Success (was Transparent Firewalling)

Nathan Le Nevez npl at acis.com.au
Tue Jan 15 08:56:09 EST 2002 

Guys,

Thanks for all your help. I did manage to get it working perfectly. For 
those of you who wanted to know how to do it, here is my version:

I have a BSD Gauntlet firewall (which is our gateway machine) sitting on 
10.2.1.1, with the LAN on 10.2.1.x (netmask of 255.255.255.0). 

I built a new linux box with two ethernet cards, and connected eth0 to the 
10.2.1.x network. I disconnected the gateway machine and ran a cross over 
cable from it, into eth1 on our new box. 

The next step, was to do the Proxy ARP stuff:

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

I then have to trick the network into thinking its directly connected to 
the gateway, by spoofing the ARP request:

/sbin/arp -i eth0 -Ds 10.2.1.1 eth0 netmask 255.255.255.255 pub

This works in two directions, so I needed to trick the gateway machine 
into thinking its directly connected to the LAN:

/sbin/arp -i eth1 -Ds 10.2.1.2 eth1 netmask 255.255.255.255 pub
/sbin/arp -i eth1 -Ds 10.2.1.3 eth1 netmask 255.255.255.255 pub
/sbin/arp -i eth1 -Ds 10.2.1.4 eth1 netmask 255.255.255.255 pub
/sbin/arp -i eth1 -Ds 10.2.1.5 eth1 netmask 255.255.255.255 pub
...

(I needed to add one for each machine, because apparently you cant use a 
proper netmask with ARP)

Now to get it all working, I needed to flush the ARP caches on all your 
machines (this will happen automatically after a few minutes).

I can now ping 10.2.1.1 from any 10.2.1.x machine, and 10.2.1.1 can ping 
any other machine. 

I didnt need to add any firewalling rules, just some Accounting rules so I 
can count bytes going in and out, so I added some IPTables rules like so:

iptables -N 10.2.1.8
iptables -A FORWARD -s 10.2.1.8 -d 0/0 -j 10.2.1.8
iptables -A FORWARD -s 0/0 -d 10.2.1.8 -j 10.2.1.8
iptables -A 10.2.1.8 -i eth0 -o eth1
iptables -A 10.2.1.8 -i eth1 -o eth0

To view the packet counters:

iptables -nL -v -x

Thanks to everyone who provided help!

Cheers,

Nathan


-- 

____________________________________________
Nathan Le Nevez (nathan.lenevez at acis.com.au)
Australian Corporate Information Solutions
(ACIS Pty Ltd)
Tel. (02) 6122 2102
Fax. (02) 6282 4328
Mob: 0413 411 136

More information about the linux mailing list