Firewall & Routing - help!

Rodolfo J. Paiz rpaiz at simpaticus.com
Thu Jun 10 18:07:22 UTC 2004


At 11:09 6/10/2004, James Kosin wrote:
>Kevin F. Berrien wrote:
>|
>| "external subnet" - eth0 - 192.168.50.0
>| gateway to internet - 192.168.50.1
>| eth0 ip 192.168.50.48/255.255.255.0 gw = 192.168.50.1
>|
>| "internal subnet" - eth1 - 192.168.5.0
>| eth1 ip 192.168.5.200/255.255.255.0 gw = 192.168.50.1??
>|
>| test host "internal"
>| ip 192.168.5.3/255.255.255.0 gw = 192.168.5.200??
>|
><<-- snip -->>
>
>a)  make a route in 192.168.50.1 that routes traffic for 192.168.5.0 to
>your IP of 192.168.50.48...  This will allow your gateway server/router
>to route packets to this additional network properly.

Remember that the 192.168.0.0/16 space is reserved for private IP 
addresses. The Internet gateway *cannot* receive traffic from the open 
Internet destined to a 192.168.x.y address... it would be invalid or 
spoofed. The Internet gateway should instead enable masquerading for all 
outbound traffic received from 192.168.50.48. Return traffic will be 
allowed automatically. One easy solution is that the internal server can 
also enable masquerading via eth0 for all traffic received from eth1.

Two masquerading layers, but the solution should work pretty much 
transparently *AS LONG AS* you don't need or want people on the Internet to 
be able to reach those internal machines. If such a thing is desirable, 
you'll have to add additional DNAT rules to both firewalls.

>b)  I don't believe you need a gateway for eth1.  I could be wrong....

You don't. When you have multiple devices like this, each device should 
have its gateway for the local network (or no gateway if *it* is the 
gateway), and then you should have a statement like this in your 
/etc/sysconfig/network file:

GATEWAYDEV=eth0

So eth0 should have 192.168.50.1 as its gateway for the 192.168.50.0/24 
network on which it participates, and eth1 does not need a gateway since it 
*is* the gateway. The GATEWAYDEV line will tell Linux how to route packets 
to the default route correctly. Note that all other machines on the 
192.168.5.0/24 subnet *do* need to have 192.168.5.3 as their gateway.

I just set up something like this yesterday. One subnet (192.168.200.0/24) 
allows outbound masquerading *only* for ports 80 and 443 via a Fedora Core 
2 box with Shorewall and two interfaces. The external interface is part of 
a larger office whose firewall (also FC2+Shorewall) allows outbound 
masquerading to the Internet. Incoming access to port 80 for one box is 
permitted via a DNAT rule in Shorewall. Works like a charm, piece of cake.

Cheers,


-- 
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
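As an added example (not part of the thread, and not Rodolfo's or Shorewall's own configuration), the shell script below spells out the two masquerading layers and the GATEWAYDEV setting from the reply above as plain iptables commands for the addresses in Kevin's message. It assumes the legacy iptables command syntax, an uplink name of `ppp0` on the 192.168.50.1 gateway (that name is a placeholder), and a `DRY_RUN` mode that prints the commands instead of running them; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the fedora-list thread. Builds the two NAT layers
# described in the reply for the addresses in Kevin's message. Uses the
# legacy iptables command syntax; OUTER_WAN_IF and DRY_RUN are assumptions
# made for this example only.

EXT_IF=eth0              # inner box: leg on the "external subnet" 192.168.50.0/24
INT_IF=eth1              # inner box: leg on the "internal subnet" 192.168.5.0/24
INT_NET=192.168.5.0/24
INNER_BOX_EXT_IP=192.168.50.48
EXT_GW=192.168.50.1
OUTER_WAN_IF=ppp0        # assumed (placeholder) name of the Internet gateway's uplink
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands, 0 = eval them (needs root)

# is_rfc1918 ADDR[/PREFIX]: succeed when the address is in 10/8, 172.16/12
# or 192.168/16, the private ranges that can never legitimately arrive
# from the open Internet.
is_rfc1918() {
    case "$1" in *[!0-9./]*|'') return 1 ;; esac
    IFS=. read -r o1 o2 o3 o4 <<EOF
${1%%/*}
EOF
    [ -n "$o4" ] || return 1
    case "$o1" in
        10)  return 0 ;;
        172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
        192) [ "$o2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# inner_nat_rules: masquerade the internal subnet out of eth0 and let only
# reply traffic back in (the inner box "masquerading via eth0 for eth1").
inner_nat_rules() {
    echo "iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# outer_nat_rule: what the Internet gateway (192.168.50.1) needs instead of
# a route for 192.168.5.0/24: masquerade everything arriving from the inner box.
outer_nat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $INNER_BOX_EXT_IP -o $OUTER_WAN_IF -j MASQUERADE"
}

# dnat_rules HOST: the extra DNAT needed (on each layer) only when an
# internal machine must be reachable from outside; here port 80 to HOST.
dnat_rules() {
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $1:80"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $1 --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
}

# network_file: the /etc/sysconfig/network lines for the inner box. GATEWAYDEV
# pins the default route to eth0, so eth1 needs no gateway of its own.
network_file() {
    printf 'NETWORKING=yes\nGATEWAY=%s\nGATEWAYDEV=%s\n' "$EXT_GW" "$EXT_IF"
}

# apply: refuse a non-private internal subnet, then print or run the inner
# box's forwarding and NAT setup.
apply() {
    is_rfc1918 "$INT_NET" || { echo "refusing: $INT_NET is not an RFC 1918 range" >&2; return 1; }
    { echo "sysctl -w net.ipv4.ip_forward=1"; inner_nat_rules; } | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
    done
}

apply
```

Run it as-is to see the commands the inner box would execute; `DRY_RUN=0` as root applies them. The `-P FORWARD DROP` line plus the ESTABLISHED,RELATED rule is what makes "return traffic will be allowed automatically" true while refusing unsolicited inbound connections, and `outer_nat_rule` is the gateway-side counterpart of James's suggested static route.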
