Varminter (n00b)
Joined: 31 Oct 2008 Posts: 17
Posted: Thu Jan 30, 2014 8:18 pm Post subject: [solved] - Test lab - need some thoughts [solved]
Hey all,
I'm building a lab / test environment at my office to check firewalls and VPN tunnels before sending them out to client sites. Here's a rough network diagram:
PC1 <10.10.10.xxx> Firewall1 <65.182.254.xxx> Gentoo <Client Public IP subnet> Firewall2 <Client LAN IP> PC2
So, what is going to be the best way for me to set up the Gentoo box in the middle to act as a bridge / router? I need the "public" IP of Firewall1 and Firewall2 to be able to talk to one another without being on the same subnet. Kind of like the rest of us going to sites on the interweb. The Gentoo box has the built-in ethernet and dual PCI ethernet cards. I'm keeping the built-in ethernet pointed to the office LAN, and the two PCI cards are for the testing.
I tried generic port forwarding with iptables, but that didn't appear to work. Bridging appears to use just one IP address and a "null" on the other (192.168.0.x / 0.0.0.0). I've not tried NAT or DNS masquerading yet, but I might before the day is done.
Here's the iptables script that I took and modified from the iptables wiki / forum thread:
Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
CSRT_LAN='eth0'
CSRT_LAB='enp1s4'
CLIENT='enp1s5'
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
# enable masquerading on the office LAN interface for anything leaving through it
$IPTABLES -t nat -A POSTROUTING -o $CSRT_LAN -j MASQUERADE
# forward traffic arriving on $CSRT_LAB towards $CLIENT
$IPTABLES -A FORWARD -i $CSRT_LAB -o $CLIENT -m state --state NEW,ESTABLISHED -j ACCEPT
# forward traffic arriving on $CLIENT towards $CSRT_LAB
$IPTABLES -A FORWARD -i $CLIENT -o $CSRT_LAB -m state --state NEW,ESTABLISHED -j ACCEPT
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $CSRT_LAN
$IPTABLES -A INPUT -i $CSRT_LAN -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $CSRT_LAN -m state --state NEW,INVALID -j DROP
I know I can get rid of the HTTP access line, and using the SSH is fine since that's how I'm getting into the box at the moment.
Here's /etc/conf.d/net. At worst, I'd like to only have to modify this one file when changing from client to client:
Code:
# Built in NIC
config_eth2="192.168.76.51 broadcast 192.168.76.255 netmask 255.255.255.0"
routes_eth2="default via 192.168.76.46"
# CSRT Side
config_enp1s4="65.182.245.1 broadcast 65.182.245.255 netmask 255.255.255.0"
routes_enp1s4="65.182.245.0 via 65.182.245.1"
# Client side - CHANGE THIS AREA ONLY!!!!!!
config_enp1s5="40.150.98.148 broadcast 40.150.98.151 netmask 255.255.255.252"
routes_enp1s5="40.150.98.149 via 40.150.98.148"
And actually this brings up a side note. Bogons. I know these IPs that I'm using for the testing are not being used on the web; I've tried looking them up (nslookup) and found nothing. But if I try to use the client's actual IP address range:
Code:
# Client side - CHANGE THIS AREA ONLY!!!!!!
config_enp1s5="75.150.98.148 broadcast 75.150.98.151 netmask 255.255.255.252"
routes_enp1s5="75.150.98.149 via 75.150.98.148"
I get this with the routing tables:
Code:
netstat -r
Kernel IP routing table
Destination       Gateway           Genmask           Flags  MSS  Window  irtt  Iface
default           pfsense.csrtit.   0.0.0.0           UG     0    0       0     eth2
75-150-98-148-n   *                 255.255.255.252   U      0    0       0     enp1s5
75-150-98-149-n   75-150-98-148-n   255.255.255.255   UGH    0    0       0     enp1s5
loopback          localhost         255.0.0.0         UG     0    0       0     lo
192.168.76.0      *                 255.255.255.0     U      0    0       0     eth2
Any thoughts on that too?
Thanks in advance from a networking novice!
--
Rich
Last edited by Varminter on Tue Feb 11, 2014 5:33 pm; edited 2 times in total

666threesixes666 (Veteran)
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Fri Jan 31, 2014 2:28 am
iptables was one of those packages I deemed too crazy for me to learn... you remind me that nftables should be supported by my kernel. Quagga & BIRD do OSPF, RIP and BGP AFAIK.....
It's probably not working because you need to set up routes. See if it works with iptables turned off.... if not, then you probably need a route set.
https://wiki.gentoo.org/wiki/Static_Routing

Varminter (n00b)
Joined: 31 Oct 2008 Posts: 17
Posted: Mon Feb 03, 2014 9:43 pm
edit: Updated the iptables script with the latest settings. These now route from LAB <-> CLIENT when the IPs match; otherwise it routes all traffic out LAN to the real internet.
Got it fixed. The firewalls I'm working on are pfSense, and there was no check box for reply to ping on WAN. I took the time this morning to ping my Global Research Team (a.k.a. Google) and found I needed to create a simple firewall rule on the WAN side, and everything worked. That, and I was using an invalid IP for the subnet for $CLIENT_WAN since it is a 255.255.255.252 netmask. Anyways, here are the configs that I'm using. The nice thing is I've got what I wanted: a bridging environment that I only have to change one file for: /etc/conf.d/net.
/etc/conf.d/net:
Code:
# Built in NIC - CSRT LAN
config_eth0="192.168.76.51 broadcast 192.168.76.255 netmask 255.255.255.0"
routes_eth0="default via 192.168.76.46"
# CSRT Lab Side
config_enp1s4="65.182.245.1 broadcast 65.182.245.255 netmask 255.255.255.0"
routes_enp1s4="65.182.245.0 via 65.182.245.1"
# Client side - CHANGE THIS AREA ONLY!!!!!!
config_enp1s5="75.150.98.150 broadcast 75.150.98.151 netmask 255.255.255.252"
routes_enp1s5="75.150.98.0 via 75.150.98.150"
$HOME/ip_script.sh: An iptables script that did my initial settings for iptables.
Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# Define interfaces
CSRT_LAN_IF='eth0'
CSRT_LAB_IF='enp1s4'
CLIENT_WAN_IF='enp1s5'
# Get interface IPs (first IPv4 address configured on each interface)
CSRT_LAN_IP=$(ip -4 addr show dev $CSRT_LAN_IF | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
CSRT_LAB_IP=$(ip -4 addr show dev $CSRT_LAB_IF | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
CLIENT_WAN_IP=$(ip -4 addr show dev $CLIENT_WAN_IF | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
# Get interface networks (the connected route the kernel added for each interface, e.g. 75.150.98.148/30)
CSRT_LAN_NET=$(ip route list proto kernel | grep $CSRT_LAN_IF | grep -v default | sed 's! .*$!!')
CSRT_LAB_NET=$(ip route list proto kernel | grep $CSRT_LAB_IF | grep -v default | sed 's! .*$!!')
CLIENT_WAN_NET=$(ip route list proto kernel | grep $CLIENT_WAN_IF | grep -v default | sed 's! .*$!!')
# Forwarding between interfaces needs this; harmless if it is already set via sysctl
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush old rules and chains
echo "Flushing old rules and chains"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
# Auto-accept some stuff
# Note: these are inserted at position 1, so they match before every INPUT rule added below (including RULE_6)
echo -e " - Allowing $CSRT_LAN_IF access"
$IPTABLES -I INPUT 1 -i $CSRT_LAN_IF -j ACCEPT
echo -e " - Allowing $CSRT_LAB_IF access"
$IPTABLES -I INPUT 1 -i $CSRT_LAB_IF -j ACCEPT
echo -e " - Allowing $CLIENT_WAN_IF access"
$IPTABLES -I INPUT 1 -i $CLIENT_WAN_IF -j ACCEPT
# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ================ Table 'nat', rule set NAT
#
# Rule 0 (NAT)
#
echo "NAT Rules";
echo " - NAT 0 - Out on $CSRT_LAN_IF if from $CSRT_LAB_NET and destination is not $CLIENT_WAN_NET"
$IPTABLES -t nat -A POSTROUTING -o $CSRT_LAN_IF -s $CSRT_LAB_NET -j SNAT --to-source $CSRT_LAN_IP
#
# Rule 1 (NAT)
#
echo " - NAT 1 - Out on $CSRT_LAN_IF if from $CLIENT_WAN_NET and destination is not $CSRT_LAB_NET"
$IPTABLES -t nat -A POSTROUTING -o $CSRT_LAN_IF -s $CLIENT_WAN_NET -j SNAT --to-source $CSRT_LAN_IP
# ================ Table 'filter', rule set Policy
#
# Rule 0 ($CSRT_LAN_IF)
#
echo "Routing Rules";
echo " - Rule 0 - Allow anything out to the $CSRT_LAN_NET from this server $CSRT_LAN_IP"
$IPTABLES -A INPUT -i $CSRT_LAN_IF -s $CSRT_LAN_IP -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $CSRT_LAN_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 1 ($CSRT_LAN_IF)
#
echo " - Rule 1 - allow SSH access to this server"
$IPTABLES -A INPUT -i $CSRT_LAN_IF -p tcp -m tcp -s $CSRT_LAN_NET -d $CSRT_LAN_IP --dport 22 -m state --state NEW -j ACCEPT
# replies from the SSH server back to the LAN (source port 22, already-established sessions)
$IPTABLES -A OUTPUT -o $CSRT_LAN_IF -p tcp -m tcp -s $CSRT_LAN_IP -d $CSRT_LAN_NET --sport 22 -m state --state ESTABLISHED -j ACCEPT
#
# Rule 2 (global)
#
echo " - Rule 2 - Forward anything from $CSRT_LAB_NET on $CSRT_LAB_IF for $CLIENT_WAN_NET out $CLIENT_WAN_IF"
$IPTABLES -A FORWARD -i $CSRT_LAB_IF -s $CSRT_LAB_NET -o $CLIENT_WAN_IF -d $CLIENT_WAN_NET -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 3 (global)
#
echo " - Rule 3 - Forward anything from $CLIENT_WAN_NET on $CLIENT_WAN_IF for $CSRT_LAB_NET out $CSRT_LAB_IF"
$IPTABLES -A FORWARD -i $CLIENT_WAN_IF -s $CLIENT_WAN_NET -d $CSRT_LAB_NET -o $CSRT_LAB_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 4 (global)
#
echo " - Rule 4 - Forward anything from $CSRT_LAB_NET on $CSRT_LAB_IF for !$CLIENT_WAN_NET out $CSRT_LAN_IF"
#$IPTABLES -A FORWARD -i $CSRT_LAB_IF -s $CSRT_LAB_NET -d $CSRT_LAN_NET -o $CSRT_LAN_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $CSRT_LAB_IF -s $CSRT_LAB_NET -o $CSRT_LAN_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 5 (global)
#
#$IPTABLES -A FORWARD -s $CLIENT_WAN_NET -d $CSRT_LAB_NET -m state --state NEW -j ACCEPT
echo " - Rule 5 - Forward anything from $CLIENT_WAN_NET on $CLIENT_WAN_IF for !$CSRT_LAB_NET out $CSRT_LAN_IF"
$IPTABLES -A FORWARD -i $CLIENT_WAN_IF -s $CLIENT_WAN_NET -o $CSRT_LAN_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 6 (global)
#
echo " - Rule 6 - deny all unsolicited $CSRT_LAN_NET access to either $CSRT_LAB_NET or $CLIENT_WAN_NET"
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -j RULE_6
$IPTABLES -A INPUT -j RULE_6
$IPTABLES -A FORWARD -j RULE_6
#$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
$IPTABLES -A RULE_6 -j REJECT
echo "...done."
exit 0
--
Rich
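The one thing that actually broke this setup was an address line, not an iptables rule: the first post used 40.150.98.148 as the host address of a /30, which is that subnet's network address, and its broadcast field pointed into a different /24. The following bash checker is an added example, not code from the thread or from netifrc: it derives network and broadcast from an address and netmask and flags a host address that is really the network or broadcast address, or a broadcast that does not belong to the subnet. The `check_netifrc_line` helper and the constructed sample lines assume the `config_<iface>="ADDR broadcast B netmask M"` form used in this thread.

```shell
#!/bin/bash
# Added example, not part of the thread: validate the address lines that
# netifrc reads from /etc/conf.d/net before they are handed to a lab router.

# "a.b.c.d" -> 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> "a.b.c.d"
int_to_ip() {
    local n=$1
    echo "$(( ($n >> 24) & 255 )).$(( ($n >> 16) & 255 )).$(( ($n >> 8) & 255 )).$(( $n & 255 ))"
}

# network_of ADDR NETMASK -> network address
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_of ADDR NETMASK -> directed broadcast address
broadcast_of() {
    local a m
    a=$(ip_to_int "$1")
    m=$(ip_to_int "$2")
    # host bits all set: 4294967295 - m is ~m restricted to 32 bits
    int_to_ip $(( ($a & $m) | (4294967295 - $m) ))
}

# check_host ADDR BROADCAST NETMASK
# Prints "ok" and returns 0 when ADDR is a usable host and BROADCAST matches
# the subnet; otherwise prints the reason and returns 1.
check_host() {
    local addr=$1 bcast=$2 mask=$3 net expect
    net=$(network_of "$addr" "$mask")
    expect=$(broadcast_of "$addr" "$mask")
    if [ "$addr" = "$net" ]; then
        echo "$addr is the network address of $net/$mask, not a usable host"
        return 1
    elif [ "$addr" = "$expect" ]; then
        echo "$addr is the broadcast address of $net/$mask, not a usable host"
        return 1
    elif [ "$bcast" != "$expect" ]; then
        echo "broadcast $bcast does not belong to $net/$mask (expected $expect)"
        return 1
    fi
    echo "ok"
}

# check_netifrc_line 'config_IFACE="ADDR broadcast B netmask M"'
# Assumes the three-field form used in this thread (hypothetical helper).
check_netifrc_line() {
    local line=$1 value
    value=${line#*=}        # drop config_IFACE=
    value=${value#\"}       # drop the surrounding quotes
    value=${value%\"}
    set -- $value           # $1=ADDR $2=broadcast $3=B $4=netmask $5=M
    if [ "$2" != "broadcast" ] || [ "$4" != "netmask" ]; then
        echo "unrecognised line: $line"
        return 1
    fi
    check_host "$1" "$3" "$5"
}

# Constructed sample lines: the client-side line from the first post
# (broken) and the one from the final config (working).
for line in \
    'config_enp1s5="40.150.98.148 broadcast 75.150.98.151 netmask 255.255.255.252"' \
    'config_enp1s5="75.150.98.150 broadcast 75.150.98.151 netmask 255.255.255.252"'; do
    printf '%s\n  -> %s\n' "$line" "$(check_netifrc_line "$line")"
done
```

Running it against the two lines prints the network-address complaint for the first and "ok" for the second; pointing it at a whole /etc/conf.d/net with `grep '^config_' /etc/conf.d/net | while read -r l; do check_netifrc_line "$l"; done` gives the same check for every interface before restarting the network.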