[NTLUG:Discuss] pass all packets between two nics

severian@pobox.com severian at pobox.com
Wed Jun 4 12:58:11 CDT 2003


In response to the welcome remarks of Rob Apodaca at 06:28 AM 6/4/03 -0400:
>On Wed, 04 Jun 2003 03:08:48 -0500
>severian at pobox.com wrote:
>
> > Howdy,
> >    I set up a SuSE 8.2 box that will be a VPN server, I hope.  I want to
> > prove to myself that having this box in the path between their internet
> > connection and the rest of the office will not cause any problems.  I think
> > I should start by connecting one nic to the Cisco router and the second nic
> > to the office switch that the router currently goes to.  I need to have my
> > new machine pass everything between the two nics.  This leads me to several
> > questions.
>Let me see if I understand your proposed setup:
>
>Internet --- Cisco Router --- Suse Router --- LAN
>
>Is this correct?
    Yes, this is what I intend.



> >    1.  Is there a name for what I want the computer to do with the two
> > nics?  I ask because I have been searching for details on how to do this
> > without success.  If there is some term I should search on, maybe my luck
> > would be better.
>It seems you want the Suse box to route IP traffic between the cisco router
>and the LAN. I would start with the search term 'linux router'.  But, it is
>really quite simple to do once the multiple interfaces are installed. Simply
>type:
>$ echo 1 > /proc/sys/net/ipv4/ip_forward
>This tells the machine to forward any incoming packets which are destined for
>another network to try to forward them on to an appropriate network. It looks
>in its route tables to do this. Type 'route' to see your current route tables.
>However, this does require a kernel with routing enabled...I don't know if
>stock Suse Kernels have it or not.
    Well, that makes sense.  I'll read up on routing.


> >    2. I was going to start by leaving ethereal running for a few days
> > monitoring one of the nics.  From reading the ethereal manual, I see this
> > is not the normal way people run ethereal.  The manual suggests plugging
> > the monitored nic into a hub (not a switch) that carries traffic you want to
> > monitor and I can see why this is the normal case.  My machine will need to
> > be in the middle to unencrypt and pass traffic to the internal network from
> > the insecure internet.  Is there a problem with what I propose?
>The machine does not need to sit between the cisco and the LAN to do this.

   If you mean the machine does not need to be in the network path to run 
ethereal, I understand that.  This is only as a test to see what effect it 
has on the network.  When I switch this to a VPN server from just an 
ethereal monitor, I pictured the machine as needing to be in the path.  See 
below for more details.
   If you mean it does not need to be in the path to decrypt the VPN traffic, then 
that may be good news.  I thought I would need that, but I hoped I would 
not.  I think I spell this out below.


> >    3.  SuSE does not include the autologin package.  Is this just because
> > it is normally a security risk or is there something odd about SuSE that
> > causes problems for autologin?  In the case of power failures, I need to
> > have this machine restart so the customer can still use the net.
> > Your comments will be welcomed,
>Why would you need the autologin feature? In the case of power failure, you
>could use a battery backup.
   I thought about adding a UPS, but I don't know that a UPS would be as 
good as just making the machine start up right.  If I depend on a UPS and a 
power outage occurred on the weekend and lasted longer than the UPS, I'd 
still have a problem.
   Maybe I don't need autologin.  Another message suggested creating 
startup scripts to get the programs I need running.  I'm going to try that out.

>After reading your questions, I'm not sure I understand what it is exactly you
>are trying to do. You mention VPN, does that mean you intend to allow remote
>computers or networks access to your LAN? If so, you can accomplish that
>without the Suse box needing two nics. You will need to determine which type
>of VPN you will want to run. Then, forward the applicable port(s) from your
>cisco router to your Suse box and set up route tables accordingly.
>
>Maybe if you provide some more specifics about your network topology we can
>help some more. If in fact you are trying to setup a VPN between two LAN's or
>PC's or whatever, this is not an uncommon thing to do with Linux... you just
>need to figure out which method you want to use.
   I'll try to lay this out.  The reason I am doing this is to allow 3 
different users to be able to control 2 different Windows (ugh, but I can't 
change this) machines at the office from their home machines.  I'll be 
using something like VNC, but I need security since it will be passing over 
the internet to get from their homes to the office.  The Cisco router is a 
closed box to me that I can't directly configure.  It is owned by the 
ISP.  I can call them and ask them to forward ports.  But, part of the 
reason for adding my router is to have more direct control and be able to 
adjust things myself.
   I am getting a few static IPs to set up the VPNs.  I see two ways I 
could do this.
   A.  Set up both machines that will be remote controlled as VPN servers 
with their own static IP address.  In this case, I still need the extra 
machine because I need to add a firewall to stop nasty stuff from getting 
to the two office machines.  Each machine would also run VNC server.
   B.  Set up the Linux box as a router and as the only VPN server.  The 
users would connect to this machine from home on different ports depending 
on which machine they wanted to control.  The Linux box would forward to 
the appropriate machine where the VNC server software would be running.

   Now, I pictured this as having the SuSE Linux box be in line with the 
other machine.  Something like this:
    Internet -- Cisco -- SuSE -- Company LAN
   I also thought about something like this
     Internet -- Cisco -- Company LAN
                       |---SuSE --- |
   What I mean by this is that the SuSE Linux box would just be connected 
to the company LAN like any machine, but have a static IP address.  The VPN 
server would run here.  If a connection came in for that machine, the VPN 
traffic would be decrypted and then just fed back into the company 
LAN.  This has the advantage of not interfering with any traffic that is 
not VPN.  But, I don't know if it will work.  I have a book on order called 
"Building Linux Virtual Private Networks" that I hope will clear some of 
this up.

>Cheers,
>-Rob
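As an added example that is not part of this thread, here is a small POSIX sh script that checks whether a box is set up to route between two nics the way Rob describes: ip_forward on, the default route leaving via the interface facing the Cisco, and the office network reachable via the other interface. The interface names (eth0/eth1), the addresses and the sample `route -n` output are constructed; the ip_forward file path is the real one but can be overridden.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity checks for the
# "Internet -- Cisco -- SuSE -- LAN" router described above.
# Inputs are passed as arguments so the checks can run against
# captured `route -n` output; interface names and addresses are made up.

# Interface carrying the default route (Destination 0.0.0.0, flag G).
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $8; exit }'
}

# Succeeds if a route to NETWORK ($2) exists on interface IFACE ($3).
has_route_via() {
    printf '%s\n' "$1" |
        awk -v net="$2" -v dev="$3" '$1 == net && $8 == dev { found = 1 } END { exit !found }'
}

# Succeeds if forwarding is on; $1 overrides the sysctl file (for testing).
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# All three checks: routes text $1, ip_forward file $2 ("" = live file),
# WAN iface $3, LAN network $4, LAN iface $5.  Note that with ip_forward=1
# the box passes everything between the nics, so filtering rules belong
# on it before it goes in line.
router_ready() {
    forwarding_enabled "$2" || { echo "ip_forward is not 1" >&2; return 1; }
    [ "$(default_route_iface "$1")" = "$3" ] || { echo "default route not via $3" >&2; return 1; }
    has_route_via "$1" "$4" "$5" || { echo "no route to $4 via $5" >&2; return 1; }
}

# Constructed `route -n` output: eth0 faces the Cisco, eth1 faces the LAN.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
203.0.113.0     0.0.0.0         255.255.255.248 U     0      0        0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0'

# Live check on this machine (real route table and sysctl): sh router.sh --live
if [ "${1:-}" = "--live" ]; then
    router_ready "$(route -n)" "" eth0 192.168.1.0 eth1 && echo "router ready"
fi
```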