hi all,

I use the following network topology:

                 Internet
                    |
               (official IP)
          Router1 (192.168.1.1)
                    |
                    |
           eth0 (192.168.1.2)                       eth0 (official IP)
          Router2/Firewall  eth2 (192.168.1.3) --- DMZ
           eth1 (official IP)                       eth0:1 (192.168.1.4)
                    |
                    |
         Local Network (official IPs)

The official network consists of a subnet with 16 IP addresses. The router/fw is a P133 which uses kernel 2.4.2 and iptables. The DMZ (yes, it's not really a DMZ :) is one host, running a www server, a mail server and some other daemons. Default gateway for the DMZ is 192.168.1.3 (eth2 on FW), as you can see.

The problem is, linux uses the first IP (?), which it can use for the fastest hop, and therefore, if I ping the internet, router1 can't forward the internal IP to the net. If I use "ping -I OFFICIAL_IP internet", everything works fine! I installed the package "iproute" but I can't set up the routing with this. There is no manpage and the howto is a little bit short. :) Is it possible to give the system another IP (official) than the internal IP which linux uses as default? The same problem occurs on the FW host.

Second problem: How can I accept dhcp in iptables? Can I use connection tracking? Someone told me dhcp isn't using protocols like tcp or udp, so how do I have to filter/accept them?

Last thing :) : iptables is messing up my message log. I wrote a script where I can define a loglevel at first. What should I add to syslogd.conf if I want to write all firewall msgs to /var/log/firewall, for example? The ULOG option is more complicated, so I think adding a rule to syslogd is easier.

thx for any help!

Marco

--
Marco Ahrendt              phone : +49-341-98-474-0
adconsys AG                fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19    email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany      gnupg key at www.aktex.net/marco_work.asc
* Marco Ahrendt wrote on Fri, Mar 02, 2001 at 10:19 +0100:
>                  Internet
>                     |
>                (official IP)
>           Router1 (192.168.1.1)
>                     |
>                     |
>            eth0 (192.168.1.2)                       eth0 (official IP)
>           Router2/Firewall  eth2 (192.168.1.3) --- DMZ
>            eth1 (official IP)                       eth0:1 (192.168.1.4)
>                     |
>                     |
>          Local Network (official IPs)
>
> Default gateway for the DMZ is 192.168.1.3 (eth2 on FW), as you can see. The problem is, linux uses the first IP (?), which it can use for the fastest hop
yep, and usually that is correct ;) But why do you need the eth0:1 IP? It seems you use it just for routing? You could drop that eth0:1 interface (eth0:0 does not exist?). On router2 you set up a host route:

dest        gw       mask             dev
DMZ-off-IP  0.0.0.0  255.255.255.255  eth0

(something like "route add -host <DMZIP> dev eth0" should do it). On the DMZ you have only a default route to router2.

You have a little problem if all official IPs are in the same net, since the local network doesn't know that DMZIP needs to be routed through router2. Maybe it's enough to set the mask of the localnet machines to /32, so that the router is used every time and redirects the machines for most IPs; this shouldn't eat up too much performance. After all, if you have only a few IPs for many nets, usually it's the simplest and best idea to route everything via host routes. You don't need to give non-routable IPs for mininets; of course this is causing problems. But router2 doesn't need to ping the internet, does it? :) Otherwise use masquerading on the outer router.
> define a loglevel at first. What should I add to syslogd.conf if I want to write all firewall msgs to /var/log/firewall, for example? The ULOG
This is a FAQ, in short: (standard) syslogd cannot sort messages by strings/expressions, only by priority and facility. Firewall is facility kernel IIRC, and so syslogd cannot distinguish between kernel and firewall entries (with the same priority, maybe warn or whatever).

oki,
Steffen

--
This message was generated by machine; it therefore bears neither signature nor seal.
On Fri, Mar 02, 2001 at 11:13:41AM +0100, Steffen Dettmer wrote:
> yep, and usually that is correct ;) But why do you need the eth0:1 IP? It seems you use it just for routing?
Yes, I want to route all traffic for the DMZ through the eth2 interface. The eth1 interface is only for the LAN.
> You could drop that eth0:1 interface (eth0:0 does not exist?). On router2 you set up a host route: (something like "route add -host <DMZIP> dev eth0" should do it). On the DMZ you have only a default route to router2.
Good idea! I could give the FW on interface eth2 the same official IP which it has on eth1. Then a host route for the DMZ, and on the DMZ the default route to the FW. Fine! :)
> You have a little problem if all official IPs are in the same net, since the local network doesn't know that DMZIP needs to be routed through router2. Maybe it's enough to set the mask of the localnet machines to /32, so that the router is used every time and redirects the machines for most IPs; this shouldn't eat up too much performance.
If all local network machines have the FW as default route, the FW should know that the packets for the DMZ (from the LAN) should be routed with the host route to the DMZ. weeew.. routing isn't easy :)
> is causing problems. But router2 doesn't need to ping the internet, does it? :) Otherwise use masquerading on the outer router.
You're right. The FW doesn't need to reach the internet.
> This is a FAQ, in short: (standard) syslogd cannot sort messages by strings/expressions, only by priority and facility. Firewall is facility kernel IIRC, and so syslogd cannot distinguish between kernel and firewall entries (with the same priority, maybe warn or whatever).
I see. Well, I think I'll use an exotic loglevel which I can parse to another file. This should be ok for now.

cu,
Marco

--
Marco Ahrendt              phone : +49-341-98-474-0
adconsys AG                fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19    email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany      gnupg key at www.aktex.net/marco_work.asc
* Marco Ahrendt wrote on Fri, Mar 02, 2001 at 14:10 +0100:
> > This is a FAQ, in short: (standard) syslogd cannot sort messages by strings/expressions, only by priority and facility. Firewall is facility kernel IIRC, and so syslogd cannot distinguish between kernel and firewall entries (with the same priority, maybe warn or whatever).
>
> I see. Well, I think I'll use an exotic loglevel which I can parse to another file. This should be ok for now.
I've forgotten to talk about the alternative: filtering after syslog. There are tools that can filter syslogs by patterns and do some actions, i.e. sending mail. Firewall logs have a string like:

  Feb 22 17:22:01 dx kernel: Packet log: input DENY

As regex (perl syntax - untested):

  ^\w{3} \d\d \d\d:\d\d:\d\d [\w-]+ kernel: Packet log: \w+ (DENY|REJECT)

This should match all those entries. I use http://sws.dett.de/logmail/ for filtering that (so I get one mail per hour, max, and so I know what's going on). BTW, usually I don't want to get those entries. Syslogd can log through a named pipe directly; a script could read out the pipe and do Something Special (TM).

oki,
Steffen

--
This message was generated by machine; it therefore bears neither signature nor seal.
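A worked version of the "filter after syslog" approach from the reply above, as an added example that is not part of the thread or of the logmail tool: it applies the regex from the reply (with the `\dd` typo corrected and fields captured) to a constructed sample of syslog lines, drops the non-firewall kernel and daemon entries that syslogd cannot separate by facility, and aggregates the hits per chain and action so one summary per interval can be mailed instead of one line per packet. The log format, host name and field layout after the action are assumptions modelled on the single line quoted in the reply.

```python
import re
import sys
from collections import Counter

# Constructed sample in the "Packet log: <chain> <action>" format quoted in the
# thread, mixed with non-firewall lines that share the kernel facility. Not real data.
SAMPLE_LOG = """\
Feb 22 17:22:01 dx kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4711 192.0.2.10:23
Feb 22 17:22:03 dx kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:1024 192.0.2.10:53
Feb 22 17:22:09 dx kernel: Packet log: output REJECT eth1 PROTO=6 192.0.2.10:1025 198.51.100.7:80
Feb 22 17:22:10 dx kernel: eth0: link up
Feb 22 17:22:11 dx sshd[812]: Accepted password for marco from 192.0.2.20
Feb  2 17:23:00 dx kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4712 192.0.2.10:23
"""

# Regex from the reply, corrected (\d\d:\dd:\d\d -> \d\d:\d\d:\d\d), with named
# groups and a day field that also accepts syslog's space-padded "Feb  2".
FW_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>[\w-]+) kernel: "
    r"Packet log: (?P<chain>\w+) (?P<action>DENY|REJECT)(?P<rest>.*)$"
)

def parse_firewall_lines(text):
    """Return one dict per firewall entry; every other line is discarded.
    This string match is the separation syslogd itself cannot do, since
    firewall and ordinary kernel messages share facility and priority."""
    entries = []
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def summarize(entries):
    """Count entries per (chain, action): the per-interval digest view."""
    return Counter((e["chain"], e["action"]) for e in entries)

def report(text):
    """Render the digest as text, one line per (chain, action) pair."""
    counts = summarize(parse_firewall_lines(text))
    lines = ["%s %s: %d" % (chain, action, n)
             for (chain, action), n in sorted(counts.items())]
    return "\n".join(lines)

if __name__ == "__main__":
    # Read from stdin, e.g. a syslogd named pipe; falls back to the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(source))
```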