Linux gateway/router issues, please help!

linux debian gateway router

58 replies to this topic

#16 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 05 January 2013 - 21:39

Yes, you are now accepting packets from the 192.168.0.x network to the Debian 'server'.
You need to filter them then either just pass them off out the other interface or use NAT's prerouting to change them to come out the other interface.
(Plus you'll want to use FORWARD not ACCEPT)


#17 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 22:04

Yes, you are now accepting packets from the 192.168.0.x network to the Debian 'server'.
You need to filter them then either just pass them off out the other interface or use NAT's prerouting to change them to come out the other interface.
(Plus you'll want to use FORWARD not ACCEPT)


Hmmm, I appear to be having some trouble with the syntax of iptables. I attempted to add a FORWARD line and this broke the routing; are you able to be more specific?

#18 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 05 January 2013 - 22:28

-A INPUT -i eth0 -j FORWARD

(From what I remember, can't check as the half-NAT I did for a firewall for my server is offline)

#19 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 23:04

-A INPUT -i eth0 -j FORWARD

(From what I remember, can't check as the half-NAT I did for a firewall for my server is offline)


This appears to break the routing :(

Anyways, it's getting late and I'm growing tired of this for today. I am going to sleep on it and try again tomorrow.

#20 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 05 January 2013 - 23:14

As I mentioned before, I am trying to gain a more advanced understanding of routing and firewall configuration from the CLI as opposed to a GUI-based pre-prepared distro. I understand that this will give me (more) headaches; however, I would never have gained the experience in Linux that I now have if I hadn't already spent a great deal of time attempting to play with things that I have no idea how to work. What can I say, I learn better by throwing myself in at the deep end :D


Don't think of it as doing it the easy way, think of it as choosing the right tool for the job.

#21 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 05 January 2013 - 23:25

Don't think of it as doing it the easy way, think of it as choosing the right tool for the job.


TBH that's quite a fair point, and if I can't make this work within the next couple of days I may consider changing my approach somewhat, however I am a stubborn b*****d and will keep on at this for now at least.

If I were to consider using a specific firewall distro, what are people's general opinions on the best, most configurable and most secure distro to use?

#22 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 06 January 2013 - 00:37

I believe pfsense will do nicely for what you are trying to accomplish...has a web based front end with a linux based back end. Probably the best of both worlds for you...you can see where you are screwing up.

#23 +Karl L.

Karl L.

    xorangekiller

  • Tech Issues Solved: 15
  • Joined: 24-January 09
  • Location: Virginia, USA
  • OS: Debian Testing

Posted 06 January 2013 - 00:56

I believe pfsense will do nicely for what you are trying to accomplish...has a web based front end with a linux based back end. Probably the best of both worlds for you...you can see where you are screwing up.


I definitely agree that pfSense is a very nice firewall distribution, but it is not Linux based: it's based on FreeBSD. In general, networking theory applies equally to both Debian and FreeBSD, but some of the configuration tools are a little different. Since iptables is merely a kernel-level firewall, not a POSIX standard, it's specific to the Linux kernel. FreeBSD currently uses the OpenBSD PacketFilter firewall, which is also kernel-level. You can get basic iptables documentation from the Debian Wiki, CentOS Wiki, and RHEL Manual, and basic pf documentation from the FreeBSD Handbook and OpenBSD Wiki.

#24 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 93
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 January 2013 - 14:30

Right tool is the better term yes.

You're not going to learn anything being frustrated having to try and get syntax exactly right! What does that teach you??

Get the concepts down, then you can worry about knowing the exact command to do what you want from a command line.

As mentioned - pfsense would be a great choice, and yes it is freebsd based, not linux. But to be honest, from just doing commands, it's not any different than any other linux distro. Pretty much all the linux commands are the same, it's just you use different tools.

Get your network secured and working - and get the basic concepts down, then you can mess with the inner workings.

Here's the thing: if you just route and don't NAT, you're not going to be able to talk to machines on the .0, since you don't have control over their router or the hosts; there is no way for you to set up the routing correctly for them to talk between the 2 networks. So you're going to need to NAT; then every box behind your firewall will just look like another .0 host to the boxes on that network - even to their router you're just going to look like another one of its clients.

Boxes on the .0 will be able to get to IPs on the .1 through the .0.x address of your WAN interface on your router/firewall (pfsense), once you forward the ports you want to the specific .1.x addresses you want to serve up those services to people on the .0 network.

Now the issue you're going to have in a double NAT setup, and without control of the .0 router anyway - is you're not going to be able to do any port forwarding from the internet to boxes inside your .1 network - unless you can have whoever controls the .0 router set up the forwards to your .0 address, etc.

But that is part of the problem with double natting.
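An added example, written by the editor and not by any poster in this thread, that ties together n_K's earlier point (transit traffic is filtered in FORWARD, not INPUT) and BudMan's description of NAT and port forwarding: a shell function that emits an iptables-restore ruleset for a Debian gateway. The interface names eth0/eth1, the 192.168.1.0/24 LAN and the web server at 192.168.1.10 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an iptables-restore ruleset for a
# Debian box with two interfaces: "$wan" faces the untrusted 192.168.0.x network,
# "$lan" faces the 192.168.1.x network behind it. Interface names, LAN subnet and
# the forwarded server address 192.168.1.10 are assumed values for illustration.
# The function only prints the ruleset; nothing is applied until it is piped
# into iptables-restore (as root) with IP forwarding enabled.
build_ruleset() {
    wan="$1"; lan="$2"; lan_net="${3:-192.168.1.0/24}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, plus replies to connections the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH to the gateway from the LAN side only; the .0 side is treated as hostile
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
# FORWARD is the chain transit packets traverse: LAN out to .0, replies back in
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only the published web service may be opened from the .0 side (matches the DNAT)
-A FORWARD -i $wan -o $lan -p tcp -d 192.168.1.10 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forward: .0 hosts reach the LAN web server via the gateway's own .0 address
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
# hide every .1 host behind the gateway's .0 address, as BudMan describes
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}
# To apply on the gateway (root required):
#   sysctl -w net.ipv4.ip_forward=1 && build_ruleset eth0 eth1 | iptables-restore
```

The default FORWARD policy is DROP, so anything not explicitly listed (including new connections from the .0 side to other LAN ports) is discarded rather than routed.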

#25 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 06 January 2013 - 15:09

@ BUDMAN:

Sure, to be fair you make a very reasonable point and I am definitely swaying to the idea. I will look into pfsense and see how I go; fortunately BSD-based distros are no mystery to me, I spent some time playing with a range of UNIX-like systems some time ago and was pleased to see that bash is still the preferred shell. You are entirely correct, of course, that it is most likely the best way I can learn the basic principles of what I am trying to achieve and as +sc302 rightly said it would help me understand where I'm screwing up. Thanks for the good advice guys.

I was also considering another option: a friend of mine has given me his old Cisco 2600 series router and I have been looking into configuring this as a firewall. This would give me an excellent opportunity to get to grips with the Cisco command console, though I am unsure of what pros/cons this would have over using a UNIX/GNU based firewall instead. Which do you think would be the most preferable solution for my purposes?

#26 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 06 January 2013 - 15:30

Do you ever plan on becoming a network engineer or network manager at a larger corporation with network management as your main responsibility? If so you might want to use the Cisco; however, in that case you'd probably be better off using it as a learning tool and experimenting with it, and you probably don't want to experiment too much with your main route to the internet :p

#27 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 93
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 06 January 2013 - 15:31

Do you have plans to work in the IT field as a network guy? Are you going for your CCNA? If not, knowing Cisco's IOS gets you nothing. And again, let's learn the basic concepts before jumping into the inner workings of Cisco's IOS.

And a 2600 is just that, a router - does it have the firewall feature set installed?

http://www.cisco.com...ide/fw3600.html

Again, you're looking to be dropped off in the middle of the ocean without so much as even some floaties, let alone a life vest.

Here is the other point - wanting to play with the inner workings of iptables or pf or ipfw on freebsd or any of the other firewalls on linux/bsd, that is great - but not sure I would use it as my gateway to the internet and firewall between these other machines on the .0 while you're on a steep learning curve.

Why not play with those things inside the safety of your own network? You can quite easily split your network up as much as you want once you have isolated it from the hostiles on the .0 network ;)

If you don't have real hardware - you can play with using any linux/bsd distro as router/firewall all you want just on a few VMs. Same goes for cisco: if you know someone that can get you the images (hmm, wonder who might be able to help you there?<grin>) you can set up a fairly extensive cisco lab just using http://www.gns3.net/

#28 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 06 January 2013 - 16:09

Do you ever plan on becoming a network engineer or network manager at a larger corporation with network management as your main responsibility? If so you might want to use the Cisco; however, in that case you'd probably be better off using it as a learning tool and experimenting with it, and you probably don't want to experiment too much with your main route to the internet :p


Oddly enough I do have long(ish) term aspirations to get into networking, not just as a field of study but as a career path also. I have my CCNA self-study guide here at home and was working on this a little until a friend recommended that if I wish to break into the IT industry I should probably take the short route initially and get into helpdesk work first as a 'foot in the door'. I already have an MCTS qualification and am some way towards gaining an MCITP certificate, hope to take the exam next month :laugh:

You are correct though that messing with my main route to the internet is probably not the most recommendable option, I like my internet! :D


Do you have plans to work in the IT field as a network guy? Are you going for your CCNA? If not, knowing Cisco's IOS gets you nothing. And again, let's learn the basic concepts before jumping into the inner workings of Cisco's IOS.

And a 2600 is just that, a router - does it have the firewall feature set installed?


I'm unsure if it does have the firewall feature set installed, though I would have been prepared to do this myself, of course with some guidance from online walkthroughs and how-tos (the source of a good portion of my current knowledge)... :rolleyes:

Here is the other point - wanting to play with the inner workings of iptables or pf or ipfw on freebsd or any of the other firewalls on linux/bsd, that is great - but not sure I would use it as my gateway to the internet and firewall between these other machines on the .0 while you're on a steep learning curve.

Why not play with those things inside the safety of your own network? You can quite easily split your network up as much as you want once you have isolated it from the hostiles on the .0 network ;)


Fair point, though as mentioned before I would like to make sure that my web/FTP server is as secure from potential attacks as possible, and I figured a hardware firewall between me and the outside world would be the best way to achieve this. If you could offer any alternative solutions that would give me the security and peace of mind I would like, I'm quite open to suggestion...

If you don't have real hardware - you can play with using any linux/bsd distro as router/firewall all you want just on a few VMs. Same goes for cisco: if you know someone that can get you the images (hmm, wonder who might be able to help you there?<grin>) you can set up a fairly extensive cisco lab just using http://www.gns3.net/


I have a real, hardware-based Cisco lab at home, compliments of an old friend when I bought my CCNA study guide, comprising 2x 2600 series routers, 1x 2500 series router and a Catalyst 2900 XL series switch to 'play' around with (complete with crossover cables, and rollover cable with DB9 adapter to access the console). I also have a copy of Cisco Networking Academy, though would still be quite interested in getting hold of those images... (cough, cough...) :rolleyes:

VMs also sound like a reasonable idea for experimentation. I do have VMware with VIX and vSphere too; it would be interesting to play with some virtualized environments, particularly considering that it seems to be a much more common standard for large businesses to use these days than individual, physical hardware.

#29 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 06 January 2013 - 16:24

From what I remember of Cisco, only the Catalyst series of devices had firewalls.

#30 OP Captain_Rainbowbeard

Captain_Rainbowbeard

    Neowinian

  • Joined: 05-January 13
  • Location: London, UK
  • OS: Debian, Windows 7 & Server 2008 R2
  • Phone: Galaxy S3 I9300-GT

Posted 06 January 2013 - 16:31

From what I remember of Cisco, only the Catalyst series of devices had firewalls.


I understand that the Cisco IOS Firewall feature set IS available for the 2600 series routers, though it does not come pre-installed; this can be downloaded from Cisco here:

http://www.cisco.com...ide/fw3600.html