
full solution to the anna univ routing problem (long)



(this is a longish article; perhaps, someone can post it on to linux
india? it may be of interest to a wider audience; i will let the
linux india subscribers on ilugc decide)
-----------------------------------------------

routing through firewalls
author: p. sriram, iit madras

here is a complete routing solution for the single firewall setup.  though
i prepared this as a solution for a problem posed by anna university, this
may be of interest to many users in india and hence i am posting it here.
this can even be read for entertainment! i have basically presented the
routing configuration to use where a leased line connects a lan/wan
(intranet) to the internet and a two-ethernet card firewall sits at the
intranet/internet interface. the intranet is assumed to be full of hosts
with reserved/private ip addresses and a few hosts that have valid
internet ip addresses. the problem is how to set up routing so things work
as desired.  the firewall is an ip-forwarding/filtering type.  there are
excellent linux how-to's that address the problem, but some aspects are
not covered fully in the how-to's. hence, i write this. i have some
footnotes and comments in the end which may be read before the solution is
used. i would suggest reading through the firewall howto for more details
on the use of ipfwadm or ipchains (or firewalls in general).  actually, as
routing problems go, this one is rather elementary (it could be assigned as
homework, but is not good enough to be on an exam).

disclaimer:
----------
this is free advice. and remember, all my degrees are in aerospace 
engineering and that is what i teach for a living.  so, any claims about 
my competence in computer networking will not be admissible in a court 
of law under the indian evidence act. many people say that advice is 
worth only what you pay for it. that is a warped western idea, like the 
warped western phrase 'there is no free lunch'; go to tirupati and you 
can get free lunch - annadaanam. (i urge you to read up on how the then 
popular annadaanam practice was eliminated during the colonial raj). i 
am not venkatachalapathy, so i don't give free lunches; but my advice is 
free indian advice of the type found in the vedas and the gita. it is 
good, sound, correct and it works; and free (hey, that sounds like 
linux!). however, you can't sue me or iit madras if you get lung 
cancer/bubonic plague/excessive pimples because you used my advice.

the specific setting:
------------------
using annauniv example, the isp assigned 'internet valid' ip addresses 
are 202.54.64.96 to 111; so the netmask for the subnet is 
255.255.255.240 or /28; this / notation is so compact that i will use it 
from here on.  your linux box may or may not support this type of 
notation in the setup commands; if it does not, you will have to replace 
the /28 (or whatever) with 'netmask 255.255.255.240' (or whatever). the 
anna univ 'valid' subnet can be thus denoted as 202.54.64.96/28. the 
firewall host is connected to the router - and in fact is the only host 
connected to the router. in a sense, the presence of internet on the 
anna univ campus is limited to that small segment of the ethernet 
network (cables/hubs whatever) that connects the router to the firewall.  
the firewall uses an ip of 202.54.64.101 on eth0 (which connects to the 
router) and 10.1.1.1 on eth1; eth1 connects to the campus network 
(intranet). the campus network uses private 10.x ip numbers for all the 
hosts. the single firewall sits between the campus network and the 
internet. now, it is proposed to add a new host in the intranet with an 
ip address of 10.1.1.30; this host needs to be visible on the internet 
with an ip address of 202.54.64.102. there is also another host 
10.1.1.100 which is an intranet only host (no direct access to the 
internet; it accesses internet through the firewall). how to do routing 
for this setup?

the solution
-----------
i will start with the router and work my way into the network. i don't 
know the address given to the ethernet interface of the router, so i 
will assume it is 202.54.64.97; this is the conventionally used address; 
the lowest, 96, is reserved for the network, and the highest, 111, is 
reserved for the subnet broadcast address; the lowest address available, 
97, is for the router/gateway, leaving the 13 addresses (202.54.64.98 
through 110) available for other hosts in the intranet which need a 
direct connection to the internet. the firewall uses 202.54.64.101, 
leaving 12 more internet valid ip addresses. though my solution is for 
202.54.64.102, it obviously applies for any of these 12.

(read my important footnote regarding the single firewall configuration 
in the indian context)

(1) router
---------
default route points to the serial interface
202.54.64.101/32 points to the ethernet interface
202.54.64.96/28 points to 202.54.64.101
(router programming depends on vendor and model; consult the router manual 
to figure out how to make the entries as above. the second entry is a 
host route and the third is a gateway route for the whole subnet; being 
more specific, the host route wins for 202.54.64.101 itself, and every 
other address in the subnet, 202.54.64.102 included, is handed to the 
firewall. one caveat: if the router's own ethernet interface is numbered 
out of 202.54.64.96/28, as it is in the standard setup below, many 
routers prefer that directly connected route to a static route for the 
same subnet, and the third entry then has no effect. the usual way round 
this is to leave the router's routing alone and have the firewall answer 
arp requests on eth0 for the 202 hosts behind it (proxy arp: on a 2.2 
kernel, echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp; on 2.0, a 
published entry per host with arp -s). the proxy-arp subnet mini-howto 
covers this.)

without the firewall, the standard routing on the router would be
default points to the serial interface
202.54.64.96/28 points to the ethernet interface

(2)firewall
----------
(first setup the two ethernet cards)

ifconfig eth0 202.54.64.101/28
ifconfig eth1 10.1.1.1/x  (appropriate netmask to be added depending on 
how large the 10.x local domain is; i will just show this with an x; i 
am assuming the intranet is sized for at least 256 addresses so x is 24 
or lower)

(and now, the routing)
ip address of router points to eth0 device
202.54.64.96/28 points to eth1 device
10.1.1.0/x points to eth1 device
default route points to ip address of router (202.54.64.97 assumed)

the following commands will accomplish this routing; some of these may 
have been automatically added by the system during installation. in 
particular, a 2.2 or later kernel adds a route for 202.54.64.96/28 on 
eth0 the moment eth0 is configured; that entry has to be removed first 
(route del -net 202.54.64.96 netmask 255.255.255.240 dev eth0), or the 
eth1 entry for the same subnet below will be refused or never consulted 
and packets for 202.54.64.102 will go out of the wrong card.

route add -host 202.54.64.97 dev eth0
route add -net 202.54.64.96 netmask 255.255.255.240 dev eth1
route add -net 10.1.1.0 netmask x dev eth1
route add default gateway 202.54.64.97

note that since both 202.x and 10.x are present on the intranet, the 
interface connecting to the intranet (eth1) has a routing entry for 
both. the internet is accessed through the router on eth0 and the other 
two routing entries set this up.

(and finally, the firewalling)
the firewall will need to have ip forwarding enabled. suitable ipfwadm 
or ipchains rules will have to be put in place to control access as per 
policy.  10.x intranet hosts can gain access to the internet through a 
suitable masquerading rule. in fact, a broad rule can be used to allow 
all hosts on the 10.x intranet to access the internet freely (all these 
accesses will appear to come from the firewall internet ip 
202.54.64.101).  however, this access is one-way: connections can be 
made from the intranet to the internet, but not vice-versa (though data 
flows in both directions once a connection is up). in users' language, 
this means one can do web browsing, but not web hosting; one can send 
mail out directly but not receive it. one can ftp - well, not quite. ftp 
uses two connections: the control connection, which the client opens, 
and a data connection which in the traditional (active) mode the server 
opens back to the client. clients on the internet cannot use an intranet 
ftp server at all. clients on the intranet can use an internet ftp 
server only if both client and server support passive mode (the client 
then opens the data connection as well), or if the masquerading code is 
told to follow the ftp control channel and rewrite the port command (the 
ip_masq_ftp module on 2.0 and 2.2 kernels). note also that the 202 hosts 
behind the firewall are a different case from the masqueraded 10.x 
hosts: they keep their own addresses, so whatever the forwarding rules 
allow to reach them is reachable from the internet, and they are where 
the access-control policy really matters.
consult the firewall howto, which has a good explanation of how to set 
up ipfwadm or ipchains; the howto also has pointers to other 
documentation on ipfwadm and ipchains.
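to pull section (2) together, here is an example added here (it is not 
part of the original article and not lifted from any howto): a shell 
script that turns the /28 notation and the 'netmask x' placeholder into 
concrete values and emits the firewall's interface, route and ipchains 
commands. it assumes a 2.2 kernel with ipchains, the interface names 
used above, an intranet of 10.1.1.0/24 (so x is 24), and that the kernel 
has already added the connected route for the external subnet on eth0, 
which the emitted script deletes before adding the eth1 entry. the 
ipchains lines give the one-way masquerading policy described above plus 
blanket forwarding for the 202 hosts; they are a starting point, not a 
finished policy.

```shell
#!/bin/sh
# added example, not part of the original article: resolve the /28 and
# "netmask x" placeholders of section (2) and emit the firewall setup.
# assumptions: 2.2 kernel with ipchains, eth0 = internet side,
# eth1 = intranet side, intranet 10.1.1.0/24 (x = 24).

# dotted quad -> 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix length -> dotted netmask, e.g. 28 -> 255.255.255.240
prefix2mask() {
    int2ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# network and broadcast address of ADDR PREFIXLEN, e.g. 202.54.64.101 28
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$(prefix2mask "$2")") ))
}
broadcast_of() {
    int2ip $(( $(ip2int "$1") | (~$(ip2int "$(prefix2mask "$2")") & 0xFFFFFFFF) ))
}

# number of host addresses in a prefix, network and broadcast excluded
usable_hosts() { echo $(( (1 << (32 - $1)) - 2 )); }

# firewall_setup EXT_ADDR/LEN INT_ADDR/LEN ROUTER_ADDR
# prints the commands of section (2) with every placeholder filled in
firewall_setup() {
    ext=${1%/*}; extlen=${1#*/}
    int=${2%/*}; intlen=${2#*/}
    rtr=$3
    extnet=$(network_of "$ext" "$extlen"); extmask=$(prefix2mask "$extlen")
    intnet=$(network_of "$int" "$intlen"); intmask=$(prefix2mask "$intlen")
    cat <<EOF
ifconfig eth0 $ext netmask $extmask
ifconfig eth1 $int netmask $intmask
# a 2.2 kernel added $extnet/$extlen on eth0 with the ifconfig above;
# on this design that subnet lives behind eth1, so take the entry away
route del -net $extnet netmask $extmask dev eth0
route add -host $rtr dev eth0
route add -net $extnet netmask $extmask dev eth1
route add -net $intnet netmask $intmask dev eth1
route add default gw $rtr
echo 1 > /proc/sys/net/ipv4/ip_forward
# forwarding policy: nothing passes unless a rule says so
ipchains -P forward DENY
# the 202 hosts keep their own addresses; tighten these two to taste
ipchains -A forward -s $extnet/$extlen -j ACCEPT
ipchains -A forward -d $extnet/$extlen -j ACCEPT
# the 10.x hosts go out masqueraded as $ext; nothing can come in to them
ipchains -A forward -s $intnet/$intlen -j MASQ
EOF
}

# the anna univ numbers from the article
firewall_setup 202.54.64.101/28 10.1.1.1/24 202.54.64.97
```

run it once to see the script it produces, then run the output as root 
on the firewall (or paste it into the boot-time network script). the 
ifconfig lines use 'netmask' rather than /28 so that they also work on 
an ifconfig that does not understand the slash notation.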

and finally, i present the last step of the routing, the intranet hosts.

(3) intranet hosts
----------------
(a) pure intranet hosts with 10.x addresses only; the address for the 
example host is 10.1.1.100. the routing should have

10.x pointing to eth0
202.54.64.96/28 pointing to eth0
default pointing to 10.1.1.1, the internal interface of the firewall

the commands to do this are

ifconfig eth0 10.1.1.100/x

route add -net 10.1.1.0 netmask x dev eth0
route add -net 202.54.64.96 netmask 255.255.255.240 dev eth0
route add default gateway 10.1.1.1

however, this leaves the router inaccessible since it is beyond the 
firewall and not on the intranet.  same is true of the external 
interface 202.54.64.101 on the firewall. to be able to access the router 
from this host, a host route has to be added.

route add -host 202.54.64.97 gateway 10.1.1.1

of course, access to the router from this intranet host will be 
controlled by the firewalling rules. a similar host route has to be 
added if one wants to access the firewall external interface (route add 
-host 202.54.64.101 gateway 10.1.1.1); remember, the firewall machine 
itself can be conveniently accessed using the 10.1.1.1 address. access 
to the external interface may be needed, for example, for some mail 
purposes.

as an alternate arrangement, a 10.x address can be assigned to each of 
the internet hosts on the intranet (not only the firewall), making them 
visible on the intranet directly. this will need ip aliasing support on 
all the internet hosts (the hosts with the 202 series ip addresses). in 
that case, the first route shown above (10.x pointing to eth0) will open 
up this access and all the routing entries except the default entry 
become superfluous.  i believe this is a better arrangement since 
generic 10.x hosts need not know anything about the existence of the 202 
hosts at all. in a sense, the presence and access to internet is 
transparent to users on 10.x machines. they need not know anything about 
routing and simply use the appropriate 10.x gateway(s) to access 
internet services.  the corresponding routing for the internet hosts is 
shown at the bottom of the next section.
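the effect of the host routes in (a) is easiest to see by looking up a 
few destinations the way the kernel does: the matching entry with the 
longest prefix wins, whatever order the routes were added in. here is an 
example added here (not part of the original article) in shell that 
does that lookup over the routing table of 10.1.1.100 as built above, 
written in prefix/length form; x is taken as 24, and the address 
203.0.113.7 standing in for 'somewhere on the internet' is made up.

```shell
#!/bin/sh
# added example, not part of the original article: a longest-prefix-match
# lookup over the routing table of the pure-intranet host 10.1.1.100 from
# section 3(a), to show why the /32 host routes are needed.  the table is
# constructed here from the article's route commands, written as prefix/len.

# dotted quad -> 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# routing table of 10.1.1.100 as built up in section 3(a):
# the two -net entries, the default, and the two -host entries
INTRANET_HOST_TABLE='10.1.1.0/24 dev eth0
202.54.64.96/28 dev eth0
0.0.0.0/0 via 10.1.1.1
202.54.64.97/32 via 10.1.1.1
202.54.64.101/32 via 10.1.1.1'

# route_lookup DEST  (table on stdin, one "prefix/len next-hop" per line):
# the kernel picks the matching entry with the longest prefix, whatever the
# order the routes were added in; print that entry's next hop
route_lookup() {
    dst=$(ip2int "$1"); best=-1; hop=unreachable
    while read -r net target; do
        [ -n "$net" ] || continue
        plen=${net#*/}
        mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
        if [ $(( dst & mask )) -eq $(( $(ip2int "${net%/*}") & mask )) ] &&
           [ "$plen" -gt "$best" ]; then
            best=$plen; hop=$target
        fi
    done
    echo "$hop"
}

# where_to DEST: look DEST up in the full 3(a) table
where_to() { printf '%s\n' "$INTRANET_HOST_TABLE" | route_lookup "$1"; }

# the same lookup against the table before the two host routes were added
where_to_without_host_routes() {
    printf '%s\n' "$INTRANET_HOST_TABLE" | grep -v '/32 ' | route_lookup "$1"
}

# 203.0.113.7 is a made-up "somewhere on the internet" address
for d in 10.1.1.30 202.54.64.102 202.54.64.97 202.54.64.101 203.0.113.7; do
    echo "$d -> $(where_to "$d")   (without host routes: $(where_to_without_host_routes "$d"))"
done
```

without the two /32 entries, 202.54.64.97 and 202.54.64.101 match the 
/28 and the host arps for them on the intranet wire, where nobody 
answers; with them, those two addresses, and only those two, are handed 
to the firewall, while 202.54.64.102 still goes straight out of eth0.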
 
(b) internet hosts on the intranet i.e., hosts with 202 series ip 
addresses; example, 202.54.64.102; eth0 can be configured with this ip 
address. the routing is as follows.

10.x pointing to eth0
202.54.64.96/28 pointing to eth0
202.54.64.97 pointing to 10.1.1.1
default pointing to 202.54.64.97

the commands to do this are

ifconfig eth0 202.54.64.102/28

route add -net 10.1.1.0 netmask x dev eth0
route add -net 202.54.64.96 netmask 255.255.255.240 dev eth0
route add -host 202.54.64.97 gateway 10.1.1.1 
route add default gateway 202.54.64.97

as in case 3-a, the external interface of the firewall is not accessible 
directly at this stage. if this access is needed, one needs to add a 
route for that pointing to the internal interface of the firewall as was 
done in case 3-a (route add -host 202.54.64.101 gateway 10.1.1.1).

the above is applicable if the internet hosts on the intranet are not 
given the local 10.x series addresses through aliasing. if one chooses 
the alternate arrangement of giving a 10.x address also to these hosts, 
we have the following.

ifconfig eth0 202.54.64.102/28
ifconfig eth0:0 10.1.1.30/x

route add -net 10.1.1.0 netmask x dev eth0:0
route add -net 202.54.64.96 netmask 255.255.255.240 dev eth0
route add -host 202.54.64.97 gateway 10.1.1.1 
route add default gateway 202.54.64.97

if, for some reason, it is preferred to give 10.1.1.30 as the eth0 
address and 202.54.64.102 as the additional (aliased) address eth0:0, 
eth0 and eth0:0 will have to be interchanged in the above to get

ifconfig eth0 10.1.1.30/x
ifconfig eth0:0 202.54.64.102/28

route add -net 10.1.1.0 netmask x dev eth0
route add -net 202.54.64.96 netmask 255.255.255.240 dev eth0:0
route add -host 202.54.64.97 gateway 10.1.1.1 
route add default gateway 202.54.64.97

that completes the solution; there are other ways of achieving this, but 
this one will work.

footnote: (1) this type of single point firewalling is generally not 
necessary in the indian context. since the router at the vsnl end will 
only route packets to the 202.54.64.96/28 subnet (these being the only 
'valid' internet ip addresses), the 10.x hosts cannot be reached 
directly from the internet. since only 202.54.64.96/28 hosts are 
visible on the internet, one of the hosts in this set will have to be 
broken into before any of the 10.x hosts can be attacked. the only thing 
gained by putting two ethernet cards on 202.54.64.101 is that this ONE 
host (not just any one of the 202.54.64.96/28 subnet) will have to be 
broken into before any other host can be attacked.  one could argue that 
maintaining one secure host is easier than maintaining 13; however, with 
a reasonably fast leased link, a simple pc as the single firewall may 
result in a bottleneck; this can lead to inability to utilize the 
bandwidth available on the leased line. a dedicated firewall box or 
at least, a linux router type box may be in order.  however, this type of 
firewalling is usually called for only if all (or many) of the hosts 
behind the firewall have externally visible ip addresses since it can 
protect weakly configured hosts (say, user configured/administered 
windows type machines). for example, if annauniv had the address space 
of 202.54.64.x/24 (256 ip addresses) or lower than /24  - say /23 or /22 
or whatever - (more than 256 ip addresses), they could assign 
202.54.whatever type ip addresses to ALL hosts on their campus network. 
then, ALL these hosts would be directly on the internet and would be 
fair game for direct attack from anywhere in the world.  this is a 
typical corporate setup in the west and hence the need for double 
ethernet card firewall at the point(s) of entry.  the limited 
availability of ip addresses in india (and the world in general, i 
suppose) means that even 2mbps leased line customers get far fewer 
addresses than the number of machines they have; this leads to a 
standard indian setup of intranets based entirely on reserved ips (and 
thus automatically isolated from the internet) and only a relative 
handful of the hosts on the intranet having direct access to the 
internet.  the western type firewall is probably inappropriate for use 
in this type of situation. one can reasonably  assume that the limited 
'valid' ip addresses would be in demand and would only be dished out 
only to well managed/configured/administered server class machines, 
which would be reasonably difficult to break into (unlike a user 
administered windows type machine). moral of this story: if you want to 
market this type of firewall solution in india, and if your potential 
client is wise enough to seek my counsel (!), your price had better be real cheap 
or there goes your sale.

(2) introduction to firewalls: there are basically two types of 
firewalls - the forwarding/filtering type and the proxying type.  the 
forwarding/filtering type has two ethernet cards, one connected to the 
internet and the second to the intranet. the first is the outside of the 
firewall and the second, the inside. ipforwarding is enabled on the 
firewall selectively to control what traffic can get through. ipfw, 
ipfwadm and ipchains are software packages that can be used to provide 
this control function. in the proxy type firewall, the intranet hosts 
are blocked from the internet (and vice versa) by the router connecting 
the network to internet; select hosts have access to the internet and 
these serve as proxies for the others. i.e., an intranet host needing an 
internet service forwards the request to an internet enabled host; this 
host then performs the service and returns the results to the 
originating host. the squid web proxy is a well known example for this 
type of transaction. a browser makes a request to the squid proxy, which 
fetches the information from the internet and presents the resulting web 
pages to the browser. in general, one proxy program is required for each 
of the services that needs to be provided. the socks package can be 
used to get around this problem of one program for each service. it is a
generic package and can be used to proxy multiple services; it basically
passes along a generic request for service that it receives but with
itself as the requester; the returned results are passed back
appropriately. with the proxy approach, the user application has to be
redirected to obtain service from the appropriate proxy server and not
directly. in a browser, this may simply mean turning on an option to use a
proxy and entering the proxy address. however, for most other
applications, a recompile may be called for, especially if the service is
through socks (this is known as sockifying an application). for windows
users, there is the well known trumpet winsock package which provides the
socks functionality. there is also another tool that is useful - the tis
fwtk (firewall tool kit). this is a generic proxying type package and
provides good control over what services are provided through the proxy
and to whom. read the firewall howto for further information.

---
Visit our home page at: www.chennailug.org
Send e-mail to 'ilugc-request@xxxxxxxxxxxxxxxxxx' with 'unsubscribe' 
in either the subject or the body to unsubscribe from this list.