Rene Gallati wrote:

> Hello list,
>
> I'm having a little trouble imagining a setup I'll soon have.
>
> I am in the process of getting a routed /28 to my home LAN. What I want
> to do is to put a Linux box in front of the LAN to filter some of the
> unneeded and potentially dangerous ports. Now the box has 2 NICs, one for
> the inside, one for the outside.
>
> How should I go about setting up those NICs when
> a) the PCs in the net should have their official IP addresses from the /28 net
> and
> b) the filtering Linux box should at the same time have one IP address
> from the same range for some services it provides

I just finished one of these. I used proxy ARP to make the external interface listen to my 5 IPs (I have a /29, not a /28).

You will be led down the garden path if you try just proxy ARP; I had to use SNAT rules. You don't (normally) need DNAT, but (for me at least) _NOTHING_ will forward without SNAT. My SNAT rules start with my first external IP and work up: .154 --to .154, then .155 to .155, then .156 to .156, then .157 to .157, and finally .152/29 to .158. .153 is my default gateway.

I have asked all over the web for assistance in routing without needing SNAT, but have not been able to route such that proxy ARP works without SNAT. If you figure out how to do that, I'd really appreciate it.

I then built a rudimentary firewall for this computer. The only services it runs are sshd and identd. The firewall's main purpose is to protect a Win2K Server that sits on .157. All the other boxes have their own firewalls.

The beauty of this is that it lets me HTB-shape both incoming and outgoing packets without IMQ. The problem I have is that I made this "front line" computer out of spare parts, and the AMD 266 is not enough CPU. When HTB starts to queue/delay, things like typing at the keyboard become sluggish and packet handling slows.
Read Martin Brown's HOWTO (sorry, I've forgotten the chapter #), the LARTC HOWTO (chapter 16.2) and Dave Weiss's proxy ARP page (Weiss's setup script fails, but the write-up is correct). You can find these with Google, or I'll post URLs on request.

gypsy

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
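The layout gypsy describes (proxy ARP on both NICs, per-host SNAT rules in ascending order with a catch-all for the rest of the block, a minimal filter around sshd/identd and the protected server), written out as a script. This is an added example, not code from the post, from Weiss's page or from the LARTC HOWTO. Every concrete value in it is an assumption: the documentation block 192.0.2.152/29 in place of the real one, .153 as the ISP gateway, .154 for the firewall itself, .155-.158 for inside hosts with the server to protect on .157, and eth0/eth1 as the outside/inside NICs. It only prints the commands unless APPLY=1 is set, so it can be read and checked before touching a live box.

```sh
#!/bin/sh
# Added example, not from the post: a proxy-ARP "front line" box for a routed /29,
# with the SNAT rules laid out in the order the post describes them.
# All addresses and interface names are assumptions: block 192.0.2.152/29,
# ISP gateway .153, this box .154, inside hosts .155-.158 (the server to be
# protected on .157), outside NIC eth0, inside NIC eth1.
# Dry run by default: every command is printed. APPLY=1 executes it (root needed).

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
BLOCK="192.0.2.152/29"
GATEWAY="192.0.2.153"
FW_IP="192.0.2.154"
INSIDE_HOSTS="192.0.2.155 192.0.2.156 192.0.2.157 192.0.2.158"
ONE_TO_ONE="192.0.2.154 192.0.2.155 192.0.2.156 192.0.2.157"   # each SNAT'd to itself
CATCHALL="192.0.2.158"                                         # the rest of the block
PROTECTED="192.0.2.157"                                        # the server behind the box

# Print a command; execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# 1. Addressing and routes. The outside NIC carries the box's own address with the
#    block's mask and the default route; each inside host gets a /32 route out the
#    inside NIC. Those host routes are what let the kernel proxy-ARP for the inside
#    hosts on the outside segment.
addressing() {
    run ip addr add "$FW_IP/29" dev "$EXT_IF"
    run ip addr add "$FW_IP/32" dev "$INT_IF"      # same address on the inside NIC
    run ip route add default via "$GATEWAY" dev "$EXT_IF"
    for h in $INSIDE_HOSTS; do
        run ip route add "$h/32" dev "$INT_IF"
    done
}

# 2. Proxy ARP on both NICs: eth0 answers ARP for the inside hosts, eth1 answers
#    for the gateway (and anything else routed out eth0). Inside hosts keep their
#    /29 mask and .153 as default gateway and never learn the box is in between.
proxy_arp() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$EXT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$INT_IF.proxy_arp=1"
}

# 3. SNAT rules in the post's order: first external address upward, each mapped to
#    itself, then the whole block to the last address. A self-mapping rewrites no
#    address; its visible effect is a conntrack entry for every forwarded flow.
snat_rules() {
    for a in $ONE_TO_ONE; do
        run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$a" -j SNAT --to-source "$a"
    done
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$BLOCK" -j SNAT --to-source "$CATCHALL"
}

# 4. Rudimentary filter: the box itself only offers sshd and identd; the protected
#    server may only receive traffic belonging to connections it started; the other
#    inside hosts run their own firewalls and are forwarded untouched. Policies are
#    set last so an existing ssh session is never cut off mid-script.
filter_rules() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # sshd
    run iptables -A INPUT -p tcp --dport 113 -j ACCEPT   # identd
    run iptables -A FORWARD -d "$PROTECTED" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -d "$PROTECTED" -i "$EXT_IF" -j DROP
    run iptables -P INPUT DROP
    run iptables -P FORWARD ACCEPT
}

main() {
    addressing
    proxy_arp
    snat_rules
    filter_rules
}

main
```

Run it once without APPLY to read the command list, then as root with APPLY=1. To confirm that proxy ARP is really answering for an inside host, run `arping -I eth0 192.0.2.155` from another machine on the outside segment; the reply must carry the firewall's eth0 MAC, not the host's own. Note that the four one-to-one rules change nothing in the packet since source and target are equal; if forwarding only works once they are present, that is worth knowing when reading the conntrack table.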