Iptables and redirecting Internal addresses.

[drumz]

Howdy all:

This is a theoretical question that I have that someone here with more experience might be able to answer. I've been playing around with multiple network interfaces in one box and iptables on an internal network at home.

Let's say you have an internal network (192.168.1.x) with a bunch of hosts scattered throughout that address space. You want to split that network in half without subnetting it, and put a firewall between the two parts. Is this possible, using the following setup:

Box A and Box B (192.168.1.10, 192.168.1.60) are on one side of the middle box.

Box C (middle box) has two network interfaces (eth0 - 192.168.1.20, eth1 - 192.168.1.21) and will act as the router/firewall between the two halves. Each interface connects to a hub on that side which is then connected to the two boxes on that side.

Boc D and Box E (192.168.1.15, 192.168.1.65) are on the other side of the middle box.

On one side there is a cable modem router to go out to the internet, and both halves of the network should be able to freely go about their business in accessing the internet.

Box A, B -> hub -> eth0 (middle box C) eth1 <- hub <- Box D, E, Cable Modem Router

Now I understand this would be much easier if both sides were in different address spaces, but the goal is to split the network in half, let each half be able to access everthing in it's half, but apply firewall rules between the halves without having to change address spaces/subnet/re-ip/physically rewire everything.

Please include host settings that would have to be made in case I've missed something in my setup. Wouldn't Box A and B have their default route set to be box C since it's acting as a router for them to get to the other boxes on the internal network AND the internet (cable modme router)?

Thoughts and insights welcome. Much TIA because my brain currently hurts.

Drumz

[grimshaw]

This is possible with a lot of static route configurations. As you are probably aware an IP subnet is what tells the host what addresses are local. Everything not in the subnet is somewhere else and goes to the default route. So, you are quite right that this is MUCH easier to achieve by simply using two subnets.

If you have a static route table on EACH machine telling it which machines are on the other side of the middle box and list the middle box as the gateway, this will mostly function. Then all you have to do is force the middle box to push broadcast traffic to the other subnet. I encourage you to resubnet. This is a guarnated snake pit.

Alternately, you could consider a layer 2 packet filter to do some tricky host protection that is impractical at layer 3. I'd go read up on this one based on openBSD and see if it is more in keeping with your needs. http://www.feu-nrmf.ph/norbert/misc/transparent_firewall_howto.html

- John
_________________
All that is necessary for the triumph of evil is that good men do nothing.
-- Edmund Burke (1729-1797)

[drumz]

Thanks for your suggestions John, much appreciated. Just remember, this was all theoretical while playing around with my home network, just a challenge.

Someone did suggest looking into using Box C as a bridge, so I've been taking a look at the following items:

http://bridge.sourceforge.net/
http://ebtables.sourceforge.net/

Some of the stuff mentioned in the samples or docs are similar enough to what I was attempting to do that it may be made to work, have to try it and see

Thanks again!
Drumz