LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-01-2006, 04:25 PM   #1
samg
LQ Newbie
 
Registered: Jun 2006
Distribution: RHEL3,RHEL4,CENT OS 4
Posts: 7

Rep: Reputation: 0
firewall with private IPs


Hi All,

I need some help to set up a firewall.

DSL Router --- linux box ( 2 nics) --- LAN

My problem is that the DSL router will give only a 192.168.1.x IP, which is a private, non-routable IP.

Now I want to implement NAT for internet sharing. As far as I know, firewalls filter out private IP traffic from the external interface. So now how can I use a firewall? Is there any script which can support private IPs
on external IPs? What's the best way to set up an iptables-based firewall in this case?

Thanks for your time
Samg
 
Old 06-01-2006, 05:47 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
If I understand this, you want to replace the DSL router with the Linux box with two NICs?
Is the DSL router separate from the modem?
If so, then check out this site to build your firewall script by answering the questions: http://easyfwgen.morizot.net/gen/

Now if the modem and DSL router are one piece, then see if the router offers a DMZ setup. It is used to bounce all the network traffic from the external IP to one single internal IP.

Let's see what your answers are before going further.

Brian1
 
Old 06-01-2006, 06:31 PM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 683
If the router's WAN address is 192.168.xxx.xxx, your IP access is already behind the ISP's NAT router, so you won't be able to offer services on the web. They are assigning several users to the same Internet IP address, so if you wanted to use port forwarding to offer services on one of your LAN hosts, you need to find another ISP. Only traffic coming in response to your traffic can be forwarded to you. Otherwise, the ISP's NAT router will have no way of knowing which 192.168.xxx.xxx address initial incoming traffic is destined for.

Last edited by jschiwal; 06-01-2006 at 06:33 PM.
 
Old 06-02-2006, 02:47 PM   #4
samg
LQ Newbie
 
Registered: Jun 2006
Distribution: RHEL3,RHEL4,CENT OS 4
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for your replies.

Here are more details.

My DSL modem and router are the same piece. My DSL router will allow forwarding all traffic to one internal LAN IP. At present I am able to run a web server which can be accessed from the internet, so DMZ is there in my DSL+router device (ZyXEL DSL router).


Now I will direct all internet traffic to my Linux box (dual NIC) and I want this box to perform port forwarding. For this work I need to use an iptables firewall. Most firewalls reject private IP address traffic from the external interface; if I make changes in the rules and allow private IP traffic on the external interface, will that be a security problem?

So basically my requirement is port forwarding from my Linux box to the remaining LAN boxes.

DSL router ------- DMZ[linux box] ----port forwarding to lan boxes
[modem+router]
[live ip&192.168.1.1]
 
Old 06-02-2006, 04:10 PM   #5
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Should be no problem. This is the way I would do it.

DSL/Router
External wan. Leave as is.
Internal Lan
IP 192.168.1.1
Define DMZ to 192.168.1.10

Linux box
Wan eth0 nic
IP 192.168.1.10
Gateway 192.168.1.1
Subnet 255.255.255.0
DNS: Use the provider's DNS IP for /etc/resolv.conf

Lan side eth1 nic
IP 192.168.2.1
Subnet 255.255.255.0
Gateway: Do not define a gateway. IP masquerading will take care of that.

Set up iptables as you like, either from some software tool, write it yourself, or from the link in the above post. Just answer the questions as the system is configured here.

Lan machines
IP from 192.168.2.2 to 192.168.2.254
gateway 192.168.2.1
Subnet 255.255.255.0
DNS: use the same ones as for the Linux box, as the provider uses.

Note: I would run a firewall on each LAN machine allowing only the needed services access.

Should take care of it.
Brian1
 
Old 06-02-2006, 04:40 PM   #6
samg
LQ Newbie
 
Registered: Jun 2006
Distribution: RHEL3,RHEL4,CENT OS 4
Posts: 7

Original Poster
Rep: Reputation: 0
Very good explanation, thanks for your time.

Final question: allowing private IP traffic on the external interface is a security risk (like spoofing with LAN IPs)? Am I correct?

Will installing a firewall on each LAN box prevent the above problem?
 
Old 06-02-2006, 05:55 PM   #7
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
The firewall will definitely stop LAN traffic that is not destined to an external address, except some misc ARP packets. Not sure if the router does the same, but pretty sure they do the same. My thoughts on the firewall per LAN machine: it just helps stop attacks on other LAN machines if the server you allow access to is compromised. A better way to secure a system is to set up a DMZ on the Linux box using 3 NICs instead of 2. eth0 is the WAN side to the router, eth1 to the LAN, and eth2 to the DMZ for servers. So if they get compromised, then the only things that can be attacked at this point are the machines on the DMZ interface. As long as you don't add iptables commands from DMZ to LAN, then that should be good. This would be a better way. Still run a firewall on all LAN and DMZ machines. The more security the better. A server can have all ports closed except the only ones needed for the service. On the LAN side users like to have TCP/IP over NetBIOS, which is the basis of the Network Neighborhood of Windows and Samba for Linux, so users open the ports for that to simply network sharing. Not a good thing to have open in a server environment unless very restrictively set up.

This is my main firewall router setup as an example.
eth0: WAN interface to the internet
eth1: 2nd WAN interface to the internet
Both eth0 and eth1 are channel bonded to a single bond0.
eth2 is the LAN (no input from anything but eth3, and limited. Only outgoing connections.)
eth3 is the wireless access point with MAC and IP filtering with RADIUS and WPA encryption. (Usually only allows connections to the outside unless I need to transfer data to eth2. Then it is configured with VPN tunneling support to bridge over to eth2.)
eth4: DMZ running 2 servers, but not up now.

Every machine is running a firewall of its own. Call me paranoid maybe.


Brian1
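The two-NIC layout from post #5 and the spoofing question answered in post #7, worked through as an added example (this is not Brian1's or samg's script): eth0 sits on the DSL router's 192.168.1.0/24 as its DMZ host, eth1 serves 192.168.2.0/24, and 192.168.2.10 is an assumed placeholder for the LAN web server that port 80 is forwarded to.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables rules for the layout Brian1
# describes. eth0 faces the DSL router (this box is its DMZ host, 192.168.1.10),
# eth1 is the LAN, 192.168.2.0/24. 192.168.2.10 is an assumed LAN web server.
WAN_IF=eth0; WAN_NET=192.168.1.0/24
LAN_IF=eth1; LAN_NET=192.168.2.0/24
WEB_HOST=192.168.2.10    # assumed placeholder for the LAN box that gets port 80

# Run iptables, or only print the command when DRY_RUN=1 (review without root).
ipt() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

build_rules() {
  ipt -F; ipt -t nat -F; ipt -X
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Anti-spoofing on the WAN side. A blanket "drop private sources on eth0" would
  # break this double-NAT setup because the upstream router itself is 192.168.1.1,
  # so its subnet is exempted first and every other RFC 1918 or loopback source
  # (including our own LAN range, which must never arrive from outside) is dropped.
  ipt -N wan_antispoof
  ipt -A wan_antispoof -s "$WAN_NET" -j RETURN
  ipt -A wan_antispoof -s 10.0.0.0/8 -j DROP
  ipt -A wan_antispoof -s 172.16.0.0/12 -j DROP
  ipt -A wan_antispoof -s 192.168.0.0/16 -j DROP
  ipt -A wan_antispoof -s 127.0.0.0/8 -j DROP
  ipt -A INPUT -i "$WAN_IF" -j wan_antispoof
  ipt -A FORWARD -i "$WAN_IF" -j wan_antispoof
  # LAN hosts may reach this box for SSH and go out to the Internet, masqueraded.
  ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
  # Port forwarding: HTTP handed to us by the router's DMZ goes to the LAN web host.
  ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
  ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_HOST" -p tcp --dport 80 \
      -m state --state NEW -j ACCEPT
}

# Print the rule set instead of applying it.
show_rules() { ( DRY_RUN=1; build_rules ); }

# Apply for real (as root): route between the two NICs, then load the rules.
apply_rules() { echo 1 > /proc/sys/net/ipv4/ip_forward; build_rules; }

case "${1:-}" in
  apply) apply_rules ;;
  show) show_rules ;;
esac
```

With `show` as the argument the script prints the rules it would load; `apply` loads them and needs root.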
 
Old 06-02-2006, 06:41 PM   #8
samg
LQ Newbie
 
Registered: Jun 2006
Distribution: RHEL3,RHEL4,CENT OS 4
Posts: 7

Original Poster
Rep: Reputation: 0
It worked!!!! for me.

Great, thanks for your time and help.


SAMG