Jason Costomiris on 20 Dec 2004 13:23:20 -0000



Re: [PLUG] "bridging" firewall?


On Mon, 20 Dec 2004 00:08:29 -0500 (EST), Ron Mansolino
<rmsolino@netaxs.com> wrote:

> the ciscos insist on having both ethernet interfaces on different networks,
> we have a /28 to work with and address space is tight. So subnetting
> means we lose addresses and I can't think of a graceful way of getting
> 4 on one side, and 12 on the other, which isn't enough anyway. I fumbled
> my way through setting up bridging on the 1605 but then I couldn't get
> the access-lists to take effect.

I'm VERY wary of bridging firewalls.  If the firewalling code EVER
gets confused as to what level of access a certain MAC addr gets, you
could wind up with compromised systems on your hands.  Here's what I'd
do...

You've got several public addresses to work with, so add them as
aliased i/f's on the outside of the fw, giving you eth0, eth0:0,
eth0:1, and so forth.  Now use iptables to do stuff like this:

# assumes 1.1.1.2 is one of your public IP addrs, on an eth0:X i/f
# (--dport only works together with -p tcp or -p udp, so name the protocol)
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.2 --dport 3389 \
    -j DNAT --to-destination internal.ip.goes.here
# FORWARD sees the packet after DNAT, so match the internal address here
iptables -A FORWARD -p tcp -m state --state NEW \
    -d internal.ip.goes.here --dport 3389 -j ACCEPT

Of course, make sure you put something toward the top like:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-- 
Jason Costomiris <><
E: jcostom {at} gmail {dot} com / W: http://www.jasons.org/
186,000 miles per second. It's not just a good idea, it's the law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
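A dry-run version of the rule set Jason describes, added here as an example and not part of the original post: it emits the ESTABLISHED,RELATED rule first, then one DNAT plus one FORWARD accept per forwarded service, on top of a default DROP for FORWARD. The public and internal addresses in SERVICES are constructed, and IPTABLES defaults to "echo iptables" so nothing is applied unless you set IPTABLES=iptables as root.

```shell
#!/bin/sh
# Added example (not from the original post): generate the DNAT + FORWARD
# rules for a list of forwarded services on aliased public addresses.
# IPTABLES defaults to "echo iptables" (dry run); set IPTABLES=iptables
# as root to apply for real.  All addresses below are constructed.
IPTABLES="${IPTABLES:-echo iptables}"

# One forwarded service per line: public_ip proto port internal_ip
# (the public IPs are assumed to be eth0:X aliases on the outside i/f)
SERVICES='
1.1.1.2 tcp 3389 192.168.1.10
1.1.1.3 tcp 25   192.168.1.20
1.1.1.3 tcp 443  192.168.1.20
'

forward_rules() {
    # default deny: nothing crosses the firewall unless a rule below allows it
    $IPTABLES -P FORWARD DROP
    # replies to already-accepted connections go first, as the post says
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$SERVICES" | while read -r pub proto port int; do
        [ -z "$pub" ] && continue
        # rewrite the destination on the way in; --dport needs -p <proto>
        $IPTABLES -t nat -A PREROUTING -p "$proto" -d "$pub" --dport "$port" \
            -j DNAT --to-destination "$int"
        # FORWARD runs after DNAT, so match the internal host, not the public IP
        $IPTABLES -A FORWARD -p "$proto" -m state --state NEW \
            -d "$int" --dport "$port" -j ACCEPT
    done
}

# count_rules: number of rule lines emitted for the constructed SERVICES
# (1 policy + 1 ESTABLISHED,RELATED + 2 per service)
count_rules() {
    forward_rules | wc -l | tr -d ' '
}
```

Only the listed ports on the listed internal hosts are reachable from outside; everything else hits the DROP policy.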