Old 10-29-2008   #1 (permalink)
Just Joined!
 
Join Date: Oct 2008
Posts: 7
[SOLVED] IP forwarding of public IPs

Hi, I need to set up a firewall for a set of computers at my university.
The net is structured as follows: there are a total of 5 groups of computers, and all computers have public IPs and a /24 netmask, including the firewall. One group is interconnected through a switch, and another group is interconnected through another switch. The second switch is connected to the first switch, and the first switch is connected to the gateway. The other 3 groups have the same gateway, netmask and subnet as the rest of the network, but they're not connected to the first switch; they are connected to some-place-I-don't-know-about.
All groups are in the same broadcast domain.

I've already set up a machine between the first group and the first switch, but I haven't been able to route packets properly. Packets get to the firewall and, looking at the routing cache of the firewall, the packets are forwarded properly to the internet, but I've never been able to get a response, nor have I been able to connect from the outside with the firewall on. The only way I've been able to connect to the internet is by source-NATing all packets leaving the firewall to the firewall's IP address, but that's no good because I want to be able to connect from the outside.

I'm attaching the routing table and an "ASCII graphic" of the network to make the picture clearer.

Code:
---------                          -----------------------------
-gateway-                          -the-place-I-dont-know-about-
---------                          -----------------------------
    ^                               ^            ^            ^
    ^                               ^            ^            ^ 
---------           ----------      ^            ^            ^
-switch1- <<<<<<<<< -switch2-       ^            ^            ^
---------           ----------      ^            ^            ^ 
    ^                    ^          ^            ^            ^
    ^                    ^          ^            ^            ^
---------            ---------  ---------    ---------    --------- 
-group 1-            -group 2-  -group 3-    -group 4-    -group 5-
---------            ---------  ---------    ---------    ---------

Kernel IP routing table
Destination        Gateway           Genmask               Flags    Iface
220.20.10.1        0.0.0.0           255.255.255.255       UH       eth_int
220.20.10.0        0.0.0.0           255.255.255.0         U        eth_pci
127.0.0.0          0.0.0.0           255.0.0.0             U        lo
0.0.0.0            220.20.10.1       0.0.0.0               UG       eth_int

The firewall I'm trying to install would be between group 1 and switch1.

Since all the computers on the network can communicate with each other without problems, my guess is that the-place-I-don't-know-about is actually a switch to which my gateway is connected.


Old 11-16-2008   #2 (permalink)
Just Joined!
 
Join Date: Oct 2008
Posts: 7
brctl+iptables+physdev

I solved the problem. It turned out that the-place-I-know-nothing-about was a switch and my gateway was connected to it.
When a packet from the outside tried to reach a machine in the firewalled section of the network, the switch would only see the firewall but none of the machines behind it. The solution was to make the firewall a bridge (using brctl) and then use the physdev match of iptables to match against the bridged interfaces. Without physdev it would be impossible to match packets against interfaces other than the virtual one created by the bridge, which may not work for you in certain cases. However, it only works with kernels 2.6.* and up. Make sure to activate STP on the bridge if your network has more than 1 switch, otherwise a serious BROADCAST storm may occur. There is a way to do it without physdev using Shorewall; I leave you the link here: Shorewall and Bridged Firewalls without using physdev match support. And a very interesting link about ebtables here: ebtables/iptables interaction on a Linux-based bridge

Here I leave the final diagram of what my network turned out to be:
Code:
                               ---------
                               -gateway-
                               ---------
                                   ^
                                   ^
----------------------------------------------------------------------
-------------SuperMasterGigantUltraMegaPowerfullSWITCH----------------
----------------------------------------------------------------------
    ^                               ^            ^            ^
    ^                               ^            ^            ^ 
---------           ----------      ^            ^            ^
-switch1- <<<<<<<<< -switch2-       ^            ^            ^
---------           ----------      ^            ^            ^ 
    ^                    ^          ^            ^            ^
    ^                    ^          ^            ^            ^
---------            ---------  ---------    ---------    --------- 
-group 1-            -group 2-  -group 3-    -group 4-    -group 5-
---------            ---------  ---------    ---------    ---------

Last edited by plaga701; 11-17-2008 at 02:23 AM. Reason: Final diagram
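The brctl + physdev setup described in the post above, written out as an added example (this is not the poster's own configuration). The interface names eth_int and eth_pci are taken from the routing table in post #1; the bridge's management address is an assumed value, and DRY_RUN=1 (the default) only prints the commands instead of executing them, since the real ones need root and the bridge module.

```shell
#!/bin/sh
# Transparent bridging firewall: brctl bridge + iptables physdev match.
# Interface names come from post #1; the bridge address is assumed.
BR=br0
IF_OUT=eth_int        # side facing switch1 / the gateway
IF_IN=eth_pci         # side facing group 1 (the machines being protected)
BR_IP=220.20.10.2/24  # assumed management address for the bridge itself
GW=220.20.10.1        # gateway from the routing table in post #1
: "${DRY_RUN:=1}"     # 1 = print commands only; 0 = actually run them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build the bridge; STP is on because there is more than one switch on the segment.
setup_bridge() {
  run brctl addbr "$BR"
  run brctl addif "$BR" "$IF_OUT"
  run brctl addif "$BR" "$IF_IN"
  run brctl stp "$BR" on
  run ip link set "$IF_OUT" up
  run ip link set "$IF_IN" up
  run ip addr add "$BR_IP" dev "$BR"
  run ip link set "$BR" up
  run ip route add default via "$GW" dev "$BR"
  # On kernels where br_netfilter exists this must be 1 or bridged
  # frames never reach the iptables FORWARD chain at all.
  run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Default-deny FORWARD; physdev identifies the real port a frame crossed,
# since -i/-o would only ever see br0.
firewall_rules() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m physdev --physdev-is-bridged \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  # group 1 may initiate anything toward the gateway side
  run iptables -A FORWARD -m physdev --physdev-in "$IF_IN" --physdev-out "$IF_OUT" -j ACCEPT
  # from outside, only SSH (example service) may reach group 1
  run iptables -A FORWARD -m physdev --physdev-in "$IF_OUT" --physdev-out "$IF_IN" \
      -p tcp --dport 22 -j ACCEPT
  # log what the default policy is about to drop, for troubleshooting
  run iptables -A FORWARD -m physdev --physdev-in "$IF_OUT" --physdev-out "$IF_IN" \
      -j LOG --log-prefix "BRIDGE-DROP: "
}

setup_bridge
firewall_rules
```

Run with DRY_RUN=0 as root once the printed command list looks right for your interfaces.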
Old 11-17-2008   #3 (permalink)
Just Joined!
 
Join Date: Oct 2008
Posts: 7
Another way

Another way to do it without a bridge is making the routed firewall respond to every ARP request for a machine behind it; I imagine it could be possible with arpd. Of course, it could bring trouble, since the IP associated with the MAC address of the firewall would change constantly and it could be seen as a man-in-the-middle attack.