Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hello everybody,
I want to set up a firewall for my network and need some advice about it.
Here is my net:
        [INTERNET]
             |
             |
        [ router ]
             |
             | NIC#1: public address
        [FIREWALL]
             | NIC#2: public address
             |
   +----------------------------+
   | My private network         |
   | (public addresses)         |
   +----------------------------+
I need to be able to administer my LAN remotely (VNC or such) and at the same time set up a powerful firewall to prevent any attack or abuse from the internet. Well, the steps I thought about are:
1. set eth0, eth1 of the firewall with a public IP
2. set the default gateway for this firewall (the router)
3. close all ports and block all incoming/outgoing traffic (iptables)
4. open needed ports and authorize some IPs that I use
5. set this firewall as default gateway for all other machines on the LAN
Any advice/ideas which can improve the topic are welcome.
Just to make it clear for me, why do you need two public IP addresses at the firewall level? And other public IP addresses in your internal network?
My understanding of a protected demilitarized zone (DMZ) is a private network with private addresses (10.1.*.* / 192.168.*) which are not routable on the internet, and only a single public IP address obtained from your ISP.
I'll try my best to help you should you clarify your goals/needs.
I don't really see a question in your post... You are proposing a straightforward, and common, setup, so if you are looking for confirmation: yes, you can set up your network that way.
Is there any particular reason you need the router and a Linux firewall/router? Seems like you are pulling double duty for a system that may not require it.
You are on the right track.
Some tips...
- Incoming packets no longer traverse both INPUT and FORWARD chains; they do one OR the other.
- Make use of the stateful capabilities of iptables (i.e. accept established and related connections but not new or invalid connections).
- Check for spoofed IP addresses.
- In general, drop unwanted packets instead of rejecting them.
Well, OK, I'm gonna give more details.
I have a LAN where all machines must have a public IP, this to be able to access them from whatever place on the internet; it's what we call REMOTE CONTROL. Personally I'm using VNC, but at the same time I need to secure this access and put a firewall to deny all malicious intentions!
The problem is to force all my machines to use the firewall as default gateway, and here I don't really know what I should do for this. Does setting 2 NICs with a public IP and setting the router as default gateway do that?
Thanks for your replies.
The problem I'm thinking of could be that the external side of the firewall will only accept traffic for the IP address on the external interface. Perhaps set up virtual interfaces on the external interface for each of the public IPs, then forward any traffic to the appropriate machine in the internal network, which will now have the bog-standard 192.168.x.x IP addresses.
I see, but what's the interest of these actions? What's the difference between doing a redirection and simply using a public IP with direct (filtered) access?
Have to admit, I don't know what you mean there by public IP direct filtered access.
The way I'm looking at it is: if you are trying to connect to machine B, which is behind machine A, the Linux firewall (I'm ignoring the router for now), using the public address of machine B, machine A will not know to listen for machine B's IP address.
My knowledge of VNC at this moment wouldn't fill half a postage stamp, so I may be in entirely the wrong ball park here and best ignored.
{internet} -- [firewall/router]---[switch] --ws1, etc.
What you could do at the firewall is port forward, say, port 5800 to ws1 using port 5800. Then port forward 5801 to ws2 on port 5800 (yes, same VNC port on all machines), etc. This means you now have ports open and forwarding to the internal machines. If you know WHERE you'll be coming in from you can say that as long as the source is the known IP address, then traffic on ports 5800, 5801, 5802... etc. will go on to the internal machines. It's a bit better than having ANY external machine see those ports as open.
This still isn't the best way to do it either. What I do for my setup is create an SSH tunnel to the correct machine. That way I also benefit from some compression.
Read this http://www.onlamp.com/pub/a/onlamp/e...11/index3.html for some ideas on how to do it. It'll work with your scenario and public IP addresses too; you'll just be connecting to the external public IP address of your firewall instead of to the inside boxes.
I'll check this thread again later. If it's still too confusing I'll write it out.
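As an added example (not code from the thread or from any poster), the following iptables script puts the earlier tips (default drop, ESTABLISHED/RELATED state matching, anti-spoofing checks) and the port-forwarding scheme described just above (5800 to ws1, 5801 to ws2 on 5800, only from a known source) into one ruleset for the firewall/router box. The interface names, the private LAN range, the administrator's source address (documentation range) and the workstation addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, the LAN range, the admin
# address (documentation range) and the workstation addresses are assumptions.
# "sh fw.sh apply" loads the rules as root; with no argument it only prints them.
WAN=eth0                   # assumed public-facing NIC
LAN=eth1                   # assumed LAN-facing NIC
LAN_NET=192.168.1.0/24     # assumed private LAN, as the replies suggest
ADMIN_IP=203.0.113.10      # assumed known address you administer from
WS1=192.168.1.11           # assumed VNC servers (ws1, ws2) on the LAN
WS2=192.168.1.12
IPT="${IPT:-iptables}"     # set IPT=echo for a dry run

rule() { "$IPT" "$@"; }

# Forward external port $1 to internal host $2 on the VNC port, admin source only.
fwd_vnc() {
    rule -t nat -A PREROUTING -i "$WAN" -p tcp -s "$ADMIN_IP" --dport "$1" \
         -j DNAT --to-destination "$2:5800"
    rule -A FORWARD -i "$WAN" -o "$LAN" -p tcp -s "$ADMIN_IP" -d "$2" --dport 5800 -j ACCEPT
}

build_rules() {
    # Default deny on every chain, then flush anything left from earlier runs.
    rule -P INPUT DROP; rule -P FORWARD DROP; rule -P OUTPUT DROP
    rule -F; rule -t nat -F
    # Anti-spoofing: nothing arriving on the WAN may claim a LAN or loopback source.
    for src in "$LAN_NET" 127.0.0.0/8; do
        rule -A INPUT -i "$WAN" -s "$src" -j DROP
        rule -A FORWARD -i "$WAN" -s "$src" -j DROP
    done
    # Stateful core: keep established/related flows, drop INVALID, so that only
    # NEW connections need the explicit rules below.
    for chain in INPUT FORWARD OUTPUT; do
        rule -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        rule -A "$chain" -m conntrack --ctstate INVALID -j DROP
    done
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -j ACCEPT                        # firewall's own outbound traffic
    rule -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT   # LAN to internet
    # Remote administration only from the known source: SSH to the firewall itself,
    rule -A INPUT -i "$WAN" -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT
    # and the forwarding scheme from the thread: 5800 -> ws1:5800, 5801 -> ws2:5800.
    fwd_vnc 5800 "$WS1"
    fwd_vnc 5801 "$WS2"
    # Hide the private LAN behind the firewall's public address; anything else
    # arriving on the WAN falls through to the DROP policies.
    rule -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then build_rules; else IPT=echo; build_rules; fi
```

Without the `apply` argument the script prints the rules it would load, which is a convenient way to review the ruleset before committing it.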
Thank you patrick!
Well, here I have changed my config a bit (pri = private IP, pui = public IP):
[internet]
|
|(pui)
[gateway](VNC CLIENT)
|(pri)
|
|(pri)
[Router]
|(wan interface with pri)
|
|
|(wan interface with pri)
[router]
|
|(FIREWALL)pri
|
[Switch]
|
[machine1]-[machine2 .......](VNC SERVERS) all are private IP
Well, here is my network setup. I have to remote control my machines through the machine above which is connected to the internet (double VNC: the first is to open a session from the internet to the gateway, and the second is to open from this remote session a session to the machines in order to administer them).
The problem is that in its actual position the firewall can't filter traffic between the machines of the LAN, I mean between machine 1 and machine 2 ...etc. In other words, if one of these machines gets infected by a worm coming from a floppy or CD-ROM... it'll infect the whole network. Is there any fix for this? I thought about making the firewall the default gateway rather than the router, but I think this won't work because a direct connection exists between the machines!
Any suggestions please.
Last edited by freelinuxcpp; 11-11-2003 at 04:36 AM.