Gentoo Forums
Routing/Firewall Question (SOLVED)
cfs
n00b
Joined: 14 Dec 2005
Posts: 3

Posted: Wed Dec 14, 2005 7:17 pm    Post subject: Routing/Firewall Question (SOLVED)

EDIT
Bridging the interfaces works fine. Thanks Everybody!

I am having a devil of a time setting this up, and was wondering if anybody could shed some light on my problems.

Here is what I am wanting to do. I am the sysadmin of a campus network, and want to set up a firewall. We have a public /26 subnet, and a private /22 that both sit on the same physical network. The router, which is owned by the state and I have no access to, provides NAT services for the machines that need them.

What I am wanting to do is stick a machine between the router and my network, and have it act as a firewall. It does not need to do NAT (in fact it cannot, or I'd use something like shorewall), but it needs to pass all the traffic on the inside interface to the router, and vice-versa.

As a test setup, I have a machine with 2 NICs, set up as such:

eth0: connected to network at large
eth1: connected directly to my laptop

My laptop is set up with an IP in my public subnet, along with both NICs in the firewall. I have ip forwarding on, and also static routes set up so traffic to the router goes over eth0 and traffic to my laptop over eth1.

From the laptop, I can ping the firewall on both interfaces. From the firewall, I can ping the laptop and the router. I cannot ping the router from the laptop, or ping the laptop from a machine on my main network. I know the traffic is being forwarded from eth1 to eth0 from checking the TX count displayed by ifconfig: if I set /proc/sys/net/ipv4/ip_forward to 0, the count doesn't change; set to 1, it does. There are no iptables rules on the firewall, either.

Am I approaching this the wrong way? Does anyone have a clue how to do something like this?


Last edited by cfs on Thu Dec 15, 2005 2:37 pm; edited 1 time in total
morodoch
Guru
Joined: 22 Sep 2005
Posts: 523
Location: England

Posted: Wed Dec 14, 2005 7:31 pm

I guess if you have the same subnet addresses on both sides of your firewall, the hosts on either side won't realise that they need to use the firewall to route to each other - try setting host routes, and see if that fixes it.

Without this, both your laptop and the network will think they're directly connected, and not use the firewall.

Does this sound right?
_________________
Well, the Sister was right. You boys could use a little churching up. Slide on down to the Triple Rock, and catch Rev. Cleophus. You boys listen to what he's got to say.

-- Curtis
daeghrefn
Tux's lil' helper
Joined: 02 Jan 2005
Posts: 112

Posted: Wed Dec 14, 2005 9:51 pm

Your best bet is to configure your nics in a transparent bridge-firewall. Your firewall would then have no IP address, and would be transparent to the network (put it between your hub/switch and the router) but would allow you to set up IPtables rules to filter the traffic to your designs.

I don't see why you couldn't use shorewall for that config. The only difference is you don't need to configure masquerade or nat in any form.

There's a howto that I've seen on tldp.org. Here it is: Bridge + Firewall Howto

I hope that helps.
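A transparent bridge firewall of the kind daeghrefn describes, as an added example (not code from the thread or from the linked howto). It assumes the two interfaces eth0 (router side) and eth1 (inside) from cfs's test box, bridge-utils, iproute2, and iptables with the physdev match; run as root with --apply, otherwise it only prints the commands.

```shell
#!/bin/sh
# Added example: transparent bridge between eth0 (router side) and eth1
# (inside), with bridged traffic filtered by iptables on the FORWARD chain.
# Assumes Linux with bridge-utils (brctl), iproute2 and iptables/physdev.
# `sh bridge-fw.sh` prints the commands; `sh bridge-fw.sh --apply` (root)
# executes them.
run() {
    if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi
}

bridge_up() {
    # Member ports carry no addresses and br0 stays unaddressed, so the box
    # is invisible on the wire (give br0 an address only for remote admin).
    run ip addr flush dev eth0
    run ip addr flush dev eth1
    run brctl addbr br0
    run brctl addif br0 eth0
    run brctl addif br0 eth1
    run ip link set eth0 up
    run ip link set eth1 up
    run ip link set br0 up
    # Make bridged frames pass through iptables (br_netfilter on current
    # kernels; the bridge-nf patch on 2005-era kernels).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

firewall_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Packets belonging to connections already seen in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inside hosts may initiate anything toward the router.
    run iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -j ACCEPT
    # From the router side only new SSH/HTTP reach the inside; log the rest.
    run iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 \
        -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 \
        -j LOG --log-prefix "BRIDGE-DROP: "
}

if [ "${1:-}" = "--apply" ]; then
    bridge_up; firewall_rules
else
    DRYRUN=1; bridge_up; firewall_rules
fi
```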
cfs
n00b
Joined: 14 Dec 2005
Posts: 3

Posted: Wed Dec 14, 2005 10:03 pm

morodoch wrote:
I guess if you have the same subnet addresses on both sides of your firewall, the hosts on either side won't realise that they need to use the firewall to route to each other - try setting host routes, and see if that fixes it.

Without this, both your laptop and the network will think they're directly connected, and not use the firewall.

Does this sound right?


That doesn't seem to be the problem. I even emptied the routing table of the firewall and added just 2 routes, one for the laptop and one for the router, on their respective interfaces. Using tcpdump, it seems the firewall is refusing to forward the traffic, as I'm not showing anything crossing from one interface to another (ping from the laptop to the router should show up on both interfaces, but it only shows up on the one it's connected to). I've toggled the promiscuous flag on both interfaces, but it makes no difference. Changing the ip on eth1 and the laptop to the private subnet made no difference either, it won't forward the traffic to eth0.

There has got to be something simple I'm missing. This shouldn't be that much of a problem.
daeghrefn
Tux's lil' helper
Joined: 02 Jan 2005
Posts: 112

Posted: Wed Dec 14, 2005 10:22 pm

You can't use routing tables to pass traffic between devices on the same subnet... you need to configure a bridge. Use the bridge, then configure iptables/netfilter to filter traffic (firewall).
cfs
n00b
Joined: 14 Dec 2005
Posts: 3

Posted: Thu Dec 15, 2005 12:04 am

daeghrefn wrote:
You can't use routing tables to pass traffic between devices on the same subnet... you need to configure a bridge. Use the bridge, then configure iptables/netfilter to filter traffic (firewall).


That was what I was going to try next. We'll see tomorrow if I can get it to work.
morodoch
Guru
Joined: 22 Sep 2005
Posts: 523
Location: England

Posted: Thu Dec 15, 2005 12:39 am

FWIW, I'm pretty sure you *can* use a firewall between hosts on the same net, you just have to add a host route, not a net route, like

Code:
route add -host 192.168.100.10 gw 192.168.100.1

Sheepdogj15
Guru
Joined: 07 Jan 2005
Posts: 430
Location: Backyard

Posted: Thu Dec 15, 2005 1:07 am

You could alternatively set it up so the laptop is on a distinct subnet (e.g. 172.16.0.0 where the private network is 192.168.0.0). But that is overkill... try to get the bridge setup going first.
_________________
Sheepdog
Why Risk It? | Samba Howto