Re: router/firewall

On Friday 02 July 2004 6:35 am, Askar Ali Khan wrote:

> I'm learning lot of new things here specially from Mr. Antony Stone he
> is master :)

Please - I do not necessarily know more than other people who are here - I 
just happen to answer more of the questions, and possibly answer them a 
little sooner than others.

> Alright here with another very beginner question :)
> my linux box is part of LAN where net is connected via windowz system.
> my linux box uses windows box as gateway to Internet.

Sounds like the wrong way round to me - what protects (firewalls) your Windows 
machine from all the bad stuff out there on the Internet?

> There is another windowz client (1) now I want to make my this linux
> box "gateway/firewall" for that window client.
>
> first thing I did to enable forwarding on my linux box with..
>                 net.ipv4.ip_forward = 1
>
> my only interface on this linux box is eth0 i also created another
> virtual interface eth0:1, now i want to accept LAN traffic from windows
> client on eth0 and forward it "outbound" on eth0:1
> howto? :)

So, you have a Linux machine with only one interface, and you want to make it 
a router for a machine on your network, with its upstream gateway being 
another machine on the same network?

This sounds like a horribly complicated routing setup to me (this *is* a 
routing question, by the way - not a netfilter question), and I really 
wouldn't advise doing it.

From a security point of view, if you do not physically separate two networks 
by plugging them into different network cards on a router (firewall), then 
the security can be so easily bypassed that it is pointless.

From a network management point of view, trying to route packets between 
different machines, all on the same physical LAN (and, I suspect, also all on 
the same logical subnet), is a very difficult thing to make work (and in my 
opinion not something you should even try to make work).

However, to answer your netfilter-specific questions, and educate you about 
virtual interfaces:

> I will appreciate if someone teach me for both cases
> 1) to use the interface eth0 to forward packets
> 2) also to use the other virtual interface eth0:1 for forwarding
>
> It means I need two separate scripts one for eth0 and another for eth0:1

Routing is a separate matter from netfilter - you have to get the routing 
working first, and then you can use netfilter to block certain packets so 
that they don't get routed.

Secondly, netfilter doesn't allow things like eth0:1 (it won't accept the 
colon), so all you do is use the normal interface name (eth0). It's the 
same physical interface anyway, and this will do what you want - you can use 
-i eth0 and -o eth0 to match packets coming in or going out on eth0:1

If you *really* want some help getting that weird setup you described earlier 
working, you'll need to provide a network diagram with some IP addresses, and 
a clear description of what you want routed where and how you think replies 
should get routed back again.

I really do not advise it though :)

Regards,

Antony.

-- 
Having been asked for a reference for this man,
I can confirm that you will be very lucky indeed if you can get him to work 
for you.

                                                     Please reply to the list;
                                                           please don't CC me.
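The interface-name point above, as an added example (not Antony's code and not taken from the thread): a POSIX sh script that refuses alias names like eth0:1 and prints the FORWARD rules a single-interface box would need, matching both directions on the real device so that only the address match separates the LAN client from everything else. The interface name, client address and LAN prefix are assumed values.

```shell
#!/bin/sh
# Added example, not from the original thread. netfilter's -i/-o options take
# the real device name only, so eth0:1 is rejected and both directions are
# matched on eth0. With one interface, nothing but the IP address match tells
# "inside" from "outside", which is why this setup is so easy to bypass.
# Interface, client and LAN values are assumed for illustration.

# Refuse interface aliases: the parent device is what netfilter actually sees.
check_iface() {
    case "$1" in
        "")  echo "empty interface name" >&2; return 1 ;;
        *:*) echo "refusing alias '$1': use the parent device" >&2; return 1 ;;
        *)   return 0 ;;
    esac
}

# Print (rather than execute) the forwarding rules for IFACE CLIENT LAN.
# Review the output before running it on a real box.
gen_forward_rules() {
    iface=$1
    client=$2
    lan=$3
    check_iface "$iface" || return 1
    cat <<EOF
# Routing must already work; netfilter only decides what is NOT forwarded.
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound and outbound both match -i $iface -o $iface; only -s/-d separate them.
iptables -A FORWARD -i $iface -o $iface -s $client ! -d $lan -j ACCEPT
EOF
}

# Assumed values: one LAN client behind the single-homed Linux box.
gen_forward_rules eth0 192.168.1.20 192.168.1.0/24
```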