I'd check out http://www.linux-firewall-tools.com/
It has a good guide on setting up a LAN, firewalling, and various basic network security issues. It also has an automatic firewall generation tool, but it's better to use the firewall it generates as a guide to writing your own rather than just plugging it in and trying to use it (which resulted in days of headaches for me before I rewrote the thing from scratch), and I don't think the tool can handle three network interfaces (although you can run it twice, and then merge the outputs into a single script).

Anyway, you're going to be using the computer as a router, basically. Networks B and C are going to be plugged only into the Linux box, and not into each other at any other point, right? If that's the case, then you will of course need to turn on IP forwarding, you'll need to set up the gateway machine to masquerade traffic between Networks A and B and Networks A and C, and you'll need to set the gateway on Network A to the gateway of your ISP. You do not need to set a gateway for Networks B or C on the gateway machine itself, because there's nowhere else for it to go on those networks! Make sure you set the netmask correctly, though (for Network C you could set it to 1.1.1.0/27 to give you a range of 1.1.1.0 to 1.1.1.32, or to 1.1.1.0/26 to give you a range of 1.1.1.0 to 1.1.1.64... take your pick). On your Network B machines, you'll want to specify the Network B IP address of the gateway machine as the gateway, and on the Network C machines, you'll want to specify the Network C IP address of the gateway machine as the gateway.

For the firewall itself, if you need it up quickly, I'd run the tool at linux-firewall-tools.com twice, once for each network, and then carefully edit them into one script, also setting rules for communication between the two local subnets. If you really want to get into it, read the TrinityOS documentation. I don't have a URL handy, but you can find it.
If you can, print it out, especially if you can print it on somebody else's printer (it's about 600 pages or so in landscape mode...). It's a brilliant network security document for Linux. Just very long.... and dry.....

Anyway, the firewall sequence should go something like this:

1. Load modules.
2. Flush the firewall.
3. Set default rules: input DENY, output and forward REJECT is the most popular setup, but it's also one of the hardest to get working correctly.
4. Allow unlimited traffic on the loopback interface.
5. Allow unlimited input/output with each of the local networks.
6. Masquerade traffic between the local interfaces and the Internet. (I don't know if you want the two networks communicating with each other, but you don't need masqing for that, just allow input/output between the two networks.)
7. Allow specific services between the local world and the Internet. See the linux-firewall-tools firewall for examples of this.

Everything else is rejected or dropped. This is a pain, having to explicitly allow everything, but it's the most secure way. Also, early in the process there's other fun stuff you typically do, i.e. block out packets from the Internet with invalid source addresses (i.e. your own IP address, class A, B, or C addresses, broadcasts, etc.); there's also a number of things in /proc you typically have your firewall fiddle with for various forms of spoofing and DoS protection.

E-mail me if you want a copy of my firewall: it's based loosely on the linux-firewall-tools firewall but was rewritten so that it actually works for me -- you have one more network, so you'd have to duplicate most parts of it for the other network, but it should be a start.

On Fri, Jul 07, 2000 at 12:30:23PM +0200, Koala wrote:
> No, not really....
>
> Network A (Internet)
> Network B (10.10.10.1/24)
> Network C (1.1.1.1/24)
>
> Currently, the normal internal (Network B) work stations use one default
> gateway. Let's say it is 10.10.10.1, and the IP addresses of the work
> stations would be in the class 10.10.10.1/24. Network C is a small group
> of 5 protected computers, lost on a HUB. Their IP addresses are 1.1.1.1/24.
> My idea was to have Network C going through a default gateway of 1.1.1.1
> (Debian with ipchains) where the second interface card goes to the normal
> Network B (10.10.10.1). Therefore, Network C can see Network B, but
> Network B can't access Network C. So, the ipchains box for Network C would
> have two ethernet cards with the following configuration:
>
> Network B eth0 10.10.10.42 gw 10.10.10.1
> Network C eth1 1.1.1.1 gw 10.10.10.42
>
> The IP 10.10.10.1 would correspond to the ipchains box of Network B. I hope
> this clears something up :)
>
> Unfortunately I don't have a way with words, so I kind of explain myself
> in a bad way? Thanks for your time and patience....
>
> Much Respect!
>
> Koala
>
> Marco Giardini wrote:
>
> > On Fri, Jul 07, 2000 at 12:03:16PM +0200, Mr.Koala wrote:
> > > Hi List,
> > >
> > > I was wondering if someone could point to a vast area about ipchains. I
> > > am trying to mount a Debian box with ipchains and two network cards. The
> > > two network cards part is going fine I think, as I am also getting help
> > > to install an NE2000 as eth1. Anyway, staying on the point, the basis is
> > > to connect a secure internal/internal network (Network C), to the normal
> > > internal network (Network B). Network B is actually connected to the
> >
> > if you have 3 networks (DMZ, internet and a LAN) you probably need 3
> > eth cards. Or have I lost something???
> >
> > .oesse.
> >
> > > Koala
> > >
> > > --
> > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> >
> > --
> > ------------------------------------------------------------------
> > Marco Giardini
> > TecnoGi spa               Tel. +39 0321 885422
> > Strada per Gravellona     Fax  +39 0321 885333
> > Borgolavezzaro (NO)       http://www.tecnogi.com
> > Key fingerprint = B5 B4 AA 91 89 50 43 8F B1 6B C6 8C 34 79 5A 7F

--
Craig McPherson
Network Admin
Baptist Student Union
Fayetteville, Arkansas
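Added example, not Craig's firewall and not the linux-firewall-tools output: a POSIX shell script that walks through the sequence he lists (modules and /proc knobs, flush, default policies, loopback, the two local networks, masquerading, a stateless one-way rule pair between Networks B and C, one inbound service, then log-and-deny everything else) in ipchains syntax for a single gateway with three interfaces. The interface names (eth0/eth1/eth2), the public address 192.0.2.10, the /27 netmask for Network C, the ip_masq_ftp module and ssh as the only inbound service are all assumptions. Setting DRYRUN=1 prints the commands instead of running them, so you can review the rule order before touching a live box.

```shell
#!/bin/sh
# Added example (not Craig's script): ipchains rules for a three-interface
# gateway following the sequence in the post above.  Interface names,
# addresses, the masq module and the inbound service are assumptions; the
# public address is from the 192.0.2.0/24 documentation range.
# Usage:  sh firewall.sh apply            (as root)
#         DRYRUN=1 sh firewall.sh apply   (print the commands only)

EXT_IF=eth0;  EXT_IP=192.0.2.10        # Network A (Internet), assumed
B_IF=eth1;    B_NET=10.10.10.0/24      # Network B
C_IF=eth2;    C_NET=1.1.1.0/27         # Network C, /27 as the post suggests
MASQ_PORTS=61000:65095                 # source-port range ipchains MASQ uses

run() {      # execute a command, or print it when DRYRUN=1
  if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
setproc() {  # write a value into a /proc/sys knob, same dry-run switch
  if [ "${DRYRUN:-0}" = 1 ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi
}

firewall_rules() {
  # 1. modules and the /proc anti-spoofing / DoS knobs
  run modprobe ip_masq_ftp                                 # active FTP through MASQ
  setproc /proc/sys/net/ipv4/ip_forward 1                  # this box is a router
  setproc /proc/sys/net/ipv4/conf/all/rp_filter 1          # reverse-path check
  setproc /proc/sys/net/ipv4/conf/all/accept_source_route 0
  setproc /proc/sys/net/ipv4/conf/all/accept_redirects 0
  setproc /proc/sys/net/ipv4/tcp_syncookies 1
  setproc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

  # 2. flush, then 3. default policies: input DENY, output/forward REJECT
  run ipchains -F
  run ipchains -P input DENY
  run ipchains -P output REJECT
  run ipchains -P forward REJECT

  # 4. loopback is unrestricted
  run ipchains -A input  -i lo -j ACCEPT
  run ipchains -A output -i lo -j ACCEPT

  # Packets from the Internet side with source addresses that can never be
  # legitimate: RFC 1918 space, loopback, our own networks, unroutable and
  # multicast.  -l logs each hit so spoofing attempts show up in syslog.
  for s in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 \
           $EXT_IP $B_NET $C_NET 0.0.0.0/8 224.0.0.0/4 255.255.255.255; do
    run ipchains -A input -i $EXT_IF -s $s -j DENY -l
  done

  # 5. unlimited input/output with each local network on its own interface
  run ipchains -A input  -i $B_IF -s $B_NET -j ACCEPT
  run ipchains -A output -i $B_IF -d $B_NET -j ACCEPT
  run ipchains -A input  -i $C_IF -s $C_NET -j ACCEPT
  run ipchains -A output -i $C_IF -d $C_NET -j ACCEPT

  # 6. masquerade both local networks out to the Internet.  In the forward
  # chain -i is the OUTGOING interface.  The rewritten packets still pass
  # the output chain, and replies come back to the masq port range.
  run ipchains -A forward -i $EXT_IF -s $B_NET -j MASQ
  run ipchains -A forward -i $EXT_IF -s $C_NET -j MASQ
  run ipchains -A output -i $EXT_IF -s $EXT_IP -j ACCEPT
  run ipchains -A input -i $EXT_IF -p tcp ! -y -d $EXT_IP $MASQ_PORTS -j ACCEPT
  run ipchains -A input -i $EXT_IF -p udp      -d $EXT_IP $MASQ_PORTS -j ACCEPT
  run ipchains -A input -i $EXT_IF -p icmp     -d $EXT_IP -j ACCEPT

  # Between the two local networks there is no masquerading.  C may open
  # TCP connections to B; B may only send non-SYN (reply) packets back to C,
  # so B cannot initiate anything toward C.  ipchains is stateless, so UDP
  # replies from B to C cannot be told apart from new traffic and are not
  # allowed here.
  run ipchains -A forward -i $B_IF -s $C_NET -d $B_NET -j ACCEPT
  run ipchains -A forward -i $C_IF -p tcp ! -y -s $B_NET -d $C_NET -j ACCEPT

  # 7. specific services from the Internet to the gateway itself: ssh only
  run ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP 22 -j ACCEPT

  # Everything else hits the default policy; log it first so you can see
  # what you forgot to allow while debugging.
  run ipchains -A input   -j DENY   -l
  run ipchains -A forward -j REJECT -l
}

if [ "${1:-}" = "apply" ]; then firewall_rules; fi
```

The order matters: the anti-spoofing DENY rules sit before any ACCEPT on the Internet interface, and the flush comes before the policies so a re-run does not leave stale rules ahead of the new ones. If you keep Koala's two-box layout instead, the inter-network pair (the two forward rules with `-s $C_NET`/`-s $B_NET`) is the part that carries over; the MASQ rules belong on whichever box holds the Internet interface.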

