"Firewall" NAT...

Support for security such as Firewalls and securing linux
mrpaulo
Posts: 16
Joined: 2007/06/10 14:18:50

Re: "Firewall" NAT...

Postby mrpaulo » 2009/03/19 20:41:21

Hi !

I have tried that way also but it did not work:

Firewall Nat
eth0 - 10.0.0.1/8 - static
gateway 192.168.0.1

eth1 - 192.168.0.2/24 - by dhcp
gateway 192.168.0.1

Router 192.168.0.1

Any other suggestion?

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: "Firewall" NAT...

Postby michaelnel » 2009/03/19 21:21:56

After the system boots, give us the outputs of:

ifcfg eth0
ifcfg eth1
route -n
service iptables status

mrpaulo
Posts: 16
Joined: 2007/06/10 14:18:50

Re: "Firewall" NAT...

Postby mrpaulo » 2009/03/19 21:54:00

[root@firewall adminuser]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:D4:68:7F:71
inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::213:d4ff:fe68:7f71/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:867 errors:0 dropped:0 overruns:0 frame:0
TX packets:813 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:79475 (77.6 KiB) TX bytes:132732 (129.6 KiB)
Interrupt:21 Base address:0x8000

eth1 Link encap:Ethernet HWaddr 00:0F:B5:F8:E7:5F
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20f:b5ff:fef8:e75f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:187 errors:0 dropped:0 overruns:0 frame:0
TX packets:469 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26538 (25.9 KiB) TX bytes:185747 (181.3 KiB)
Interrupt:20 Base address:0xe000

[root@firewall adminuser]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 10 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 10 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 10 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 10 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 10 0 0 eth1

[root@firewall adminuser]# /etc/init.d/iptables status
[root@firewall adminuser]#

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: "Firewall" NAT...

Postby michaelnel » 2009/03/19 23:22:26

Config looks correct to me. When you say you cannot ping from the 10 net to the internet, what exactly happens? Can you please cut & paste an example of the failure here?

Have you looked at /var/log/messages for network related stuff, dmesg too?

BTW, I don't see how this box is going to be either a firewall or provide NAT services without iptables being installed, but for right now it would be nice just to get basic networking operating correctly.
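A minimal NAT rule set for the topology posted above, added here as an example; it is not code from the thread or from either poster. It assumes eth0 faces the 10.0.0.0/8 LAN, eth1 faces the router at 192.168.0.1, and the iptables package is installed on the box. The interface variables, the run() wrapper and the APPLY switch are this example's own: without APPLY=1 it only prints the commands, so the rules can be reviewed before they are applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): source NAT plus a default-deny FORWARD
# chain for a two-interface Linux box. Assumed layout: eth0 = inside
# (10.0.0.0/8), eth1 = outside, toward the router at 192.168.0.1.

LAN_IF=eth0
LAN_NET=10.0.0.0/8
WAN_IF=eth1

# Print the command unless APPLY=1, in which case execute it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

nat_rules() {
    # Forwarding is off by default; without it the kernel silently drops
    # packets that arrive on eth0 and are destined for eth1.
    run sysctl -w net.ipv4.ip_forward=1

    # Start from a clean slate in the filter and nat tables.
    run iptables -F
    run iptables -t nat -F

    # Default deny for traffic transiting the box (INPUT/OUTPUT policy is
    # left to the host's own rules).
    run iptables -P FORWARD DROP

    # Replies to connections opened from the LAN are allowed back in.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections may only originate on the inside, from LAN addresses;
    # anything with a spoofed or foreign source is dropped by the policy.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT

    # Source NAT: rewrite 10.x sources to eth1's current address, so the
    # router only ever sees a 192.168.0.x peer and never has to find a route
    # back to 10.0.0.0/8. MASQUERADE (rather than SNAT --to-source) is used
    # because eth1 gets its address from DHCP and may change.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

nat_rules
```

Run as `sh nat.sh` to review the rules and `APPLY=1 sh nat.sh` as root to load them. On CentOS the loaded rules do not survive a reboot unless they are stored with `service iptables save`, and `net.ipv4.ip_forward = 1` has to go into /etc/sysctl.conf for the same reason.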

mrpaulo
Posts: 16
Joined: 2007/06/10 14:18:50

Re: "Firewall" NAT...

Postby mrpaulo » 2009/03/20 00:23:00

Hi! When I try to ping from the 10 net out to the internet...

C:\>ping 200.176.3.142 -t

Pinging 200.176.3.142 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.

Looking at /var/log/messages... I only found this:

Mar 19 21:01:09 firewall kernel: device eth1 left promiscuous mode
Mar 19 21:01:09 firewall kernel: audit(1237510869.049:29): dev=eth1 prom=0 old_prom=256 auid=4294967295
Mar 19 21:01:44 firewall kernel: eth1: Promiscuous mode enabled.
Mar 19 21:01:44 firewall kernel: device eth1 entered promiscuous mode
Mar 19 21:01:44 firewall kernel: audit(1237510904.651:30): dev=eth1 prom=256 old_prom=0 auid=4294967295

I also tcpdump'ed my eth1 (192.168.0.5) interface... look what I found:

21:08:27.322283 IP 10.0.0.2 > www.terra.com.br: ICMP echo request, id 512, seq 63233, length 40
21:08:27.322723 IP 192.168.0.1 > 10.0.0.2: ICMP redirect www.terra.com.br to host dsldevice.lan, length 36
21:08:29.197297 IP 10.0.0.2.63033 > resolver1.telesp.net.br.domain: 36197+ A? www.mandrivabrasil.org. (40)
21:08:29.197357 IP 10.0.0.2.63033 > resolver2.telesp.net.br.domain: 36197+ A? www.mandrivabrasil.org. (40)
21:08:29.197388 IP 10.0.0.2.63033 > 192.168.0.1.domain: 36197+ A? www.mandrivabrasil.org. (40)
21:08:29.197785 IP 192.168.0.1 > 10.0.0.2: ICMP redirect resolver1.telesp.net.br to host dsldevice.lan, length 36
21:08:29.198119 IP 192.168.0.1 > 10.0.0.2: ICMP redirect resolver2.telesp.net.br to host dsldevice.lan, length 36
21:08:29.241577 IP 192.168.0.1.domain > 10.0.0.2.63033: 36197 1/6/0 A[|domain]
21:08:32.822533 IP 10.0.0.2 > www.terra.com.br: ICMP echo request, id 512, seq 63489, length 40
21:08:32.822999 IP 192.168.0.1 > 10.0.0.2: ICMP redirect www.terra.com.br to host dsldevice.lan, length 36
21:08:33.197445 IP 10.0.0.2.63033 > resolver1.telesp.net.br.domain: 36197+ A? www.mandrivabrasil.org. (40)
21:08:33.197508 IP 10.0.0.2.63033 > resolver2.telesp.net.br.domain: 36197+ A? www.mandrivabrasil.org. (40)
21:08:33.197539 IP 10.0.0.2.63033 > 192.168.0.1.domain: 36197+ A? www.mandrivabrasil.org. (40)
21:08:33.197928 IP 192.168.0.1 > 10.0.0.2: ICMP redirect resolver1.telesp.net.br to host dsldevice.lan, length 36
21:08:33.198260 IP 192.168.0.1 > 10.0.0.2: ICMP redirect resolver2.telesp.net.br to host dsldevice.lan, length 36
21:08:33.242398 IP 192.168.0.1.domain > 10.0.0.2.63033: 36197 1/3/1 A[|domain]
21:08:38.196620 arp who-has 192.168.0.1 tell 192.168.0.5
21:08:38.196861 arp reply 192.168.0.1 is-at 00:1c:f0:7e:47:5a (oui Unknown)
21:08:38.322664 IP 10.0.0.2 > www.terra.com.br: ICMP echo request, id 512, seq 63745, length 40
21:08:38.323099 IP 192.168.0.1 > 10.0.0.2: ICMP redirect www.terra.com.br to host dsldevice.lan, length 36
21:08:43.822793 IP 10.0.0.2 > www.terra.com.br: ICMP echo request, id 512, seq 64001, length 40
21:08:43.823234 IP 192.168.0.1 > 10.0.0.2: ICMP redirect www.terra.com.br to host dsldevice.lan, length 36
21:08:49.323081 IP 10.0.0.2 > www.terra.com.br: ICMP echo request, id 512, seq 64257, length 40
21:08:49.323524 IP 192.168.0.1 > 10.0.0.2: ICMP redirect www.terra.com.br to host dsldevice.lan, length 36
21:08:54.823152 IP 10.0.0.2 > www.terra.com.br: ICMP echo request, id 512, seq 64513, length 40
21:08:54.823590 IP 192.168.0.1 > 10.0.0.2: ICMP redirect www.terra.com.br to host dsldevice.lan, length 36

192.168.0.1 is my router
resolver1.telesp.net.br and resolver2.telesp.net.br are my DSL DNS

Looks like I will have to bring my public IP to one of my interfaces, right?
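The capture above shows the diagnostic signature of a forwarding box that is not translating: packets leave eth1 still carrying a 10.x source, and the router answers with ICMP redirects addressed to hosts it has no route to. The following awk-based check, added here as an example and not part of the thread, flags exactly that pattern in saved tcpdump text. The sample lines are constructed from the capture posted above, with one extra line (source 192.168.0.5) added to represent a correctly translated packet; the router address and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): spot un-NATed traffic and the router's
# ICMP redirects in tcpdump output. Assumed router address: 192.168.0.1.

ROUTER=192.168.0.1

# Constructed sample, based on the capture in the thread plus one line
# (source 192.168.0.5) showing what a properly translated packet looks like.
SAMPLE_CAPTURE='21:08:27.322283 IP 10.0.0.2 > www.terra.com.br: ICMP echo request, id 512, seq 63233, length 40
21:08:27.322723 IP 192.168.0.1 > 10.0.0.2: ICMP redirect www.terra.com.br to host dsldevice.lan, length 36
21:08:29.197297 IP 10.0.0.2.63033 > resolver1.telesp.net.br.domain: 36197+ A? www.mandrivabrasil.org. (40)
21:08:29.197785 IP 192.168.0.1 > 10.0.0.2: ICMP redirect resolver1.telesp.net.br to host dsldevice.lan, length 36
21:08:38.196620 arp who-has 192.168.0.1 tell 192.168.0.5
21:08:38.196861 arp reply 192.168.0.1 is-at 00:1c:f0:7e:47:5a (oui Unknown)
21:08:40.000000 IP 192.168.0.5.40000 > resolver1.telesp.net.br.domain: 1234+ A? example.com. (30)'

# Count packets on the outside interface whose source is still a 10.x
# address. In tcpdump's default format field 3 is the source, either a bare
# address or address.port for TCP/UDP, so a prefix match is enough.
count_unnatted() {
    awk '$2 == "IP" && $3 ~ /^10\./ { n++ } END { print n + 0 }'
}

# Count ICMP redirects the router sends to 10.x hosts: it is trying to steer
# a host it cannot reach, which only happens when the box forwarded the
# original packet without rewriting its source.
count_redirects() {
    awk -v router="$ROUTER" \
        '$2 == "IP" && $3 == router && /ICMP redirect/ && $5 ~ /^10\./ { n++ } END { print n + 0 }'
}

# Read a capture on stdin and print a one-line verdict.
nat_verdict() {
    capture=$(cat)
    un=$(printf '%s\n' "$capture" | count_unnatted)
    rd=$(printf '%s\n' "$capture" | count_redirects)
    if [ "$un" -gt 0 ] || [ "$rd" -gt 0 ]; then
        echo "NO-NAT: $un packet(s) left with a 10.x source, $rd ICMP redirect(s) from $ROUTER"
    else
        echo "OK: no private sources or redirects seen on the outside interface"
    fi
}

printf '%s\n' "$SAMPLE_CAPTURE" | nat_verdict
```

On a live box the same check runs over a saved capture, for example `tcpdump -ni eth1 > capture.txt` followed by `nat_verdict < capture.txt`. Once source NAT is in place the first counter should drop to zero and the router should stop sending redirects, because every packet it sees now comes from an address on its own subnet.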