CMVV wrote:

> Hello people,
> I'm a newbie but I need to implement a firewall in my system. I need to do it
> cheap and reliable so I'll do it with Linux.
> Description of the existing system:
> 
> - two ISDN BRI (my ISP works with dynamic addressing)
> In the IP Masq Howto I didn't understand how it works with a dynamic address!

the following should work across address changes without problems:

  echo 1 > /proc/sys/net/ipv4/ip_forward
  ipchains -P forward DENY
  ipchains -A forward -i $extif -j MASQ

where $extif is the device name of your external interface

if you need a firewall as well, it's not that simple because you'll
have to allow the dhcp traffic in your firewall rules and you'll
probably need to reload your firewall/masq rules whenever the address
changes. man pump for details on getting things to happen whenever the
address changes (i.e. put firewall reload commands in
/etc/dhcpc/dhcpcd-${extif}.exe).

> - one ISDN Router with 2 ISDN in (Zyxel Prestige 480)
> I also use it for remote users access by ISDN line.
> It implements NAT (so, why Masq? Because I don't understand very well how
> security is implemented with what they call rules.).

if what you need is a firewall, then it's worth learning about.
if all you need is masquerading then you might get away with not
learning about it :) look up (book) building internet firewalls,
(web) trinityos, bastille, (downloads) go to places like freshmeat.net
and look for firewall/masq/nat administration scripts. they may be
helpful.

> IP address 200.0.0.80 (should I change it to 192.168.X.X?)
> - one box with 2 NICs (what IPs should I give to the external and internal
> NIC?)
> RH Linux with kernel 2.2.12
> Pentium 166, 64 RAM, 4Gb
> Is that a good idea to put it "in the middle" of the router and the LAN?
> - my LAN with 70 clients with dynamic address (DHCP) 200.0.0.X, netmask
> 255.255.255.0

a diagram of the network would help. is that a real/public ip address
or a made up one for internal use? if it's for internal use then you
should change it. then again, since you're masquerading anyway, you
don't need to change them (but you should anyway).

raf
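
Added example, not part of raf's message: a reload script of the kind the reply suggests running whenever the external address changes. It shows why the reload is needed once you add firewall rules, since several of them name the current address. The function name gen_rules, the variables EXTIF, EXTIP, INTNET and APPLY, and the policy itself are assumptions for illustration; how the hook learns the new address is left to the caller.

```shell
#!/bin/sh
# Added example: regenerate ipchains firewall + masq rules for the current
# external address. Hypothetical names: gen_rules, EXTIF, EXTIP, INTNET, APPLY.
# The policy is a minimal assumed one, not a complete firewall.

# Print the rule set for external interface $1, its current address $2 and
# internal network $3. Printing first lets you review before loading.
gen_rules() {
    extif=$1 extip=$2 intnet=$3
    cat <<EOF
ipchains -F input
ipchains -F forward
ipchains -P input DENY
ipchains -P forward DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i ! $extif -s $intnet -j ACCEPT
ipchains -A input -i $extif -s $intnet -j DENY -l
ipchains -A input -i $extif -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT
ipchains -A input -i $extif -p tcp ! -y -d $extip -j ACCEPT
ipchains -A input -i $extif -p udp -d $extip 61000:65095 -j ACCEPT
ipchains -A input -i $extif -p icmp -d $extip -j ACCEPT
ipchains -A forward -i $extif -s $intnet -j MASQ
EOF
}
# Rule notes:
#  - the DENY -l line logs and drops packets that claim an internal source
#    but arrive on the external interface (spoofing)
#  - udp 67 -> 68 is the dhcp traffic the firewall has to let in
#  - "! -y" accepts only non-SYN tcp, i.e. replies, not new inbound connections
#  - 61000:65095 is the port range 2.2 kernels use for masqueraded traffic
#  - every rule with "-d $extip" goes stale when the address changes

# Dry run by default; set APPLY=1 (as root) to load the rules.
if [ -n "${EXTIF:-}" ] && [ -n "${EXTIP:-}" ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        gen_rules "$EXTIF" "$EXTIP" "${INTNET:-192.168.1.0/24}" | sh
    else
        gen_rules "$EXTIF" "$EXTIP" "${INTNET:-192.168.1.0/24}"
    fi
fi
```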
