Frank,

Hook your eth0 to your service provider and put one of your "real IPs" on it
so it can talk to the world.  Hook your workstations behind the eth1 using
the private network address space like you mentioned - 192.168.x.x.  Be sure
that the workstations are addressed in the same network space as the eth1
and that their gateway is the eth1 address.  (Typically the eth1 on the
Linux box would be 192.168.0.1 and the workstation's gateway would be the
same.)

Next, set up the Linux box to do Network Address Translation with the IP
Chains configuration:
ipchains -A forward -s 192.168.0.0/16 -d 0/0 -j MASQ
That single line will turn on NAT for everything behind the eth1 with
addresses in your private network address space.

The only other thing you HAVE to do is ensure forwarding is turned on.
Check the file /proc/sys/net/ipv4/ip_forward.  It should contain the single
character "1".  That sets IP Forwarding to on.  Change it to one if it is
set to zero.  And you should be off and running.

Now, you don't have ANY protections setup at this point.  You have only got
the box working as a packet forwarding gateway with full Network Address
Translation.  If you want to provide "firewall" protections with that box
also, you have to start implementing IP Chains rules to protect yourself.
And of course, be sure that all non-essential services are turned off on
that box.

If you need some help with that area, shoot a message to me off-list and
I'll be glad to send you some sample IP Chains rules sets.  There are also
some "wizards" out on the net to help you configure a firewall rule set -
like "PMFirewall".  But beware, most wizards are either too lax or too
strict.  You typically have to fine tune the rules afterwards.

Good luck.

Chuck



Avoid the GATES of Hell --> Use Linux!

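The two steps in the reply above (the MASQ rule and the ip_forward check), written out as a small script. This is an added example, not Chuck's or the list's own rule set; it assumes eth0 faces the provider, eth1 is the 192.168.0.1 side, a 2.2-era kernel with ipchains installed, and root privileges. DRY_RUN=1 prints the ipchains commands instead of executing them so the rules can be reviewed first, and IP_FORWARD_FILE can be pointed at a scratch file for testing off the gateway. The only extra rules beyond the reply are an anti-spoofing deny (private source addresses arriving on eth0, logged) and loopback acceptance; the default policy is left at ACCEPT, so the reply's warning that no real protections exist yet still applies.

```shell
#!/bin/sh
# Added example (not from the thread): ipchains NAT gateway setup following
# the steps in the reply. Assumed names: eth0 = provider side, eth1 = LAN side
# with 192.168.0.0/16 behind it. Must run as root on a 2.2 kernel with ipchains.

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/16}
IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the ipchains commands instead of running them

# Run a command, or print it when DRY_RUN=1 so the rule set can be reviewed first.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Read the current ip_forward flag ("1" = forwarding on, "0" = off).
ip_forward_state() {
    cat "$IP_FORWARD_FILE"
}

# Turn forwarding on only if it is off; succeed only if it reads back as 1.
enable_ip_forward() {
    if [ "$(ip_forward_state)" != 1 ]; then
        echo 1 > "$IP_FORWARD_FILE" || return 1
    fi
    [ "$(ip_forward_state)" = 1 ]
}

# The single NAT line from the reply: masquerade everything from the private LAN.
add_masq_rule() {
    run ipchains -A forward -s "$LAN_NET" -d 0/0 -j MASQ
}

# Minimal sanity rules for the gateway itself (policy stays ACCEPT; this is
# not yet a firewall). Private source addresses must never arrive on the
# outside interface, so deny and log them (-l) as an early spoofing indicator.
add_baseline_input_rules() {
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$LAN_NET" -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
}

# Apply everything in the order the reply gives: forwarding, NAT, then rules.
setup_gateway() {
    enable_ip_forward || { echo "could not enable ip_forward" >&2; return 1; }
    add_masq_rule
    add_baseline_input_rules
}

# Only act when invoked as "sh gateway.sh apply"; sourcing or running without
# the argument just defines the functions.
if [ "${1:-}" = apply ]; then
    setup_gateway
fi
```

Review the output of `DRY_RUN=1 sh gateway.sh apply` before running it for real; `ipchains -L -n` afterwards shows what was installed. Writing to /proc/sys/net/ipv4/ip_forward does not survive a reboot, so the same `echo 1` (or the script itself) also belongs in the boot scripts.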

-----Original Message-----
From: Frank Oh [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 25, 2000 3:10 AM
To: [EMAIL PROTECTED]
Subject: Question about linux firewall


I want to set up our department firewall as "packet filtering firewalls" 
and "application proxy server" so that I could block certain network 
packets and log everything that people are doing.
Here is our situation:

Internet --- OSU/router --- gateway (xxx.xxx.67.1) --- Firewall --- WS/s 
(real ip addresses)
Outside                      (xxx.xxx.133.1)                    

This is how I want to set it up. Please note that I don't have any control 
over our default gateway because it doesn't belong to us and we have two 
subnets, 67 and 133. Since we have two subnets, I guess I need to have 
three ethernet cards on the firewall machine. -- ?

Anyway, I am following the firewall-HOWTO, ipchains-HOWTO, and other 
firewall books and it shows well with an example of building a firewall for 
home-based system:
having private LAN;
two ethernet cards on the firewall; eth0 - real ip; eth1 - 192.168.xxx.xxx 
< -- i finished up to this point
making the firewall as gateway/proxy with ipmasq; < - i don't think really 
need this -- ?
firewall stuff with ipchains; < - right now studying ipchain rules

I am trying to see how everything would fit into our network. I just can't 
figure out how I should make changes to our firewall. At this point, I have 
set everything up to the *arrow symbol.

In the past, I posted a question whether I could build a firewall not as a 
gateway. It seems like most of the answers that I got were yes. I guess I 
understand that it's not really necessary since all our WS/s have real ip 
addresses and recognize the default gateway. But still all our WS/s have to 
recognize that the firewall is also a gateway, wouldn't it -- ? so that the 
packet that going through can be blocked based on the ipchain rules. If 
WS/s don't recognize the firewall as a gateway, then the ipchain wouldn't 
work, right - ?

Having said all of this, I just don't know what I need to do next.
I have been struggling with this for more than a month now and everything seems odd.
Any comment/suggestion would be great. Thank you very much.




-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]