Gentoo Forums
[solved] - Test lab - need some thoughts [solved]
Varminter
n00b
Joined: 31 Oct 2008
Posts: 17

PostPosted: Thu Jan 30, 2014 8:18 pm    Post subject: [solved] - Test lab - need some thoughts [solved]

Hey all,
I'm building a lab / test environment at my office to check firewalls and VPN tunnels before sending them out to client sites. Here's a rough network diagram:

PC1 <10.10.10.xxx> Firewall1 <65.182.254.xxx> Gentoo <Client Public IP subnet> Firewall2 <Client LAN IP> PC2

So, what is going to be the best way for me to set up the Gentoo box in the middle to act as a bridge / router? I need the "public" IP of Firewall1 and Firewall2 to be able to talk to one another without being on the same subnet. Kind of like the rest of us going to sites on the interweb. The Gentoo box has the built-in ethernet and dual PCI ethernet cards. I'm keeping the built-in ethernet pointed to the office LAN, and the two PCI cards are for the testing.

I tried generic port forwarding with IPTables, but that didn't appear to work. Bridging appears to use just one IP address and a "Null" on the other (192.168.0.x / 0.0.0.0). I've not tried NAT or DNS Masqing yet but I might before the day is done.

Here's the iptables script that I took and modified from the IPTables wiki / forum thread:

Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
CSRT_LAN='eth0'     # office LAN (default route to the real Internet)
CSRT_LAB='enp1s4'   # lab side, "public" subnet of Firewall1
CLIENT='enp1s5'     # client side, "public" subnet of Firewall2

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains (nat table too, or MASQUERADE rules pile up on every run)
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $CSRT_LAN -j MASQUERADE

# forward traffic from the lab side $CSRT_LAB to the client side $CLIENT
$IPTABLES -A FORWARD -i $CSRT_LAB -o $CLIENT -m state --state NEW,ESTABLISHED -j ACCEPT

# forward traffic from the client side $CLIENT back to the lab side $CSRT_LAB
$IPTABLES -A FORWARD -i $CLIENT -o $CSRT_LAB -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $CSRT_LAN
$IPTABLES -A INPUT -i $CSRT_LAN -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $CSRT_LAN -m state --state NEW,INVALID -j DROP


I know I can get rid of the HTTP access line, and using SSH is fine since that's how I'm getting into the box at the moment.

Here's the /etc/conf.d/net. I'd like to have to modify, at worst, just this file when changing from client to client.

Code:
# Built in NIC
config_eth2="192.168.76.51 broadcast 192.168.76.255 netmask 255.255.255.0"
routes_eth2="default via 192.168.76.46"

# CSRT Side
config_enp1s4="65.182.245.1 broadcast 65.182.245.255 netmask 255.255.255.0"
routes_enp1s4="65.182.245.0 via 65.182.245.1"

# Client side - CHANGE THIS AREA ONLY!!!!!!
config_enp1s5="40.150.98.148 broadcast 75.150.98.151 netmask 255.255.255.252"
routes_enp1s5="40.150.98.149 via 40.150.98.148"


And actually this brings up a side note. Bogons. I know these IPs that I'm using for the testing are not being used on the web, I've tried looking them up (nslookup) and found nothing. But if I try to use the client's actual IP address range
Code:
# Client side - CHANGE THIS AREA ONLY!!!!!!
config_enp1s5="75.150.98.148 broadcast 40.150.98.151 netmask 255.255.255.252"
routes_enp1s5="75.150.98.149 via 75.150.98.148"


I get this with the routing tables:
Code:
netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         pfsense.csrtit. 0.0.0.0         UG        0 0          0 eth2
75-150-98-148-n *               255.255.255.252 U         0 0          0 enp1s5
75-150-98-149-n 75-150-98-148-n 255.255.255.255 UGH       0 0          0 enp1s5
loopback        localhost       255.0.0.0       UG        0 0          0 lo
192.168.76.0    *               255.255.255.0   U         0 0          0 eth2


Any thoughts on that too?

Thanks in advance from a networking novice!

--
Rich


Last edited by Varminter on Tue Feb 11, 2014 5:33 pm; edited 2 times in total
666threesixes666
Veteran
Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

PostPosted: Fri Jan 31, 2014 2:28 am

iptables was one of those packages I deemed too crazy for me to learn... you remind me that nftables should be supported by my kernel. quagga & bird do ospf, rip and bgp afaik.....

It's probably not working because you need to set up routes. See if it works with iptables turned off.... if not then you probably need a route set.

https://wiki.gentoo.org/wiki/Static_Routing
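Added example, not from either poster: the two things to verify before blaming iptables are the addressing (a /30 only has two usable host addresses, and the first post's client-side config uses the network address) and what the kernel's routing table actually does with a destination. The script below does the subnet arithmetic for a dotted-quad netmask and runs a longest-prefix lookup over a routing table constructed to mirror the netstat -r output in the first post, with the hostnames replaced by the addresses from /etc/conf.d/net (that substitution is an assumption). Function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the thread): IPv4 subnet checks and a longest-prefix
# route lookup, run against addresses taken from the thread's configs.

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Dotted-quad netmask -> prefix length (255.255.255.252 -> 30).
mask2prefix() {
    local m n=0
    m=$(ip2int "$1")
    while (( m & 0x80000000 )); do
        n=$(( n + 1 ))
        m=$(( (m << 1) & 0xFFFFFFFF ))
    done
    echo "$n"
}

# check_host ADDR NETMASK
# Prints network and broadcast; returns 1 if ADDR is the network address and
# 2 if it is the broadcast address, since neither can be assigned to an interface.
check_host() {
    local addr mask net bcast
    addr=$(ip2int "$1")
    mask=$(ip2int "$2")
    net=$(( addr & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "$1/$(mask2prefix "$2"): network $(int2ip "$net") broadcast $(int2ip "$bcast")"
    if (( addr == net )); then
        echo "  ERROR: $1 is the network address of that subnet" >&2
        return 1
    elif (( addr == bcast )); then
        echo "  ERROR: $1 is the broadcast address of that subnet" >&2
        return 2
    fi
    return 0
}

# Constructed routing table modelled on the thread's `netstat -r` output:
# "destination/prefix gateway interface" per line, gateway 0.0.0.0 = directly connected.
ROUTES='0.0.0.0/0 192.168.76.46 eth2
75.150.98.148/30 0.0.0.0 enp1s5
75.150.98.149/32 75.150.98.148 enp1s5
192.168.76.0/24 0.0.0.0 eth2'

# route_lookup DST: longest-prefix match over $ROUTES, prints "gateway interface".
route_lookup() {
    local dst best_len=-1 best='' cidr gw dev net plen mask
    dst=$(ip2int "$1")
    while read -r cidr gw dev; do
        [ -n "$cidr" ] || continue
        net=${cidr%/*}
        plen=${cidr#*/}
        if (( plen == 0 )); then
            mask=0
        else
            mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
        fi
        if (( (dst & mask) == ($(ip2int "$net") & mask) )) && (( plen > best_len )); then
            best_len=$plen
            best="$gw $dev"
        fi
    done <<< "$ROUTES"
    [ -n "$best" ] && echo "$best"
}

# Worked run: the first post's client-side address, the final one, and two lookups.
check_host 40.150.98.148 255.255.255.252 || echo "  -> unusable as the enp1s5 address"
check_host 75.150.98.150 255.255.255.252 && echo "  -> usable host address"
echo "75.150.98.149 -> $(route_lookup 75.150.98.149)"
echo "8.8.8.8       -> $(route_lookup 8.8.8.8)"
```

On the real box the same lookup is `ip route get 75.150.98.149`; the point of doing it by hand is to see why .148 failed (it is the /30's network address) and that the client firewall's address is reached through the /32 host route rather than the default route on eth2.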
Varminter
n00b
Joined: 31 Oct 2008
Posts: 17

PostPosted: Mon Feb 03, 2014 9:43 pm

edit: Updated the iptables script with the latest settings. These now route from LAB <-> CLIENT when the IPs match; otherwise it routes all traffic out LAN to the real internet.

Got it fixed. The firewalls I'm working on are pfSense, and there was no check box for reply to ping on WAN. I took the time this morning to ping my Global Research Team (a.k.a. Google) and found I needed to create a simple firewall rule on the WAN side, and everything worked. That, and I was using an invalid IP for the subnet for $CLIENT_WAN since it is a 255.255.255.252 netmask. Anyways, here are the configs that I'm using. The nice thing is I've got what I wanted, a bridging environment that I only have to change 1 file for: /etc/conf.d/net.

/etc/conf.d/net:
Code:
# Built in NIC - CSRT LAN
config_eth0="192.168.76.51 broadcast 192.168.76.255 netmask 255.255.255.0"
routes_eth0="default via 192.168.76.46"

# CSRT Lab Side
config_enp1s4="65.182.245.1 broadcast 65.182.245.255 netmask 255.255.255.0"
routes_enp1s4="65.182.245.0 via 65.182.245.1"

# Client side - CHANGE THIS AREA ONLY!!!!!!
config_enp1s5="75.150.98.150 broadcast 75.150.98.151 netmask 255.255.255.252"
routes_enp1s5="75.150.98.0 via 75.150.98.150"


$HOME/ip_script.sh: An iptables script that did my initial settings for IPTables.
Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# Define interfaces
CSRT_LAN_IF='eth0'      # office LAN, default route to the real Internet
CSRT_LAB_IF='enp1s4'    # lab side, "public" subnet of Firewall1
CLIENT_WAN_IF='enp1s5'  # client side, "public" WAN subnet of Firewall2

# Get interface IPs (first IPv4 address configured on each interface)
CSRT_LAN_IP=$(ip -4 addr show dev $CSRT_LAN_IF | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
CSRT_LAB_IP=$(ip -4 addr show dev $CSRT_LAB_IF | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
CLIENT_WAN_IP=$(ip -4 addr show dev $CLIENT_WAN_IF | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')

# Get interface networks (the connected route the kernel added for each interface, e.g. 65.182.245.0/24)
CSRT_LAN_NET=$(ip route list proto kernel | grep $CSRT_LAN_IF | grep -v default | sed 's! .*$!!')
CSRT_LAB_NET=$(ip route list proto kernel | grep $CSRT_LAB_IF | grep -v default | sed 's! .*$!!')
CLIENT_WAN_NET=$(ip route list proto kernel | grep $CLIENT_WAN_IF | grep -v default | sed 's! .*$!!')

# Enable IP forwarding, otherwise nothing ever reaches the FORWARD chain
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush old rules and chains
echo "Flushing old rules and chains"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# Auto-accept some stuff
# Note: inserted at position 1, these accept every packet addressed to this box on all
# three interfaces, so the SSH rule and the RULE_6 reject below never see INPUT traffic.
echo -e " - Allowing $CSRT_LAN_IF access"
$IPTABLES -I INPUT 1 -i $CSRT_LAN_IF -j ACCEPT
echo -e " - Allowing $CSRT_LAB_IF access"
$IPTABLES -I INPUT 1 -i $CSRT_LAB_IF -j ACCEPT
echo -e " - Allowing $CLIENT_WAN_IF access"
$IPTABLES -I INPUT 1 -i $CLIENT_WAN_IF -j ACCEPT

# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


# ================ Table 'nat',  rule set NAT
#
# Rule 0 (NAT)
#
echo "NAT Rules";
echo " - NAT 0 - SNAT to $CSRT_LAN_IP when leaving on $CSRT_LAN_IF from $CSRT_LAB_NET"
# lab<->client traffic leaves on $CLIENT_WAN_IF, so matching -o $CSRT_LAN_IF keeps it un-NATed
$IPTABLES -t nat -A POSTROUTING -o $CSRT_LAN_IF -s $CSRT_LAB_NET -j SNAT --to-source $CSRT_LAN_IP
#
# Rule 1 (NAT)
#
echo " - NAT 1 - SNAT to $CSRT_LAN_IP when leaving on $CSRT_LAN_IF from $CLIENT_WAN_NET"
$IPTABLES -t nat -A POSTROUTING -o $CSRT_LAN_IF -s $CLIENT_WAN_NET -j SNAT --to-source $CSRT_LAN_IP

# ================ Table 'filter', rule set Policy
#
# Rule 0 ($CSRT_LAN_IF)
#
echo "Routing Rules";
echo " - Rule 0 - Allow anything out to $CSRT_LAN_NET from this server $CSRT_LAN_IP"
$IPTABLES -A INPUT -i $CSRT_LAN_IF -s $CSRT_LAN_IP -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $CSRT_LAN_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 1 ($CSRT_LAN_IF)
#
echo " - Rule 1 - allow SSH access to this server from $CSRT_LAN_NET"
$IPTABLES -A INPUT -i $CSRT_LAN_IF -p tcp -m tcp -s $CSRT_LAN_NET -d $CSRT_LAN_IP --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $CSRT_LAN_IF -p tcp -m tcp -s $CSRT_LAN_NET -d $CSRT_LAN_IP --dport 22 -m state --state NEW -j ACCEPT
#
# Rule 2 (global)
#
echo " - Rule 2 - Forward anything from $CSRT_LAB_NET on $CSRT_LAB_IF for $CLIENT_WAN_NET out $CLIENT_WAN_IF"
$IPTABLES -A FORWARD -i $CSRT_LAB_IF -s $CSRT_LAB_NET -o $CLIENT_WAN_IF -d $CLIENT_WAN_NET -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 3 (global)
#
echo " - Rule 3 - Forward anything from $CLIENT_WAN_NET on $CLIENT_WAN_IF for $CSRT_LAB_NET out $CSRT_LAB_IF"
$IPTABLES -A FORWARD -i $CLIENT_WAN_IF -s $CLIENT_WAN_NET -d $CSRT_LAB_NET -o $CSRT_LAB_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 4 (global)
#
echo " - Rule 4 - Forward anything else from $CSRT_LAB_NET on $CSRT_LAB_IF out $CSRT_LAN_IF (real Internet)"
$IPTABLES -A FORWARD -i $CSRT_LAB_IF -s $CSRT_LAB_NET -o $CSRT_LAN_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 5 (global)
#
echo " - Rule 5 - Forward anything else from $CLIENT_WAN_NET on $CLIENT_WAN_IF out $CSRT_LAN_IF (real Internet)"
$IPTABLES -A FORWARD -i $CLIENT_WAN_IF -s $CLIENT_WAN_NET -o $CSRT_LAN_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 6 (global)
#
echo " - Rule 6 - deny all unsolicited $CSRT_LAN_NET access to either $CSRT_LAB_NET or $CLIENT_WAN_NET"
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -j RULE_6
$IPTABLES -A INPUT -j RULE_6
$IPTABLES -A FORWARD -j RULE_6
#$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
$IPTABLES -A RULE_6 -j REJECT

echo "...done."
exit 0


--
Rich
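Added example, not the poster's script and not anything pfSense generates: the same lab policy rendered as an iptables-restore file, so the rule set can be reviewed as text and loaded atomically instead of being built up with per-rule iptables calls. It keeps the lab <-> client forwarding and the SNAT out to the office LAN, but with DROP default policies, SSH only from the office LAN, and the `! -d` exclusions on the NAT rules so the two firewalls always see each other's real "public" addresses. The function name, the LOGREJECT chain name and the lab.rules file name are this example's own; interface names and addresses are the ones in the /etc/conf.d/net above.

```bash
#!/bin/bash
# Added example (not from the thread): render the lab router policy as an
# iptables-restore file. Load with `iptables-restore < lab.rules`; the kernel
# still needs net.ipv4.ip_forward=1 for any of the FORWARD rules to matter.

# render_rules LAN_IF LAB_IF WAN_IF LAN_IP LAB_NET WAN_NET
# Prints the complete nat + filter tables to stdout.
render_rules() {
    local lan_if=$1 lab_if=$2 wan_if=$3 lan_ip=$4 lab_net=$5 wan_net=$6
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SNAT only what really leaves for the office LAN; "! -d" keeps lab<->client
# traffic un-NATed so each pfSense sees the other's "public" address.
-A POSTROUTING -o $lan_if -s $lab_net ! -d $wan_net -j SNAT --to-source $lan_ip
-A POSTROUTING -o $lan_if -s $wan_net ! -d $lab_net -j SNAT --to-source $lan_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGREJECT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management: SSH only from the office LAN side, never from the lab or client side.
-A INPUT -i $lan_if -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Let both firewalls ping the router while testing.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOGREJECT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Lab and client "public" subnets talk to each other through this router.
-A FORWARD -i $lab_if -o $wan_if -s $lab_net -d $wan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lab_if -s $wan_net -d $lab_net -j ACCEPT
# Anything else from either side goes out to the real Internet via the office LAN.
-A FORWARD -i $lab_if -o $lan_if -s $lab_net ! -d $wan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -s $wan_net ! -d $lab_net -j ACCEPT
# Nothing unsolicited from the office LAN reaches the lab or client side.
-A FORWARD -j LOGREJECT
-A LOGREJECT -m limit --limit 5/min -j LOG --log-prefix "LAB-REJECT "
-A LOGREJECT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Worked rendering with the thread's final addressing (eth0 office LAN,
# enp1s4 lab /24, enp1s5 client /30). Redirect to lab.rules to review or load it.
render_rules eth0 enp1s4 enp1s5 192.168.76.51 65.182.245.0/24 75.150.98.148/30
```

Before loading, `iptables-restore --test < lab.rules` parses the file without committing it, which catches a typo in a subnet before the SSH session is cut off. Changing client means changing the last argument and reloading; the interface IPs no longer need to be scraped out of `ip addr` at run time.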
All times are GMT