Thanks Pierre...

I'd originally had this working between two NAT'd networks
with a firewall that basically sent all 'other network'
traffic over to the other firewall; basically the routing 
tables on the subnet boxes used the local firewall as the default 
route and the other network subnet was a static route in 
the firewall routing table pointing to the other firewall.
And vice versa... hope you follow me.

How RFC's may or may not have broken is another matter 
but it worked well enough ...
anyway those are discussions for the wee small hours 
over a few beers ;-)

I'd the ports written wrong in my example... need to be careful
as taken too literally... actually 19922, 19822 ...

Anyway..

Enter Bastille on Mandrake-SNF... everything is working well
from single subnet to outside and outside to subnet (apart from 
the multiple port/host forwarding requirement)
but I plain can't get the routing between f/w to work without removing 
Bastille completely... which seems to defeat the object of using 
it... 

If there were a VPN solution... great but you'd still have the 
private subnet to private subnet routing problem...

Any ideas ?

Dominic


-----Original Message-----
From: Pierre Fortin [mailto:[EMAIL PROTECTED]]
Sent: 12 March 2002 15:44
To: [EMAIL PROTECTED]
Subject: Re: [expert] Bastille firewall setup - missing options ?


On Tue, 12 Mar 2002 09:55:13 -0500 "Baines, Dominic"
<[EMAIL PROTECTED]> wrote:

> Thanks Richard,
> 
> ...I'd seen the example but that is not applicable for use 
> with the external interface.
> 
> The 192.168.100. subnet is behind one firewall connected 
> to the internet... the 192.168.200. subnet is behind
> another firewall somewhere else on the internet... 

You're fighting a couple of basic problems before you can get to the point
of routing traffic...

1. 192.168.*.* is _not_ directly routable over the Internet
   -- see http://www.ietf.org/rfc/rfc1918.txt

2. Since these [sub]nets are not routable over the 'net, you have to
establish a virtual link between them to allow connectivity. 
Alternatively, you can use NAT at both gateways; but that will not allow
transparent any-to-any connectivity between the 2 subnets -- just client
to remote service.

3. Any virtual link should be part of a "routed" network; a "switched"
(bridged) network will waste bandwidth with broadcasts/multicasts... 
while a "virtual link" is not a real link, it *does* use real bandwidth
over a real link...  but you already knew that... :^)

More below...

> -----Original Message-----
> From: Richard Bown [mailto:[EMAIL PROTECTED]]
> Sent: 12 March 2002 12:14
> To: linux-expert
> Subject: Re: [expert] Bastille firewall setup - missing options ?
> 
> look in /sbin/bastille-netfilter
> there is an example of routing between different subnets on the internal
> interface. 
> 
> <snip>
> 
> On Tue, 2002-03-12 at 11:32, Baines, Dominic wrote:
> > Is there a way to do these with Bastille:
> > 
> > 1. Port forward say ssh (22) to more than one host internally ?
> > say something like:
> > port 19922 to host 1:22
> > port 19822 to host 2:22
> > port 19722 to host 3:22

I must've missed the announcement that port numbers higher than 65535 were
now allowed...  :^) A suggestion:  use 22xxx where xxx is the last octet
of the IP address at the far-end.  Works either way; hosts local to each
other can just use 22 (at each location).

Oops fat fingers... should be 19... not 99 ... ;-)

A LinkSys router is *supposed* to be able to do that; but seems to have
problems which I'm still fighting with LinkSys over (see
http://pfortin.com/Linux/LinkSys/)


Want to stay totally open on the router OS... otherwise might as well go 
Watchguard.

You should be able to connect the two subnets with iptables NAT in the
gateways at both ends (http://www.netfilter.org), then ssh 

What I thought...

> > I can only seem to enable just single host port forwarding and it is a
> > bit limiting.

Combining ssh with NAT should work -- haven't done it myself; but the
architecture allows it AFAIK...  just takes some planning and meticulous
table creation.

And really meticulous planning agreed and lots of thought.

> > 2. Connect a whole remote network (actually 3 systems behind another
> > Bastille firewall also NAT'd...) to the local network . 
> > 
> > Local network 192.168.100. network
> > Remote network 192.168.200. network
> > 
> > What I'd like to do is setup both systems so that they KNOW that the
> > gateway to the other is through the firewall...
> > 
> > I used to be able to do this 'simply' enough by adding rules to both
> > firewalls to tell them the other network gateway was the PUBLIC IP
> > address of the other firewall...
> > 
> > Can't seem to do this, with Bastille ....

Suspect that each gateway should know about each other at the global
Internet level in order to provide a virtual link which the 2 192.168
segments should treat as a point-to-point inter-router/gateway link.

They do...

> > 3. Use the Bastille firewall system as a VPN server. Ideally 2 uses
> > these or a remote user would..
> > 
> > Has anyone else been able to accomplish any of these tasks whilst not
> > completely mitigating the use of Bastille (which is what I'm faced
> > with otherwise) ?

Not sure of the details; but I get the impression you are not viewing this
problem as:

1. virtual link between sites
2. 192.168.100.* and 192.168.200.* uses the virtual link between gateways
3. The virtual link may also need to be an IP subnet; if so, suggest using
   192.168.255.{1,2}.

No you have it right... just a virtual network doesn't appear to 
function correctly. So I backed out and am trying to get the two networks 
to talk to each other instead using routing tables...

Dominic
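As an added example (not part of the thread, and not Bastille's or netfilter's own code), the rules the two requests above boil down to when written directly for iptables: DNAT from several external ports to the ssh port of different internal hosts, plus the forwarding rules and static route for the site-to-site link. The port-to-host mapping uses the ports from the thread (19922, 19822, 19722); the internal host addresses 192.168.100.1-3, the external interface name eth0 and the tunnel interface name tun0 are constructed assumptions. The link between the two 192.168 nets is deliberately a tunnel interface rather than a route via the other firewall's public IP, because, as Pierre notes, RFC 1918 addresses are not routed across the Internet, so a plain static route to the remote gateway's public address never carries the 192.168.200 traffic there. Set IPT="echo iptables" and IP="echo ip" to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: multi-host ssh port forwarding and a private-net-to-private-net
# link with iptables. Not from the thread; interface names and host addresses are
# assumed values. Dry-run with: IPT="echo iptables" IP="echo ip" sh thisfile.sh apply

IPT="${IPT:-iptables}"          # set to "echo iptables" to print rules only
IP="${IP:-ip}"                  # set to "echo ip" to print the route command only
EXT_IF="${EXT_IF:-eth0}"        # assumed external (Internet-facing) interface
TUNNEL_IF="${TUNNEL_IF:-tun0}"  # assumed tunnel/VPN interface to the other site
LOCAL_NET="192.168.100.0/24"    # local subnet from the thread
REMOTE_NET="192.168.200.0/24"   # remote subnet from the thread

# Constructed mapping "<external port> <internal host>", one per line.
# Ports are the ones from the thread; the host addresses are assumed.
SSH_MAP="19922 192.168.100.1
19822 192.168.100.2
19722 192.168.100.3"

# Emit the DNAT rule for one external port plus the matching FORWARD rule.
# Only the rewritten destination (host:22) is allowed through, not port 22
# on every internal host.
forward_ssh() {
    ext_port=$1
    host=$2
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$host:22"
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$host" --dport 22 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Apply every line of SSH_MAP.
apply_ssh_map() {
    echo "$SSH_MAP" | while read -r port host; do
        [ -n "$port" ] && forward_ssh "$port" "$host"
    done
}

# Site-to-site: forward only traffic between the two private nets, only over
# the tunnel, and route the remote net through the tunnel interface. Traffic
# from the tunnel claiming any other source address is left to the default
# policy (assumed DROP), which stops a spoofed source on the far side from
# reaching hosts that only the local net should reach.
site_link() {
    $IPT -A FORWARD -i "$TUNNEL_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -o "$TUNNEL_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IP route add "$REMOTE_NET" dev "$TUNNEL_IF"
}

# Only touch the live tables when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    apply_ssh_map
    site_link
fi
```

The same script runs on the 192.168.200 gateway with LOCAL_NET and REMOTE_NET swapped and its own SSH_MAP. Bastille's generated ruleset sets the FORWARD policy and its own chains, so these rules would need to go into its /sbin/bastille-netfilter hook rather than a separate script that it later overwrites; that is the "meticulous table creation" Pierre refers to.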
