Hi Benjamin,

There are two ways to approach this if you want to use the linux box as a firewall rather than the router with ACLs as someone suggested (I prefer the linux box because I think iptables is more flexible and better documented than various router OS ACLs, and I prefer working in the familiar UNIX environment -- the ACL solution does have some technical advantages though). Both ways require you to have access to and be able to configure your router.

First, you can break your class C into multiple subnets. Create a 4-network subnet (.0-.3) and put your router on .1 and your firewall (on one ethernet card) on .2. Then you have to alias your second ethernet to multiple different addresses to act as a gateway for all the different networks it will support (4-7, 8-15, 16-31, 32-63, 63-127, 128-255). The reason you have to do this has to do with the legal ways of subnetting a network (along binary boundaries). I've done this but it is horribly ugly, as you have to configure hosts on each network to have a different gateway (which means your workstations will have different configurations). I can elucidate this solution further but I would not recommend this solution.

The second, more elegant, and more secure solution is to use a virtual network between the router and the firewall. Thus the inward-facing router NIC would have address 10.0.0.1 and the outward-facing firewall NIC would have address 10.0.0.2. Configure default traffic on the firewall to be routed to 10.0.0.1 (its gateway) and configure inbound (to your class C) traffic on the router to go to 10.0.0.2 on the firewall. The inward-facing NIC on your firewall can just take the first address in your class C and all the other workstations can just use addresses afterward. This way you don't have to subnet and lose addresses in your class C, and your firewall is outwardly inaccessible since it's on a fake address.
This means that misconfigurations will likely lead to no access whatsoever rather than too much (which is probably a good thing). If either of these solutions interests you let me know and I can elucidate (I've actually set up both). I might even put up some documentation online.

Regards,
Sheer

On Tue, 27 Nov 2001, Benjamin Stocker wrote:

> Hi all,
>
> I maintain a small hosting center with 6 webservers, fax, pop3-mail,
> etc. I only have one C subnet! I would like to protect my servers with an
> iptables firewall. Unfortunately, it seems to be odd to put the fw AND
> the servers in the same subnet.
>
> It seems to be possible to install two NICs in the firewall and point
> one of them to the Net, the other to the webservers, but both configured
> for the same subnet. But that configuration seems to be rare and I
> cannot find documentation about it.
>
> What's your opinion?
> Many thanks, Benjamin
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
> ------------------------------------------------------------------------
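Sheer's second design (a private /30 transit link between router and firewall, with the whole class C living only behind the firewall's inward NIC), written out as the firewall-side configuration. This is an added example, not code from either poster. Everything in it is an assumption chosen for illustration: 192.0.2.0/24 stands in for the class C, eth0 is the outward NIC on 10.0.0.2/30 with the router on 10.0.0.1, eth1 is the inward NIC on 192.0.2.1/24, the web servers and mail host addresses are made up, and the published services are HTTP/HTTPS and POP3 as in Benjamin's description. The iptables `-m state` syntax is the classic one; current releases also accept `-m conntrack --ctstate`. With no argument the script only prints what it would run; `apply` executes the commands as root.

```shell
#!/bin/sh
# Added example (not from the original thread): firewall side of a
# router <-> firewall transit link, with the public block behind the firewall.
#
# Assumed values, all hypothetical; replace with your own:
#   192.0.2.0/24   the class C (documentation prefix used as a stand-in)
#   eth0           outward NIC, 10.0.0.2/30, router at 10.0.0.1
#   eth1           inward NIC, 192.0.2.1/24 (first address in the block)
#   web/mail hosts addresses inside the block, published on 80/443 and 110
# The router needs the mirror-image static route "192.0.2.0/24 via 10.0.0.2";
# its syntax is router-specific, so it is not emitted here.

ROUTER=10.0.0.1
FW_OUT=10.0.0.2
PUBLIC=192.0.2.0/24
FW_IN=192.0.2.1
OUT_IF=eth0
IN_IF=eth1
MAIL_HOST=192.0.2.10
WEB_HOSTS="192.0.2.11 192.0.2.12 192.0.2.13"

# Addresses, default route towards the router, and forwarding.
interface_commands() {
    printf 'ip addr add %s/30 dev %s\n' "$FW_OUT" "$OUT_IF"
    printf 'ip addr add %s/24 dev %s\n' "$FW_IN" "$IN_IF"
    printf 'ip link set %s up\n' "$OUT_IF"
    printf 'ip link set %s up\n' "$IN_IF"
    printf 'ip route add default via %s dev %s\n' "$ROUTER" "$OUT_IF"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=1\n'
}

# Default-deny ruleset: a mistake here fails closed, which is the property
# Sheer points out as the advantage of this layout.
firewall_commands() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -P OUTPUT ACCEPT\n'
    printf 'iptables -F\n'
    # Packets arriving from outside that claim an inside source are spoofed.
    printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$OUT_IF" "$PUBLIC"
    printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$OUT_IF" "$PUBLIC"
    # Replies to connections already accepted in either direction.
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # Published services, one rule per host, so a port open on one box is not
    # implicitly open on every box in the block.
    for h in $WEB_HOSTS; do
        printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT\n' \
            "$OUT_IF" "$IN_IF" "$h"
    done
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport 110 -m state --state NEW -j ACCEPT\n' \
        "$OUT_IF" "$IN_IF" "$MAIL_HOST"
    # Servers may open outbound connections (DNS, updates); tighten as needed.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -m state --state NEW -j ACCEPT\n' \
        "$IN_IF" "$OUT_IF" "$PUBLIC"
    # The firewall itself: loopback, and SSH only from the inside network.
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -i %s -s %s -p tcp --dport 22 -m state --state NEW -j ACCEPT\n' \
        "$IN_IF" "$PUBLIC"
    # Log whatever falls through before the DROP policy eats it.
    printf 'iptables -A FORWARD -j LOG --log-prefix "fw-forward-drop: "\n'
    printf 'iptables -A INPUT -j LOG --log-prefix "fw-input-drop: "\n'
}

all_commands() {
    interface_commands
    firewall_commands
}

# Sanity check: number of rules admitting new inbound connections; it should
# equal the number of published hosts (3 web + 1 mail here).
inbound_accept_count() {
    firewall_commands | grep -c -- "-i $OUT_IF -o $IN_IF .* --state NEW -j ACCEPT"
}

if [ "${1:-}" = "apply" ]; then
    all_commands | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"    # requires root
    done
else
    all_commands
fi
```

Two points this makes concrete. The outward NIC carries only 10.0.0.2, an RFC 1918 address that nobody on the Internet can route to, and the INPUT policy drops anything that reaches it anyway, so the firewall has no reachable service on its outside face. And because the router's only path to the class C is the static route to 10.0.0.2, a wrong or missing rule on the firewall takes the servers off the air rather than exposing them, which is exactly the fail-closed behaviour Sheer describes.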