Basically what I'm trying to do with this configuration is replace a current firewall. I am just having trouble getting the ISP gateway's (JACK's) ARP requests to recognize my firewall's (BILL's) MAC address for all ARP requests to my network. When I switch firewalls (BILL's), everything will work fine until the ISP's gateway (JACK) sends an ARP request to my network for an IP; as the ISP's gateway requests IPs on my network, they return unanswered. On the old firewall (previous BILL), when the ISP's gateway would send an ARP request for anything on my network, my firewall machine would respond with its MAC address.

My current network setup (a.b.c. refers to public IPs; X = any # between 3 and 62):

        -------------
        |  Internet |
        -------------
        (ISP gateway) a.b.c.1 255.255.255.192 (JACK)
              |
              |
              |
        --------------------
        eth0 a.b.c.2 255.255.255.192
        | gateway/firewall | (BILL)
        eth1 192.168.1.2 255.255.255.0
        --------------------
              |
              |
              |
        --------------------
        | Internal Machines | (192.168.1.X) 255.255.255.0
        --------------------

NAT:

    iptables -t nat -A PREROUTING -d a.b.c.X -i eth0 -j DNAT --to-destination 192.168.1.X
    iptables -t nat -A POSTROUTING -s 192.168.1.X -o eth0 -j SNAT --to-source a.b.c.X

Or, from "iptables -L -t nat -nvx":

    (pkts bytes target prot opt in   out  source       destination)
    PREROUTING
       0     0  DNAT   all  --  eth0 *    0.0.0.0/0    a.b.c.X      to:192.168.1.X
    POSTROUTING
       0     0  SNAT   all  --  *    eth0 192.168.1.X  0.0.0.0/0    to:a.b.c.X

The rest of the iptables ruleset: policies are currently set to ACCEPT.

Routing tables (sample):

    Destination   GW           Genmask          Flags  Iface
    a.b.c.X       *            255.255.255.255  UH     eth1  (??eth0??)
    a.b.c.0       *            255.255.255.192  U      eth0
    192.168.1.0   *            255.255.255.0    U      eth1
    127.0.0.0     *            255.0.0.0        U      lo
    default       a.b.c.1      0.0.0.0          UG     eth0

(??Do I need to add any of the routes below??)

    192.168.1.0   192.168.1.2  255.255.255.0    UG     eth1
    a.b.c.0       a.b.c.2      255.255.255.0    UG     eth0
    192.168.1.2   *            255.255.255.255  UH     eth1  (??eth1??)
    192.168.1.X   *            255.255.255.255  UH     eth1  (??eth1??)
    a.b.c.2       *            255.255.255.255  UH     eth1  (??eth0??)
On the new firewall I have a few questions about my current setup; if anyone would be so kind to take a look and let me know if there are any issues with the configuration.

Thanks!
-Patrick Ahler

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Thursday, July 29, 2004 5:56 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Network config review

On Thursday 29 July 2004 10:25 pm, Patrick Ahler wrote:

> I have a few questions about my current setup; if anyone would be so
> kind to take a look and let me know if there are any issues with the
> configuration. Thanks!

Instead of the output from "iptables -L", please post either your iptables rules (the script you use to set up the ruleset) or else the output from "iptables -L -nvx; iptables -L -t nat -nvx", since that tells us much more information, which is helpful.

More importantly, however, please tell us what you want your firewall to do (what to allow, what to block, that sort of thing) - then we can suggest opinions on whether your ruleset is a good way of achieving it.

Regards,

Antony.

--
It is also possible that putting the birds in a laboratory setting inadvertently renders them relatively incompetent.
- Daniel C Dennett

Please reply to the list; please don't CC me.
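The setup described in the thread, as an added example that is not part of the original messages: a script generator for the 1:1 DNAT/SNAT mapping of a.b.c.X to 192.168.1.X (X = 3..62) that also makes BILL answer JACK's ARP requests for each public address, by giving eth0 those addresses as local /32 addresses (the kernel replies to ARP for any local address with the default arp_ignore=0). The prefix 203.0.113 (TEST-NET-3) is a constructed stand-in for a.b.c; all other values are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not execute) the commands;
# review the output, then run it on the firewall.
PUBLIC_PREFIX="${PUBLIC_PREFIX:-203.0.113}"     # constructed stand-in for a.b.c
INTERNAL_PREFIX="${INTERNAL_PREFIX:-192.168.1}"
WAN_IF="${WAN_IF:-eth0}"
FIRST_HOST="${FIRST_HOST:-3}"
LAST_HOST="${LAST_HOST:-62}"

# nat_rules_for X: the three commands for one public/internal pair.
#  1. Make a.b.c.X a local address on eth0 (/32, so it does not become a
#     secondary address of the a.b.c.0/26 connected route). JACK's ARP request
#     for a.b.c.X is then answered with eth0's MAC by the kernel itself, with
#     no proxy_arp or extra host route. (Alternative: "ip neigh add proxy
#     a.b.c.X dev eth0", which only answers if the kernel's route to a.b.c.X
#     leaves via a different interface than eth0.)
#  2. DNAT inbound traffic for a.b.c.X to 192.168.1.X (PREROUTING runs before
#     the routing decision, so the local address does not swallow it).
#  3. SNAT 192.168.1.X's outbound traffic back to a.b.c.X.
nat_rules_for() {
    x="$1"
    pub="$PUBLIC_PREFIX.$x"
    int="$INTERNAL_PREFIX.$x"
    printf 'ip addr add %s/32 dev %s\n' "$pub" "$WAN_IF"
    printf 'iptables -t nat -A PREROUTING -d %s -i %s -j DNAT --to-destination %s\n' \
        "$pub" "$WAN_IF" "$int"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$int" "$WAN_IF" "$pub"
}

# gen_all: emit a complete script covering FIRST_HOST..LAST_HOST.
gen_all() {
    printf '#!/bin/sh\nset -e\n'
    x="$FIRST_HOST"
    while [ "$x" -le "$LAST_HOST" ]; do
        nat_rules_for "$x"
        x=$((x + 1))
    done
}

# count_lines: number of generated ip/iptables commands (3 per host).
count_lines() {
    gen_all | grep -cE '^(ip|iptables) '
}

[ "${1:-}" = "generate" ] && gen_all
```

Once applied, "ip -4 addr show dev eth0" should list every a.b.c.X, and an arping for one of them from a host on JACK's side of eth0 should come back with BILL's MAC; since the FORWARD policy in the thread is ACCEPT, the filter table still needs rules before this mapping is exposed to the Internet.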