LinuxQuestions.org
Old 06-16-2003, 01:31 PM   #1
nicedreams
LQ Newbie
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 26

Rep: Reputation: 15
Question router/firewall/nat/dhcp with 5 NICs?


This is my post I copied from neowin, but no one knows how to help me so I'm just copying and pasting it here. Hope someone can help.
-------------------------------------
I need to make a router/dhcp/firewall/nat for my work of about 10 users.

I need it to be able to share the internet between these 3 subnets and I don't want the subnets to be able to see each other so people can't see the PCs and Server on each subnet. And of course protection from the internet.

I'm thinking of using a PC with LINUX and 5 NICs to do this. I've seen some floppy firewalls that look good I guess, but only support 2 nics.

Can someone help me on a script to do this? I'll probably use Redhat and rebuild the kernel. I'm intermediate with LINUX so I'm not the bomb with scripting, but I can figure it and I know what I'm doing.
------------------------------------
It is a cost issue since we don't have many people on this network. We are a small company and I love PIX's. I told them I can probably make them a router/nat/dhcp/firewall to split between these 3 subnets.

So I'd buy a mobo and put 5 NICs in it and install Linux and do the script.

Right now we have 3 different companies all on the same subnet, and our server and the other servers can be seen by everyone. These 3 companies are basically in the same building, but in different rooms. We are in a small plaza type deal and we lease the rooms out to other small businesses.

We want to make it so no one can see each other, but share the same internet. I want a DMZ because they are talking about maybe using an FTP server or something in the future.

I'll explain more if needed. I'm going to look into the PIX, but hope it doesn't cost too much for what we want.
 
Old 06-16-2003, 01:41 PM   #2
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
If the machine is going to be a designated firewall/router/dhcp then you could try something like smoothwall. It seems to be everybody's favorite choice for this type of project.
 
Old 06-16-2003, 02:08 PM   #3
nicedreams
LQ Newbie
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 26

Original Poster
Rep: Reputation: 15
Do you know if it supports 3 subnets? I can't find that info on their site. I've seen a few router/firewall distros on floppy, but they only support 2 nics.

I need support for at least 3 subnets and a DMZ.

Thanks for the link though. Looks cool. I've been reading up on FrazierWall which is pretty cool floppy distro, but only 2 NICs.
 
Old 06-16-2003, 04:24 PM   #4
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 587

Rep: Reputation: 32
Hi.
Please explain to me why you wrote about 5 NICs?
I see the necessity of 4 only (3, one for each of the subnets, and a 4th for the internet). Am I right?

Regarding the matter I propose to
1. set up a DHCP server giving constant IPs to all of the machines based on their MACs; this way you can create 3 separate networks (for instance within 192.168.0.0/16)
2. set up netfilter to control the packet traffic between the subnets independently; if there is a risk of IP spoofing (or just improper configuration of the client's box) you can use MAC-based netfilter rules.

As far as the 3rd (4th) NIC is concerned, just use ifconfig eth2 (eth3) up to get it running. Any problems with it?
 
Old 06-16-2003, 05:05 PM   #5
nicedreams
LQ Newbie
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 26

Original Poster
Rep: Reputation: 15
The 5th NIC is for a DMZ. They are talking about maybe adding an FTP server in the future, but dunno. Maybe not.

I'm intermediate with Linux so I basically know what I'm doing, but not the best.

I've made a DHCP script back in the day, but what I'm trying to do now is new to me with Linux. I'm willing to keep learning and try whatever it takes.

Have to learn somehow...
 
Old 06-16-2003, 11:57 PM   #6
nicedreams
LQ Newbie
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 26

Original Poster
Rep: Reputation: 15
I found this program from my other post on Neowin called freesco. I'm gonna look more into that one.

www.neowin.net
www.freesco.org
 
Old 06-17-2003, 12:26 AM   #7
jvannucci
Member
 
Registered: Jan 2003
Location: Connecticut, US
Distribution: Red Hat 9.0
Posts: 98

Rep: Reputation: 15
I agree with dorian33. This should all just work with minor changes. But be careful. There's a lot involved to make sure you're as secure as you think you are. I highly recommend "Building Secure Servers with Linux; Michael D. Bauer; O'Reilly". Very good discussion of perimeter networks, firewalls, routers, three-homed firewalls, DMZs, etc.
 
Old 06-17-2003, 03:01 AM   #8
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
well, i'll write some hypothetical iptables rules for 3 subnets that can't see each other:

subnets: 192.168.1.0 , 192.168.2.0, 192.168.3.0

Code:
iptables -P FORWARD DROP  #DO NOT FORWARD ANYTHING

then to share the internet connection:

iptables -A POSTROUTING -t nat -s 192.168.0.0/16 -o eth0 -j SNAT --to $INTERNET_IP   # SNAT is only valid in POSTROUTING, and -o only makes sense there

or if you are MASQUERADING instead:

iptables -A POSTROUTING -t nat -s 192.168.0.0/16 -o eth0 -j MASQUERADE   # MASQUERADE is only valid in POSTROUTING

protection from the internet:

Code:
iptables -P INPUT DROP ### dont let anything in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
#the above allows connections that were established by us

iptables -A INPUT -p tcp --dport $PORTOFCHOICE -j ACCEPT
#the above allows connections on PORTOFCHOICE (like 80 or 22...etc)
the FORWARD rule prevents packets from being forwarded through your router (i.e. from subnet to subnet)


---DHCP---

dhcp is easy stuff and from what i gathered from what someone on here told me, it will sort out which NIC to give which IPs on:

here is a sample entry in /etc/dhcpd.conf:

Code:
subnet 192.168.2.0 netmask 255.255.255.0 {
    option domain-name "decatur-sub";
    option subnet-mask 255.255.255.0;
    range dynamic-bootp 192.168.2.100 192.168.2.200;
}

that is actually my entire dhcpd.conf file

you could add subnets as you like and there are more options you can have but really all you need for successful basic dhcp service is the ip range, the netmask and dns servers, oh, and the default gateway (router). the rest seems like fluff to me...but that's because i had no need for those other options.

1.so we have subnets and no one can see anyone
2.half done protection from the net
3.dhcp

the DMZ part is something i dont know about in terms of setting it up on a linux box. i'm familiar with the check box and ip option on home routers but on linux....no clue. but if i wanted a host visible to the internet, i'd just do this:


iptables -A PREROUTING -t nat -d $MYIPADDRESS -j DNAT --to $DMZHOST

that forwards ALL incoming (MYIPADDRESS = the ip of the router) to the DMZHOST (the internal ip of the FTP server)

i guess you could set up a separate chain for incoming that has the rules listed in a way so that you could forward (or not) other ports, then use the DMZ as a catch all for the rest of the ports.

hope this helped to shed more light.
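The pieces above (FORWARD DROP, NAT out the WAN side, a default-deny INPUT chain, and a DNAT for a DMZ host), combined into one script for the five-NIC layout nicedreams described (one WAN link, three tenant subnets, one DMZ). This is an added example, not code posted in the thread: it keeps the NAT rules in POSTROUTING, publishes only the FTP control port of the DMZ host instead of DNATing every incoming packet to it, and adds a per-NIC source check so a box that hand-sets an address from another tenant's range is dropped. Interface names, the subnets, the placeholder WAN address and the FTP host are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: iptables ruleset for a five-NIC router
# (WAN + three tenant subnets + DMZ). Interface names, addresses and the
# FTP host below are assumptions for illustration.

WAN=eth0                    # link to the modem/router
WAN_IP=203.0.113.10         # placeholder public address (RFC 5737 documentation range)
DMZ=eth4; DMZ_FTP=192.168.100.10   # hypothetical FTP server in the DMZ
# tenant NIC / subnet pairs
LAN1=eth1; NET1=192.168.1.0/24
LAN2=eth2; NET2=192.168.2.0/24
LAN3=eth3; NET3=192.168.3.0/24

# Dry-run by default: the rules are printed for review instead of applied.
# Run as root with the argument "apply" to load them for real.
IPT="echo iptables"
[ "${1:-}" = apply ] && IPT=iptables

# Rules shared by every tenant segment: $1 is the NIC, $2 its subnet.
tenant_rules() {
    # DHCP requests arrive from 0.0.0.0, so the server rule must not filter on source.
    $IPT -A INPUT -i "$1" -p udp --dport 67 -j ACCEPT
    # Anti-spoofing: a packet entering a tenant NIC must carry that tenant's range,
    # so a misconfigured or hostile box cannot borrow another subnet's address.
    $IPT -A FORWARD -i "$1" ! -s "$2" -j DROP
    # Tenant -> internet, and tenant -> DMZ on the FTP control port only.
    $IPT -A FORWARD -i "$1" -o "$WAN" -s "$2" -j ACCEPT
    $IPT -A FORWARD -i "$1" -o "$DMZ" -s "$2" -d "$DMZ_FTP" -p tcp --dport 21 -j ACCEPT
    # No rule ever pairs two tenant NICs, so tenant-to-tenant traffic hits the DROP policy.
}

build_firewall() {
    $IPT -F; $IPT -t nat -F; $IPT -X; $IPT -t nat -X
    # Default deny for traffic to the router and through it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections we allowed, in both chains.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything from the internet claiming a private source address is bogus.
    $IPT -A FORWARD -i "$WAN" -s 192.168.0.0/16 -j DROP

    tenant_rules "$LAN1" "$NET1"
    tenant_rules "$LAN2" "$NET2"
    tenant_rules "$LAN3" "$NET3"

    # Source NAT lives in POSTROUTING; SNAT/MASQUERADE are not valid in PREROUTING.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Publish only the FTP control port of the DMZ host, and open just that
    # hole in FORWARD, rather than DNATing every incoming packet to it.
    $IPT -t nat -A PREROUTING -i "$WAN" -d "$WAN_IP" -p tcp --dport 21 \
        -j DNAT --to-destination "$DMZ_FTP"
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_FTP" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    # The DMZ host may reach the internet but has no path into the tenant subnets.
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT

    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

build_firewall
```

Without the "apply" argument the script only prints the rules, which makes it easy to review that no line pairs two tenant interfaces before loading it. Passive-mode FTP data connections through the DMZ hole rely on the kernel's FTP connection-tracking helper being loaded so they match the RELATED rule.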
 
Old 06-17-2003, 03:04 AM   #9
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
i would like to add:


http://webmin.com this piece of software is awesome, especially for setting up the dhcp server. i use it to add new subnets because i don't really care to edit the config file myself (i've done it before so i know how it's done).

the only downside to webmin is that it kinda takes control from you. you can opt to edit some of the config files by hand if you want though, but for the most part you just fill in some text boxes and hit Save and it edits your config files for you (that really is a plus, but i see the negative side to that....Linux server admins who aren't really Linux server admins).

anyway, i still recommend it because it speeds things up if you need it done quick fast and in a hurry with minimal margin for error.
 
Old 06-17-2003, 09:10 AM   #10
EvilTwinSkippy
Member
 
Registered: Mar 2003
Location: Philadelphia, PA
Distribution: RedHat, Gentoo
Posts: 51

Rep: Reputation: 15
Don't need 5 NICs

You don't need 5 NICs if you control the DHCP server! You just need 2: one for the public internet and 1 for the private LAN.

As long as the DHCP server gives each "group" of machines a separate subnet, the subnets won't know they can talk to each other. (Just make sure you don't allow traffic to be forwarded between subnets.)

I'm assuming that you know ahead of time which machines belong on which subnets, and can easily track down the MAC numbers for each network card. (Under Linux it's displayed by running ifconfig, windows shows it when you run ipconfig /all a/o winipconfig.)

Here is a noddy example with 3 networks (1 is a blackhole for unknown hosts.) Your DHCP server Configuration will look like this:
Code:
default-lease-time 604800;
max-lease-time 604800;
ddns-domainname "internal.fubar.com.";
ddns-update-style none;

shared-network internal {
        # Subnet A
        subnet 192.168.10.0 netmask 255.255.255.0 {
          option domain-name "red.internal.fubar.com";
          option domain-name-servers 192.168.10.1;
          option routers 192.168.10.1;
          option subnet-mask 255.255.255.0;
        }
        # Subnet B
        subnet 192.168.11.0 netmask 255.255.255.0 {
          option domain-name "green.internal.fubar.com";
          option domain-name-servers 192.168.11.1;
          option routers 192.168.11.1;
          option subnet-mask 255.255.255.0;
        }

        # Unknown hosts are sent to a different subnet
        subnet 192.168.1.0 netmask 255.255.255.0 {
          option domain-name "blackhole.internal.fubar.com";
          option domain-name-servers 192.168.1.1;
          option routers 192.168.1.1;
          option subnet-mask 255.255.255.0;
          range 192.168.1.100 192.168.1.200;
        }

        # Hosts on the RED network
        host pinky {
                fixed-address 192.168.10.100;
                hardware ethernet 08:00:4e:35:76:5a;
         }

        host brain {
                fixed-address 192.168.10.101;
                hardware ethernet 08:00:4e:35:76:ab;
         }

         # Hosts on the GREEN Network
        host babs {
                fixed-address 192.168.11.100;
                hardware ethernet 08:00:cd:35:76:5a;
         }

        host buster {
                fixed-address 192.168.11.101;
                hardware ethernet 08:00:ef:35:76:ab;
         }
}

shared-network public {
     # Match with public network card
     # Leave empty unless you really want
     # to have your ISP knocking on your door
     subnet 10.0.0.0 netmask 255.255.255.0 {
          option domain-name "public.fubar.com";
     }
}
Your IPTABLES script would look like this:

Code:
public=eth0
private=eth1

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface ${public} -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# Uncomment to prevent the blackhole network from getting on the internet
# iptables --append FORWARD --in-interface ${private} --source 192.168.1.0/255.255.255.0 -j REJECT

# Every subnet's gateway is this box, so traffic from 192.168.10.x to
# 192.168.11.x comes back in and out of the same private NIC. Drop it here,
# otherwise the catch-all ACCEPT below would route between the subnets.
iptables --append FORWARD --in-interface ${private} --out-interface ${private} -j DROP

# For simplicity sake, just allow everyone through who is trying to 
# get out on the net, regardless of the starting subnet (The above 
# exclusions are applied before getting to this rule.)

iptables --append FORWARD --in-interface ${private} -j ACCEPT
 
Old 06-17-2003, 01:15 PM   #11
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 587

Rep: Reputation: 32
Re: Don't need 5 NICs

Quote:
Originally posted by EvilTwinSkippy
You don't need 5 NIC's if you control the DHCP server! You just need 2: one for the public internet and 1 for the private LAN.
EvilTwinSkippy: you are wrong! Only by using separate NICs can you be sure about the packet traffic.
1. There is no method to force the client box to use DHCP.
2. If a box has an improper IP (let's say the user set the IP statically and improperly) there is no way to really block the packets using IP.
3. Of course you can check the MAC address with netfilter, but assuming an attack you can't be sure that the MAC is not spoofed as well.
So only physical separation of the subnets and correct netfilter rules allow you to _assume_ that the user sees boxes from his subnet only.
 
Old 06-17-2003, 03:26 PM   #12
nicedreams
LQ Newbie
 
Registered: Jun 2003
Location: Phoenix, AZ
Posts: 26

Original Poster
Rep: Reputation: 15
Thank you all for your help. Thanks for the script examples and everything.

I need 5 NICs.

One NIC per LAN/subnet = 3x
One NIC for DMZ
One NIC for WAN

I'm thinking about just doing it this way since I don't seem to have time to find this script since the connection is probably going to be live here in a day or two.

..............................Inet (3 IPs)
....................Modem/Router
..........................Switch
..............|...................|............................|
.........router...........router.............router
.......switch............switch.............switch
..........PCs................PCs.................PCs

(had to use periods [.] as spaces since it won't space out without them)

I'll get 3 internet IPs and give the router of each subnet its own static internet IP and have it go like that. I'll use Linksys routers since they seem to have the most features for the small price.

I'm still going to play with the Linux box still and get that to work and get it working better and maybe replace this idea above with the linux box once it is done.

If anyone knows of a better SOHO solution than using the Linksys, then please let me know. I'm not sure if Linksys just using NAT is secure enough, but it seems like it'll be the best solution for now. At least until I can get the Linux Box up.

I'm going to try to find a PCI NIC card with 5 or fewer integrated NICs on each card. That would save on having to use one per PCI slot.
 
Old 06-21-2003, 08:28 AM   #13
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,280

Rep: Reputation: 61
That sounds like a good way to go but you can still use linux with this configuration as well, if you have any spare PCs lying around, p100 133 166 etc... just substitute the Linksys routers for the linux router (Smoothwall/IPCOP), you may just have to buy a few more NICs and a 4 port switch, may be a bit more cost effective than buying the Linksys routers as well.
 
Old 06-21-2003, 03:26 PM   #14
Robert0380
Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
Re: Don't need 5 NICs

Quote:
Originally posted by EvilTwinSkippy

I'm assuming that you know ahead of time which machines belong on which subnets, and can easily track down the MAC numbers for each network card. (Under Linux it's displayed by running ifconfig, windows shows it when you run ipconfig /all a/o winipconfig.)

man, that could take forever and lends itself to many errors. that is only good if you have like no more than 10 hosts. if you have somewhere around 6,000 (or even 100) that would just plain suck.lol



Quote:
..............................Inet (3 IPs)
....................Modem/Router
..........................Switch
..............|...................|............................|
.........router...........router.............router
.......switch............switch.............switch
..........PCs................PCs.................PCs


those 3 routers could easily be 1 router handling all subnets. i guess if that works though then stick with it, just that there is a lot going on. you could have set it all up and just turned off ipforwarding in the router as suggested before. now instead of having 1 DHCP server and 1 firewall, you have many of each and adding a subnet will now be a pain because you'd have to buy a new router and set it up rather than buying just a switch and a NIC.

Last edited by Robert0380; 06-21-2003 at 03:32 PM.
 