Re: Problems configuring gateway/firewall with static IP addresses

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/17/06, Matt Singerman <msingerman@xxxxxxxxxx> wrote:
Hi everyone,

First off, I apologize if I am slightly incoherent, as thi problem has
been driving me nuts for days now.

I have used Linux before, and have even configured basic network
settings, but I have never set up a machine as a gateway/firewall.  I am
now attempting to do this, but I am running into all sorts of problems.

The gateway will be replacing an existing one which is beginning to show
its age.  It has static IP addresses for both the LAN and WAN, and the
machines behind it (servers) have publically-addressable static IP
addresses (not 10.x.x.x, 192.168.x.x, etc.).  This is important, obviously.

I have found numerous guides online for setting up a gateway and
firewall using DHCP and NAT to use private IP ranges for machines on the
LAN, but this is obviously not what I want to do.  I cannot find any
information about setting it up using all static IP addresses.  I would
assume that this would be if anything simpler to configure, but I am
havind a devil of a time.

Our local subnet is the entire 141.161.111.0/24 block
(141.161.111.0-141.161.111.255).  I have a working router on
141.161.111.241, and the subnet mask being used by all machines here is
255.255.255.0

Basically, I have eth0 configured to be the WAN connection, and it is
working fine.  I can ping machines off the network, and machines can
ping it.  Where I am running into problems is with IP forwarding
actually allowing connections through.

Here is eth0's config file:

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=141.161.111.243
GATEWAY=141.161.111.241
NETMASK=255.255.255.0
NETWORK=141.161.111.0

eth1 is configured to be the LAN interface.  It has the following settings:

DEVICE=eth1
BOOTPROTO=static
BROADCAST=141.161.111.255
HWADDR=00:0E:2E:79:F6:17
IPADDR=141.161.111.242
GATEWAY=141.161.111.242
NETMASK=255.255.255.0
NETWORK=141.161.111.0
ONBOOT=yes

I have modified /etc/sysctl.conf so that net.ipv4.ip_forward is set to 1.

Other than that...  I am at a loss as to what to do.  Can anyone point
me in the direction as to what my next step should be?

Thanks!

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


Hi Matt!

I am no expert here but hope to learn about this sort of thing.

A couple of things right off:

1. Probably not good to post your IPs on a Linux mail list.  Espically
giving any detail as to your actual network structure.  The net is
hostile.

2. I absolutely agree with Ed.  First things first.  You need to write
out the goals of the network.  If I were to guess it would be that you
have some web service servers and some desktops in the mix.  But, you
are using a block of Public IPs for all!?!?!  You are the owner of
those Public IPs?  Certianly in a labrotory setting not connected to
the Internet you can do as you please, but you mention a "gateway"
which could imply that at least that IP somehow has access to the
Public Internet.  I do not think you can have your public IPs on the
inside and the Internet have the same IPs and the two be connected
together.

I would think you would need some Info for the list(s):

The Computers: Apparently thier static IPs?:  Services used:
Applications used:  Purpose(s) of network connection(s): Network
hardware used:  Expected network loading:

The networks used:  Purpose of the network:  Range of IP/mask: Ports:
Style of address management (e.g. DHCP):  Style of Name Service
(web/zone DNS): any other management services (LDAP, SNMP, Wins,
etc...).

Which Public Internet addresses do we own??!!??  Why do we own them
(what are they expected to be used for??

Should we be using NAT??!!??

How many firewalls do I need?  Where should they be placed?  Note:
possibley each box can have it's own firewall or two.  If I use a
special outside box how do I know that the box will not be
compromised?

Should I be useing network "sniffers" for security (sort of "cameras"
on the network)?

What auditing/security tools do my OSs, applications, and
servers/desktops have (or should they have).

You need, I think, to draw pictures and charts with the information
above included in the picture/chart.  I think you will find that this
really helps.

Good Hunting and Charting!

Tod


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux