* router/firewall
From: Askar Ali Khan @ 2004-07-02 5:35 UTC
To: netfilter
I'm learning a lot of new things here, especially from Mr. Antony Stone; he
is a master :)
Alright, here with another very beginner question :)
My Linux box is part of a LAN where the net is connected via a Windows system.
My Linux box uses the Windows box as gateway to the Internet.
There is another Windows client (1); now I want to make this Linux
box the "gateway/firewall" for that Windows client.
First thing I did was to enable forwarding on my Linux box with:
net.ipv4.ip_forward = 1
My only interface on this Linux box is eth0; I also created another
virtual interface eth0:1. Now I want to accept LAN traffic from the Windows
client on eth0 and forward it "outbound" on eth0:1.
How to? :)
I will appreciate it if someone teaches me both cases:
1) to use the interface eth0 to forward packets
2) also to use the other virtual interface eth0:1 for forwarding
It means I need two separate scripts, one for eth0 and another for eth0:1.
Thanks in advance
Askar
* Re: router/firewall
From: Antony Stone @ 2004-07-02 8:52 UTC
To: netfilter
On Friday 02 July 2004 6:35 am, Askar Ali Khan wrote:
> I'm learning a lot of new things here, especially from Mr. Antony Stone; he
> is a master :)
Please - I do not necessarily know more than other people who are here - I
just happen to answer more of the questions, and possibly answer them a
little sooner than others.
> Alright, here with another very beginner question :)
> My Linux box is part of a LAN where the net is connected via a Windows system.
> My Linux box uses the Windows box as gateway to the Internet.
Sounds like the wrong way round to me - what protects (firewalls) your Windows
machine from all the bad stuff out there on the Internet?
> There is another Windows client (1); now I want to make this Linux
> box the "gateway/firewall" for that Windows client.
>
> First thing I did was to enable forwarding on my Linux box with:
> net.ipv4.ip_forward = 1
>
> My only interface on this Linux box is eth0; I also created another
> virtual interface eth0:1. Now I want to accept LAN traffic from the Windows
> client on eth0 and forward it "outbound" on eth0:1.
> How to? :)
So, you have a Linux machine with only one interface, and you want to make it
a router for a machine on your network, with its upstream gateway being
another machine on the same network?
This sounds like a horribly complicated routing setup to me (this *is* a
routing question, by the way - not a netfilter question), and I really
wouldn't advise doing it.
From a security point of view, if you do not physically separate two networks
by plugging them into different network cards on a router (firewall), then
the security can be so easily bypassed that it is pointless.
From a network management point of view, trying to route packets between
different machines, all on the same physical LAN (and, I suspect, also all on
the same logical subnet), is a very difficult thing to make work (and in my
opinion not something you should even try to make work).
However, to answer your netfilter-specific questions, and educate you about
virtual interfaces:
> I will appreciate it if someone teaches me both cases:
> 1) to use the interface eth0 to forward packets
> 2) also to use the other virtual interface eth0:1 for forwarding
>
> It means I need two separate scripts, one for eth0 and another for eth0:1.
Routing is a separate matter from netfilter - you have to get the routing
working first, and then you can use netfilter to block certain packets so
that they don't get routed.
Secondly, netfilter doesn't allow things like eth0:1 (it won't accept the
colon), so all you do is use the normal interface name (eth0). It's the
same physical interface anyway, and this will do what you want - you can use
-i eth0 and -o eth0 to match packets coming in or going out on eth0:1.
If you *really* want some help getting that weird setup you described earlier
working, you'll need to provide a network diagram with some IP addresses, and
a clear description of what you want routed where and how you think replies
should get routed back again.
I really do not advise it though :)
Regards,
Antony.
--
Having been asked for a reference for this man,
I can confirm that you will be very lucky indeed if you can get him to work
for you.
Please reply to the list;
please don't CC me.
* Re: router/firewall
From: Askar Ali Khan @ 2004-07-02 10:26 UTC
To: netfilter
Lot of new things for me :)
On Fri, 2 Jul 2004 09:52:41 +0100, Antony Stone
<antony@soft-solutions.co.uk> wrote:
>
> On Friday 02 July 2004 6:35 am, Askar Ali Khan wrote:
>
> > I'm learning a lot of new things here, especially from Mr. Antony Stone; he
> > is a master :)
>
> Please - I do not necessarily know more than other people who are here - I
> just happen to answer more of the questions, and possibly answer them a
> little sooner than others.
>
Of course your contribution to this mailing list is great; no one but
you is there with solutions to lots of our problems :)
heh, I don't wanna make you fly with all this sort of praise ;)
/Antony blushes
;)
> > Alright, here with another very beginner question :)
> > My Linux box is part of a LAN where the net is connected via a Windows system.
> > My Linux box uses the Windows box as gateway to the Internet.
>
> Sounds like the wrong way round to me - what protects (firewalls) your Windows
> machine from all the bad stuff out there on the Internet?
Security is not a concern to me here, but Windows is working fine with
my dialup modem.
>
> > There is another Windows client (1); now I want to make this Linux
> > box the "gateway/firewall" for that Windows client.
> >
> > First thing I did was to enable forwarding on my Linux box with:
> > net.ipv4.ip_forward = 1
> >
> > My only interface on this Linux box is eth0; I also created another
> > virtual interface eth0:1. Now I want to accept LAN traffic from the Windows
> > client on eth0 and forward it "outbound" on eth0:1.
> > How to? :)
>
> So, you have a Linux machine with only one interface, and you want to make it
> a router for a machine on your network, with its upstream gateway being
> another machine on the same network?
>
> This sounds like a horribly complicated routing setup to me (this *is* a
> routing question, by the way - not a netfilter question), and I really
> wouldn't advise doing it.
>
> From a security point of view, if you do not physically separate two networks
> by plugging them into different network cards on a router (firewall), then
> the security can be so easily bypassed that it is pointless.
>
> From a network management point of view, trying to route packets between
> different machines, all on the same physical LAN (and, I suspect, also all on
> the same logical subnet), is a very difficult thing to make work (and in my
> opinion not something you should even try to make work).
>
> However, to answer your netfilter-specific questions, and educate you about
> virtual interfaces:
>
> > I will appreciate it if someone teaches me both cases:
> > 1) to use the interface eth0 to forward packets
> > 2) also to use the other virtual interface eth0:1 for forwarding
> >
> > It means I need two separate scripts, one for eth0 and another for eth0:1.
>
> Routing is a separate matter from netfilter - you have to get the routing
> working first, and then you can use netfilter to block certain packets so
> that they don't get routed.
>
> Secondly, netfilter doesn't allow things like eth0:1 (it won't accept the
> colon), so all you do is use the normal interface name (eth0). It's the
heh yeah, that's why iptables always complains whenever I include eth0:1
in a rule; okay, I'll get rid of this virtual interface :)
> same physical interface anyway, and this will do what you want - you can use
> -i eth0 and -o eth0 to match packets coming in or going out on eth0:1.
>
> If you *really* want some help getting that weird setup you described earlier
> working, you'll need to provide a network diagram with some IP addresses, and
> a clear description of what you want routed where and how you think replies
> should get routed back again.
>
> I really do not advise it though :)
hmm, I don't know how to create a diagram, however I'm trying to give you an idea:
1) Windows machine, IP 192.168.0.1 (connected to the Internet via dialup modem) ------> A
2) Linux machine, IP 192.168.0.2 ----> B
3) Another Windows machine, 192.168.0.3 -----> C
It's a very simple LAN :) What I want to do is, instead of traffic for the
Internet going C-------> A, A---------> C,
it travels C-----> B-------> A, A----> B-----> C,
so that only C uses the Linux box as router/firewall; all the traffic
from C first travels to B and then to A. :)
Regards
Askar
>
> Regards,
>
> Antony.
>
> --
> Having been asked for a reference for this man,
> I can confirm that you will be very lucky indeed if you can get him to work
> for you.
>
> Please reply to the list;
> please don't CC me.
>
>
* Re: router/firewall
From: Patrick Leslie Polzer @ 2004-07-02 10:50 UTC
To: netfilter
Hello Askar,
On Fri, 2 Jul 2004 15:26:56 +0500
Askar Ali Khan <askarali@gmail.com> wrote:
> Of course your contribution to this mailing list is great; no one but
> you is there with solutions to lots of our problems :)
> heh, I don't wanna make you fly with all this sort of praise ;)
> /Antony blushes
> ;)
Well, so I'm going to help out a bit now, too ;)
> It's a very simple LAN :) What I want to do is, instead of traffic for the
> Internet going C-------> A, A---------> C,
> it travels C-----> B-------> A, A----> B-----> C,
> so that only C uses the Linux box as router/firewall; all the traffic
> from C first travels to B and then to A. :)
1) On C, set your default gateway to B's IP.
2) Turn on IP forwarding on B (IIRC it's /proc/sys/net/ip_forwarding)
3) See that B is accepting FORWARDing from C to A and back.
Only 3) is Netfilter stuff.
A small note: please quote only relevant parts next time; thanks.
Kind regards,
Leslie
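The steps Leslie lists (forwarding on B, FORWARD rules between C and A), together with Antony's point that netfilter matches the physical interface with -i eth0 / -o eth0 rather than eth0:1, as one added example script. This is not code from the thread or from the netfilter project; it assumes the addresses from Askar's layout (A 192.168.0.1 as the dialup gateway, B 192.168.0.2 the Linux box with a single eth0, C 192.168.0.3 the client) and uses the net.ipv4.ip_forward sysctl that Askar already set. Two things the thread only hints at are added here as this example's own assumptions: because B forwards packets back out the interface they arrived on, it would send ICMP redirects telling C to talk to A directly, so send_redirects is turned off; and because A is on the same subnet as C, A would reply straight to C and bypass B unless C's traffic is source-NATed to B's address. Step 1 (C's default gateway set to B) is done on the Windows client and is not part of the script. By default the script only prints the commands it would run; set IPT=iptables and SYSCTL=sysctl to apply them as root.

```shell
#!/bin/sh
# Added example (not from the thread). Layout assumed from Askar's message:
#   A = 192.168.0.1  Windows box with the dialup modem (upstream gateway)
#   B = 192.168.0.2  Linux box, single interface eth0, acting as router/firewall
#   C = 192.168.0.3  Windows client that should route via B
# Dry run by default: IPT and SYSCTL expand to "echo ...", so nothing is changed.

A_IP=192.168.0.1
B_IP=192.168.0.2
C_IP=192.168.0.3
IFACE=eth0                         # netfilter takes eth0, never eth0:1
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Step 2 of Leslie's list: let B forward packets. The sysctl key is
# net.ipv4.ip_forward (the value Askar set), not /proc/sys/net/ip_forwarding.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # Assumption of this example: with one interface, B forwards C's packets
    # back out eth0 and would send ICMP redirects pointing C straight at A,
    # which routes the traffic around the firewall again. Disable them.
    $SYSCTL -w "net.ipv4.conf.$IFACE.send_redirects=0"
}

# Step 3: FORWARD policy DROP, then allow only C's traffic and its replies.
# Both -i and -o name the same physical interface, as Antony describes.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections C opened (and related traffic such as ICMP errors)
    $IPT -A FORWARD -i "$IFACE" -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from C only; B's own default route sends them on to A
    $IPT -A FORWARD -i "$IFACE" -o "$IFACE" -s "$C_IP" -m state --state NEW -j ACCEPT
    # Assumption of this example: A sits on the same subnet as C, so without
    # NAT its replies go directly to C and never pass B. Rewrite C's source
    # address to B's so the reply path is forced back through the firewall.
    $IPT -t nat -A POSTROUTING -o "$IFACE" -s "$C_IP" -j SNAT --to-source "$B_IP"
}

# Print (or apply, if IPT/SYSCTL are set) both steps.
enable_forwarding
forward_rules
```

Run it once without variables to review the generated commands, then `IPT=iptables SYSCTL=sysctl sh ./router.sh` as root on B. The NAT rule means A only ever sees B's address; if A's dialup setup should instead see C directly, the alternative is a host route on A for C via B, which the script does not attempt.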