* SV: [LARTC] Packet rewriting
@ 2000-10-25 14:42 Daniel
From: Daniel @ 2000-10-25 14:42 UTC (permalink / raw)
  To: lartc

<PRE>I'm not sure what you want, but here is an example:
(Assuming local net is 10.0.0.160/27)

# Accept icmp (for example ping)
ipchains -A output -p icmp -j ACCEPT

# Deny TCP sessions to local network (that is, no one outside
# the firewall may access web, ftp, ... at your local net)
# (Note the -y option)
ipchains -A output -p tcp -d 10.0.0.160/27 -y -j DENY

# Accept any TCP packets to local network
ipchains -A output -p tcp -d 10.0.0.160/27 -j ACCEPT

# Maybe you want some UDP ports open
# Accept port 4000/UDP to local network
ipchains -A output -p udp -d 10.0.0.160/27 4000 -j ACCEPT

# Deny anything else to local network
ipchains -A output -d 10.0.0.160/27 -j DENY

Regards,
Daniel

&gt;<i> -----Original message-----
</I>&gt;<i> From: <A HREF="mailto:lartc-admin@mailman.ds9a.nl">lartc-admin@mailman.ds9a.nl</A>
</I>&gt;<i> [mailto:<A HREF="mailto:lartc-admin@mailman.ds9a.nl">lartc-admin@mailman.ds9a.nl</A>] On behalf of Fredrik Rambris
</I>&gt;<i> Sent: Wednesday, October 25, 2000 3:31 PM
</I>&gt;<i> To: Linux Advanced Routing and Traffic Control
</I>&gt;<i> Subject: [LARTC] Packet rewriting
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> Hello
</I>&gt;<i>
</I>&gt;<i> Now here's a problem I've never thought of before.
</I>&gt;<i>
</I>&gt;<i> We have been given a net from UUNET. The first IP-address (.161) is used
</I>&gt;<i> by their router (which we have no access to fiddle with). I have
</I>&gt;<i> installed a firewall at .162 which will serve both as firewall and
</I>&gt;<i> traffic controller. My question is how do I make the public IP-addresses
</I>&gt;<i> accessible from the outside and still be located behind the firewall?
</I>&gt;<i> Like this
</I>&gt;<i>
</I>&gt;<i> [Internet]--[UU-Router.161]--[Firewall.162]
</I>&gt;<i> I want to be able to put a machine behind the firewall on a public
</I>&gt;<i> IP-address (.163) but still protected by the firewall. I was told that
</I>&gt;<i> this could be done in other firewalls by aliasing the NIC on the outside
</I>&gt;<i> to all public ip-addresses and then have the firewall forward these
</I>&gt;<i> packets to a computer on the inside. Like portforwarding but a whole
</I>&gt;<i> machine (all ports) on all protocols (under IP of course) (not blocked by
</I>&gt;<i> the firewall).
</I>&gt;<i>
</I>&gt;<i> Is this possible with ipchains and some fancy packet rewriting?
</I>&gt;<i>
</I>&gt;<i> Anyone have any tips?
</I>&gt;<i> --
</I>&gt;<i> Admera Solution Provider AB
</I>&gt;<i> Tel: 0733-850 814
</I>&gt;<i> Position: 55°36´13N  13°03´36E
</I>


</PRE>
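The ipchains rules above, as an added model of how ipchains evaluates them (this is illustration code, not part of Daniel's post and not ipchains itself): the first matching rule decides, and -y matches only the SYN that opens a session, so the DENY has to sit before the generic TCP ACCEPT. MISORDERED_CHAIN shows what changes when it does not; the sample packets and the ACCEPT chain policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCAL_NET = ipaddress.ip_network("10.0.0.160/27")

@dataclass(frozen=True)
class Rule:
    target: str                                    # ACCEPT or DENY
    proto: Optional[str] = None                    # -p
    dst: Optional[ipaddress.IPv4Network] = None    # -d
    dport: Optional[int] = None                    # port given after -d
    syn_only: bool = False                         # -y: SYN set, ACK and FIN clear

@dataclass(frozen=True)
class Packet:                                      # constructed sample input
    proto: str
    dst: str
    dport: int = 0
    syn: bool = False  # True only for the packet that opens a TCP connection

# Daniel's five rules in the order -A appended them.
OUTPUT_CHAIN = [
    Rule("ACCEPT", proto="icmp"),
    Rule("DENY", proto="tcp", dst=LOCAL_NET, syn_only=True),
    Rule("ACCEPT", proto="tcp", dst=LOCAL_NET),
    Rule("ACCEPT", proto="udp", dst=LOCAL_NET, dport=4000),
    Rule("DENY", dst=LOCAL_NET),
]

# The same rules with the -y DENY appended after the generic TCP ACCEPT.
MISORDERED_CHAIN = [OUTPUT_CHAIN[0], OUTPUT_CHAIN[2], OUTPUT_CHAIN[1]] + OUTPUT_CHAIN[3:]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Each selector given on the rule must match; omitted ones match anything."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return pkt.syn or not rule.syn_only

def verdict(chain: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy (assumed ACCEPT,
    ipchains' default) applies, e.g. to traffic not aimed at the local net."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy
```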


* SV: [LARTC] Packet rewriting
  2000-10-25 14:42 SV: [LARTC] Packet rewriting Daniel
@ 2000-10-25 16:34 ` Daniel
From: Daniel @ 2000-10-25 16:34 UTC (permalink / raw)
  To: lartc

<PRE>Hi Bert!

It seems he has got a ?.?.?.160/27 net where .161 is the gateway. He may
add a firewall with two ethernet interfaces (like .162 and .163), and then
all computers behind the firewall use .163 as their default gateway. There is no
reason for the computers behind the firewall to be able to talk to the ISP
gateway (.161) (except for testing the firewall).

To use this:

Tell the ISP gateway (.161) to route all packets to .162.
Tell all local computers to use .163 as default gateway.

On the firewall computer:

# Route to the ISP gateway
ip route add 10.1.1.161 src 10.1.1.162 dev eth0 proto kernel table main

# Route .160/27 to local network
ip route add 10.1.1.160/27 dev eth2 table main

# Default route
ip route add 0.0.0.0/0 dev eth1 table main

# Flush cache
ip route flush cache

Regards,
Daniel


&gt;<i> -----Original message-----
</I>&gt;<i> From: <A HREF="mailto:lartc-admin@mailman.ds9a.nl">lartc-admin@mailman.ds9a.nl</A>
</I>&gt;<i> [mailto:<A HREF="mailto:lartc-admin@mailman.ds9a.nl">lartc-admin@mailman.ds9a.nl</A>] On behalf of bert hubert
</I>&gt;<i> Sent: Wednesday, October 25, 2000 6:26 PM
</I>&gt;<i> To: Linux Advanced Routing and Traffic Control
</I>&gt;<i> Subject: Re: [LARTC] Packet rewriting
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> On Wed, Oct 25, 2000 at 03:31:00PM +0200, Fredrik Rambris wrote:
</I>&gt;<i>
</I>&gt;<i> &gt; [Internet]--[UU-Router.161]--[Firewall.162]
</I>&gt;<i> &gt; I want to be able to put a machine behind the firewall on a public
</I>&gt;<i> &gt; IP-address (.163) but still protected by the firewall. I was told that
</I>&gt;<i> &gt; this could be done in other firewalls by aliasing the NIC on the outside
</I>&gt;<i>
</I>&gt;<i> Are you very sure that you have not been given yet another net, and
</I>&gt;<i> that this is only the uplink LAN? The regular arrangement is to have
</I>&gt;<i> two nets, and your .162 machine in both of 'em.
</I>&gt;<i>
</I>&gt;<i> If you really only have one net, you need to do proxy arp for a
</I>&gt;<i> subnet. This means that 162 will pretend to be all computers. You
</I>&gt;<i> also need an extra ethernet card.
</I>&gt;<i>
</I>&gt;<i> &gt; Is this possible with ipchains and some fancy packet rewriting?
</I>&gt;<i>
</I>&gt;<i> You're not really rewriting packets, you're just passing them
</I>&gt;<i> around. I've built a setup like this and it works.
</I>&gt;<i>
</I>&gt;<i> However, I'm not sure how you set up proxy arp in 2.2. There might be three
</I>&gt;<i> ways:
</I>&gt;<i>
</I>&gt;<i> 	1) 'arp'
</I>&gt;<i> 	2) 'ip neigh'
</I>&gt;<i> 	3) '/proc/something/proxy_arp'
</I>&gt;<i>
</I>&gt;<i> 1) Used to work but I seem to remember that it is now deprecated
</I>&gt;<i> 2) may work even if 1) doesn't
</I>&gt;<i> 3) may be the 'new wave', but I'm not sure how it works.
</I>&gt;<i>
</I>&gt;<i> Regards,
</I>&gt;<i>
</I>&gt;<i> bert hubert
</I>&gt;<i>
</I>&gt;<i> --
</I>&gt;<i> PowerDNS                     Versatile DNS Services
</I>&gt;<i> Trilab                       The Technology People
</I>&gt;<i> 'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
</I>&gt;<i>
</I>&gt;<i> _______________________________________________
</I>&gt;<i> LARTC mailing list / <A HREF="mailto:LARTC@mailman.ds9a.nl">LARTC@mailman.ds9a.nl</A>
</I>&gt;<i> <A HREF="http://mailman.ds9a.nl/mailman/listinfo/lartc">http://mailman.ds9a.nl/mailman/listinfo/lartc</A> HOWTO:
</I><A HREF="http://ds9a.nl/2.4Routing/">http://ds9a.nl/2.4Routing/</A>



</PRE>

