LinuxQuestions.org
Old 04-06-2005, 04:56 PM   #1
RussellPreece
LQ Newbie
 
Registered: Apr 2005
Posts: 8

Rep: Reputation: 0
Debian Iptables Router Setup


Hi,

I'm trying to set up my Debian distro box as a perimeter firewall for my network, which has a real IP range (/29) provided by my DSL provider. I have a Zyxel router which currently has one of the real IPs as its LAN IP address, and the other PCs on my network have an address each, including my Linux box. What I want to do is to add another netcard to the Linux box and use it to firewall the range. Now I know I can't split the real subnet, so I was trying to find a way to do the following:

ISP -> ADSL Router -> Debian box -> Network

Where the real IPs are only used on the internal Debian NIC "eth0" and the network. This being the case, would I have to set up another "temporary" range for use on the internal side of the ADSL router, and the external side "eth1" of the Debian box, then use something like bridging to forward the whole range to the Debian box to route and firewall to the network?

I'm not sure if this is the intended use for bridging, but wondered if it would work. Do I mean routing? I have both a static route option and bridge option on the router.

For example, would I set the ADSL internal IP to 10.0.0.1 and the Debian box eth1 to 10.0.0.2, then set up a static route in the router for xxx.xxx.xxx.160/29 to go to 10.0.0.2? Would this route the whole range and allow me to use one address on eth0 of the Debian box and the rest of the addresses (forwarded by iptables) to the rest of the network?

I know how to configure iptables, and I'm pretty sure if I do "echo 1 > /proc/sys/net/ipv4/ip_forward" that I can successfully sort out the routing and forwarding from the Debian box, but wondered if anyone knew if the routing (or bridging) from the ADSL router would give me the desired results?

Russell Preece
 
Old 04-06-2005, 09:37 PM   #2
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
You shouldn't have any problems just placing the DSL router into bridging mode and putting the public subnet on your eth1 interface (xxx.xxx.xxx.160/29) and your private 10.0.0.0/24 on eth0. I'd assume the gateway would be .161, so just put .162 on eth1 and add the default gateway route for .161 ...

After that, just set up your forwarding and state matching rules and NAT against eth1 outbound (POSTROUTING rule) and you should be sweet.

BTW, for NAT, it'll be something like:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to xxx.xxx.xxx.162

hope that helps.

Last edited by angrybeaver; 04-06-2005 at 09:41 PM.
 
Old 04-07-2005, 01:40 AM   #3
RussellPreece
LQ Newbie
 
Registered: Apr 2005
Posts: 8

Original Poster
Rep: Reputation: 0
Sorry, I think you misunderstood what I was trying to achieve. I was trying to reserve the public range for the internal network (internal side of the Debian box and the rest of the network devices), therefore avoiding NAT. I just wondered if the best practice was to set up an interim network (the 10. suggestion) to fill the gap between the internal side of the router and the external side of the Debian box, and static route or bridge over it...
 
Old 04-07-2005, 06:02 PM   #4
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
aah. oops

So, your DSL has its own public IP (on a different subnet), and then the /29 is routed across that link? If this is the case, then no problems with having a little private subnet between your Debian box and the DSL router. Just set up the route on the DSL to point through to 10.0.0.2 like you said. The only problem may be when your Debian machine needs to see the interweb - so NAT will need to be set up for the 10.0.0.0/24 range on the DSL router.

If this is not the case, and you just have the /29 to work with, then it may be a little tricky.

ie, for x.x.x.160/29 :

.161 -> .162
ISP -> ADSL Router

You could split the /29 into a /30 but you'd lose too many IPs to network/broadcast/gateway IPs for this to be useful.

Alternately you could bridge the ADSL against eth1, and then alias eth1:0, eth1:1 etc. for all the other IPs in the range. From there, set up INPUT/PREROUTING/FORWARD/POSTROUTING iptables rules to forward everything on each aliased interface through to whichever LAN host needs to be accessible from the internet. Some overhead in the translation, but it gets you out of trouble (and you can tweak the firewall in one place).

You could maybe, *maybe*, put everything which should have a public IP onto the same switch, bridge the DSL as before and set up the IPs on whatever equipment needs them. You may need to set up some wacky routes and proxy ARPing for this to happen though.

hope that makes a little more sense.

Last edited by angrybeaver; 04-07-2005 at 06:04 PM.
 
Old 04-08-2005, 06:41 AM   #5
RussellPreece
LQ Newbie
 
Registered: Apr 2005
Posts: 8

Original Poster
Rep: Reputation: 0
Yup, that's correct - the router gets a "framed" IP address on the WAN side and then the range is routed over it. So you're saying the following config would be OK?

ADSL Router External: (81.xxx.xxx.203)
ADSL Router Internal: 10.0.0.1
ADSL Router Static Route 213.xxx.xxx.160/29 -> 10.0.0.2

Debian External: 10.0.0.2 - crossover to ADSL Router
Debian Internal: 213.xxx.xxx.163 - connected to switch

Rest of network using 213.xxx.xxx.161,2,4,5,6

What would happen when the Debian box goes out to the net? Would it be from the 10 address or the 213 address? If by default from the 10 address, how do I get it to use the 213 as its "from" IP address?

Thanks for your help - I'm changing it this weekend and was just gonna do it and play, but would rather check that it's gonna work first.
 
Old 04-08-2005, 07:32 AM   #6
slacky
Member
 
Registered: Feb 2004
Location: USA
Distribution: Debian
Posts: 174

Rep: Reputation: 16
You can make a Debian box with two (or more) NICs into a "transparent bridging firewall" - pretty much you configure bridging between the NICs, and the Linux box is pretty much a two-port switch that's smart enough to do firewalling, and a switch doesn't even need an IP address (although it's easier to manage if it does). A little easier to set up if you use a 2.6 series kernel, as the 2.4 series requires patching to get netfilter to see the bridged traffic. You can then use ebtables to filter Ethernet traffic and iptables to filter IP traffic.

http://bridge.sourceforge.net/
http://ebtables.sourceforge.net/
http://www.securityfocus.com/infocus/1737

Plus you can also do traffic shaping with Linux, probably on any solution you come up with; you might want to look into that later when you get this figured out.
 
Old 04-08-2005, 09:15 AM   #7
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
You mentioned that you're getting a Framed-IP from the ISP - does this mean you had to set up the DSL router for PPPoE/PPPoA? If so, put the DSL into bridging mode and set up PPPoE on eth1. If eth0 is in the /29 subnet, there'll already be a route for it on the Debian box, so just turn on forwarding and you should be away. No need to configure any translations or strangeness to do with the 10.0.0.0/24 range.

There's always the first option of using a private subnet if you're not authenticating over PPP, but you will need to NAT traffic originating from 10.0.0.0/24 on the WAN interface of the ADSL router (81.xxx.xxx.203) - if you don't NAT this traffic, you'll find that everything on the routed subnet can talk to the internet, but the Debian box can't. Whether or not you can NAT on specific subnets really depends on the feature set of your Router, however.

So, for the PPPoE option, something like:

ISP Static Route 213.xxx.xxx.160/29 -> 81.xxx.xxx.203
ADSL Router External: (n/a - bridging mode)
Debian ppp0 External: 81.xxx.xxx.203 - crossover to ADSL Router : route add default dev ppp0
Debian eth0: 213.xxx.xxx.163 - connected to switch
Rest of network using 213.xxx.xxx.161,2,4,5,6

If you want to talk to the DSL for any reason (i.e. to configure or debug it), then there's nothing stopping you from still setting the ADSL LAN IP to 10.0.0.1 and then the eth1 interface to 10.0.0.2. All your outbound traffic will head out the PPP interface anyway, so this subnet will just be for talking to the router. Just don't set up a default gateway to 10.0.0.1 or there'll be confusion.

I can give you sample PPPoE configs if you like. I'm running this sort of PPPoE setup at home, with a basic Netcom NB1300 in bridging mode.

slacky makes some good points though. The only thing I'm not too sure about is whether you can force traffic out an Ethernet interface and expect it to pop out the other end (like a PPP adapter). If you're getting a Framed IP (81.xxx.xxx.203), then chances are a bridging setup may not work correctly unless you have an upstream gateway to send traffic to, i.e. another host in the 81.xxx.xxx.0 range, or whatever subnet your ISP is using.

Last edited by angrybeaver; 04-08-2005 at 09:19 AM.
 
Old 04-08-2005, 09:29 AM   #8
RussellPreece
LQ Newbie
 
Registered: Apr 2005
Posts: 8

Original Poster
Rep: Reputation: 0
Interesting! So you're saying that just by enabling bridge mode the Debian box will assume the WAN IP that my ISP statics to me on a ppp0 interface, as opposed to on the eth1 interface? The router is set up with PPPoA to the ISP, so would this be compatible and just pass the IP down the crossover?

The option in my Zyxel router for bridging is:

Menu 12.3.1 - Edit Bridge Static Route

Route #: 1
Route Name= ?
Active= No
Ether Address= ?
IP Address=
Gateway Node= 1

So I'd fill out the Debian box's external NIC MAC as the Ether Address, but what would I put in the IP Address - the 81.xxx.xxx.203?

And how would I enable PPPoE on eth1 of the Debian box?

This would be the ideal setup as then, like you say, I could ignore the router part completely.
 
Old 04-08-2005, 09:33 AM   #9
RussellPreece
LQ Newbie
 
Registered: Apr 2005
Posts: 8

Original Poster
Rep: Reputation: 0
As for the upstream gateway, the next hop from my DSL will change depending on which LNS I jump to (randomly, if my DSL drops) at my ISP, although there is another hop further up which stays the same for all the LNSs. Would this work?
 
Old 04-08-2005, 06:42 PM   #10
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
Well, you don't put the WAN IP on eth1... you don't even have to give eth1 an IP if you don't want to...

If you 'apt-get install pppoe' it will install pppoe, and should also generate an /etc/ppp/peers/dsl-provider file. If you have a look at this file there'll be a line like:

pty "/usr/sbin/pppoe -I eth1 -T 80 -m 1452"

So this is where you specify the interface your LLC packets will be sent out. It doesn't matter what IP this interface has, or if it even has an IP; it just needs to be up. For example, my /etc/network/interfaces file just contains:

auto lo
iface lo inet loopback

auto eth0 eth1

iface eth0 inet static
address 210.x.x.1
netmask 255.255.255.240
network 210.x.x.0

The only reason for having an IP on eth1 will be to talk directly to the ADSL, like so:

# uncomment this to talk directly to the netcomm
#iface eth1 inet static
# address 192.168.1.2
# netmask 255.255.255.0
# broadcast 192.168.1.255
# network 192.168.1.0

Putting your ADSL router into bridging mode should just have it pass through whatever packets it sees on each interface transparently. Not sure why it needs that config information, but I guess if you have to fill it in, then maybe these settings (you might need to play with them to get it working):

Route #: 1
Route Name= debian box
Active= yes
Ether Address= aa:bb:cc:dd:ee:ff
IP Address= 81.xxx.xxx.203
Gateway Node= 1

Back to the PPPoE stuff, a config like this should be okay for you (just create a new /etc/ppp/peers/dsl-provider file and back up the dpkg one):

#################################################################
# Configuration file for PPP, using PPP over Ethernet
# to connect to a DSL provider.
#
# See the manual page pppd(8) for information on all the options.

user myusername@myprovider.net
pty "/usr/sbin/pppoe -I eth1 -T 80 -m 1452"
noipdefault
defaultroute
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
connect /bin/true
noauth
persist

#################################################################

In /etc/ppp/options maybe uncomment 'debug' and set a 'kdebug' level so you can diagnose any problems.

Just plug your username/password (if required) into your /etc/ppp/pap-secrets or chap-secrets file so it uses the correct authentication (i.e. where I've put myusername@myprovider.net, put in your own username, and then specify the password in the secrets file).

Have a look through the ppp documentation to see if there's anything else you might want to do, but this basic setup should get it working, on the proviso that the DSL router will bridge the way it's meant to.

BTW, to start and stop the PPPoE dialer, just type in 'pon {peersfilename}' or 'poff {peersfilename}' ... so 'pon dsl-provider' by default etc. If it works, then add it to your ppp startup script in /etc/init.d/.

If everything works as expected, you should have an interface list something like this (substituting my IPs for yours, obviously):

eth0 Link encap:Ethernet HWaddr 00:40:95:07:1E:0C
inet addr:210.x.x.1 Bcast:210.x.x.15 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:216346 errors:0 dropped:0 overruns:0 frame:0
TX packets:280106 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:59486081 (56.7 MiB) TX bytes:274249330 (261.5 MiB)
Interrupt:11 Base address:0xc400

eth1 Link encap:Ethernet HWaddr 00:48:54:1D:A6:C6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:181404 errors:0 dropped:0 overruns:0 frame:0
TX packets:184239 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:156260960 (149.0 MiB) TX bytes:36648573 (34.9 MiB)
Interrupt:10 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:23128 errors:0 dropped:0 overruns:0 frame:0
TX packets:23128 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13193407 (12.5 MiB) TX bytes:13193407 (12.5 MiB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:210.x.x.69 P-t-P:210.x.x.7 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:43271 errors:0 dropped:0 overruns:0 frame:0
TX packets:43928 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:41109018 (39.2 MiB) TX bytes:5220098 (4.9 MiB)

and a routing table something like:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
210.x.x.7 * 255.255.255.255 UH 0 0 0 ppp0
210.x.x.0 * 255.255.255.240 U 0 0 0 eth0
default 210.x.x.7 0.0.0.0 UG 0 0 0 ppp0



good luck

Last edited by angrybeaver; 04-08-2005 at 09:25 PM.
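A firewall script for the layout angrybeaver describes above (public range routed onto eth0, PPPoE default route on ppp0, no NAT), added here as an example and not code from the thread or from any poster. It assumes the placeholder range 203.0.113.160/29 and the interface names from the posts, and prints the rules instead of applying them when IPT is set to "echo iptables".

```shell
#!/bin/sh
# Stateful forwarding firewall for a routed public /29 behind ppp0, no NAT.
# Constructed example: addresses are placeholders, not the thread's real ones.
# Run as "./fw.sh apply" to install; set IPT="echo iptables" to dry-run.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"                 # PPPoE interface carrying the framed IP
LAN_IF="${LAN_IF:-eth0}"                 # switch side, holds one /29 address
PUB_NET="${PUB_NET:-203.0.113.160/29}"   # routed public range (placeholder)
# LAN hosts reachable from the internet, as "ip:port:proto" entries (assumed)
SERVICES="${SERVICES:-203.0.113.161:80:tcp 203.0.113.161:443:tcp}"

apply_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    # Anti-spoofing: our own public range, RFC1918 space and loopback must
    # never arrive from the ISP side (the framed IP lives outside PUB_NET).
    for net in "$PUB_NET" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT   -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done
    # Without NAT only real PUB_NET sources may leave through the WAN side.
    $IPT -A FORWARD -i "$LAN_IF" ! -s "$PUB_NET" -j DROP

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$PUB_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PUB_NET" -j ACCEPT
    # Inbound: only the published services on the listed LAN hosts
    for svc in $SERVICES; do
        host=${svc%%:*}; rest=${svc#*:}; port=${rest%%:*}; proto=${rest#*:}
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$host" -p "$proto" \
             --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# The box must route, and reverse-path filtering backs up the anti-spoof rules.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
}

# Dry-run helpers: render the ruleset and count the filter rules it adds.
render_rules() { ( IPT="echo iptables"; apply_rules ); }
rule_count() { render_rules | grep -c '^iptables -A'; }

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_rules
fi
```

Review the dry-run output (`IPT="echo iptables" ./fw.sh apply` or `render_rules`) before installing it, since the default DROP policies lock out any path the rules do not allow.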
 
Old 04-11-2005, 04:27 AM   #11
RussellPreece
LQ Newbie
 
Registered: Apr 2005
Posts: 8

Original Poster
Rep: Reputation: 0
Curious. I'm not sure that the PPPoE thing will work though, as my connection is PPPoA, and the router already logs in for me, so surely the username information would be redundant?

Maybe this is why it is asking for those settings?
 
Old 04-11-2005, 06:35 PM   #12
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
I'm 99% sure you just need pppoe, as the ADSL router will be performing the translation from Ethernet packets to ATM frames. ATM kernel and pppd patches are still in their infancy, I think. I tried getting my modem to talk ATM on the wire and this setup still worked without problems, anyway.

Authenticating on the DSL router won't work properly, if it even works at all. If it does work, you may experience some pretty heavy packet loss. It comes back to the problem of not being able to set an Ethernet interface as a default gateway device, as you're receiving a framed IP over PPP. The reason I'm choosing a PPP adapter is that the protocol permits me to just pump data into the PPP interface, not know anything about the peer IP, and expect the packets to just pop out the other end - perfect for your type of setup.

i.e.

works: route add default dev ppp0

doesn't work: route add default dev eth1

Someone else's comments would be appreciated, in case I'm making no sense at all.

You may need to play with your bridging settings to get this working for you. If worse comes to worst, you could always go with the first option of a private subnet between eth1 and the DSL, but then there's the problem of NAT for the 10.0.0.0/24 range.

Last edited by angrybeaver; 04-11-2005 at 06:36 PM.
 
Old 04-12-2005, 12:24 PM   #13
RussellPreece
LQ Newbie
 
Registered: Apr 2005
Posts: 8

Original Poster
Rep: Reputation: 0
Right, after completely trashing my Debian box over the weekend (disk errors all over the shop somehow) I've reinstalled him (which he needed anyway) and I've got the bits necessary from work to try this out.

Looking at other threads about this as well (not that I don't trust you, angrybeaver!) I'm pretty confident that it will work. The only worry was the PPPoE -> PPPoA translation, but your theory has reassured me.

Fingers crossed - I'll post back here when it's up and running and nicely firewalled!
 
Old 04-13-2005, 05:22 AM   #14
RussellPreece
LQ Newbie
 
Registered: Apr 2005
Posts: 8

Original Poster
Rep: Reputation: 0
Woohoo!

The PPPoE thing worked, and I now have a nice ppp0 interface picking up the Framed IP address, and the range is routed perfectly to the rest of the network. Got the iptables rules set up, and after a quick "nmap 213.xxx.xxx.160/29" from a box at work, I can confirm that it's all set up and working perfectly!

I'm so chuffed, I've been trying to get this done for ages now.

angrybeaver, if you have a PayPal account, please mail me the address, as I owe you a couple of beers for your help.
 
Old 04-13-2005, 06:26 AM   #15
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

Rep: Reputation: 17
Just glad it worked out for you.
 
  

