LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-05-2003, 09:56 AM   #1
Arnold Poindext
LQ Newbie
 
Registered: Jan 2003
Posts: 7

Rep: Reputation: 0
transparent filtering?


I asked for advice about setting up an iptables firewall in a post a few days ago, but now I'd like to run a different scenario by you guys. At the company I'm doing my internship at, we have a small private network connected to the internet via a Cisco router and a T1 line. I'd like to know if it is possible to filter all incoming traffic to our network with iptables, without changing any settings on our router. Here is a rough diagram of what I'd like to do:

T1 line
|
|
|************public IP address
Cisco router
|************default gateway address 192.168.0.1
|
|
|*************eth0 - private ip 192.168.0.150
iptables firewall
|*************eth1 - private ip 192.168.0.140
|
|
|
private network

In all the scenarios I've seen, iptables is used as either a default gateway or as a firewall for the host machine, which means that packets were addressed to the IP address of the NICs on the firewall. In this scenario it won't be either, so here is my ultimate question: Is it possible to make the iptables firewall accept packets that are not destined for its IP address, filter them, then forward them on to the proper address?

I guess this would be transparent firewalling, because the router and the private network would not be aware that the firewall even existed.

**I just did a search on Google for "transparent firewall" and lo and behold, it's an actual term. Transparent firewalling is possible and, as I suspected, it involves putting the NICs in promiscuous mode. I still have questions though; can anyone point me in the right direction?

Last edited by Arnold Poindext; 06-05-2003 at 10:40 AM.
 
Old 06-06-2003, 06:31 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Hmm. I don't quite understand, but then again I'm no networking hero. In your setup you'll be presenting addresses on both LAN ranges as one large "overlapping NAT block" to the Cisco. What's the benefit from doing it that way?

Quote:
Is it possible to make the iptables firewall accept packets that are not destined for its IP address, filter them, then forward them on to the proper address?
AFAIK this is what NAT'ting is all about, isn't it? In your proposal it looks like you'll be doing double NAT, once on the Linux box static routing it to the Cisco box, and once on the Cisco. I'm wondering how this would work compared to bridging and what routing is to be involved...

If you're looking for docs I'd say start with the basic Linux NAT HOWTO, move on to LARTC and bridging.

Since you're the one with the Cisco I don't have to point out that looking at, say, Denise Richards at Routergod will give you ideas the Cisco docs can't, right? :-]
 
Old 06-10-2003, 08:09 AM   #3
Arnold Poindext
LQ Newbie
 
Registered: Jan 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Is it possible to make the iptables firewall accept packets that are not destined for its IP address, filter them, then forward them on to the proper address?

unSpawn wrote:
Quote:
AFAIK this is what NAT'ting is all about, isn't it?

Maybe I phrased it incorrectly. I don't want the iptables machine to do NAT, I want the Cisco router to do NAT. I simply want the Linux box to inspect the packets and send them along. The Cisco router and the nodes on the internal network need not even know that the Linux machine is there. The router will remain as the default gateway and all nodes on the network will still use it as the default gateway. iptables would simply sit between them and filter.

The link you put up about transparent firewall bridging looks like it's exactly what I'd like to do. I'm going to read it several times and try to figure out how to apply it.
 
Old 06-10-2003, 08:36 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
I don't want the iptables machine to do NAT, I want the Cisco router to do NAT. I simply want the Linux box to inspect the packets and send them along.

Then I gotta ask "inspect them for *what* attributes?" Since your Cisco will validate/handle all the connections (flags, DoS, ACLs, etc etc), are you sure it's not just a promiscuous sniffer you want? Like Snort can?

Quote:
The router will remain as the default gateway and all nodes on the network will still use it as the default gateway. iptables would simply sit between them and filter.

I'm no routing hero, so this doesn't make sense to me. How on earth can you force connections *through* the iptables box unless you made it the default gw or play a MiM game?
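Editor's note: the question left open above (how traffic can be forced through the Linux box without making it the default gateway) is what the "transparent firewall bridging" approach from post #3 answers: the two NICs are joined into a layer-2 bridge, so every frame between the router and the LAN physically crosses the box, and with bridge-netfilter enabled those frames still pass through the iptables FORWARD chain. The script below is an added example, not code from any poster. The interface roles and the 192.168.0.150/24 address follow the diagram in post #1; the bridge name br0, the use of current ip/sysctl/br_netfilter tooling instead of the 2003-era brctl setup, the sample published host 192.168.0.10 and the SSH management rule are assumptions made here.

```shell
#!/bin/sh
# Added example: transparent (bridging) iptables firewall for the topology
# in post #1. Neither the Cisco (192.168.0.1) nor the LAN hosts change their
# gateway; the box forwards at layer 2 and filters the bridged IP traffic.
#
#   eth0 -> Cisco router side      eth1 -> private network side
#   br0  = eth0 + eth1 (assumed bridge name)
#
# Usage:  sh transparent-fw.sh show    # print the commands, no root needed
#         sh transparent-fw.sh apply   # execute them as root

EXT_IF=${EXT_IF:-eth0}                      # port facing the Cisco router
INT_IF=${INT_IF:-eth1}                      # port facing the private LAN
BR_IF=${BR_IF:-br0}
MGMT_ADDR=${MGMT_ADDR:-192.168.0.150/24}    # address for administering the box (from the diagram)
LAN_NET=${LAN_NET:-192.168.0.0/24}
PUBLISHED_HOST=${PUBLISHED_HOST:-192.168.0.10}   # constructed example: a LAN web server

# run: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# build_bridge: enslave both NICs to br0. Bridge ports see every frame on
# their segment (the "promiscuous mode" mentioned in post #1) and need no
# IP address of their own to forward.
build_bridge() {
  run ip link add name "$BR_IF" type bridge
  run ip link set "$EXT_IF" master "$BR_IF"
  run ip link set "$INT_IF" master "$BR_IF"
  run ip link set "$EXT_IF" up
  run ip link set "$INT_IF" up
  run ip link set "$BR_IF" up
  # Hand bridged IPv4 frames to iptables; without this the bridge forwards
  # everything and the FORWARD chain never sees the traffic.
  run modprobe br_netfilter
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
  # Optional management address lives on the bridge, not on a port.
  run ip addr add "$MGMT_ADDR" dev "$BR_IF"
}

# firewall_rules: default-deny. Bridged packets enter on one physical port
# and leave on the other, so direction is matched with the physdev match
# rather than -i/-o (both of which would be br0).
firewall_rules() {
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  # Replies and related packets of connections already accepted.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # LAN hosts may open connections outbound towards the router.
  run iptables -A FORWARD -m physdev --physdev-in "$INT_IF" --physdev-out "$EXT_IF" \
      -s "$LAN_NET" -j ACCEPT
  # Inbound: the Cisco has already NATed the destination to the private
  # address, so publish exactly the LAN services you mean to expose.
  run iptables -A FORWARD -m physdev --physdev-in "$EXT_IF" --physdev-out "$INT_IF" \
      -p tcp --dport 80 -d "$PUBLISHED_HOST" -j ACCEPT
  # Rate-limited log of what the default policy drops, for tuning and detection.
  run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "BRIDGE-DROP: "

  # The box itself: only SSH from the LAN side to the management address.
  run iptables -P INPUT DROP
  run iptables -F INPUT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -i "$BR_IF" -m physdev --physdev-in "$INT_IF" \
      -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

case "${1:-}" in
  show)  DRY_RUN=1; build_bridge; firewall_rules ;;
  apply) build_bridge; firewall_rules ;;
esac
```

Running `sh transparent-fw.sh show` prints the exact command sequence so it can be reviewed before anything is applied; with the bridge up and bridge-nf-call-iptables set, traffic that the Cisco passes is still subject to the FORWARD chain on its way to the LAN, which is the inspection post #3 asked for without NAT or a gateway change.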
All times are GMT -5. The time now is 12:40 PM.