----- Original Message -----
From: "Jun Tanamal" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 05, 2003 5:26 PM
Subject: Re: [plug] Firewall before a NAT machine

> it is connected to the old firewall/NAT.

OK, with your current setup:

Internet ---> router ---> switch ---> Old all-in-one machine ---> LAN1
                                                               \---> LAN2


I assume that your public network segment and its subnet mask between the router and the old all-in-one machine is a.b.c.0/255.255.255.0 (but of course you can replace this with your real address later on).

I assume that right now the public IP addresses of your router and your old all-in-one machine are the following:

router public IP address is a.b.c.1/255.255.255.0
old all-in-one public IP address is a.b.c.254/255.255.255.0

OK, here are the steps:

step 1, at your new firewall/NAT box
1.1. install two NICs
1.2. NIC one (eth0) IP address is a.b.c.126/255.255.255.128 (choose between .2 and .126 as the last byte)
1.3. NIC two (eth1) IP address is a.b.c.129/255.255.255.128 (choose between .129 and .253 as the last byte)
1.4. enable IP forwarding
1.5. configure NAT/masquerading for the LAN1 and LAN2 network addresses, either at NIC one (eth0) or NIC two (eth1)
1.6. set the default gateway pointing to your router IP address, with the device attached to NIC one (eth0)
1.7. add a static route for the LAN1 network address pointing to your old all-in-one machine IP address as its gateway, with the device attached to NIC two (eth1)
1.8. add a static route for the LAN2 network address pointing to your old all-in-one machine IP address as its gateway, with the device attached to NIC two (eth1)
1.9. attach two straight-through cables from your two NICs to your switch


Take note of steps 1.2 and 1.3... the subnet mask is divided into two (from 255.255.255.0 into 255.255.255.128) because I'm splitting your public network segment into two public segments... segment one is a.b.c.0/255.255.255.128 and segment two is a.b.c.128/255.255.255.128.

step 2, at your old all-in-one machine box
2.1. modify your default gateway: instead of pointing to your router IP address, point it to your new firewall/NAT box NIC two (eth1) IP address


Now the flow of packets coming from the old all-in-one machine going to the internet is this: they will pass through your new firewall/NAT box, which forwards them to your router (because of step 1.4 and step 1.6)... on the way back, packets coming from the internet pass through the router, and the router will simply forward them directly to the old all-in-one IP address (MAC-to-MAC communication).

Take note that at this stage the netmask is not important right now, because the netmask of the router and the old all-in-one machine is different from the netmask of NIC one (eth0) and NIC two (eth1) at the new firewall/NAT box... what is most important right now is the routing of packets...

step 3, at your router side
3.1. modify the netmask of your ethernet interface from 255.255.255.0 into 255.255.255.128 (or the equivalent for your real subdivided netmask)
3.2. add a static route for segment two (a.b.c.128/255.255.255.128) and point it to your new firewall/NAT box NIC one (eth0) as its gateway


step 4, at your old all-in-one machine box again
4.1. modify the netmask of its ethernet interface from 255.255.255.0 into 255.255.255.128 (or the equivalent for your real subdivided netmask)
4.2. remove the NAT/masquerading rules, because your new firewall/NAT box will take care of NATing/masquerading, as step 1.5 said


and the last, final step:

remove the two cables... cable 1 from the old all-in-one machine box to the switch, and cable 2 from the new firewall/NAT box (connected from NIC two (eth1)) to the switch, and then connect your old all-in-one machine box to your new firewall/NAT box NIC two (eth1) interface using a cross-over cable, so that it will look like this, as you wanted:

Internet ---> router ---> switch ---> Firewall/NAT ---> Old machine ---> LAN1
                                                                    \---> LAN2


By the way, your firewall rules must move from the old all-in-one machine to your new firewall/NAT box...

fooler.
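The step-1 configuration of the new two-NIC firewall/NAT box, written out as a shell script. This is an added example and not code from the post above or from the list. It assumes a modern Linux box with iproute2 (`ip`) and iptables, and uses placeholder addressing: the post's a.b.c.0/24 becomes 203.0.113.0 (RFC 5737 documentation range), LAN1 and LAN2 are assumed to be 192.168.1.0/24 and 192.168.2.0/24, and the old box's public NIC is assumed to be eth0. The firewall rules are a minimal stateful set standing in for whatever rule set moves over from the old box; step 3 (the router) depends on the router and is not covered. `DRY_RUN=1` prints the commands instead of executing them, so the plan can be checked before it is applied to a box that is the only path to the internet.

```shell
#!/bin/sh
# Added example (not from the original post): the new two-NIC firewall/NAT
# box from step 1, plus the firewall rules the post says must move over.
# Placeholder addressing (assumed, replace with the real values):
#   public /24 "a.b.c.0"  -> 203.0.113.0 (RFC 5737 documentation range)
#   LAN1 -> 192.168.1.0/24, LAN2 -> 192.168.2.0/24
# Assumes iproute2 ("ip") and iptables. DRY_RUN=1 prints commands instead
# of executing them, so the plan can be reviewed before it is applied.

PUB=${PUB:-203.0.113}
ROUTER_IP=$PUB.1          # router, stays on segment one (a.b.c.0/25)
FW_ETH0=$PUB.126          # step 1.2: segment one, pick from .2 to .126
FW_ETH1=$PUB.129          # step 1.3: segment two, pick from .129 to .253
OLD_BOX=$PUB.254          # old all-in-one box, ends up on segment two
LAN1=${LAN1:-192.168.1.0/24}
LAN2=${LAN2:-192.168.2.0/24}
WAN_IF=eth0
LAN_IF=eth1

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

last_octet() { echo "${1##*.}"; }

# The /24 is split into .0/25 (hosts .1-.126) and .128/25 (hosts .129-.254).
# Refuse to continue if a chosen address sits in the wrong half.
check_addressing() {
    o0=$(last_octet "$FW_ETH0")
    o1=$(last_octet "$FW_ETH1")
    if [ "$o0" -lt 2 ] || [ "$o0" -gt 126 ]; then
        echo "eth0 address must be $PUB.2 - $PUB.126" >&2; return 1
    fi
    if [ "$o1" -lt 129 ] || [ "$o1" -gt 253 ]; then
        echo "eth1 address must be $PUB.129 - $PUB.253" >&2; return 1
    fi
}

configure_new_firewall() {
    check_addressing || return 1
    # steps 1.2 / 1.3: one /25 per NIC
    run ip addr add "$FW_ETH0/25" dev "$WAN_IF"
    run ip addr add "$FW_ETH1/25" dev "$LAN_IF"
    run ip link set "$WAN_IF" up
    run ip link set "$LAN_IF" up
    # step 1.4: forward between the NICs
    run sysctl -w net.ipv4.ip_forward=1
    # step 1.6: default route through the router, out eth0
    run ip route add default via "$ROUTER_IP" dev "$WAN_IF"
    # steps 1.7 / 1.8: LAN1 and LAN2 sit behind the old box, reached via eth1
    run ip route add "$LAN1" via "$OLD_BOX" dev "$LAN_IF"
    run ip route add "$LAN2" via "$OLD_BOX" dev "$LAN_IF"
    # step 1.5: masquerade LAN sources as they leave on the outside NIC
    run iptables -t nat -A POSTROUTING -s "$LAN1" -o "$WAN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN2" -o "$WAN_IF" -j MASQUERADE
    # firewall rules moved here from the old box: a minimal stateful set that
    # lets the LANs out and only replies back in (the real rule set goes here)
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

# Steps 2.1, 4.1 and 4.2, to be run on the old box (its public NIC assumed
# to be eth0). Printed only, since this script runs on the new box.
old_box_commands() {
    echo "ip addr flush dev eth0"
    echo "ip addr add $OLD_BOX/25 dev eth0"         # 4.1: /24 -> /25
    echo "ip route replace default via $FW_ETH1"    # 2.1: gateway = new box eth1
    echo "iptables -t nat -F POSTROUTING"           # 4.2: drop old masquerading
}

if [ "${DRY_RUN:-0}" = 1 ]; then
    configure_new_firewall
    echo "# on the old box:"
    old_box_commands
fi
```

Run it as `DRY_RUN=1 sh newfw.sh` first and read the output; the address check catches the common mistake of putting eth0 or eth1 in the wrong half of the split /24. The old-box commands flush the public NIC before re-adding it, so run them from the console, not over SSH. Until step 4.2 is done the old box still masquerades LAN traffic to a.b.c.254, which the new box then routes unchanged (its MASQUERADE rules only match the private LAN ranges), so the two stages do not fight each other.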

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie