Old 10-29-2008   #1 (permalink)
Join Date: Oct 2008
Posts: 7
[SOLVED] Ip forwarding publics IP's

Hi, I need to set up a firewall for a set of computers at my university.
The network is structured as follows: there are a total of 5 groups of computers; all computers have public IPs and a /24 netmask, including the firewall. One group is interconnected through a switch, and another set is interconnected through another switch. The second switch is connected to the first switch, and the first switch is connected to the gateway. The other 3 groups have the same gateway, netmask and subnet as the rest of the network, but they're not connected to the first switch; they are connected to some-place-I-don't-know-about.
All groups are in the same broadcast address.

I've already set up a machine between the first group and the first switch, but I haven't been able to route packets properly. Packets get to the firewall and, looking at the routing cache of the firewall, the packets are forwarded properly to the internet, but I've never been able to get a response, nor have I been able to connect from the outside with the firewall on. The only way I've been able to connect to the internet is source-NATing all packets leaving the firewall to the firewall's IP address, but that's no good because I want to be able to connect from the outside.

I'm attaching the routing table and an "ASCII graphic" of the network to make the picture clearer.

Code:
---------                          -----------------------------
-gateway-                          -the-place-I-dont-know-about-
---------                          -----------------------------
    ^                               ^            ^            ^
    ^                               ^            ^            ^ 
---------           ----------      ^            ^            ^
-switch1- <<<<<<<<< -switch2-       ^            ^            ^
---------           ----------      ^            ^            ^ 
    ^                    ^          ^            ^            ^
    ^                    ^          ^            ^            ^
---------            ---------  ---------    ---------    --------- 
-group 1-            -group 2-  -group 3-    -group 4-    -group 5-
---------            ---------  ---------    ---------    ---------

Kernel IP routing table
Destination        Gateway           Genmask               Flags    Iface
220.20.10.1        0.0.0.0           255.255.255.255       UH       eth_int
220.20.10.0        0.0.0.0           255.255.255.0         U        eth_pci
127.0.0.0          0.0.0.0           255.0.0.0             U        lo
0.0.0.0            220.20.10.1       0.0.0.0               UG       eth_int
The firewall I'm trying to install would be between group 1 and switch 1.

Since all the computers on the network can communicate with each other without problems, my guess is that the-place-I-don't-know-about is actually a switch that my gateway is connected to.

Old 11-16-2008   #2 (permalink)
Join Date: Oct 2008
Posts: 7
brctl+iptables+physdev

I solved the problem. It turned out that the-place-I-know-nothing-about was a switch and my gateway was connected to it.
When a packet from the outside tried to reach a machine in the firewalled section of the network, the switch would only see the firewall but none of the machines behind it. The solution was to make the firewall a bridge (using brctl) and then use the physdev match of iptables to match against the bridged interfaces. Without physdev it would be impossible to match packets against interfaces other than the virtual one created by the bridge, which may not work for you in certain cases. However, it only works with kernels 2.6.* and up. Make sure to activate STP on the bridge if your network has more than 1 switch, otherwise a serious BROADCAST storm may occur. There is a way to do it without physdev using Shorewall; I leave you the link here: Shorewall and Bridged Firewalls without using physdev match support. And a very interesting link about ebtables here: ebtables/iptables interaction on a Linux-based bridge

Here I leave the final diagram of what my network turned out to be:
Code:
                               ---------
                               -gateway-
                               ---------
                                   ^
                                   ^
----------------------------------------------------------------------
-------------SuperMasterGigantUltraMegaPowerfullSWITCH----------------
----------------------------------------------------------------------
    ^                               ^            ^            ^
    ^                               ^            ^            ^ 
---------           ----------      ^            ^            ^
-switch1- <<<<<<<<< -switch2-       ^            ^            ^
---------           ----------      ^            ^            ^ 
    ^                    ^          ^            ^            ^
    ^                    ^          ^            ^            ^
---------            ---------  ---------    ---------    --------- 
-group 1-            -group 2-  -group 3-    -group 4-    -group 5-
---------            ---------  ---------    ---------    ---------

Last edited by plaga701; 11-17-2008 at 01:23 AM.. Reason: Final diagram
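A worked version of the bridge-plus-physdev setup described in the post above, as an added example and not the poster's own configuration. It assumes the two NICs keep the names eth_int and eth_pci from the routing table, uses br0 for the bridge, takes the gateway 220.20.10.1 from the post and a constructed bridge address of 220.20.10.254/24; run it with `apply` to execute, or `show` (or DRY_RUN=1) to print the commands instead.

```shell
#!/bin/sh
# Added example: transparent bridging firewall for group 1, with STP and physdev matching.
# Assumed interface names (from the poster's routing table) and constructed bridge address.
BR=br0
OUT_IF=eth_int              # side facing switch1 and the gateway
IN_IF=eth_pci               # side facing group 1 (the protected hosts)
FW_IP=220.20.10.254/24      # constructed address for the firewall itself
GW=220.20.10.1              # gateway from the post

# Print the command under DRY_RUN, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUT_IF"
    run brctl addif "$BR" "$IN_IF"
    # STP on: the thread warns of a broadcast storm when more than one switch is involved.
    run brctl stp "$BR" on
    run ip link set "$OUT_IF" up
    run ip link set "$IN_IF" up
    run ip addr add "$FW_IP" dev "$BR"
    run ip link set "$BR" up
    run ip route add default via "$GW" dev "$BR"
    # Make bridged frames traverse the iptables FORWARD chain (newer kernels: modprobe br_netfilter first).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

setup_filter() {
    run iptables -P FORWARD DROP
    # Replies to connections the protected hosts opened.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything originating from group 1 may leave toward the gateway.
    run iptables -A FORWARD -m physdev --physdev-in "$IN_IF" --physdev-out "$OUT_IF" -j ACCEPT
    # Inbound from the outside: only new SSH sessions to group 1 (constructed policy, adjust to your services).
    run iptables -A FORWARD -m physdev --physdev-in "$OUT_IF" --physdev-out "$IN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Log what the DROP policy is about to discard on the way in.
    run iptables -A FORWARD -m physdev --physdev-in "$OUT_IF" --physdev-out "$IN_IF" -j LOG --log-prefix "BRFW-DROP: "
}

case "${1:-}" in
    apply) setup_bridge; setup_filter ;;
    show)  DRY_RUN=1; setup_bridge; setup_filter ;;
    *)     : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Because the bridge carries the firewall's own address, the physical NICs carry none; the physdev match is what distinguishes the two sides that the kernel otherwise reports as a single br0.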
Old 11-17-2008   #3 (permalink)
Join Date: Oct 2008
Posts: 7
Another way

Another way to do it without a bridge is making the routed firewall respond to every ARP request for a machine behind it; I imagine it could be possible with arpd. Of course, it could bring trouble, since the IP associated with the MAC address of the firewall would change constantly and it could be seen as a man-in-the-middle attack.
© 2000 - 2009 - All Rights Reserved - Property of  MAS Media