LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-08-2004, 12:58 PM   #1
caremaker
LQ Newbie
 
Registered: Jan 2004
Posts: 7

Rep: Reputation: 0
Firewall - filter for public IPs


I have 3 machines that have public IPs that I want to stick behind a firewall:

209.208.89.51
209.208.89.52
209.208.89.53

My firewall (RH 9 box) has 2 interfaces:

eth0 = 209.208.89.50
eth1 = ?

I've got the linux machine up and I'm able to surf the web. My question is how do I send the 3 above IPs through to their designated servers. I won't be doing any nat or masquerading because they will have real IPs. But I want to force their connections through the firewall (to filter).

What I've done is plugged the 3 machines (all with their designated IPs above) and eth1 into a switch.

1) What IP do I assign to eth1?


2) What IP tables command(s) will forward the connections through the firewall? I have already: echo 1 > /proc/sys/net/ipv4/ip_forward


3) What should my routing table look like?




Thanks for the help!
 
Old 01-08-2004, 08:34 PM   #2
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
I would nat them. put them on the local network and have your firewall route the info you want to the specific computer. EX eth0 has several public IPs. if something comes in looking for 209.208.89.51 then nat it to 10.1.1.2. f something comes in looking for 209.208.89.52 then nat it to 10.1.1.3. And so on. You will have to do some configurations to all the PCs and use port forwarding on the firewall.
I know that's not what you wanted, but it is more secure in my opinion to do it that way. Plus you will only have one set of rules to handle.

if I were you I would do something like this

internet
|
rh firewall (eth 0 - 209.208.89.51 209.208.89.52 209.208.89.53) (eth1 - 10.1.1.1)
|
|
|
switch - goes to 3 servers or pcs or whatever
| | | (that's supposed to be 3 lines to 3 computers)
computer 1 - 10.1.1.2
computer 2 - 10.1.1.3
computer 3 - 10.1.1.4


And again, your rh firwall is reponsible for ipforwarding. You will have to write specific commands to forward the ports/IPs to the specific computers.
 
Old 01-08-2004, 11:38 PM   #3
caremaker
LQ Newbie
 
Registered: Jan 2004
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for the advice. NATing (like you said) was the alternative.

I still would like to know how the scenario I described would be done, regardless of whether I use it or NAT. It's bugging me that it didn't work!!

I'm confused on what I would set eth1's IP to.

Thanks again.
 
Old 01-09-2004, 12:20 AM   #4
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
I don't really think it is possible with the 1st scenario. But then again it could be. I think you would have to assign a realworld IP address that you don't own to your eth1, and assign all 4 addresses to eth0 and forward everything that is appropriate but that is bad practice. We had some ass-clown create a network where I work w/ real IP addresses (we have a 10. network and also a 163.34.44. network) and now we have to set it up within our whole network to where we can never access those realworld IPs. It hasn't caused us anytrouble, yet. But if a business partner had those IPs we would have a hell of time communicating with them.

But like I said before. Using the RFC-compliant internal address and using NAT or something similar is the suggestion.

Also the way that I gave you the first time is much more flexible and scalable.
 
Old 01-09-2004, 02:02 AM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally posted by benjithegreat98
I don't really think it is possible with the 1st scenario. But then again it could be. I think you would have to assign a realworld IP address that you don't own to your eth1, and assign all 4 addresses to eth0 and forward everything that is appropriate but that is bad practice. We had some ass-clown create a network where I work w/ real IP addresses (we have a 10. network and also a 163.34.44. network) and now we have to set it up within our whole network to where we can never access those realworld IPs. It hasn't caused us anytrouble, yet. But if a business partner had those IPs we would have a hell of time communicating with them.
Holy..!..!!! what the?!!?!?

That is BAD. Never assign an IP you don't own to any of your devices. That is breaking a cardinal rule of the Internet. RFC1918 addresses exists specifically so that is never to happen.

What the original poster could do is bridge the two NICs so neither one has an IP, then put all your public IP boxes on a switch behind. Since the NICs are bridge, the traffic passes right through to the appropriate box on the inside. You can still put filtering rules on the firewall, but neither NIC has an IP.

So far as I know, the above is the only way to do it without NAT or advertising routes. If your ISP let you, you could configure the Linux box as a router and advertise your public IPs to your ISP letting them know they're reachable via your external firewall IP, then just put static routes for them on your firewall

Actually, come to think of it you can probably setup proxy-arp on your outside firewall interface to make your public IPs be announced on the outside interface when some host sends an ARP request for them. I'm not sure what IP you would give your internal interface, though. Read up on how to proxy arp.
 
Old 01-09-2004, 09:02 AM   #6
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Yeah, in my post I forgot to mention that using ips you don't own is very wrong. Sorry.
I wish we knew who did it to our network so we could ask them what the hell their problem was. And unfortunately it is too late to make any changes because it is a hospital and most of the equipment is specialized radiaology equipment and we can't just make changes ourselve. It would take the full collaboration of about 7 companies to help us change that problem in as little time as possible. I don't see it happening.
 
Old 01-09-2004, 01:17 PM   #7
dubman
Member
 
Registered: Jan 2003
Distribution: Redhat 9, Fedora Core 1, Suse 8
Posts: 188

Rep: Reputation: 30
NAT, Routing, and IPtables is what you want. Here is a good how to:

http://eressea.pikus.net/~pikus/plug...all/page0.html
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
NAT + public IPS (+ firestarter) Stefan Pantiru Linux - Networking 2 05-17-2005 06:43 AM
Router with multiple public IPs Neodymium Linux - Newbie 1 04-13-2004 07:39 PM
Public IPs behind router Buzer Linux - Networking 2 09-20-2003 02:36 PM
Sharing two public IPs. Unseen Linux - Networking 8 03-20-2003 02:17 PM
Linux firewall that supports USB ADSL & multiple public IPs? Smoothieu Linux - Security 1 08-21-2002 07:23 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 12:09 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration