From: Rene Gallati
Date: Mon, 01 Nov 2004 15:11:21 +0000
Subject: Re: [LARTC] Howto route through
Message-Id: <41865219.3030302@draxinusom.ch>
References: <41850B0D.9000409@draxinusom.ch>
In-Reply-To: <41850B0D.9000409@draxinusom.ch>
To: lartc@vger.kernel.org

gypsy wrote:
> Rene Gallati wrote:
>
>> Hello list,
>>
>> I'm having a little trouble imagining a setup I'll soon have.
>>
>> I am in the process of getting a routed /28 to my home LAN. What I want
>> to do is to put a linux box in front of the LAN to filter some of the
>> unneeded and potentially dangerous ports. Now the box has 2 NICs, one for
>> the inside, one for the outside.
>>
>> How should I go on to set up those NICs when
>> a) the PCs in the net should have their official IP address from the /28 net
>> and
>> b) the filtering linux box should at the same time have one IP address
>> from the same range for some services it provides
>
> I just finished one of these.
>
> I used proxyARP to make the external interface listen to my 5 (I have a

This is one of the options I am considering at the moment though I lean
a bit more towards transparent bridge-filtering.

> /29 not a /28) IPs. You will be led down the garden path if you try
> just proxyARP; I had to use SNAT rules. You don't (normally) need DNAT,
> but (for me at least) _NOTHING_ will forward without SNAT. My SNAT
> rules start with my first external IP and work up: .154 --to .154 then
> .155 to .155 then .156 to .156 then .157 to .157 and finally .152/29 to
> .158. .153 is my default gateway.
>
> I have asked all over the web for assistance in routing without needing
> SNAT but have not been able to route such that proxyARP works without
> SNAT. If you figure out how to do that, I'd really appreciate it.

I believe I've done it once, in a test environment. Enabling only
proxyArp on the devices in sysctl should be sufficient iff the routing
table is correct for that environment. You also need the same IP address
assigned to both NICs, otherwise you do indeed need SNAT for the return
packets. But when you do that the routing table has the same net on both
interfaces and you need to delete it from the upstream NIC and insert a
simple route that reaches the next hop device there so that it is more
specific than the network /29 route. At least that is about as much as I
remember, but it is some time ago and was on a kernel 2.4 (I'm using 2.6
for quite some time now).

> I then built a rudimentary firewall for this computer. The only
> services it runs are sshd and identd. The firewall's main purpose is to
> protect a Win2K Server that sits on .157. All the other boxes have
> their own firewalls.

I need to protect several machines, some of them are Windows boxes. Mostly
I want to block incoming Windows sharing stuff and the well known RPC ports.

> The beauty of this is that it lets me HTB shape both incoming and
> outgoing packets without IMQ. The problem I have is that I made this
> "front line" computer out of spare parts and the AMD 266 is not enough
> CPU. When HTB starts to queue/delay, things like typing at the keyboard
> become sluggish and packet handling slows.

I have an Athlon 500 ready for this. Hopefully it manages the job even
when in promiscuous mode on the LAN NIC which is a gigE card.

> Read Martin Brown's HOWTO (sorry, I've forgotten the chapter #), the
> LARTC HOWTO (chapter 16.2) and Dave Weiss (Weiss's setup script fails
> but the write up is correct) proxyARP page. You can find these with
> google or I'll post URLs on request.

Thanks, this is certainly one of the things I'll be testing as soon as
the shiny new modems arrive here!

CU René
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
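The setup Rene sketches in the reply above (same address on both NICs, proxy_arp enabled, the subnet route removed from the upstream NIC and replaced by a host route to the next hop, plus a FORWARD filter for the Windows sharing and RPC ports) as an added, self-contained example; it is not code from the thread, and the interface names, the 192.0.2.0/29 block, the gateway .1 and the box address .6 are constructed placeholders to edit before use. The script prints the plan by default and only executes it (as root) when APPLY=1 is set, so it can be reviewed first:

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Proxy-ARP filtering router
# for a routed block, without SNAT. All values below are constructed
# placeholders (RFC 5737 documentation addresses); adjust for your block.
WAN=eth0          # assumption: NIC towards the upstream router
LAN=eth1          # assumption: NIC towards the hosts in the block
NET=192.0.2.0/29  # the routed block (constructed)
GW=192.0.2.1      # upstream next hop, an address inside the block
BOX=192.0.2.6     # address the filter box itself uses on both NICs
PLEN=${NET#*/}    # prefix length taken from NET (29)

# Echo each command; run it only when APPLY=1 (needs root).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Routing side: forward, proxy-ARP on both NICs, one address on both,
# keep the connected route on the LAN side only, host route to GW on WAN.
proxyarp_config() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$WAN.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$LAN.proxy_arp=1"
    run ip addr add "$BOX/$PLEN" dev "$WAN"
    run ip addr add "$BOX/$PLEN" dev "$LAN"
    # the kernel now has NET as a connected route on both NICs; drop the
    # WAN copy so inside hosts are reached via LAN (return path needs no SNAT)
    run ip route del "$NET" dev "$WAN"
    # a /32 to the next hop is more specific than the /PLEN route on LAN
    run ip route add "$GW/32" dev "$WAN"
    run ip route add default via "$GW" dev "$WAN"
}

# Filter side: the box forwards public addresses, so inbound is allowed
# except the Windows sharing / RPC ports named in the thread.
filter_config() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    for port in 135 137 138 139 445; do
        run iptables -A FORWARD -i "$WAN" -p tcp --dport "$port" -j DROP
        run iptables -A FORWARD -i "$WAN" -p udp --dport "$port" -j DROP
    done
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -j ACCEPT
}

# Print the plan (or apply it with APPLY=1 as root).
proxyarp_config
filter_config
```

Because the drop rules are evaluated before the final inbound ACCEPT, a host in the block that runs a public service still gets its traffic, while SMB/NetBIOS/RPC from the outside never reaches the Windows machines; the ESTABLISHED,RELATED rule comes first so replies to inside-initiated connections are not affected by the drops.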