- 10-29-2008 #1 (Just Joined! | Join Date: Oct 2008 | Posts: 7)
[SOLVED] IP forwarding of public IPs
Hi, I need to set up a firewall for a set of computers at my university.
The net is structured as follows: there are a total of 5 groups of computers; all computers have public IPs and a /24 netmask, including the firewall. One group is interconnected through a switch, and another set is interconnected through a second switch. The second switch is connected to the first switch, and the first switch is connected to the gateway. The other 3 groups have the same gateway, netmask and subnet as the rest of the network, but they're not connected to the first switch; they are connected to some-place-i-dont-know-about.
All groups are in the same broadcast address.
I've already set up a machine between the first group and the first switch, but I haven't been able to route packets properly. Packets get to the firewall and, looking at the routing cache of the firewall, the packets are forwarded properly to the internet, but I've never been able to get a response, nor have I been able to connect from the outside with the firewall on. The only way I've been able to connect to the internet is by source-NATing all packets leaving the firewall to the firewall's IP address, but that's no good because I want to be able to connect from the outside.
I'm attaching the routing table and an "ASCII graphic" of the network to make the picture clearer.
The firewall I'm trying to install would be between group1 and switch1.
Code:
---------                         -----------------------------
-gateway-                         -the-place-I-dont-know-about-
---------                         -----------------------------
    ^                               ^           ^           ^
    ^                               ^           ^           ^
---------           ---------       ^           ^           ^
-switch1- <<<<<<<<< -switch2-       ^           ^           ^
---------           ---------       ^           ^           ^
    ^                   ^           ^           ^           ^
    ^                   ^           ^           ^           ^
---------           ---------   ---------   ---------   ---------
-group 1-           -group 2-   -group 3-   -group 4-   -group 5-
---------           ---------   ---------   ---------   ---------

Kernel IP routing table
Destination     Gateway         Genmask         Flags Iface
220.20.10.1     0.0.0.0         255.255.255.255 UH    eth_int
220.20.10.0     0.0.0.0         255.255.255.0   U     eth_pci
127.0.0.0       0.0.0.0         255.0.0.0       U     lo
0.0.0.0         220.20.10.1     0.0.0.0         UG    eth_int
Since all the computers on the network can communicate with each other without problems, my guess is that the-place-i-dont-know-about is actually a switch to which my gateway is connected.
- 11-16-2008 #2 (Just Joined! | Join Date: Oct 2008 | Posts: 7)
brctl+iptables+physdev
I solved the problem. It turned out that the-place-i-know-nothing-about was a switch and my gateway was connected to it.
When a packet from the outside tried to reach a machine in the firewalled section of the network, the switch would only see the firewall but none of the machines behind it. The solution was to make the firewall a bridge (using brctl) and then use the physdev match of iptables to match against the bridged interfaces. Without physdev it would be impossible to match packets against interfaces other than the virtual one created by the bridge, which may not work for you in certain cases. However, it only works with kernels 2.6.* and up. Make sure to activate STP on the bridge if your network has more than 1 switch, otherwise a serious BROADCAST storm may occur. There is a way to do it without physdev using Shorewall; I leave you the link here: Shorewall and Bridged Firewalls without using physdev match support. And a very interesting link about ebtables here: ebtables/iptables interaction on a Linux-based bridge.
Here I leave the final diagram of what my network turned out to be:
Code:
                              ---------
                              -gateway-
                              ---------
                                  ^
                                  ^
----------------------------------------------------------------------
-------------SuperMasterGigantUltraMegaPowerfullSWITCH----------------
----------------------------------------------------------------------
    ^                               ^           ^           ^
    ^                               ^           ^           ^
---------           ---------       ^           ^           ^
-switch1- <<<<<<<<< -switch2-       ^           ^           ^
---------           ---------       ^           ^           ^
    ^                   ^           ^           ^           ^
    ^                   ^           ^           ^           ^
---------           ---------   ---------   ---------   ---------
-group 1-           -group 2-   -group 3-   -group 4-   -group 5-
---------           ---------   ---------   ---------   ---------
Last edited by plaga701; 11-17-2008 at 02:23 AM. Reason: Final diagram
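An added example of the brctl + iptables physdev setup that post #2 describes (this is my script, not the poster's). It assumes eth_int faces the gateway and eth_pci faces group 1, which is what the routing table in post #1 suggests; the bridge name br0, the firewall address 220.20.10.250 and the inbound port list are placeholders. The bridge keeps the hosts' own MAC addresses visible to the upstream switch, STP is switched on because there is more than one switch, and the bridge-nf sysctl is what makes iptables see bridged frames at all, so the physdev match has something to match.

```shell
#!/bin/sh
# Added example, not the poster's script. Builds a transparent bridged firewall:
#   br0 = eth_int (toward the gateway) + eth_pci (toward the protected hosts),
# then filters in FORWARD with the physdev match so rules can refer to the real
# ports instead of the single virtual bridge interface.
# Run as:  sh bridge-fw.sh           -> dry run, prints the command plan
#          APPLY=1 sh bridge-fw.sh   -> executes the plan (needs root)

BRIDGE=br0
OUTSIDE=eth_int                    # interface facing the upstream switch/gateway
INSIDE=eth_pci                     # interface facing group 1
FW_IP=${FW_IP:-220.20.10.250/24}   # placeholder: the firewall's own public address
GATEWAY=220.20.10.1                # from the routing table in post #1
INBOUND_TCP=${INBOUND_TCP:-"22 80"}  # placeholder: services reachable from outside

# Emit the commands one per line instead of running them, so the plan can be
# reviewed (or tested) before it is applied.
build_commands() {
    cat <<EOF
brctl addbr $BRIDGE
brctl addif $BRIDGE $OUTSIDE
brctl addif $BRIDGE $INSIDE
brctl stp $BRIDGE on
ip addr flush dev $OUTSIDE
ip addr flush dev $INSIDE
ip link set $OUTSIDE up
ip link set $INSIDE up
ip addr add $FW_IP dev $BRIDGE
ip link set $BRIDGE up
ip route add default via $GATEWAY dev $BRIDGE
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $INSIDE --physdev-out $OUTSIDE -j ACCEPT
EOF
    # New connections from outside are only let through to the listed ports.
    for port in $INBOUND_TCP; do
        echo "iptables -A FORWARD -m physdev --physdev-in $OUTSIDE --physdev-out $INSIDE -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else hitting the policy DROP gets logged (rate limited).
    echo "iptables -A FORWARD -m physdev --physdev-in $OUTSIDE --physdev-out $INSIDE -m limit --limit 5/min -j LOG --log-prefix 'bridge-fw drop: '"
}

if [ "${APPLY:-0}" = "1" ]; then
    build_commands | sh -e        # apply for real; stop at the first failure
else
    build_commands                # dry run: just show the plan
fi
```

The rule set is deliberately one-directional: anything that originates inside (physdev-in eth_pci) may leave, replies come back via the state match, and only the listed TCP ports accept new connections from the outside port. Because the physical interfaces lose their addresses when they join the bridge, the firewall's own address and default route move to br0.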
- 11-17-2008 #3 (Just Joined! | Join Date: Oct 2008 | Posts: 7)
Another way
Another way to do it without a bridge is making the routed firewall respond to every ARP request for a machine behind it; I imagine it could be possible with arpd. Of course, it could bring trouble, since the IP associated with the MAC address of the firewall would change constantly and it could be seen as a man-in-the-middle attack.
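An added example, not the poster's code, of the side effect post #3 warns about: a routed firewall that answers ARP for every host behind it shows up in the other machines' ARP caches as one MAC address holding many IPs, which is exactly the pattern an ARP-spoofing monitor flags. The check below reads lines in the format of `arp -an` and reports any MAC bound to more than a threshold of addresses. The ARP listing is constructed for the example (addresses from the thread's 220.20.10.0/24, MACs invented); the threshold and function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): flag one MAC answering for many IPs.
# Input format is that of `arp -an`:  ? (IP) at MAC [ether] on IFACE

# Constructed sample listing: 00:11:22:33:44:fe (a firewall doing proxy ARP)
# appears for four different hosts; one entry is unresolved.
SAMPLE_ARP='? (220.20.10.1) at 00:11:22:33:44:01 [ether] on eth0
? (220.20.10.10) at 00:11:22:33:44:fe [ether] on eth0
? (220.20.10.11) at 00:11:22:33:44:fe [ether] on eth0
? (220.20.10.12) at 00:11:22:33:44:fe [ether] on eth0
? (220.20.10.13) at 00:11:22:33:44:fe [ether] on eth0
? (220.20.10.20) at 00:11:22:33:44:20 [ether] on eth0
? (220.20.10.21) at <incomplete> on eth0'

# shared_macs THRESHOLD   (reads `arp -an` output on stdin)
# Prints "MAC COUNT IP1,IP2,..." for every MAC bound to more than THRESHOLD
# addresses; incomplete entries are skipped. Exit status is 0 either way.
shared_macs() {
    threshold=${1:-1}
    awk -v limit="$threshold" '
        /<incomplete>/ { next }
        {
            ip = $2; gsub(/[()]/, "", ip)          # "(220.20.10.10)" -> "220.20.10.10"
            mac = tolower($4)
            n[mac]++
            ips[mac] = (n[mac] == 1) ? ip : ips[mac] "," ip
        }
        END {
            for (m in n) if (n[m] > limit) print m, n[m], ips[m]
        }' | sort
}

# Runs the check over the constructed sample; on a real host replace the
# sample with:  arp -an | shared_macs 1
check_sample() {
    printf '%s\n' "$SAMPLE_ARP" | shared_macs 1
}

check_sample
```

A legitimate router or proxy-ARP firewall produces the same signature as a spoofing host, so the useful output of this check is a short list to reconcile against known infrastructure MACs, not an alarm on its own; raising the threshold hides the expected gateway entries.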