* Re: [LARTC] Howto route through
From: Stef Coene @ 2004-10-31 17:32 UTC (permalink / raw)
To: lartc
On Sunday 31 October 2004 16:55, Rene Gallati wrote:
> Hello list,
>
> I'm having a little trouble imagining a setup I'll soon have.
>
> I am in the process of getting a routed /28 to my home LAN. What I want
> to do is to put a linux box in front of the lan to filter some of the
> unneeded and potentially dangerous ports. Now the box has 2 nics, one for
> the inside, one for the outside.
>
> How should I go on to set up those NICs when
> a) the PCs in the net should have their official IP address from the /28
> net and
> b) the filtering linux box should at the same time have one IP address
> from the same range for some services it provides?
>
> The dilemma I see (maybe it is none but I just don't know):
> if I put it this way, I have the IP of the /28 range on one nic
> and nothing to put on the other?
You can give the nics the same ip address. Just be careful with the routing:
you need to specify the nic when you add a route so the packets are going
out on the interface they have to.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Howto route through
From: Chris Bennett @ 2004-10-31 17:32 UTC (permalink / raw)
To: lartc
What I do is have the linux box claim all of the public IPs as its own, and
then use iptables to DNAT/SNAT to/from private IPs as needed. You can
dedicate a public IP to a specific private IP, so the computer on your
network with that private IP appears to all of the world as if it actually
has the public IP. This has the added advantage that if your public IPs
change for some reason, you just need to update iptables and the computers
on your network will only need slight (if any) tweaking.
In this setup, all of your public IPs are on one ethernet port, and all of
your private IPs are on the other. If you desire, you can give one of the
public IPs to the linux box itself (though for security reasons, I
personally do not do this... in fact, the only traffic I let the linux box
pass to the internet is forwarded packets... nothing originating from
itself).
This may be what you had in mind when you considered the option of a
transparent bridge...
----- Original Message -----
From: "Rene Gallati" <lartc@draxinusom.ch>
To: <LARTC@mailman.ds9a.nl>
Sent: Sunday, October 31, 2004 9:55 AM
Subject: [LARTC] Howto route through
> Hello list,
>
> I'm having a little trouble imagining a setup I'll soon have.
>
> I am in the process of getting a routed /28 to my home LAN. What I want to
> do is to put a linux box in front of the lan to filter some of the
> unneeded and potentially dangerous ports. Now the box has 2 nics, one for
> the inside, one for the outside.
>
> How should I go on to set up those NICs when
> a) the PCs in the net should have their official IP address from the /28
> net
> and
> b) the filtering linux box should at the same time have one IP address
> from the same range for some services it provides?
>
> The dilemma I see (maybe it is none but I just don't know):
> if I put it this way, I have the IP of the /28 range on one nic and
> nothing to put on the other?
>
> Example: Range is 1.2.3.0/28 (1.2.3.0 - 1.2.3.15)
>
> eth0: 1.2.3.1 eth1: ???
> ---- Internet ------- FW Box ------ LAN (1.2.3.0/28)
>
> The FW box should be reachable by both the hosts in the LAN as well as
> from the internet using the assigned IP. Don't I run into trouble having
> an IP on one NIC which belongs to a net that is located on the side of
> another NIC?
>
> I know that the most specific entry (full IP) overrides or wins over the
> less specific ones (the net) but does this setup work so that the LAN
> clients can access the FW box just like every other host on the internet?
> How do I configure eth1? Just bring it up without any IP at all?
>
> Or should I better make the FW box a transparent bridge for the filtering
> with one IP where it reacts itself?
>
> Thanks for all hints
>
> CU
>
> René
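The scheme Chris describes (the firewall owns every public address, each one is mapped 1:1 to a private host with DNAT inbound and SNAT outbound, and only the needed ports are forwarded) rendered as an iptables ruleset. This is an added example, not a script from the thread or from Chris: the interface names eth0/eth1, the public addresses (taken from the thread's 1.2.3.0/28 example) and the private hosts in 192.168.0.0/24 are constructed.

```python
"""Render a 1:1 public/private NAT ruleset for a two-NIC Linux firewall.

Added example; addresses and interface names are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

WAN_IF = "eth0"   # assumption: the outside NIC carrying the public addresses
LAN_IF = "eth1"   # assumption: the inside NIC carrying the private addresses
PUBLIC_PREFIXLEN = 28  # the thread's example range is a /28


def is_valid_mapping(pub: str, priv: str) -> bool:
    """A mapping is sane only if the inside address is RFC 1918 and the
    outside one is not (a swapped pair would NAT the wrong direction)."""
    pub_ip = ipaddress.IPv4Address(pub)
    priv_ip = ipaddress.IPv4Address(priv)
    return priv_ip.is_private and not pub_ip.is_private


def claim_public_addresses(mapping: Dict[str, str]) -> List[str]:
    """Commands that make the firewall own every public IP and forward packets."""
    cmds = ["sysctl -w net.ipv4.ip_forward=1"]
    for pub in mapping:
        cmds.append(f"ip addr add {pub}/{PUBLIC_PREFIXLEN} dev {WAN_IF}")
    return cmds


def one_to_one_nat_rules(mapping: Dict[str, str],
                         allowed_tcp_ports: Iterable[int]) -> List[str]:
    """iptables commands for the 1:1 mapping {public IP: private IP}.

    - PREROUTING DNAT: inbound packets for a public IP are rewritten to its host.
    - POSTROUTING SNAT: the host's outbound packets leave under "its" public IP,
      so it appears to the world as if it had that address.
    - FORWARD is default-deny; only the listed TCP ports are opened towards each
      mapped host, plus replies to connections already tracked by conntrack.
    """
    ports = sorted({int(p) for p in allowed_tcp_ports})
    if any(p < 1 or p > 65535 for p in ports):
        raise ValueError("TCP port out of range")
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for pub, priv in mapping.items():
        if not is_valid_mapping(pub, priv):
            raise ValueError(f"bad mapping {pub} -> {priv}: expected public -> private")
        rules.append(f"iptables -t nat -A PREROUTING -i {WAN_IF} -d {pub} "
                     f"-j DNAT --to-destination {priv}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {WAN_IF} -s {priv} "
                     f"-j SNAT --to-source {pub}")
        if ports:
            rules.append(f"iptables -A FORWARD -i {WAN_IF} -o {LAN_IF} -d {priv} -p tcp "
                         f"-m multiport --dports {','.join(map(str, ports))} "
                         f"-m conntrack --ctstate NEW -j ACCEPT")
        # Outbound from the mapped host is allowed; it is SNATed above.
        rules.append(f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -s {priv} -j ACCEPT")
    return rules


def example_ruleset() -> List[str]:
    # Constructed mapping: two public addresses from the thread's example range.
    mapping = {"1.2.3.2": "192.168.0.10", "1.2.3.3": "192.168.0.11"}
    return claim_public_addresses(mapping) + one_to_one_nat_rules(mapping, [22, 80, 443])


if __name__ == "__main__":
    print("\n".join(example_ruleset()))
```

Running the script prints the commands rather than executing them, so the ruleset can be reviewed before being loaded on the firewall; if the public range changes, only the mapping changes, which is exactly the advantage Chris points out.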
* Re: [LARTC] Howto route through
From: gypsy @ 2004-11-01 2:47 UTC (permalink / raw)
To: lartc
Rene Gallati wrote:
>
> Hello list,
>
> I'm having a little trouble imagining a setup I'll soon have.
>
> I am in the process of getting a routed /28 to my homeLAN. What I want
> to do is to put a linux box in front of the lan to filter some of the
> unneeded and potentially dangerous ports. Now the box has 2 nics, one for
> the inside, one for the outside.
>
> How should I go on to set up those NICs when
> a) the PCs in the net should have their official IP address from the /28 net
> and
> b) the filtering linux box should at the same time have one IP address
> from the same range for some services it provides
I just finished one of these.
I used proxyARP to make the external interface listen to my 5 (I have a
/29 not a /28) IPs. You will be led down the garden path if you try
just proxyARP; I had to use SNAT rules. You don't (normally) need DNAT,
but (for me at least) _NOTHING_ will forward without SNAT. My SNAT
rules start with my first external IP and work up: .154 --to .154 then
.155 to .155 then .156 to .156 then .157 to .157 and finally .152/29 to
.158. .153 is my default gateway.
I have asked all over the web for assistance in routing without needing
SNAT but have not been able to route such that proxyARP works without
SNAT. If you figure out how to do that, I'd really appreciate it.
I then built a rudimentary firewall for this computer. The only
services it runs are sshd and identd. The firewall's main purpose is to
protect a Win2K Server that sits on .157. All the other boxes have
their own firewalls.
The beauty of this is that it lets me HTB shape both incoming and
outgoing packets without IMQ. The problem I have is that I made this
"front line" computer out of spare parts and the AMD 266 is not enough
CPU. When HTB starts to queue/delay, things like typing at the keyboard
become sluggish and packet handling slows.
Read Martin Brown's HOWTO (sorry, I've forgotten the chapter #), the
LARTC HOWTO (chapter 16.2) and Dave Weiss's proxyARP page (Weiss's setup
script fails but the write-up is correct). You can find these with
google or I'll post URLs on request.
gypsy
* Re: [LARTC] Howto route through
From: Rene Gallati @ 2004-11-01 14:44 UTC (permalink / raw)
To: lartc
Stef Coene wrote:
> On Sunday 31 October 2004 16:55, Rene Gallati wrote:
>
>>Hello list,
>>
>>I'm having a little trouble imagining a setup I'll soon have.
>>
>>I am in the process of getting a routed /28 to my homeLAN. What I want
>>to do is to put a linux box in front of the lan to filter some of the
>>unneeded and potentially dangerous ports. Now the box has 2 nics, one for
>>the inside, one for the outside.
>>
>>How should I go on to set up those NICs when
>>a) the PCs in the net should have their official IP address from the /28
>>net and
>>b) the filtering linux box should at the same time have one IP address
>>from the same range for some services it provides
>>
>>The dilemma I see (maybe it is none but I just don't know):
>>if I put it this way, I have the IP of the /28 range on one nic
>>and nothing to put on the other?
>
> You can give the nics the same ip address. Just be careful with the routing:
> you need to specify the nic when you add a route so the packets are going
> out on the interface they have to.
Hm, that is a solution; however, how do I "attract" the traffic for the
PCs in the LAN? I can either assign all IPs as aliases, which looks a bit
crude, or use proxy ARP or bridging to convey the traffic over from one
side to the other.
At the moment, a transparent bridge filter looks like the best idea to me;
however the lan nic is a gigE card so I don't know if running it in
promiscuous mode all the time would be a good idea.
CU
René
* Re: [LARTC] Howto route through
From: Rene Gallati @ 2004-11-01 14:56 UTC (permalink / raw)
To: lartc
Hello,
> What I do is have the linux box claim all of the public IPs as its own,
> and then use iptables to DNAT/SNAT to/from private IPs as needed. You
> can dedicate a public IP to a specific private IP, so the computer on
> your network with that private IP appears to all of the world as if it
> actually has the public IP. This has the added advantage that if your
> public IPs change for some reason, you just need to update iptables and
> the computers on your network will only need slight (if any) tweaking.
That is basically what I am doing currently (with only one IP though
obtained via cablemodem). However the person that makes all of this
happen (SHDSL+ leased line) absolutely wants the public IP on his
machine so I can't go that route.
The IPs however are unlikely to change in the foreseeable future, they
are assigned and the person who makes this possible owns them as he is a
(small) ISP. So changing should not occur.
> In this setup, all of your public IPs are on one ethernet port, and all
> of your private IPs are on the other. If you desire, you can give one
> of the public IPs to the linux box itself (though for security reasons,
> I personally do not do this... in fact, the only traffic I let the linux
> box pass to the internet is forwarded packets... nothing originating
> from itself).
Well at least SSH for management is usually what I do. However I do run
other things on the fw box. Most of it is bound to the lan interface only, so I
don't see any problem with it security-wise.
> This may be what you had in mind when you considered the option of a
> transparent bridge...
No I really meant a transparent bridge as in
brctl addbr br0
brctl addif br0 lan
brctl addif br0 wan
ifconfig lan 0.0.0.0 promisc up
ifconfig wan 0.0.0.0 promisc up
And some netfilter lines to allow forwarding between the interfaces on the
allowed ports. This has the benefit that the filtering box is actually
invisible (no route hop, no traceroute step) and can be taken down and
the cables between lan and wan connected directly without losing connectivity.
I still think that is the best thing for my case as I know the bridge
stuff fairly well. The only issue holding me back is the fact that the
(real) interfaces need to be in promiscuous mode (not 100% sure, need to
test) and the lan nic is a gigE card.
CU
René
* Re: [LARTC] Howto route through
From: Rene Gallati @ 2004-11-01 15:11 UTC (permalink / raw)
To: lartc
gypsy wrote:
> Rene Gallati wrote:
>
>>Hello list,
>>
>>I'm having a little trouble imagining a setup I'll soon have.
>>
>>I am in the process of getting a routed /28 to my homeLAN. What I want
>>to do is to put a linux box in front of the lan to filter some of the
>>unneeded and potentially dangerous ports. Now the box has 2 nics, one for
>>the inside, one for the outside.
>>
>>How should I go on to set up those NICs when
>>a) the PCs in the net should have their official IP address from the /28 net
>>and
>>b) the filtering linux box should at the same time have one IP address
>>from the same range for some services it provides
>
> I just finished one of these.
>
> I used proxyARP to make the external interface listen to my 5 (I have a
This is one of the options I am considering at the moment though I lean
a bit more towards transparent bridge-filtering.
> /29 not a /28) IPs. You will be led down the garden path if you try
> just proxyARP; I had to use SNAT rules. You don't (normally) need DNAT,
> but (for me at least) _NOTHING_ will forward without SNAT. My SNAT
> rules start with my first external IP and work up: .154 --to .154 then
> .155 to .155 then .156 to .156 then .157 to .157 and finally .152/29 to
> .158. .153 is my default gateway.
>
> I have asked all over the web for assistance in routing without needing
> SNAT but have not been able to route such that proxyARP works without
> SNAT. If you figure out how to do that, I'd really appreciate it.
I believe I've done it once, in a test environment. Enabling only
proxy ARP on the devices in sysctl should be sufficient iff the routing
table is correct for that environment. You also need the same IP address
assigned to both nics, otherwise you do indeed need SNAT for the return
packets. But when you do that the routing table has the same net on both
interfaces and you need to delete it from the upstream nic and insert a
simple route that reaches the next hop device there, so that it is more
specific than the network /29 route. At least that is about as much as I
remember, but it is some time ago and was on a kernel 2.4 (I'm using 2.6
for quite some time now).
> I then built a rudimentary firewall for this computer. The only
> services it runs are sshd and identd. The firewall's main purpose is to
> protect a Win2K Server that sits on .157. All the other boxes have
> their own firewalls.
I need to protect several machines, some of them are Windows boxes. Mostly
I want to block incoming Windows sharing stuff and the well known RPC ports.
> The beauty of this is that it lets me HTB shape both incoming and
> outgoing packets without IMQ. The problem I have is that I made this
> "front line" computer out of spare parts and the AMD 266 is not enough
> CPU. When HTB starts to queue/delay, things like typing at the keyboard
> become sluggish and packet handling slows.
I have an Athlon 500 ready for this. Hopefully it manages the job even
when in promiscuous mode on the lan nic which is a gigE card.
> Read Martin Brown's HOWTO (sorry, I've forgotten the chapter #), the
> LARTC HOWTO (chapter 16.2) and Dave Weiss's proxyARP page (Weiss's setup
> script fails but the write-up is correct). You can find these with
> google or I'll post URLs on request.
Thanks, this is certainly one of the things I'll be testing as soon as
the shiny new modems arrive here!
CU
René
* Re: [LARTC] Howto route through
From: Stef Coene @ 2004-11-02 20:04 UTC (permalink / raw)
To: lartc
On Monday 01 November 2004 15:44, Rene Gallati wrote:
> Hm, that is a solution; however, how do I "attract" the traffic for the
> PCs in the LAN? I can either assign all IPs as aliases, which looks a bit
> crude, or use proxy ARP or bridging to convey the traffic over from one
> side to the other.
The isp should route all traffic for your 1.2.3.0/28 range to 1.2.3.1.
From your example: Range is 1.2.3.0/28 (1.2.3.0 - 1.2.3.15)
eth0: 1.2.3.1 eth1: 1.2.3.1
---- Internet ------- FW Box ------ LAN (1.2.3.0/28)
default gw lan machines: 1.2.3.1
default gw firewall: assigned gw from your isp (in 1.2.3.0/28)
ip route add default via 1.2.3.X dev eth0
routes on your firewall: for each lan, going out on eth1:
ip route add 1.2.3.1 dev eth0
(don't know if this works, but it's to make sure packets for the lan
host 1.2.3.1 are leaving out on eth1)
> At the moment, a transparent bridge filter looks like the best idea to me;
> however the lan nic is a gigE card so I don't know if running it in
> promiscuous mode all the time would be a good idea.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
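A longest-prefix-match model of the routing tables discussed in this thread: Stef's firewall table above (1.2.3.1 on both NICs, the /28 on eth1, the default route via the ISP gateway on eth0) and René's earlier point that the gateway, although it lies inside the /28 that sits on the LAN NIC, needs a more specific route out the upstream NIC or the /28 wins the lookup. This is an added example, not code from the thread; the gateway address 1.2.3.14 is a constructed stand-in for Stef's "1.2.3.X".

```python
"""Kernel-style longest-prefix-match over the thread's routing tables.

Added example; 1.2.3.14 is a constructed stand-in for the ISP gateway.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4 = ipaddress.IPv4Address

LAN = IPv4Net("1.2.3.0/28")      # the routed /28 from the thread's example
FW_IP = IPv4("1.2.3.1")          # the firewall, same address on eth0 and eth1
GW = IPv4("1.2.3.14")            # constructed: the ISP's gateway inside the /28
DEFAULT = IPv4Net("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    dev: str
    via: Optional[IPv4] = None   # None means the destination is directly on `dev`


def lookup(table: List[Route], dst: str) -> Route:
    """Of all routes whose prefix contains dst, the longest prefix wins,
    which is why a /32 host route beats the /28 and the /28 beats default."""
    addr = IPv4(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (outgoing interface, address that will be ARPed for on it)."""
    r = lookup(table, dst)
    return r.dev, (str(r.via) if r.via is not None else dst)


def gateway_usable(table: List[Route]) -> bool:
    """Every 'via X dev D' route is only usable if X itself resolves to D.
    Without the host route, GW resolves to eth1 (the /28 side) and the
    kernel rejects 'default via GW dev eth0' unless the route is flagged onlink."""
    return all(lookup(table, str(r.via)).dev == r.dev
               for r in table if r.via is not None)


def firewall_table(with_host_route: bool = True) -> List[Route]:
    table = [
        Route(LAN, "eth1"),                # the /28 is reachable on the LAN NIC
        Route(DEFAULT, "eth0", via=GW),    # ip route add default via 1.2.3.14 dev eth0
    ]
    if with_host_route:
        table.append(Route(IPv4Net(f"{GW}/32"), "eth0"))  # ip route add 1.2.3.14 dev eth0
    return table


def lan_host_table() -> List[Route]:
    # A LAN PC: one NIC, the /28 directly attached, default gateway = the firewall.
    return [Route(LAN, "eth0"), Route(DEFAULT, "eth0", via=FW_IP)]


if __name__ == "__main__":
    fw = firewall_table()
    for dst in ("1.2.3.5", "93.184.216.34", str(GW)):
        print(f"firewall -> {dst}: {egress(fw, dst)}")
    print("gateway usable with host route:", gateway_usable(fw))
    print("gateway usable without it:    ", gateway_usable(firewall_table(False)))
```

The check a practitioner would run on the real box is `ip route get 1.2.3.14` before and after adding the host route: the first form should show the gateway leaving via eth1, the second via eth0, matching what `gateway_usable` reports here.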