Problems configuring gateway/firewall with static IP addresses

Tod Merley todbot88 at gmail.com
Fri Aug 18 00:31:06 UTC 2006 

On 8/17/06, Matt Singerman <msingerman at ncemch.org> wrote:
> Hi everyone,
>
> First off, I apologize if I am slightly incoherent, as thi problem has
> been driving me nuts for days now.
>
> I have used Linux before, and have even configured basic network
> settings, but I have never set up a machine as a gateway/firewall.  I am
> now attempting to do this, but I am running into all sorts of problems.
>
> The gateway will be replacing an existing one which is beginning to show
> its age.  It has static IP addresses for both the LAN and WAN, and the
> machines behind it (servers) have publically-addressable static IP
> addresses (not 10.x.x.x, 192.168.x.x, etc.).  This is important, obviously.
>
> I have found numerous guides online for setting up a gateway and
> firewall using DHCP and NAT to use private IP ranges for machines on the
> LAN, but this is obviously not what I want to do.  I cannot find any
> information about setting it up using all static IP addresses.  I would
> assume that this would be if anything simpler to configure, but I am
> havind a devil of a time.
>
> Our local subnet is the entire 141.161.111.0/24 block
> (141.161.111.0-141.161.111.255).  I have a working router on
> 141.161.111.241, and the subnet mask being used by all machines here is
> 255.255.255.0
>
> Basically, I have eth0 configured to be the WAN connection, and it is
> working fine.  I can ping machines off the network, and machines can
> ping it.  Where I am running into problems is with IP forwarding
> actually allowing connections through.
>
> Here is eth0's config file:
>
> DEVICE=eth0
> ONBOOT=yes
> BOOTPROTO=static
> IPADDR=141.161.111.243
> GATEWAY=141.161.111.241
> NETMASK=255.255.255.0
> NETWORK=141.161.111.0
>
> eth1 is configured to be the LAN interface.  It has the following settings:
>
> DEVICE=eth1
> BOOTPROTO=static
> BROADCAST=141.161.111.255
> HWADDR=00:0E:2E:79:F6:17
> IPADDR=141.161.111.242
> GATEWAY=141.161.111.242
> NETMASK=255.255.255.0
> NETWORK=141.161.111.0
> ONBOOT=yes
>
> I have modified /etc/sysctl.conf so that net.ipv4.ip_forward is set to 1.
>
> Other than that...  I am at a loss as to what to do.  Can anyone point
> me in the direction as to what my next step should be?
>
> Thanks!
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>

Hi Matt!

I am no expert here but hope to learn about this sort of thing.

A couple of things right off:

1. Probably not good to post your IPs on a Linux mail list.  Espically
giving any detail as to your actual network structure.  The net is
hostile.

2. I absolutely agree with Ed.  First things first.  You need to write
out the goals of the network.  If I were to guess it would be that you
have some web service servers and some desktops in the mix.  But, you
are using a block of Public IPs for all!?!?!  You are the owner of
those Public IPs?  Certianly in a labrotory setting not connected to
the Internet you can do as you please, but you mention a "gateway"
which could imply that at least that IP somehow has access to the
Public Internet.  I do not think you can have your public IPs on the
inside and the Internet have the same IPs and the two be connected
together.

I would think you would need some Info for the list(s):

The Computers: Apparently thier static IPs?:  Services used:
Applications used:  Purpose(s) of network connection(s): Network
hardware used:  Expected network loading:

The networks used:  Purpose of the network:  Range of IP/mask: Ports:
Style of address management (e.g. DHCP):  Style of Name Service
(web/zone DNS): any other management services (LDAP, SNMP, Wins,
etc...).

Which Public Internet addresses do we own??!!??  Why do we own them
(what are they expected to be used for??

Should we be using NAT??!!??

How many firewalls do I need?  Where should they be placed?  Note:
possibley each box can have it's own firewall or two.  If I use a
special outside box how do I know that the box will not be
compromised?

Should I be useing network "sniffers" for security (sort of "cameras"
on the network)?

What auditing/security tools do my OSs, applications, and
servers/desktops have (or should they have).

You need, I think, to draw pictures and charts with the information
above included in the picture/chart.  I think you will find that this
really helps.

Good Hunting and Charting!

Tod

More information about the fedora-list mailing list