LinuxQuestions.org
Old 04-29-2008, 10:26 AM   #1
jakev383
QmailToaster Developer
 
Registered: Dec 2005
Location: Burlington, NC
Distribution: CentOS, Voyage, Debian, Fedora
Posts: 220

Rep: Reputation: 31
Help adding a 2nd local network to firewall.stronger


I've been using this script on my home LAN for a while now:
http://www.ecst.csuchico.edu/~dranch...ables-stronger

But I recently rebuilt my home server and added a third NIC for a separate
LAN here for testing. I'd like the 2 local LANs to use the external interface for Internet traffic (obviously) but to not be able to talk to each other. I tried to add extra lines to the script by creating an INTIF2, INTNET2, and an INTIP2 in the script and just mirroring the INTIF, INTNET, INTIP lines for it, but that did not seem to work. Do I need to add a route in there for the new network as well, or am I missing something in my firewall script? The original LAN works great; it's just adding a second LAN subnet that's troubling me.
Thanks in advance.
 
Old 04-29-2008, 02:02 PM   #2
jakev383
QmailToaster Developer
 
Registered: Dec 2005
Location: Burlington, NC
Distribution: CentOS, Voyage, Debian, Fedora
Posts: 220

Original Poster
Rep: Reputation: 31
I think I need to add a route for the new network to allow devices on the 192.168.100.x network to access the Internet. Here's my current routing table:

Code:
[root@home ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
78.61.257.152   0.0.0.0         255.255.255.248 U     0      0        0 eth2
172.16.55.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.76.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.16.250.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         78.61.257.153   0.0.0.0         UG    0      0        0 eth2
(IPs changed for protection - yes I know one is invalid!)
Would adding a route for this network (192.168.100.x) be all I need, and if so what would the command be? I have the 192.168.76.x network working exactly the way I want it and have DHCP set up for both networks now.
Thanks!
 
Old 04-29-2008, 02:19 PM   #3
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
This illustrates the problem with depending on other people's scripts: the one you have referred to only knows about one external interface and one internal interface. Since your system does not conform to that description, it is unsurprising that it doesn't work.

You do not need to add any routes to your routing table; the networking section of the kernel already knows that you have connectivity to the network 192.168.100.x.

You DO need to improve the rules generated by your script to allow traffic that arrives from the outside world back through your firewall when it is destined for your new network interface. This means that you will need to visit how you are doing SNAT for outbound traffic (a cursory look indicates that is OK as is), and how returning traffic is filtered (the same cursory look indicates that there may be a problem here).

To get the best advice, I recommend that you do not obscure your network setup; that is why you are using a firewall in the first place. I further recommend that you post the resulting iptables rules (in numeric form), rather than asking us to infer them from a script. It makes diagnosis so much easier when one has reliable data upon which to make a diagnosis.
 
Old 04-29-2008, 04:37 PM   #4
jakev383
QmailToaster Developer
 
Registered: Dec 2005
Location: Burlington, NC
Distribution: CentOS, Voyage, Debian, Fedora
Posts: 220

Original Poster
Rep: Reputation: 31
At least you stated one thing useful there, that I did not need to add a route.
After playing around a little I found that, with my modifications, traffic was going out but not coming back. I adjusted the script to fit my needs and posted it here in case anyone else needs something similar.
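As an added example (not the firewall.stronger script nor the poster's modified version), the FORWARD and NAT rules for the layout in this thread: eth2 is the uplink, eth1 carries 192.168.76.0/24 and eth0 carries 192.168.100.0/24, as in the route -n output above. The stateful return-traffic rule is the piece whose absence gives the "goes out but never comes back" symptom; the INPUT chain and the "apply" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the firewall.stronger script from the thread: FORWARD and
# NAT rules for two internal LANs that share one uplink but may not reach each
# other. Interface-to-subnet mapping is taken from the route -n output above;
# set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"

EXTIF=eth2
INTIF1=eth1; INTNET1=192.168.76.0/24
INTIF2=eth0; INTNET2=192.168.100.0/24

build_forward_rules() {
    # Deny-by-default FORWARD chain, rebuilt from scratch.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections opened from either LAN must be let back through.
    # Without this rule packets go out but the answers are dropped, which is
    # the symptom described in the thread.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Refuse LAN-to-LAN forwarding in both directions before any ACCEPT.
    $IPT -A FORWARD -i "$INTIF1" -o "$INTIF2" -j DROP
    $IPT -A FORWARD -i "$INTIF2" -o "$INTIF1" -j DROP
    # Each LAN may open new connections to the Internet through the uplink,
    # but only from its own subnet (rejects spoofed source addresses).
    $IPT -A FORWARD -i "$INTIF1" -s "$INTNET1" -o "$EXTIF" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INTIF2" -s "$INTNET2" -o "$EXTIF" -m state --state NEW -j ACCEPT
}

build_nat_rules() {
    # Source-NAT both LANs behind the uplink address; one rule per subnet.
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -s "$INTNET1" -o "$EXTIF" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$INTNET2" -o "$EXTIF" -j MASQUERADE
}

# Load the rules only when invoked as "sh firewall2.sh apply" (needs root);
# sourcing the file or running it without "apply" just defines the functions.
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_forward_rules
    build_nat_rules
fi
```

Run with IPT="echo iptables" first and check that the ESTABLISHED,RELATED rule comes before the per-LAN ACCEPTs and that both DROP rules precede them; the same ordering check is what the thread's original script was missing for the second LAN.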
 
Old 04-30-2008, 11:47 AM   #5
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
You're welcome.
 