Re: Howto route through

Linux Advanced Routing and Traffic Control

gypsy wrote:

Rene Gallati wrote:

Hello list,

I'm having a little trouble imagining a setup I'll soon have.

I am in the process of getting a routed /28 to my home LAN. What I want
to do is to put a Linux box in front of the LAN to filter some of the
unneeded and potentially dangerous ports. Now the box has 2 NICs, one for
the inside, one for the outside.

How should I go on to setup those NICs when
a) the PCs in the net should have their official IP address from the /28 net
and
b) the filtering linux box should at the same time have one IP address
from the same range for some services it provides

I just finished one of these.

I used proxyARP to make the external interface listen to my 5 (I have a
/29 not a /28) IPs.

This is one of the options I am considering at the moment, though I lean a bit more towards transparent bridge filtering.

You will be led down the garden path if you try
just proxyARP; I had to use SNAT rules.  You don't (normally) need DNAT,
but (for me at least) _NOTHING_ will forward without SNAT.  My SNAT
rules start with my first external IP and work up: .154 --to .154 then
.155 to .155 then .156 to .156 then .157 to .157 and finally .152/29 to
.158.  .153 is my default gateway.

I have asked all over the web for assistance in routing without needing
SNAT but have not been able to route such that proxyARP works without
SNAT.  If you figure out how to do that, I'd really appreciate it.

I believe I've done it once, in a test environment. Enabling only proxy ARP on the devices in sysctl should be sufficient iff the routing table is correct for that environment. You also need the same IP address assigned to both NICs, otherwise you do indeed need SNAT for the return packets. But when you do that the routing table has the same net on both interfaces, and you need to delete it from the upstream NIC and insert a simple route that reaches the next hop device there, so that it is more specific than the network /29 route. At least that is about as much as I remember, but it was some time ago and on a kernel 2.4 (I've been using 2.6 for quite some time now).


I then built a rudimentary firewall for this computer.  The only
services it runs are sshd and identd.  The firewall's main purpose is to
protect a Win2K Server that sits on .157.  All the other boxes have
their own firewalls.

I need to protect several machines, some of them are Windows boxes. Mostly I want to block incoming Windows sharing stuff and the well-known RPC ports.


The beauty of this is that it lets me HTB shape both incoming and
outgoing packets without IMQ.  The problem I have is that I made this
"front line" computer out of spare parts and the AMD 266 is not enough
CPU.  When HTB starts to queue/delay, things like typing at the keyboard
become sluggish and packet handling slows.

I have an Athlon 500 ready for this. Hopefully it manages the job even in promiscuous mode on the LAN NIC, which is a gigE card.


Read Martin Brown's HOWTO (sorry, I've forgotten the chapter #), the
LARTC HOWTO (chapter 16.2) and Dave Weiss's proxyARP page (Weiss's setup
script fails but the write-up is correct).  You can find these with
google or I'll post URLs on request.

Thanks, this is certainly one of the things I'll be testing as soon as the shiny new modems arrive here!


CU

René

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
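A worked version of the recipe René describes (proxy ARP on both NICs, the same address on both, the connected /29 removed from the upstream NIC in favour of a host route to the next hop) together with the kind of Windows-sharing/RPC filter he says he needs, as an added example that is not part of the thread and not either poster's actual configuration. It uses a made-up 198.51.100.152/29 (RFC 5737 test space) with .153 as the upstream gateway, .154 to .157 as the LAN hosts and .158 on the filter box, and eth0/eth1 as the NIC names; all of those are assumptions to edit. The INPUT rules admit only the two services gypsy's box runs (sshd and identd). It follows René's no-SNAT variant, so gypsy's SNAT rules are deliberately absent; whether that is enough on a given kernel is exactly the open question in the thread.

```shell
#!/bin/sh
# Added example, not code from the LARTC thread: a proxy-ARP filtering box
# for a routed /29 built along the lines of the reply above (proxy_arp on
# both NICs, the same address on both NICs, the /29 connected route removed
# from the upstream NIC and replaced by a host route to the next hop, so no
# SNAT is needed).  All addresses and interface names are ASSUMPTIONS for
# illustration (RFC 5737 test range), not the posters' real prefix:
#   198.51.100.153       upstream router / default gateway, behind $OUT
#   198.51.100.154-.157  LAN hosts behind $IN, keeping their public IPs
#   198.51.100.158       this box, same address on both NICs
# With DRY=1 (the default) the script only prints the commands it would
# run; with DRY= (empty) it executes them and must be run as root.
DRY=${DRY-1}
OUT=eth0            # upstream NIC; edit to match your hardware
IN=eth1             # LAN NIC
NET=198.51.100.152/29
GW=198.51.100.153
ME=198.51.100.158

run() {
  if [ -n "$DRY" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Routing and proxy ARP.  After the two "ip addr add" lines the kernel has a
# connected $NET route on BOTH NICs; the one on $OUT is deleted and replaced
# by a /32 to the gateway, which is more specific than the /29 left on $IN,
# so LAN addresses are forwarded out of $IN and only the gateway out of $OUT.
proxyarp_config() {
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$OUT.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$IN.proxy_arp=1"
  run ip addr add "$ME/29" dev "$OUT"
  run ip addr add "$ME/29" dev "$IN"
  run ip route del "$NET" dev "$OUT"
  run ip route add "$GW/32" dev "$OUT"
  run ip route add default via "$GW" dev "$OUT"
}

# Packet filter.  The LAN hosts keep their public addresses, so protection
# is FORWARD policy, not NAT.  Inbound Windows file sharing and RPC
# (TCP/UDP 135-139 and 445) is dropped; everything else toward the LAN is
# still accepted, which is the "filter only the dangerous ports" model of
# the thread.  Replace the last FORWARD rule with per-service ACCEPTs to
# turn this into a default-deny filter.  Policies are set last so a live
# ssh session is not cut between the flush and the ESTABLISHED rule.
filter_rules() {
  run iptables -F INPUT
  run iptables -F FORWARD
  # The box itself: loopback, replies, and the two services it offers.
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # sshd
  run iptables -A INPUT -p tcp --dport 113 -j ACCEPT   # identd
  # Forwarded traffic.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$IN" -o "$OUT" -j ACCEPT          # LAN -> world
  for proto in tcp udp; do
    run iptables -A FORWARD -i "$OUT" -o "$IN" -p "$proto" \
        -m multiport --dports 135:139,445 -j DROP
  done
  run iptables -A FORWARD -i "$OUT" -o "$IN" -j ACCEPT          # world -> LAN
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
}

apply_all() {
  proxyarp_config
  filter_rules
}

apply_all
```

Run it as-is to review the command list, then `DRY= sh proxyarp.sh` as root to apply. Afterwards `ip route get 198.51.100.154` should name eth1 and `ip route get 198.51.100.153` eth0; if the LAN hosts still cannot reach the outside, `tcpdump -ni eth0 arp` shows whether the box is actually answering the router's ARP requests for .154 to .157, which is the first thing to check before reaching for SNAT.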
