On Mon, Apr 4, 2011 at 11:14 AM, Pandu Poluan <[email protected]> wrote:
> Heh, to each their own poison, I guess :-)
>
> But Diego is right: for most use-cases, Shorewall or Arno's would be enough.
>
> So it all depends on one's needs.
>

Arno's? What does it mean?

Thanks
Kaushal

> On Mon, Apr 4, 2011 at 12:24, Diego Xirinachs <[email protected]> wrote:
> > I think what Pandu suggested is great but way too advanced for some people (including me). I would say Shorewall can fulfill most people's needs, and what they say is true (Shorewall: iptables made easy). I use it and have had no problems at all with it. For me, just Shorewall + Squid does the job. I maintain 2 offices, 1 with + clients and the other one with 56; in both I have the same setup and it works very well.
> > Pandu's approach is great but, like he said, you need to know iptables more than you know your wife.
> > Cheers and hope it helped
> >
> > 2011/4/3 Pandu Poluan <[email protected]>
> >>
> >> Hello Kaushal.
> >>
> >> I've been using Ubuntu Server as a gateway and firewall since the last LTS before 10.04 LTS. Currently, my company's Internet gateway is 10.04.02 LTS, handling 4 Internet connections (2Mbps, 2Mbps, 10Mbps, 1Mbps), outgoing *and* incoming.
> >>
> >> You'll need to be familiar with iptables. And by familiar, I mean *really* familiar. I'd say I know iptables better than I know my wife :) ... well, just kidding. Sort of.
> >>
> >> You'll also need to become familiar with iproute2 if you need Policy-Based Routing (e.g., routing based on source instead of destination). And you will want to learn fwmark-based routing.
> >>
> >> If you want to throttle connections, you also have to familiarize yourself with tc. Or use tcng for a (much) friendlier way to configure tc.
> >>
> >> You will want to tune the box's networking parameters. In particular, various timeouts and buffer sizes. Oh, and use HTCP rather than CUBIC.
> >>
> >> Finally, when you've gone the highly-customized system route like I did, you can't rely on simple iptables management like iptables-persistent. Even Shorewall or Arno's can't fulfill my needs. I have to create my own 'harness' to run everything, e.g.:
> >> + Custom startup scripts to ensure ipset's sets get loaded before iptables' rules
> >> + Custom startup scripts to populate the routing table
> >> + Custom scripts to save the state of the firewall/gateway when a change has been made (so that the next startup will properly restore the state)
> >>
> >> I am currently in the process of making Python-based scripts to help in my firewall/gateway maintenance. But it's still in 'Deep Alpha' state, so I can't share it with you yet.
> >>
> >> Feel free to contact me privately if you want to see how I set things up. I'll share my scripts and configs.
> >>
> >> Rgds,
> >>
> >>
> >> On 2011-04-04, Kaushal Shriyan <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I have planned to use 10.04 LTS for setting up an Internet Gateway in my office. What should be the hardware configuration and what all recommended applications are needed?
>
>
> --
> Pandu E Poluan
> ~ IT Optimizer ~
> Visit my Blog: http://pepoluan.posterous.com
>
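As an added illustration of the 'harness' Pandu describes (sets loaded before rules, routing table populated, state saved for the next boot), here is a small sh sketch written for this thread, not Pandu's own scripts or anything posted by him or Diego. The state directory, the fwmark value, the table number and the addresses are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the scripts from the thread: a minimal save/restore
# harness in the shape Pandu describes. Paths, mark, table id and addresses
# are assumed/constructed for illustration only.
STATE_DIR="${STATE_DIR:-/var/lib/fw-harness}"   # assumed state directory
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands, don't run
FWMARK=1; RT_TABLE=100                           # assumed mark and table id
LAN_NET="10.0.0.0/24"; UPLINK_GW="192.0.2.1"     # constructed sample addresses

# Every privileged command goes through run(), so DRY_RUN=1 shows the exact
# order the harness would apply without touching the live box.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Save step: dump sets and rules after a change so the next boot restores them.
save_state() {
    run mkdir -p "$STATE_DIR"
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "ipset save > $STATE_DIR/ipset.conf" \
                      "iptables-save > $STATE_DIR/iptables.conf"
    else
        ipset save > "$STATE_DIR/ipset.conf"
        iptables-save > "$STATE_DIR/iptables.conf"
    fi
}

# fwmark-based policy routing: mark LAN traffic in mangle/PREROUTING, then
# send marked packets through a dedicated routing table with its own default.
populate_routing() {
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -j MARK --set-mark "$FWMARK"
    run ip route replace default via "$UPLINK_GW" table "$RT_TABLE"
    run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
}

# Restore step. The order is the whole point: iptables-restore rejects a
# rule that uses "-m set --match-set NAME ..." if NAME does not exist yet,
# so the sets are loaded first, then the rules, then the routing table.
restore_state() {
    run ipset restore -exist -file "$STATE_DIR/ipset.conf"
    run iptables-restore "$STATE_DIR/iptables.conf"
    populate_routing
}

case "${1:-}" in
    save) save_state ;;
    restore) restore_state ;;
esac
```

Run it as `DRY_RUN=1 sh harness.sh restore` to inspect the command order before wiring it into a startup script.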
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
