# [solved] - Test lab - need some thoughts [solved]

## Varminter

Hey all,

  I'm building a lab / test environment at my office to check firewalls and VPN tunnels before sending them out to client sites.  Here's a rough network diagram:

PC1 <10.10.10.xxx> Firewall1 <65.182.254.xxx> Gentoo <Client Public IP subnet> Firewall2 <Client LAN IP> PC2

  So, what is going to be the best way for me to set up the Gentoo box in the middle to act as a bridge / router?  I need the "public" IP of Firewall1 and Firewall2 to be able to talk to one another without being on the same subnet.  Kind of like the rest of us going to sites on the interweb.  The Gentoo box has the built-in ethernet and dual PCI ethernet cards.  I'm keeping the built-in ethernet pointed to the office LAN, and the two PCI cards are for the testing.

  I tried generic port forwarding with IPTables, but that didn't appear to work.  Bridging appears to use just one IP address and a "Null" on the other  (192.168.0.x / 0.0.0.0).  I've not tried NAT or DNS Masqing yet but I might before the day is done.

Here's the iptables script that I took and modified from the IPTables wiki / forum thread:

```
#!/bin/bash

IPTABLES='/sbin/iptables'

# Set interface values
CSRT_LAN='eth0'
CSRT_LAB='enp1s4'
CLIENT='enp1s5'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading on the office LAN interface to allow internet access
# (note: there is no FORWARD rule for $CSRT_LAB/$CLIENT -> $CSRT_LAN below;
#  that traffic relies on the FORWARD chain's default ACCEPT policy)
$IPTABLES -t nat -A POSTROUTING -o $CSRT_LAN -j MASQUERADE

# forward traffic from $CSRT_LAB to the client-side interface $CLIENT
$IPTABLES -A FORWARD -i $CSRT_LAB -o $CLIENT -m state --state NEW,ESTABLISHED -j ACCEPT

# forward traffic from $CLIENT to the lab-side interface $CSRT_LAB
$IPTABLES -A FORWARD -i $CLIENT -o $CSRT_LAB -m state --state NEW,ESTABLISHED -j ACCEPT

# Allowing access to the SSH server (on any interface)
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

# Allowing access to the HTTP server (on any interface)
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other new/invalid traffic arriving on $CSRT_LAN
$IPTABLES -A INPUT -i $CSRT_LAN -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $CSRT_LAN -m state --state NEW,INVALID -j DROP
```

I know I can get rid of the HTTP access line, and using the SSH is fine since that's how I'm getting into the box at the moment.

Here's the /etc/conf.d/net.  I'd like to be able to modify, at worst, just this file when changing from client to client.

```
# Built in NIC
config_eth2="192.168.76.51 broadcast 192.168.76.255 netmask 255.255.255.0"
routes_eth2="default via 192.168.76.46"

# CSRT Side
config_enp1s4="65.182.245.1 broadcast 65.182.245.255 netmask 255.255.255.0"
# host route via our own address; the connected /24 the kernel adds already covers this
routes_enp1s4="65.182.245.0 via 65.182.245.1"

# Client side - CHANGE THIS AREA ONLY!!!!!!
# NOTE: .148 is the network address of this /30; the usable hosts are .149 and .150
config_enp1s5="40.150.98.148 broadcast 40.150.98.151 netmask 255.255.255.252"
# host route to .149 via our own address; the connected /30 already reaches .149
routes_enp1s5="40.150.98.149 via 40.150.98.148"
```

And actually this brings up a side note.  Bogons.  I know these IPs that I'm using for the testing are not being used on the web; I've tried looking them up (nslookup) and found nothing.  But if I try to use the client's actual IP address range:

```
# Client side - CHANGE THIS AREA ONLY!!!!!!
# NOTE: .148 is the network address of this /30; the usable hosts are .149 and .150
config_enp1s5="75.150.98.148 broadcast 75.150.98.151 netmask 255.255.255.252"
# host route to .149 via our own address; the connected /30 already reaches .149
routes_enp1s5="75.150.98.149 via 75.150.98.148"
```

I get this with the routing tables:

```
netstat -r

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         pfsense.csrtit. 0.0.0.0         UG        0 0          0 eth2
75-150-98-148-n *               255.255.255.252 U         0 0          0 enp1s5
75-150-98-149-n 75-150-98-148-n 255.255.255.255 UGH       0 0          0 enp1s5
loopback        localhost       255.0.0.0       UG        0 0          0 lo
192.168.76.0    *               255.255.255.0   U         0 0          0 eth2
```

Any thoughts on that too?

Thanks in advance from a networking novice!

--

Rich

Last edited by Varminter on Tue Feb 11, 2014 5:33 pm; edited 2 times in total
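The two addressing problems in the post above, a /30 whose first address (.148) is the network address rather than a host, and "unused" public space chosen by nslookup, can both be checked before editing /etc/conf.d/net. The following is an added example, not code from the thread: it uses Python's standard ipaddress module, the thread's own addresses as constructed sample input, and the RFC 5737 documentation blocks plus the RFC 1918 / RFC 6598 private blocks as the list of space that is safe to use as fake "public" addresses in a lab.

```python
"""Address sanity checks for a lab router (added example, not from the thread).

Two things worth checking before a /etc/conf.d/net edit:
  1. In a /30 the first address is the network and the last the broadcast,
     leaving exactly two usable hosts. Putting the router on x.x.x.148 of an
     x.x.x.148/30 block is a configuration error.
  2. An address range not answering reverse DNS is not the same as unallocated.
     RFC 5737 reserves 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 for
     documentation/test use; those (or RFC 1918 space) are the safe choice for
     fake "public" addresses in a lab.
Sample addresses below are constructed from the thread's own values.
"""
import ipaddress

# RFC 5737 documentation ranges: safe to use as fake public space in a lab.
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
# RFC 1918 private ranges plus RFC 6598 shared space, link-local and loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]


def describe_subnet(cidr):
    """Network, usable host range and broadcast for an 'address/prefix' string."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    # hosts() excludes the network and broadcast addresses for prefixes < 31;
    # /31 and /32 have no such reserved addresses, so every address is usable.
    hosts = list(net.hosts()) if net.prefixlen < 31 else list(net)
    return {
        "address": str(iface.ip),
        "prefixlen": net.prefixlen,
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "address_is_usable": iface.ip in hosts,
    }


def address_class(addr):
    """'documentation', 'private' or 'global' (global = someone may own it)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in DOC_NETS):
        return "documentation"
    if any(ip in n for n in PRIVATE_NETS):
        return "private"
    return "global"


def check_router_address(cidr):
    """Return a list of findings; an empty list means the address is fine for a lab."""
    info = describe_subnet(cidr)
    findings = []
    if not info["address_is_usable"]:
        findings.append(
            "%s is the network or broadcast address of %s/%d; usable hosts are %s-%s"
            % (info["address"], info["network"], info["prefixlen"],
               info["first_host"], info["last_host"]))
    if address_class(info["address"]) == "global":
        findings.append(
            "%s is not in a documentation or private range; use RFC 5737 space "
            "(e.g. 203.0.113.0/24) for fake public addresses" % info["address"])
    return findings


if __name__ == "__main__":
    # Constructed from the thread: the broken client-side address, the fixed
    # one, and what a documentation-range equivalent would look like.
    for cidr in ("40.150.98.148/30", "75.150.98.150/30", "203.0.113.2/30"):
        print(cidr, describe_subnet(cidr), check_router_address(cidr) or "ok")
```

Reverse DNS (nslookup) only says whether a PTR record exists; it says nothing about whether a block is allocated or routed, so the classification here goes by reserved range rather than by lookup.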

----------

## 666threesixes666

iptables was one of those packages I deemed too crazy for me to learn...  You remind me that nftables should be supported by my kernel.  Quagga & BIRD do OSPF, RIP and BGP afaik.....

It's probably not working because you need to set up routes.  See if it works with iptables turned off....  If not, then you probably need a route set.

https://wiki.gentoo.org/wiki/Static_Routing

----------

## Varminter

edit:  Updated the iptables script with the latest settings.  These now route from LAB <-> CLIENT when the IPs match; otherwise all traffic is routed out LAN to the real internet.

Got it fixed.  The firewalls I'm working on are pfSense, and there was no check box for reply to ping on WAN.  I took the time this morning to ping my Global Research Team (a.k.a. Google) and found I needed to create a simple firewall rule on the WAN side, and everything worked.  That, and I was using an invalid IP for the subnet for $CLIENT_WAN since it is a 255.255.255.252 netmask.  Anyway, here are the configs that I'm using.  The nice thing is I've got what I wanted: a bridging environment that I only have to change 1 file for:  /etc/conf.d/net.

/etc/conf.d/net:

```
# Built in NIC - CSRT LAN
config_eth0="192.168.76.51 broadcast 192.168.76.255 netmask 255.255.255.0"
routes_eth0="default via 192.168.76.46"

# CSRT Lab Side
config_enp1s4="65.182.245.1 broadcast 65.182.245.255 netmask 255.255.255.0"
# host route via our own address; the connected /24 the kernel adds already covers this
routes_enp1s4="65.182.245.0 via 65.182.245.1"

# Client side - CHANGE THIS AREA ONLY!!!!!!
# 75.150.98.148/30: .148 is the network address, .149 and .150 are the usable hosts, .151 is broadcast
config_enp1s5="75.150.98.150 broadcast 75.150.98.151 netmask 255.255.255.252"
# host route to 75.150.98.0 via our own address; the firewall at .149 is reached
# through the connected /30, so the lab traffic does not use this route
routes_enp1s5="75.150.98.0 via 75.150.98.150"
```

$HOME/ip_script.sh: An iptables script that did my initial settings for IPTables.

```
#! /bin/bash

IPTABLES='/sbin/iptables'

# Define interfaces
CSRT_LAN_IF='eth0'
CSRT_LAB_IF='enp1s4'
CLIENT_WAN_IF='enp1s5'

# Get interface IPs (first IPv4 address on each interface, prefix length stripped)
CSRT_LAN_IP=$(ip -4 -o addr show dev "$CSRT_LAN_IF" | awk '{print $4}' | cut -d/ -f1 | head -n 1)
CSRT_LAB_IP=$(ip -4 -o addr show dev "$CSRT_LAB_IF" | awk '{print $4}' | cut -d/ -f1 | head -n 1)
CLIENT_WAN_IP=$(ip -4 -o addr show dev "$CLIENT_WAN_IF" | awk '{print $4}' | cut -d/ -f1 | head -n 1)

# Get interface networks: the connected route the kernel adds for each interface
# (e.g. 65.182.245.0/24), which the -s/-d matches below are built from
CSRT_LAN_NET=$(ip -4 route list proto kernel dev "$CSRT_LAN_IF" | awk '$1 != "default" {print $1; exit}')
CSRT_LAB_NET=$(ip -4 route list proto kernel dev "$CSRT_LAB_IF" | awk '$1 != "default" {print $1; exit}')
CLIENT_WAN_NET=$(ip -4 route list proto kernel dev "$CLIENT_WAN_IF" | awk '$1 != "default" {print $1; exit}')

# Flush old rules and chains
echo "Flushing old rules and chains"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# Auto-accept some stuff
# NOTE: these three rules are inserted at the top of INPUT and accept everything
# arriving on all three interfaces, so the INPUT rules further down (the SSH-only
# rule and the RULE_6 REJECT) are never reached for traffic on these interfaces.
echo -e " - Allowing $CSRT_LAN_IF access"
$IPTABLES -I INPUT 1 -i "$CSRT_LAN_IF" -j ACCEPT
echo -e " - Allowing $CSRT_LAB_IF access"
$IPTABLES -I INPUT 1 -i "$CSRT_LAB_IF" -j ACCEPT
echo -e " - Allowing $CLIENT_WAN_IF access"
$IPTABLES -I INPUT 1 -i "$CLIENT_WAN_IF" -j ACCEPT

# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ================ Table 'nat',  rule set NAT
#
# Rule 0 (NAT)
#
echo "NAT Rules";
echo " - NAT 0 - SNAT to $CSRT_LAN_IP anything from $CSRT_LAB_NET going out $CSRT_LAN_IF"
# (traffic for $CLIENT_WAN_NET leaves via $CLIENT_WAN_IF, so it never matches this rule)
$IPTABLES -t nat -A POSTROUTING -o "$CSRT_LAN_IF" -s "$CSRT_LAB_NET" -j SNAT --to-source "$CSRT_LAN_IP"
#
# Rule 1 (NAT)
#
echo " - NAT 1 - SNAT to $CSRT_LAN_IP anything from $CLIENT_WAN_NET going out $CSRT_LAN_IF"
# (traffic for $CSRT_LAB_NET leaves via $CSRT_LAB_IF, so it never matches this rule)
$IPTABLES -t nat -A POSTROUTING -o "$CSRT_LAN_IF" -s "$CLIENT_WAN_NET" -j SNAT --to-source "$CSRT_LAN_IP"

# ================ Table 'filter', rule set Policy
#
# Rule 0 ($CSRT_LAN_IF)
#
echo "Routing Rules";
echo " - Rule 0 - Allow anything out to the $CSRT_LAN_NET from this server $CSRT_LAN_IP"
# NOTE: the INPUT rule matches inbound packets whose *source* is this server's own
# LAN address (which only a spoofed packet would carry); the OUTPUT rule is the one
# that actually lets the server open connections onto the LAN
$IPTABLES -A INPUT -i "$CSRT_LAN_IF" -s "$CSRT_LAN_IP" -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o "$CSRT_LAN_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 1 ($CSRT_LAN_IF)
#
echo " - Rule 1 - allow SSH access to this server"
$IPTABLES -A INPUT -i "$CSRT_LAN_IF" -p tcp -m tcp -s "$CSRT_LAN_NET" -d "$CSRT_LAN_IP" --dport 22 -m state --state NEW -j ACCEPT
# (the OUTPUT counterpart never matches: packets to $CSRT_LAN_IP go via lo, not out
#  $CSRT_LAN_IF, and SSH replies are already covered by the ESTABLISHED,RELATED rule above)
$IPTABLES -A OUTPUT -o "$CSRT_LAN_IF" -p tcp -m tcp -s "$CSRT_LAN_NET" -d "$CSRT_LAN_IP" --dport 22 -m state --state NEW -j ACCEPT
#
# Rule 2 (global)
#
echo " - Rule 2 - Forward anything from $CSRT_LAB_NET on $CSRT_LAB_IF for $CLIENT_WAN_NET out $CLIENT_WAN_IF"
$IPTABLES -A FORWARD -i "$CSRT_LAB_IF" -s "$CSRT_LAB_NET" -o "$CLIENT_WAN_IF" -d "$CLIENT_WAN_NET" -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 3 (global)
#
echo " - Rule 3 - Forward anything from $CLIENT_WAN_NET on $CLIENT_WAN_IF for $CSRT_LAB_NET out $CSRT_LAB_IF"
$IPTABLES -A FORWARD -i "$CLIENT_WAN_IF" -s "$CLIENT_WAN_NET" -d "$CSRT_LAB_NET" -o "$CSRT_LAB_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 4 (global)
#
echo " - Rule 4 - Forward anything from $CSRT_LAB_NET on $CSRT_LAB_IF for !$CLIENT_WAN_NET out $CSRT_LAN_IF"
#$IPTABLES -A FORWARD -i $CSRT_LAB_IF -s $CSRT_LAB_NET -d $CSRT_LAN_NET -o $CSRT_LAN_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i "$CSRT_LAB_IF" -s "$CSRT_LAB_NET" -o "$CSRT_LAN_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 5 (global)
#
#$IPTABLES -A FORWARD  -s $CLIENT_WAN_NET   -d $CSRT_LAB_NET   -m state --state NEW  -j ACCEPT
echo " - Rule 5 - Forward anything from $CLIENT_WAN_NET on $CLIENT_WAN_IF for !$CSRT_LAB_NET out $CSRT_LAN_IF"
$IPTABLES -A FORWARD -i "$CLIENT_WAN_IF" -s "$CLIENT_WAN_NET" -o "$CSRT_LAN_IF" -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Rule 6 (global)
#
echo " - Rule 6 - deny all unsolicited $CSRT_LAN_NET access to either $CSRT_LAB_NET or $CLIENT_WAN_NET"
# RULE_6 is the catch-all at the end of all three chains: anything not accepted above
# is rejected, including new connections this server itself opens out of $CSRT_LAB_IF
# or $CLIENT_WAN_IF (Rule 0 only allows NEW in OUTPUT on $CSRT_LAN_IF)
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -j RULE_6
$IPTABLES -A INPUT -j RULE_6
$IPTABLES -A FORWARD -j RULE_6
#$IPTABLES -A RULE_6 -j LOG  --log-level info --log-prefix "RULE 6 -- DENY "
$IPTABLES -A RULE_6 -j REJECT

echo "...done."
exit 0
```

--

Rich
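The working script above accepts everything inbound on all three interfaces with `-I INPUT 1 -i <if> -j ACCEPT`, so the SSH-only rule and the RULE_6 REJECT never see traffic from those interfaces. Below is an added example, not the thread's script, of the same three-legged lab router with default-DROP policies: SSH only from the office LAN, ICMP echo from the test legs (so the pfSense WAN pings are answered by the router too), explicit lab <-> client forwarding with source and destination pinned to the right interface, and masquerading for anything else out the LAN. Interface names and networks are taken from the thread and are assumptions; the `DRY_RUN` mechanism is mine and is on by default, so running the script prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example (not the thread's own script): a three-legged lab router with
# default-DROP policies. Interface names and networks are assumed from the thread;
# override any of them in the environment. Nothing is applied unless DRY_RUN=0;
# by default each command is printed so the rule list can be reviewed first.

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

LAN_IF="${LAN_IF:-eth0}"          # office LAN: default route, SSH management
LAN_NET="${LAN_NET:-192.168.76.0/24}"
LAB_IF="${LAB_IF:-enp1s4}"        # "public" side of Firewall1
LAB_NET="${LAB_NET:-65.182.245.0/24}"
CLIENT_IF="${CLIENT_IF:-enp1s5}"  # "public" side of Firewall2 (client WAN)
CLIENT_NET="${CLIENT_NET:-75.150.98.148/30}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
ipt() { run "$IPTABLES" "$@"; }

gen_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -F
    ipt -t nat -F
    ipt -X

    # Default deny; everything below is an explicit allow.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Drop what conntrack cannot classify, accept replies to allowed traffic.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # Management: SSH only from the office LAN, and only on the LAN interface.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Let the office and the firewalls under test ping the router itself;
    # nothing else on the router is reachable from the test legs.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$LAB_IF" -s "$LAB_NET" -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$CLIENT_IF" -s "$CLIENT_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # Lab <-> client, with source and destination pinned to the right interface so
    # a misconfigured firewall cannot inject traffic using the other side's addresses.
    ipt -A FORWARD -i "$LAB_IF" -s "$LAB_NET" -o "$CLIENT_IF" -d "$CLIENT_NET" -j ACCEPT
    ipt -A FORWARD -i "$CLIENT_IF" -s "$CLIENT_NET" -o "$LAB_IF" -d "$LAB_NET" -j ACCEPT

    # Anything else from either test leg goes to the real internet via the office
    # LAN, masqueraded behind the router's LAN address.
    ipt -A FORWARD -i "$LAB_IF" -s "$LAB_NET" -o "$LAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$CLIENT_IF" -s "$CLIENT_NET" -o "$LAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAB_NET" -j MASQUERADE
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$CLIENT_NET" -j MASQUERADE

    # Log (rate-limited) what the default policy is about to drop, for debugging.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "LABRTR INPUT DROP "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "LABRTR FWD DROP "
}

# count_rules CHAIN: number of generated -A rules in CHAIN, for review.
count_rules() {
    ( DRY_RUN=1; gen_rules ) | grep -c -- "-A $1 "
}

gen_rules
```

Review the printed list first, then run it again as root with `DRY_RUN=0` to apply and check the result with `iptables -S`. With the default-DROP INPUT policy, anything else the firewalls need to reach on the router itself (not just through it) has to be added as an explicit rule on the matching test-leg interface.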

----------

