NAT is probably the best way to set up the network if at all possible. You get the most security from doing it this way. However, if for some reason you can't (you have tons of machines pointed at the gateway and can't change them easily, etc.), you can put a bridge between the router and the rest of the network.

http://bridge.sourceforge.net/

This page has the source for bridging in a Linux 2.4 kernel (should already be in 2.4 kernels) and also firewalling from that bridge (which I don't believe is in the 2.4 kernel). I have not tried the 2.4 kernel (however I'm fixing to) with this patch, but I have been using it to easily firewall 2500 machines (Mac, Unix, Linux, Windows, etc.) that could not be easily reconfigured to point at a new gateway.

I still believe NAT is your best solution and provides the most security, but it is not always feasible to re-point the clients to the new router. This should give you an alternative method.

Robert

-----Original Message-----
From: Ulrich Keil [mailto:ulrich@der-keiler.de]
Sent: Tuesday, November 27, 2001 11:21 AM
To: security-discuss@linuxsecurity.com
Subject: Re: Linux Firewall

On Tue, 27 Nov 2001, Benjamin Stocker wrote:

> Hi all,
>
> I maintain a small hosting center with 6 webservers, fax, pop3-mail,
> etc. I only have one C subnet! I would like to protect my servers with an
> iptables firewall. Unfortunately, it seems to be odd to put the FW AND
> the servers in the same subnet.
>
> It seems to be possible to install two NICs in the firewall and point
> one of them to the Net, the other to the webservers, but both configured
> for the same subnet. But that configuration seems to be rare and I
> cannot find documentation about it.
>
> What's your opinion?
> Many thanks, Benjamin

Hi Benjamin,

The problem with the configuration you want to install is that you cannot set up the firewall with two IPs (from the same C-net) on two different NICs, because the computer has to send the packets to its NICs depending on their destination net. If the FW were configured like this:

eth0: 210.1.1.2, eth1: 210.1.1.129

and you send a packet from the internet to (let's say) 210.1.1.180, it has to go the following way:

Internet --> Router (210.1.1.1) --> Firewall (eth0: 210.1.1.2) --> ...

... and here comes the trick: the firewall receives a packet for 210.1.1.180 on eth0 and "should" send it to the destination IP (or better: destination net) through eth1. Because eth0 is already on the destination net, there is no need for the FW to route here, because routing is only possible between networks. Another reason why this is impossible is the fact that the FW never knows on which NIC local packets (e.g. to 210.1.1.1) have to be sent, because both NICs are in the same local net, so local packets would be sent on both NICs, which generates lots of errors.

A possible solution for you could be an internal splitting of your C-net:

FW:    eth0: 210.1.1.2/25 (255.255.255.128); eth1: 210.1.1.129/25 (255.255.255.128)
Hosts: Default GW: 210.1.1.129; IP > 210.1.1.128 (Netmask: 255.255.255.128)

This config fits your needs but has several disadvantages: you lose 127 IPs, and the configuration of the FW in this case is not too easy (you have to enable ARP forwarding, etc.).

I would suggest you do 1:1 NAT (Network Address Translation) with your FW:

FW:    eth0: 210.1.1.2, 210.1.1.3, ..., 210.1.1.254 (all public IPs on eth0)
       eth1: 192.168.0.1
Hosts: Private IPs (e.g. 192.168.0.5)

This configuration is easy to set up, has (nearly) no disadvantages, and there is lots of documentation. The outer world (the internet) would not recognize that the hosts have private IPs.

Ulrich

Searching for an archive of the most important Security Mailing-Lists?
http://www.der-keiler.de
------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
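The 1:1 NAT layout Ulrich recommends, written out as the iptables rule set the firewall would need. This is an added example and not code from the thread or from either poster; the firewall and router addresses are the thread's own, while the private server addresses, the per-server port lists and the MAPPINGS table are constructed for illustration. Each public address is bound to eth0 as a secondary address (so the firewall answers the router's ARP for it), inbound traffic to it is DNATed to the matching private server for only the ports that server should expose, and outbound traffic from that server is SNATed back to its own public address so the outside world sees one consistent IP per host. With DRY_RUN left at its default the script prints the commands instead of applying them, so it can be read without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the iptables rules for
# Ulrich's 1:1 NAT layout. Public IPs live on the firewall's eth0, the servers
# sit on a private net behind eth1. 210.1.1.x values come from the thread; the
# private addresses and port lists below are constructed for illustration.
#
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

WAN_IF=eth0
LAN_IF=eth1
GW_PUB=210.1.1.2          # firewall's own public address (from the thread)
LAN_NET=192.168.0.0/24    # assumed private server net behind eth1

# "public private tcp_ports" triples, one line per server (constructed data).
MAPPINGS="
210.1.1.3 192.168.0.5 80,443
210.1.1.4 192.168.0.6 80,443
210.1.1.5 192.168.0.7 25,110
"

# Emit one command line, or execute it when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print (or apply) the complete rule set. Everything goes through run() so the
# same function acts as generator and installer.
gen_nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny on FORWARD; only explicitly mapped traffic crosses the box.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -z "$pub" ] && continue
        # Secondary address on eth0: the firewall now owns this public IP, so
        # the upstream router's ARP request for it is answered here.
        run ip addr add "$pub/24" dev "$WAN_IF"
        # Inbound: rewrite the public destination to the private server, but
        # only for the ports that server is meant to expose.
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p tcp \
            -m multiport --dports "$ports" -j DNAT --to-destination "$priv"
        run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$priv" -p tcp \
            -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
        # Outbound: traffic from that server leaves with its own public
        # address, not the firewall's, so the mapping is 1:1 in both directions.
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$priv" -j ACCEPT
    done
}

# Number of DNAT rules the generator produces (one per mapped server).
count_dnat() {
    gen_nat_rules | grep -c -- '-j DNAT'
}

gen_nat_rules
```

The FORWARD policy is DROP and only the DNATed ports are opened with `--state NEW`, so a server that is only mapped for 80,443 is not reachable on anything else even though it has a full public address; the ESTABLISHED,RELATED rule carries the return traffic. Connection tracking is what makes the DNAT and SNAT halves of each pair agree, so with 2.4-era or modern kernels the nat table entries alone are not enough: the FORWARD rules still have to admit the packets.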