# DSL Network Topography w/ Gateway & Firewall

## guerrilla_thought

I want to get DSL, but the problem is how do I transition my current setup to work with it. I probably want a hub, right? I don't want one of my internal computers to touch the internet. It needs to go to my SELinux Firewall/Gateway computer before it hits the net. (Note: Both of my boxes run Linux and they will always be running some kind of UNIX)

The idea is to make the Gateway/Firewall also a router. It should route all traffic on my network utilizing the hub. To do this I will have to bind two IP addresses to the ethernet card on my GW/FW.

Theoretically, my local IP addresses (192.168.0.1 and 192.168.0.2 or whatever) will not be able to communicate with the public (dynamic I believe) IP that I will get with DSL.

Please note I probably cannot afford a real router, but I may buy a Linksys switch or something from a friend. Maybe I can borrow someone's router until I can afford my own (very limited income). Please also note that the Gateway/Firewall computer IS NOT capable of taking another ethernet card. Its motherboard is full. Thank you.

here's how it goes:

```

Sonic.net 56k PPP ->>

-> SELinux Gateway & Firewall w/ NAT ->

-> My End User Computer

```

following this outwards we get this:

```

My End User Computer ->

-> SELinux Gateway & Firewall w/ NAT ->

->> Sonic.net 56k PPP

```

You can obviously see why I like this setup.

I want to keep a similar setup but my GW/FW doesn't have two NIC cards, only one ethernet card.

So, if I have DSL, the connection would go directly to the GW/FW and it ends there because I can't hop it to the My EU Comp.

Now, with the idea of using a hub, the most important thing is that my End User Computer never ever touches the internet directly. That means from my End User Computer it should be absolutely impossible to access the internet directly through the hub to the DSL to the internet. (Obviously) This also means NO TRAFFIC CAN TOUCH MY HUB WITHOUT GOING THROUGH MY Gateway/Firewall/Whateveryouwanacallit.

So this is my idea... and I am probably wrong but lemi give it a shot...

```

Sonic.net ->> Ethernet DSL ->

 -> Into Main Hub Port :>

{ Hub }

:>Out Hub Port One -> 

->SELinux Gateway & Firewall ->

-> Back In Hub Port One :> 

{ Hub }

:> Out Hub Port Two -> 

-> End User Computer

```

traversing this backwards we get the following:

```

End User Computer ->

-> In Hub Port Two :>

{ Hub }

-> Out Hub Port One:>

-> SELinux Gateway & Firewall ->

:> Back In Hub Port One ->

{ Hub }

:> Out Main Hub Port ->

-> DSL ->> Sonic.net

```

Okay my ASCII drawing isn't working for this, lemi explain in English:

First the traffic comes in through the DSL and to a hub. The traffic from the hub goes to the SELinux Gateway & Firewall. Using NAT/IP Forwarding the traffic is then sent to the End User Computer. GOING OUTWARD >> The traffic is sent to the hub and from the hub it goes back to the SELinux Gateway & Firewall and then from the GW/Firewall it is sent out through the DSL to the net.

So, here's a thought. If two computers are talking to each other on local IP addresses (GW/FW having 192.168.0.1 and EUC having 192.168.0.2) then is it possible it should work that the GW/FW also accept the IP given to it from the DSL as a second IP, is this impossible? The idea is that ifconfig tells me that I have eth0 which is gonna have an inet address of <WHATDSLASSIGNS,etc> and eth1 with an inet address of 192.168.0.1.

Now, whether or not this works I have a second idea... Using the "route" software tool I could possibly do this.....

on my End User computer I would do something like "route add default gw 192.168.0.1" (my GW/FW IP address) 

on the Gateway/Firewall computer I do something like this "route add default(?) gw <DSL IP>" and addition to that also do something like this "route add 192.168.0.2"

this means that my route table should look like this:

```

__Gateway/Firewall/Whateveryouwanacallit___

ROUTE 1 = IP Assigned by DSL

ROUTE 2 = 192.168.0.2 = End User Computer Internal Network IP

```

----------

## guerrilla_thought

i found a fix for this

Hey man THANKS SO MUCH syn! 

I got it working, well a test version anyway.

so this is what i got

I do this on the iMac----

```

pppd call sonic 

ifconfig eth0 192.168.0.1 broadcast <bc> netmask <nm>

```

this brings up the ppp0 interface which has a dynamic IP assigned to it

and gives me my normal LAN IP

```

ifconfig eth0:1 192.168.0.3 broadcast <bc> netmask <nm>

```

^^ this is the fun part, binding a second IP to the same NIC card.

on the DELL I do this----

```

ifconfig eth0 192.168.0.2 broadcast <bc> netmask <nm>

route add default gw 192.168.0.1

ifconfig eth0:1 192.168.0.4 broadcast <bc> netmask <nm>

```

this uses the iMac as a gateway, via NAT, ip forwarding.. and yah that's a whole nother chapter...and once again the fun part it binds a second IP to the NIC card.

so there we go...

hey so say we're on the imac...

ping its dynamic IP, check

ping its 192.168.0.1 LAN IP, check

ping its 192.168.0.3 LAN IP, check, yay!

ping DELLs 192.168.0.2, LAN IP, duh check

ping DELLs 192.168.0.4, IP, now.. this is cool....  :Smile: 

okay so were back on the DELL

do all the same shit, and guess what we get the same results

we can ping 192.168.0.3, that's eth0:1 on the imac if you forgot already

hey we can even ettercap it, and it gets all of them (excluding ppp and local loopback, etc)

so what good does this do me?

well, i could play around with and do some fun things...

like hey lets make a 192.168.0.5 on eth0:2

so on and so on... maybe this could be useful for some honeypotting, add all kinds of eth0:'s with different IP's.. who knows.....

Wow.. I just added eth0:3 eth0:4 eth0:5 ... it goes pretty high people.... 

sorry if i sound like a n00b here, but this is cool shit. someone will find this useful...

so anyway... for DSL

check it out: imagine a 3 or more port hub

traffic goes into the hub to the iMac and hits its ethernet card at eth0 which has the DSL IP.. then stuff goes on inside the iMac blah blah.. the traffic is then forwarded from "eth0:1" 192.168.0.1 through the HUB to 192.168.0.2 which is just regular eth0 on the DELL.

outbound traffic from the DELL goes out of eth0 from 192.168.0.2 thru the HUB to 192.168.0.1 which is "eth0:1" on the iMac... then the traffic goes out thru the DSL to the internet via the dynamic IP on eth0.

there are other things going on here besides ifconfig. Routing is important too

the DELL will not be allowed to connect to the DSL IP. This will first be implemented by editing the route table with the "route" program. And secondly both computers will have firewalls, so they will block that kind of communication. 

I realize this is not the best way of doing things, but it's absolutely free and really fun to do.

Yah, and the plan is the DSL computer will not get compromised. It's going to be running the Gentoo-Hardened-SELinux suite, including hardened-gcc, an IDS, massive logs. Not to mention it's a PowerPC system meaning it will not accept x86 binaries, which is actually a (minor) great thing in this situation.

Have I said this before? Oh well, this is fun shit!  :Smile: 

--guerrilla_thought
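As an added example (not from the thread or anyone in it), here is a shell script for the single-NIC gateway that the first post sketches with its `route add` commands and that this post builds with `ifconfig eth0:1`: it enables forwarding, masquerades the LAN behind the PPP link, and drops anything arriving on eth0 that is not addressed to the LAN, since the hub puts the DELL on the same wire as the DSL modem. The interface names ppp0/eth0 and the 192.168.0.x addresses come from the thread; the iptables rules are my assumption of what "NAT, ip forwarding" and "firewalls" would look like here.

```shell
#!/bin/sh
# Added example, not the thread author's code. Assumes the PPP link is ppp0,
# the LAN alias lives on eth0 (192.168.0.1) and the end-user box is 192.168.0.2.
# Applying the rules needs root; DRY_RUN=1 prints them instead.
WAN_IF=${WAN_IF:-ppp0}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=192.168.0.0/24
LAN_HOST=192.168.0.2

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # Let the kernel forward between the alias on eth0 and ppp0
    run sysctl -w net.ipv4.ip_forward=1
    # Clean slate, default-deny for forwarded traffic
    run iptables -F
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    # Hide LAN addresses behind the dynamic DSL address
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Only the end-user box may be forwarded out; replies return statefully
    run iptables -A FORWARD -s "$LAN_HOST" -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The DSL modem shares the hub with the LAN: nothing arriving on eth0 may
    # address the gateway's public IP (or anything else outside the LAN).
    # PPPoE frames are not IP, so this does not touch the ppp0 session.
    run iptables -A INPUT -i "$LAN_IF" ! -d "$LAN_NET" -j DROP
}

gateway_rules
```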

----------

## To

I gotta be honest I've read the first post and now the second post, and still don't understand what you needed in the first place. Let me see if I can understand: you have a box that connects to your ISP and you want to use it to nat/forward the internal traffic?

Tó

----------

## guerrilla_thought

I created this picture to help people understand this better.

http://sonic.net/~someone/images/routers2.jpg

What it boils down to is I want one computer to go thru another to connect to the internet; they both have one ethernet card each.

Yah I know, it was hard to wrap my own brain around it at first, but I'm fairly confident that this situation will work.

----------

