[Gllug] Network configuration

Jack Bertram jack at jbertram.net
Fri Jun 20 09:44:45 UTC 2003


* Alistair Mann <alistair at lgeezer.net> [030620 10:16]:
> Thus spaketh Jonathan Dye on Friday 20 June 2003 8:36 am:
> > I will shortly be getting ADSL (assuming my line tests pass) and with that
> > I have been given eight ip addresses (although one is the network address
> > and one the broadcast address).  My ISP has told me that the router they
> > are sending me will be assigned one of these addresses.  I want to use the
> > other 4 for my own machines behind a firewall machine.
> 
> Stop there. Only your firewall machine will need to have one of your eight IP 
> addresses. m1, m2 and m3 would all get private addresses such as 192.168.0.2
> and use the firewall's internal IP address as their gateway. The firewall 
> would use NAT to get the traffic out onto the Internet. Only machines which 
> are connected to the router need public IPs!

Well, there are good reasons to want firewalled machines to have public
IPs - for example, if you are running services which don't respond to
NAT very well.  However, if you don't need to provide this functionality
(no servers, for example) then you could use NAT.

* Tethys <tet at accucard.com> [030620 09:06]:
> Jonathan Dye writes:
> >I'm slightly worried about the routing on the firewall box.  Presumably I
> >need to set its default gateway to be the router and add a route to the
> >router with a /32 netmask.  Can I then also set the internal interface to
> >have a /29? netmask even though one of the machines for that network (the
> >router) is on the external interface?
> 
> Theoretically yes. You might want to have a look at the Bridge / Firewall
> HOWTO:
> 
> 	http://www.ibiblio.org/mdw/HOWTO/mini/Bridge+Firewall.html
> 
> Or you could just NAT your public facing IPs to the private ones on
> your LAN.

Another (possibly simpler) alternative is to use proxy arp on the
firewall.  The router will think that it is talking directly to all the
machines behind the firewall, although in fact the firewall will be
handling these requests.  I have set up a DMZ using exactly this setup.

Once the firewall rules are correct (so it filters traffic and is
configured to forward traffic across your /29 network), it is simply a
matter of something like

# echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

or similar on the firewall box.  Your router and servers need not even
know that the firewall is there - it is a completely transparent "drop
in" solution.  The servers would be configured to route through the
router and the firewall would sit in the middle.

jack
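A worked version of the proxy-ARP "drop in" firewall described above, added here as an example and not part of Jack's post or the HOWTO. It assumes a /29 from the documentation range (203.0.113.8/29), the ISP router at 203.0.113.9, the firewall's outside interface eth0 and inside interface eth1, and that the servers only need inbound HTTP; all of those values are constructed for the example. The script prints the commands as a dry run rather than executing them, so the plan can be checked before it is applied on the firewall box: proxy_arp on both interfaces (the sysctl equivalent of the /proc write in the post), a /32 route for each server on the inside, the router on the outside, and a default-DROP FORWARD chain that only passes the services you intend to expose.

```shell
#!/bin/sh
# Constructed example of a transparent proxy-ARP firewall for a /29.
# Assumed values (not from the mailing-list post):
#   public block 203.0.113.8/29, ISP router 203.0.113.9,
#   outside interface eth0, inside interface eth1, servers offer HTTP only.

# Dotted quad -> 32-bit integer (POSIX sh arithmetic, no external tools).
ip_to_int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# 32-bit integer -> dotted quad.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# List the usable hosts in a CIDR block, excluding the network and
# broadcast addresses (the two of the eight that the ISP reserves).
usable_hosts() {
  addr=${1%/*}; plen=${1#*/}
  base=$(ip_to_int "$addr")
  size=$(( 1 << (32 - plen) ))
  net=$(( base - base % size ))
  bcast=$(( net + size - 1 ))
  i=$(( net + 1 )); out=""
  while [ "$i" -lt "$bcast" ]; do
    out="$out $(int_to_ip "$i")"
    i=$(( i + 1 ))
  done
  echo "${out# }"
}

# Print (do not run) the commands that turn a Linux box into a
# transparent proxy-ARP firewall between the router and the servers.
# Usage: firewall_plan <public cidr> <router ip> <outside if> <inside if>
firewall_plan() {
  public_net=$1; router=$2; ext_if=$3; int_if=$4
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Answer ARP for the servers on the outside and for the router on the inside,
  # so neither side needs to know the firewall exists.
  echo "sysctl -w net.ipv4.conf.$ext_if.proxy_arp=1"
  echo "sysctl -w net.ipv4.conf.$int_if.proxy_arp=1"
  # The router is the only host on the outside; everything else is behind eth1.
  echo "ip route add $router/32 dev $ext_if"
  echo "ip route add default via $router dev $ext_if"
  for h in $(usable_hosts "$public_net"); do
    [ "$h" = "$router" ] && continue
    echo "ip route add $h/32 dev $int_if"
  done
  # Filtering: drop forwarded traffic by default, allow replies, allow the
  # servers out, and allow in only the service you actually run (assumed: HTTP).
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $int_if -o $ext_if -j ACCEPT"
  echo "iptables -A FORWARD -i $ext_if -o $int_if -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
}

# Dry run when called with the four arguments, e.g.
#   sh proxyarp.sh 203.0.113.8/29 203.0.113.9 eth0 eth1
if [ "$#" -eq 4 ]; then
  firewall_plan "$@"
fi
```

The routes are what make the scheme work: without the /32 routes on the inside interface the kernel would treat the whole /29 as living on eth0 and never forward to the servers, and without proxy_arp on eth1 the servers' ARP requests for their gateway (the router) would go unanswered. Review the printed plan, then run it line by line on the firewall with the rules in place before enabling forwarding.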

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
