Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I asked for advice about setting up an iptables firewall in a post a few days ago, but now I'd like to run a different scenario by you guys. At the company I'm doing my internship at, we have a small private network connected to the internet via a Cisco router and a T1 line. I'd like to know if it is possible to filter all incoming traffic to our network with iptables, without changing any settings on our router. Here is a rough diagram of what I'd like to do:
T1 line
|
|
|------------ public IP address
Cisco router
|------------ default gateway address 192.168.0.1
|
|
|------------ eth0 - private IP 192.168.0.150
iptables firewall
|------------ eth1 - private IP 192.168.0.140
|
|
|
private network
In all the scenarios I've seen, iptables is used as either a default gateway or as a firewall for the host machine, which means that packets were addressed to the IP address of the NICs on the firewall. In this scenario it won't be either, so here is my ultimate question: Is it possible to make the iptables firewall accept packets that are not destined for its IP address, filter them, then forward them on to the proper address?
I guess this would be transparent firewalling, because the router and the private network would not be aware that the firewall even existed.
**I just did a search on Google for "transparent firewall" and lo and behold, it's an actual term. Transparent firewalling is possible and as I suspected it involves putting the NICs in promiscuous mode. I still have questions though; can anyone point me in the right direction?
Last edited by Arnold Poindext; 06-05-2003 at 10:40 AM.
Hmm. I don't quite understand, but then again I'm no networking hero. In your setup you'll be presenting addresses on both LAN ranges as one large "overlapping NAT block" to the Cisco. What's the benefit from doing it that way?
Is it possible to make the iptables firewall accept packets that are not destined for its IP address, filter them, then forward them on to the proper address?
AFAIK this is what NAT'ting is all about, isn't it? In your proposal it looks like you'll be doing double NAT, once on the Linux box static routing it to the Cisco box, and once on the Cisco. I'm wondering how this would work compared to bridging and what routing is to be involved...
Since you're the one with the Cisco I don't have to point out that looking at, say, Denise Richards at Routergod will give you ideas the Cisco docs can't, right? :-]
Is it possible to make the iptables firewall accept packets that are not destined for its IP address, filter them, then forward them on to the proper address?
unSpawn wrote:
AFAIK this is what NAT'ting is all about, isn't it?
Maybe I phrased it incorrectly. I don't want the iptables machine to do NAT, I want the Cisco router to do NAT. I simply want the linux box to inspect the packets and send them along. The Cisco router and the nodes on the internal network need not even know that the linux machine is there. The router will remain as the default gateway and all nodes on the network will still use it as the default gateway. Iptables would simply sit between them and filter.
The link you put up about transparent firewall bridging looks like it's exactly what I'd like to do. I'm going to read it several times and try to figure out how to apply it.
I don't want the iptables machine to do NAT, I want the Cisco router to do NAT. I simply want the linux box to inspect the packets and send them along.
Then I gotta ask "inspect them for *what* attributes?" Since your Cisco will validate/handle all the connections (flags, DoS, ACL's, etc etc), are you sure it's not just a promiscuous sniffer you want? Like Snort can?
The router will remain as the default gateway and all nodes on the network will still use it as the default gateway. Iptables would simply sit between them and filter.
I'm no routing hero, so this doesn't make sense to me. How on earth can you force connections *through* the iptables box unless you made it the default gw or play a MitM game?
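The way connections end up passing through the box without it being the default gateway is the bridging the thread points at: both NICs are enslaved to a Linux bridge with no IP address of its own, and iptables filters the bridged frames by physical ingress port. The script below is an added example, not from any poster; it assumes a modern kernel with the br_netfilter module, the interface names eth0/eth1/br0, and a hypothetical LAN web server at 192.168.0.10.

```shell
#!/bin/sh
# Added example (not from the thread): bridge eth0 (router side) and eth1
# (LAN side) so iptables can filter traffic that is not addressed to this host.
# Assumes a modern kernel with br_netfilter; interface names are hypothetical.
set -eu

WAN_IF=${WAN_IF:-eth0}   # towards the Cisco (default gateway 192.168.0.1)
LAN_IF=${LAN_IF:-eth1}   # towards the private network
BR_IF=${BR_IF:-br0}
DRY_RUN=${DRY_RUN:-0}    # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build the bridge. It needs no IP address to forward frames, so neither the
# router nor the LAN hosts see the firewall as a hop.
build_bridge() {
    run modprobe br_netfilter
    run ip link add "$BR_IF" type bridge
    run ip link set "$WAN_IF" master "$BR_IF"
    run ip link set "$LAN_IF" master "$BR_IF"
    run ip link set "$WAN_IF" up
    run ip link set "$LAN_IF" up
    run ip link set "$BR_IF" up
    # Make bridged frames traverse the iptables FORWARD chain.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Filter by physical ingress port (physdev), not by destination IP.
apply_filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything the LAN originates may leave.
    run iptables -A FORWARD -m physdev --physdev-in "$LAN_IF" -j ACCEPT
    # From the router side, allow only new TCP connections to the
    # (constructed) LAN web server 192.168.0.10 on port 80.
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" \
        -p tcp -d 192.168.0.10 --dport 80 --syn -j ACCEPT
    # Log everything else from the router side before the DROP policy hits.
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" \
        -j LOG --log-prefix "BRIDGE-DROP: "
}

# Usage: DRY_RUN=1 sh bridge-fw.sh apply   (preview), or as root without DRY_RUN.
if [ "${1:-}" = apply ]; then
    build_bridge
    apply_filter_rules
fi
```

Because the bridge carries no address, nothing on the network has to change; the Cisco keeps doing NAT and stays the default gateway, while the LOG rule gives the defender a record of what the bridge refused.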