On Tue, 12 Mar 2002 11:53:41 -0500 "Baines, Dominic" <[EMAIL PROTECTED]> wrote:
> Thanks Pierre...
>
> I'd originally had this working between two NAT'd networks
> with a firewall that basically sent all 'other network'
> traffic over to the other firewall, basically the routing
> tables on the subnet boxes used the local firewall as the default
> route and the other network subnet was a static route in
> the firewall routing table pointing to the other firewall.
> And vice versa... hope you follow me.

Maybe this will help as a discussion point...
http://linuxdoc.org/HOWTO/Adv-Routing-HOWTO-5.html

> How RFC's may or may not have broken is another matter
> but it worked well enough ...
> anyway those are discussions for the wee small hours
> over a few beers ;-)

Is that an offer...? :*D

> I'd the ports written wrong in my example... need to be careful
> as taken too literally... actually 19922, 19822 ...
>
> Anyway..

OK... similar... my suggestion would have covered 22001-22254...

> Enter Bastille on Mandrake-SNF... everything is working well
> from single subnet to outside and outside to subnet (apart from
> the multiple port/host forwarding requirement)
> but I plain can't get the routing between f/w to work without removing
> Bastille completely... which seems to defeat the object of using
> it...

Never used Bastille... but sounds like it might not be VPN aware, so it
might not complain if you established a tunnel (looks like a serial
link)...

> If there were a VPN solution... great but you'd still have the
> private subnet to private subnet routing problem...

Not an issue once the two subnets are "connected" via a private link
(VPN, tunnel,...)

> Any ideas ?

Check out the link above and let me know if you need more help with it
if one of the tunnels sounds acceptable... I'd recommend IP-in-IP vs
GRE...

HTH,
Pierre

> Dominic
>
>
> -----Original Message-----
> From: Pierre Fortin [mailto:[EMAIL PROTECTED]]
> Sent: 12 March 2002 15:44
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] Bastille firewall setup - missing options ?
>
>
> On Tue, 12 Mar 2002 09:55:13 -0500 "Baines, Dominic"
> <[EMAIL PROTECTED]> wrote:
>
> > Thanks Richard,
> >
> > ...I'd seen the example but that is not applicable for use
> > with the external interface.
> >
> > The 192.168.100. subnet is behind one firewall connected
> > to the internet... the 192.168.200. subnet is behind
> > another firewall somewhere else on the internet...
>
> You're fighting a couple of basic problems before you can get to the
> point of routing traffic...
>
> 1. 192.168.*.* is _not_ directly routable over the Internet
> -- see http://www.ietf.org/rfc/rfc1918.txt
>
> 2. Since these [sub]nets are not routable over the 'net, you have to
> establish a virtual link between them to allow connectivity.
> Alternatively, you can use NAT at both gateways; but that will not allow
> transparent any-to-any connectivity between the 2 subnets -- just client
> to remote service.
>
> 3. Any virtual link should be part of a "routed" network; a "switched"
> (bridged) network will waste bandwidth with broadcasts/multicasts...
> while a "virtual link" is not a real link, it *does* use real bandwidth
> over a real link... but you already knew that... :^)
>
> More below...
>
> > -----Original Message-----
> > From: Richard Bown [mailto:[EMAIL PROTECTED]]
> > Sent: 12 March 2002 12:14
> > To: linux-expert
> > Subject: Re: [expert] Bastille firewall setup - missing options ?
> >
> > Look in /sbin/bastille-netfilter
> > there is an example of routing between different subnets on the
> > internal interface.
> >
> > <snip>
> >
> > On Tue, 2002-03-12 at 11:32, Baines, Dominic wrote:
> > > Is there a way to do these with Bastille:
> > >
> > > 1. Port forward say ssh (22) to more than one host internally ?
> > > say something like:
> > > port 19922 to host 1:22
> > > port 19822 to host 2:22
> > > port 19722 to host 3:22
>
> I must've missed the announcement that port numbers higher than 65535
> were now allowed... :^) A suggestion: use 22xxx where xxx is the last
> octet of the IP address at the far-end. Works either way; hosts local
> to each other can just use 22 (at each location).
>
> Oops fat fingers... should be 19... not 99 ... ;-)
>
> A LinkSys router is *supposed* to be able to do that; but seems to have
> problems which I'm still fighting with LinkSys over (see
> http://pfortin.com/Linux/LinkSys/)
>
>
> Want to stay totally open on the router OS... otherwise might as well
> go Watchguard.
>
> You should be able to connect the two subnets with iptables NAT in the
> gateways at both ends (http://www.netfilter.org), then ssh
>
> What I thought...
>
> > > I can only seem to enable just single host port forwarding and it is
> > > a bit limiting.
>
> Combining ssh with NAT should work -- haven't done it myself; but the
> architecture allows it AFAIK... just takes some planning and meticulous
> table creation.
>
> And really meticulous planning agreed and lots of thought.
>
> > > 2. Connect a whole remote network (actually 3 systems behind another
> > > Bastille firewall also NAT'd...) to the local network .
> > >
> > > Local network 192.168.100. network
> > > Remote network 192.168.200. network
> > >
> > > What I'd like to do is set up both systems so that they KNOW that the
> > > gateway to the other is through the firewall...
> > >
> > > I used to be able to do this 'simply' enough by adding rules to both
> > > firewalls to tell them the other network gateway was the PUBLIC IP
> > > address of the other firewall...
> > >
> > > Can't seem to do this, with Bastille ....
>
> Suspect that each gateway should know about each other at the global
> Internet level in order to provide a virtual link which the 2 192.168
> segments should treat as a point-to-point inter-router/gateway link.
>
> They do...
>
> > > 3. Use the Bastille firewall system as a VPN server. Ideally 2 uses
> > > these or a remote user would..
> > >
> > > Has anyone else been able to accomplish any of these tasks whilst
> > > not completely mitigating the use of Bastille (which is what I'm
> > > faced with otherwise) ?
>
> Not sure of the details; but I get the impression you are not viewing
> this problem as: 1. virtual link between sites
> 2. 192.168.100.* and 192.168.200.* uses the virtual link between
> gateways 3. The virtual link may also need to be an IP subnet; if so,
> suggest using 192.168.255.{1,2}.
>
> No you have it right... just a virtual network doesn't appear to
> function correctly. So I backed out and trying to get the two networks
> to try to talk to each other instead using routing tables...
>
> Dominic
>
>
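As an added example, not written by anyone in this thread, here is a POSIX sh script that prints (rather than applies) the iptables and iproute2 commands for one gateway covering both of Dominic's requests: several ssh forwards behind one public address using Pierre's 22xxx port scheme, and an IP-in-IP link to the far site with 192.168.255.{1,2} as the tunnel subnet, as described in chapter 5 of the Adv-Routing-HOWTO. The public addresses, the interface names eth0 and tun0, and the three internal hosts are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not from anyone in the thread: print (do not apply) the
# iptables/iproute2 commands for one gateway: several ssh forwards behind one
# public address, plus an IP-in-IP link to the far site (Adv-Routing-HOWTO ch.5).
# Review the output, then run it on the gateway as root.

LOCAL_PUB=203.0.113.1      # placeholder: this gateway's Internet address
REMOTE_PUB=198.51.100.1    # placeholder: far-end gateway's Internet address
EXT_IF=eth0                # assumed name of the external interface
TUN_IF=tun0                # assumed name for the tunnel device

# Pierre's 22xxx scheme: xxx is the last octet of the internal host.
ssh_port_for() {
    printf '22%03d\n' "${1##*.}"
}

# $1 = public port, $2 = internal host.  DNAT in PREROUTING rewrites the
# destination; FORWARD must also admit the rewritten packet or it is dropped.
gen_dnat_rules() {
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $1 -j DNAT --to-destination $2:22"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $2 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# $1 = tunnel address here, $2 = tunnel address at the far end,
# $3 = the far site's private subnet.  IP-in-IP is IP protocol 4, so the
# INPUT rule is needed or a default-deny firewall (e.g. Bastille) discards the
# encapsulated packets; the nat ACCEPT keeps tunnelled traffic out of MASQUERADE,
# which is what broke the subnet-to-subnet routing on a NAT'd gateway.
gen_ipip_link() {
    echo "ip tunnel add $TUN_IF mode ipip remote $REMOTE_PUB local $LOCAL_PUB ttl 255"
    echo "ip link set $TUN_IF up"
    echo "ip addr add $1 peer $2 dev $TUN_IF"
    echo "ip route add $3 via $2 dev $TUN_IF"
    echo "iptables -A INPUT -i $EXT_IF -p 4 -s $REMOTE_PUB -j ACCEPT"
    echo "iptables -A FORWARD -i $TUN_IF -s $3 -j ACCEPT"
    echo "iptables -A FORWARD -o $TUN_IF -d $3 -j ACCEPT"
    echo "iptables -t nat -I POSTROUTING -d $3 -j ACCEPT"
}

# Constructed sample: three hosts on 192.168.100.0/24, far site 192.168.200.0/24.
for h in 192.168.100.1 192.168.100.2 192.168.100.3; do
    gen_dnat_rules "$(ssh_port_for "$h")" "$h"
done
gen_ipip_link 192.168.255.1 192.168.255.2 192.168.200.0/24
```

The far gateway runs the same script with LOCAL_PUB/REMOTE_PUB and the two tunnel addresses swapped and 192.168.100.0/24 as the remote subnet, so that each side routes the other's private subnet through the tunnel instead of its default route.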