside NIC
brctl addif br0 wan                # enslave the outside NIC
ifconfig lan 0.0.0.0 promisc up    # bring the ports up with no address of their own
ifconfig wan 0.0.0.0 promisc up

And some netfilter lines to allow forwarding between the ifs on the 
allowed ports. This has the benefit that the filtering box is actually 
invisible (no route hop, no traceroute step) and can be taken down and 
the cables between lan and wan shortcutted without losing connectivity.

I still think that is the best thing for my case as I know the bridge 
stuff fairly well. The only issue holding me back is the fact that the 
(real) interfaces need to be in promiscuous mode (not 100% sure, need to 
test) and the lan nic is a gigE card.

CU

René

> 
> ----- Original Message ----- From: "Rene Gallati" <lartc@draxinusom.ch>
> To: <LARTC@mailman.ds9a.nl>
> Sent: Sunday, October 31, 2004 9:55 AM
> Subject: [LARTC] Howto route through
> 
> 
>> Hello list,
>>
>> I'm having a little trouble imagining a setup I'll soon have.
>>
>> I am in the process of getting a routed /28 to my homeLAN. What I want 
>> to do is to put a linux box in front of the lan to filter some of the 
>> unneeded and potentially dangerous ports. Now the box has 2 nics, one 
>> for the inside one for the outside.
>>
>> How should I go on to setup those NICs when
>> a) the PCs in the net should have their official IP address from the 
>> /28 net
>> and
>> b) the filtering linux box should at the same time have one IP address 
>> from the same range for some services it provides
>>
>> The dilemma I see (maybe it is none but I just don't know)
>> if I put it this way that I have the IP of the /28er range on one nic 
>> and nothing to put on the other ?
>>
>> Example: Range is 1.2.3.0/28 (1.2.3.0 - 1.2.3.15)
>>
>>           eth0:  1.2.3.1   eth1: ???
>> ---- Internet ------- FW Box ------ LAN (1.2.3.0/28)
>>
>> The FW box should be reachable by both the hosts in the LAN as well as 
>> from the internet using the assigned IP. Don't I run into troubles 
>> having an IP on one NIC which does belong to a net that is located on 
>> the side of another NIC ?
>>
>> I know that the most specific entry (full IP) overrides or wins over 
>> the less specific ones (the net) but does this setup work so that the 
>> LAN clients can access the FW box just like every other host on the 
>> internet? How do I configure eth1 ? Just bring it up without any IP at 
>> all?
>>
>> Or should I better make the FW box a transparent bridge for the 
>> filtering with one IP where it reacts itself ?
>>
>> Thanks for all hints
>>
>> CU
>>
>> René
>> _______________________________________________
>> LARTC mailing list / LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>>

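The original question leans on the rule that the most specific route wins. The script below is an added example, not code from either mail: it models the Linux longest-prefix-match lookup over a constructed route table for the poster's 1.2.3.0/28 example (eth0 toward the Internet, eth1 toward the LAN). The upstream gateway 1.2.3.14 and the LAN host 1.2.3.5 are made-up addresses; the two route plans are illustrations, not a recommendation from the thread. It shows concretely why the /28 sitting on eth0 alone sends LAN-bound traffic out the wrong NIC, and how a longer prefix on eth1 changes the selection.

```python
"""Longest-prefix-match route selection for the /28 setup in the thread.

Added example (not from the original mails). Models the FIB lookup rule the
poster relies on: among routes whose prefix contains the destination, the
longest prefix wins; among equal lengths the first listed is taken here.
Addresses 1.2.3.14 (gateway) and 1.2.3.5 (LAN host) are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None   # next hop; None means directly connected


def route_table(entries: Sequence[Tuple[str, str, Optional[str]]]) -> List[Route]:
    """Build a table from (prefix, device, next-hop) tuples, like 'ip route'."""
    return [Route(ipaddress.ip_network(p), dev, via) for p, dev, via in entries]


def lookup(table: Sequence[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching route for dst, or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    # max() keeps the first of equally long prefixes, mirroring table order.
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress(table: Sequence[Route], dst: str) -> Optional[str]:
    """Which NIC a packet to dst leaves on under this table."""
    r = lookup(table, dst)
    return r.dev if r else None


def overlapping_prefixes(table: Sequence[Route]) -> List[Tuple[Route, Route]]:
    """Pairs of routes where the same prefix is reachable via different NICs.

    A clean table should have none of these; the poster's dilemma is exactly
    that the /28 is 'connected' on eth0 yet physically lives behind eth1.
    """
    pairs = []
    for i, a in enumerate(table):
        for b in table[i + 1:]:
            if a.prefix == b.prefix and a.dev != b.dev:
                pairs.append((a, b))
    return pairs


# Plan A: the /28 is configured on eth0 only, eth1 carries no address.
PLAN_A = route_table([
    ("0.0.0.0/0", "eth0", "1.2.3.14"),   # constructed upstream gateway
    ("1.2.3.0/28", "eth0", None),        # connected route created by the /28 on eth0
])

# Plan B: same as A, plus a /32 host route for a LAN machine pointing at eth1.
# The longer prefix overrides the connected /28 for that one host only.
PLAN_B = PLAN_A + route_table([
    ("1.2.3.5/32", "eth1", None),        # constructed LAN host
])

# Plan C (deliberately broken): the same /28 claimed on both NICs.
PLAN_C = PLAN_A + route_table([
    ("1.2.3.0/28", "eth1", None),
])


if __name__ == "__main__":
    for name, table in (("A", PLAN_A), ("B", PLAN_B), ("C", PLAN_C)):
        print(f"plan {name}: 1.2.3.5 -> {egress(table, '1.2.3.5')}, "
              f"8.8.8.8 -> {egress(table, '8.8.8.8')}, "
              f"overlaps={len(overlapping_prefixes(table))}")
```

Run it directly to see that under plan A a packet for the LAN host leaves via eth0, that the /32 in plan B pulls just that host onto eth1 while everything else still follows the default route, and that plan C is flagged as ambiguous by `overlapping_prefixes()`. This is a model of the lookup rule only; it says nothing about ARP, which is where a real two-NIC box with an unnumbered interface runs into the next set of questions.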
