On Thu, 11 Apr 2002, Mike Egglestone wrote:

> Thanks for the tips!
> So just to understand:
>
> Say the Cisco router is
> x.x.x.254
>
> I would set eth0 on the debian box to
> x.x.x.253 (same side as Cisco)
> and set eth1 on the debian box to
> x.x.x.252 (local side)
>
> Then set everything behind the debian box to
> x.x.x.251 or lower?
>
> I would set the gateway for everything behind the debian
> box to
> x.x.x.252 ?
>
> I would set IP forwarding via /etc/network/options
> Then use iptables (woody with kernel 2.4) to set the filters etc.
>
> This sound ok?

This is by and large what has been working fine here at my institute for
more than two years.

> I'm not too familiar with proxy-arp, so this isn't essential?
> Would proxy-arp be like intercepting workstation packets destined
> to the cisco gateway to go thru the debian box instead?

Yes. Proxy-arp comes in handy if you just want to touch absolutely nothing
on the clients and transparently plug the firewall between them and the
router.

Another solution for even more complete transparency is to use a
firewalling bridge, see http://bridge.sourceforge.net for more resources on
that. The latter solution is probably the best, as it even allows you to set
up two identical machines side by side, and they will automagically agree
that one actually does bridging while the other sits in standby, ready to
take over with virtually no downtime should the first one fail (hardware
problems hurt...). But this extra flexibility comes at a cost: you have to
patch the kernel, learn to use some more user space tools to handle the
bridging part, probably use both iptables and ebtables (you find patches and
user space tools at the URL above), the former to handle IP, the latter to
handle firewalling of network protocols other than IP.

The (simpler) working solution I have here is just based on
proxy-arp+iptables.

> I would probably have a dhcp server setup to assign the
> workstations their IP's and set their gateway to that of
> the Debian's eth1. (x.x.x.252)

which means that you can easily handle the configuration of the clients and
don't need proxy-arp.

Have fun
Giacomo

--
_________________________________________________________________
Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 248    Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddie Mercury)
_________________________________________________________________
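The proxy-arp+iptables layout discussed in this thread, written out as a script. This is an added example for the thread, not Giacomo's or Mike's actual configuration: it assumes iproute2 (`ip`) is installed alongside the 2.4 kernel's `/proc/sys` interface, fills the thread's `x.x.x` prefix with the constructed documentation range `192.0.2`, and takes the interface names eth0/eth1 from the thread. The two `proxy_arp` sysctls are what let the clients keep `.254` as their gateway without any change; if the DHCP server hands out `.252` instead, as Mike plans, those two lines can be dropped, as Giacomo notes. The script only prints the commands unless `DRY_RUN=0` is set, so it can be inspected before being run as root.

```shell
#!/bin/sh
# Transparent (proxy-arp) Debian firewall between a router and a LAN that
# share one subnet. Added example, not the configuration from the thread.
# Addresses follow the thread's scheme with "x.x.x" replaced by the
# constructed placeholder prefix 192.0.2 (assumption).
ROUTER=${ROUTER:-192.0.2.254}   # the Cisco, x.x.x.254
OUTER=${OUTER:-192.0.2.253}     # eth0, router side, x.x.x.253
INNER=${INNER:-192.0.2.252}     # eth1, LAN side, x.x.x.252
LAN=${LAN:-192.0.2.0/24}        # the shared subnet; clients are .251 and below
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
# Default is to print the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Writing sysctls through /proc works on the 2.4 kernels the thread mentions.
set_sysctl() {
    # $1 = path below /proc/sys/net/ipv4, $2 = value
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $2 > /proc/sys/net/ipv4/$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

configure_addressing() {
    # The router-side address is a /32 so the kernel does not install a
    # second, conflicting route for the subnet; the LAN side owns the /24.
    run ip addr add "$OUTER/32" dev "$WAN_IF"
    run ip addr add "$INNER/24" dev "$LAN_IF"
    # Host route to the router out the outer interface, default via the router.
    run ip route add "$ROUTER/32" dev "$WAN_IF"
    run ip route replace default via "$ROUTER" dev "$WAN_IF"
}

configure_proxy_arp() {
    set_sysctl ip_forward 1
    # LAN side answers ARP for the router's address, so clients that keep
    # .254 as gateway send through the firewall; router side answers ARP
    # for the LAN hosts, so return traffic does the same.
    set_sysctl "conf/$LAN_IF/proxy_arp" 1
    set_sysctl "conf/$WAN_IF/proxy_arp" 1
}

configure_filtering() {
    # Deny-by-default forwarding: only LAN-initiated sessions and their
    # replies pass. "-m state" needs ip_conntrack, shipped with 2.4 iptables.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" \
        -m state --state NEW -j ACCEPT
    # Everything else is logged before the chain policy drops it.
    run iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "
}

configure_all() {
    configure_addressing
    configure_proxy_arp
    configure_filtering
}

configure_all
```

Run it once as-is to review the twelve commands it would issue, then `DRY_RUN=0 sh firewall.sh` as root to apply them; the hostname of the script is an assumption.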

