LinuxQuestions.org
Old 11-05-2003, 04:22 PM   #1
freelinuxcpp
Member
 
Registered: Jul 2003
Posts: 129

Rep: Reputation: 15
firewall questions


Hello everybody,
I want to set up a firewall for my network and need some advice about it.
Here is my network:
    [INTERNET]
        |
    [ router ]
        |
        | NIC#1: public address
    [FIREWALL]
        | NIC#2: public address
        |
    +--------------------+
    | My private network |
    | (public addresses) |
    +--------------------+

I need to be able to administer my LAN remotely (VNC or such) and to set up a
powerful firewall at the same time to prevent any attack or abuse from the
Internet. Well, the steps I thought about are:
1. Set eth0 and eth1 of the firewall with a public IP.
2. Set the default gateway for this firewall (the router).
3. Close all ports and block all incoming and outgoing traffic (iptables).
4. Open the needed ports and authorize some IPs that I use.
5. Set this firewall as the default gateway for all other machines on the LAN.

Every piece of advice or idea which can improve the topic is welcome.
 
Old 11-05-2003, 08:56 PM   #2
dreamloveros
LQ Newbie
 
Registered: Nov 2003
Distribution: SUSE
Posts: 2

Rep: Reputation: 0
Just to make it clear for me, why do you need two public IP addresses at the firewall level, and other public IP addresses in your internal network?

My understanding of a protected demilitarized zone (DMZ) is a private network with private addresses (10.1.*.* / 192.168.*) which are not routable on the Internet, and only a single public IP address obtained from your ISP.

I'll try my best to help you should you clarify your goals/needs.

OS
 
Old 11-05-2003, 10:46 PM   #3
imoex2
LQ Newbie
 
Registered: Oct 2003
Posts: 3

Rep: Reputation: 0
Here's how I would set my LAN up.
 
Old 11-05-2003, 10:47 PM   #4
imoex2
LQ Newbie
 
Registered: Oct 2003
Posts: 3

Rep: Reputation: 0
{internet}-----[firewall]---[dhcp/dns]----[switch/hub]----wk1---wk2---wk3--wk4--etc


oops
 
Old 11-06-2003, 12:00 AM   #5
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
I don't really see a question in your post... You are proposing a straightforward, and common, setup, so if you are looking for confirmation: yes, you can set up your network that way.

Is there any particular reason you need the router and a linux firewall/router? Seems like you are pulling double duty for a system that may not require it.

You are on the right track.
Some tips...
. Incoming packets no longer traverse both INPUT and FORWARD chains; they do one OR the other.
. Make use of the stateful capabilities of IPTABLES (i.e. accept established and related connections but not new or invalid connections)
. Check for spoofed IP addresses
. In general, drop unwanted packets instead of rejecting them.
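The tips above, worked into a runnable dry-run script. This is an added example, not JordanH's code: the interface names eth0/eth1, the LAN block and the admin address are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful ruleset for a two-NIC
# Linux firewall/router following the tips above. Dry run by default: the rules
# are printed, not applied. Run with IPT=iptables (as root) to apply them.
# Interface names and the address ranges below are assumptions.
IPT="${IPT:-echo iptables}"

# build_rules EXT_IF INT_IF LAN_NET ADMIN_IP
build_rules() {
    ext_if="$1"; int_if="$2"; lan="$3"; admin="$4"

    # Clean slate; everything not explicitly allowed is dropped (not rejected).
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback traffic is always local to the box.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: our LAN block can never legitimately arrive from the
    # Internet side, and only our LAN block may arrive on the inside interface.
    $IPT -A INPUT   -i "$ext_if" -s "$lan" -j DROP
    $IPT -A FORWARD -i "$ext_if" -s "$lan" -j DROP
    $IPT -A FORWARD -i "$int_if" ! -s "$lan" -j DROP

    # Stateful core: replies to connections we allowed are accepted; packets that
    # match no known connection are dropped silently.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A "$chain" -m state --state INVALID -j DROP
    done

    # New connections. Routed LAN traffic only ever hits FORWARD, never INPUT:
    # the LAN may open connections outward, the firewall itself may talk out,
    # and only the known admin address may open SSH to the firewall.
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -s "$lan" -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT  -o "$ext_if" -m state --state NEW -j ACCEPT
    $IPT -A INPUT   -i "$ext_if" -p tcp --dport 22 -s "$admin" -m state --state NEW -j ACCEPT
    # Everything else falls through to the DROP policies set above.
}

# 198.51.100.0/28 stands for the LAN's own public block, 203.0.113.10 for the
# admin's remote address (both constructed documentation addresses).
build_rules eth0 eth1 198.51.100.0/28 203.0.113.10
```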
 
Old 11-06-2003, 01:53 AM   #6
freelinuxcpp
Member
 
Registered: Jul 2003
Posts: 129

Original Poster
Rep: Reputation: 15
Well, OK,
I'm going to give more details.
I have a LAN where all machines must have a public IP, so that I can access them from wherever on the Internet; it's what we call REMOTE CONTROL. Personally I'm using VNC, but at the same time I need to secure this access and put up a firewall to deny all malicious intentions!
The problem is to force all my machines to use the firewall as default gateway, and here I don't really know what I should do for this. Does setting 2 NICs with a public IP and setting the router as default gateway do that?
Thanks for your replies.
 
Old 11-06-2003, 04:24 AM   #7
Looking_Lost
Senior Member
 
Registered: Apr 2003
Location: Eire
Distribution: Slackware 12.0, OpenSuse 10.3
Posts: 1,120

Rep: Reputation: 45
The problem, I'm thinking, could be that the external side of the firewall will only accept traffic for the IP address on the external interface. Perhaps set up virtual interfaces on the external interface for each of the public IPs, then forward any traffic to the appropriate machine in the internal network, which will now have bog-standard 192.168.x.x IP addresses.

I may be talking nonsense, but that's my feeling
 
Old 11-06-2003, 12:20 PM   #8
freelinuxcpp
Member
 
Registered: Jul 2003
Posts: 129

Original Poster
Rep: Reputation: 15
I see, but what's the interest of this action? What's the difference between doing a redirection or simply using a public IP with direct (filtered) access?
 
Old 11-06-2003, 01:22 PM   #9
Looking_Lost
Senior Member
 
Registered: Apr 2003
Location: Eire
Distribution: Slackware 12.0, OpenSuse 10.3
Posts: 1,120

Rep: Reputation: 45
Have to admit, I don't know what you mean there by public IP direct filtered access.

The way I'm looking at it is: if you are trying to connect to machine B, which is behind machine A, the Linux firewall (I'm ignoring the router for now), using the public address of machine B, machine A will not know to listen for machine B's IP address.

My knowledge of VNC at this moment wouldn't fill half a postage stamp, so I may be in entirely the wrong ballpark here and best ignored.
 
Old 11-10-2003, 02:03 AM   #10
freelinuxcpp
Member
 
Registered: Jul 2003
Posts: 129

Original Poster
Rep: Reputation: 15
Hello
I've found a better IDEA: it's the NET bridge, a machine with no IP which filters all network traffic.
Very cool, no?
http://lea-linux.org/reseau/pont-filtrant.php3 (in french)
 
Old 11-10-2003, 12:23 PM   #11
Patrick Bulteel
Member
 
Registered: Nov 2003
Location: United Kingdom
Distribution: Mandrake, RedHat, Suse, Ubuntu, Debian
Posts: 37

Rep: Reputation: 15
My setup

{internet} -- [firewall/router]---[switch] --ws1, etc.

What you could do at the firewall is port forward, say, port 5800 to ws1 using port 5800. Then port forward 5801 to ws2 on port 5800 (yes, same VNC port on all machines), etc. This means you now have ports open and forwarding to the internal machines. If you know WHERE you'll be coming in from, you can say that as long as the source is the known IP address, then traffic on ports 5800, 5801, 5802... etc. will go on to the internal machines. It's a bit better than having ANY external machine see those ports as open.

This still isn't the best way to do it either. What I do for my setup is create an SSH tunnel to the correct machine. That way I also benefit from some compression.

Read this http://www.onlamp.com/pub/a/onlamp/e...11/index3.html for some ideas on how to do it. It'll work with your scenario and public IP addresses too; you'll just be connecting to the external public IP address of your firewall instead of to the inside boxes.

I'll check this thread again later. If it's still too confusing I'll write it out.
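Patrick's restricted port-forwarding scheme as an added example (not his own code): external ports 5800, 5801, ... on the firewall map to internal VNC servers on 5800, accepted only from the known admin address. eth0, 203.0.113.10 and the 192.168.1.x hosts are constructed placeholders, and the stateful baseline rules (ESTABLISHED,RELATED accepted, DROP policies) are assumed to already exist.

```shell
#!/bin/sh
# Added example, not from the thread: the restricted VNC port-forwarding scheme
# described above. External port BASE+N on the firewall is DNATed to internal
# host N on port BASE, and only when the connection comes from the known admin
# address. Dry run by default; run with IPT=iptables (as root) to apply.
# Assumes the stateful baseline (ESTABLISHED,RELATED accepted, DROP policies)
# is already in place. Interface name and addresses are constructed.
IPT="${IPT:-echo iptables}"

# vnc_forward_rules EXT_IF ADMIN_IP BASE_PORT HOST...
vnc_forward_rules() {
    ext_if="$1"; admin="$2"; base="$3"; shift 3
    n=0
    for host in "$@"; do
        ext_port=$((base + n))
        # Rewrite the destination before routing: firewall:ext_port -> host:base.
        # Because -s restricts it, packets from anyone else are never rewritten.
        $IPT -t nat -A PREROUTING -i "$ext_if" -s "$admin" -p tcp --dport "$ext_port" \
             -j DNAT --to-destination "$host:$base"
        # The rewritten packet is then routed and must pass FORWARD; allow exactly
        # this flow and nothing wider.
        $IPT -A FORWARD -i "$ext_if" -s "$admin" -d "$host" -p tcp --dport "$base" \
             -m state --state NEW -j ACCEPT
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || return 0
    # Unrewritten packets from other sources end up at the firewall's own INPUT
    # chain; drop them explicitly so the range looks closed even if the INPUT
    # policy is not DROP.
    $IPT -A INPUT -i "$ext_if" -p tcp --dport "$base:$((base + n - 1))" -j DROP
}

# Three internal VNC servers, reached as firewall:5800, :5801, :5802 from the
# admin host 203.0.113.10 only.
vnc_forward_rules eth0 203.0.113.10 5800 192.168.1.11 192.168.1.12 192.168.1.13

# The post's preferred alternative opens no VNC ports at all: one SSH login to
# the firewall carries the VNC session (compressed with -C), e.g.
#   ssh -C -L 5800:192.168.1.11:5800 admin@firewall
# and then point the VNC viewer at localhost:5800.
```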
 
Old 11-11-2003, 04:35 AM   #12
freelinuxcpp
Member
 
Registered: Jul 2003
Posts: 129

Original Poster
Rep: Reputation: 15
Thank you Patrick!
Well, here I have changed my config a bit: (pri = private IP, pui = public IP)
[internet]
|
|(pui)
[gateway](VNC CLIENT)
|(pri)
|
|(pri)
[Router]
|(wan interface with pri)
|
|
|(wan interface with pri)
[router]
|
|(FIREWALL)pri
|
[Switch]
|
[machine1]-[machine2 .......](VNC SERVERS) all are private IP

Well, here is my network setup. I have to remote control my machines through the machine above which is connected to the Internet (double VNC: the first is to open a session from the Internet to the gateway, and the second is to open, from this remote session, a session to the machines in order to administer them).
The problem is that in its actual position the firewall can't filter traffic between the machines of the LAN, meaning between machine 1 and machine 2, etc. In other words, if one of these machines gets infected by a worm coming from a floppy or CD-ROM, it'll infect the whole network. Is there any fix for this? I thought about making the firewall the default gateway rather than the router, but I think this won't work because a direct connection exists between the machines!
Any suggestions please?

Last edited by freelinuxcpp; 11-11-2003 at 04:36 AM.
 
  

