Question/Advise:
I am setting up webserver on a cable connection.... which only has one IP.
Currently I have a linksys router running DHCP.
The server is configured with 2 net cards eth0 is the untrusted with ports 80 & 443 open
eth1 has all my other services bound to it 21, 22, 3306, 10000 etc.

Because I am not experienced with fire-walling and box hardening (I have done some of the basics to ensure security) I was planning on port forwarding from the linksys router to the server... obviously forwarding only ports 80 and 443 to the eth0 address (192.168.1.x).

This works fine but I did not have any packet filtering in place which is not good.

I found this great script at freshmeat_dot_net/projects/iptables-firewall/ that is easy to setup and implement.... /arno-iptables-firewall.tgz

Problem is that I can't have the two nics on the same subnet because the eth1 (trusted device) subnet is accept everything which effectively removes the firewall from eth0 ? Is there a work around?

Am I making this unnecessary complicated by leaving the linksys in place or should I nat through the webserver appliance and eliminate the linksys? I have very little experience with IpTables and am relying on the script above and the use of the Webmin interface for IPtables.

Your thoughts would be well received and greatly appreciated.
___________________
eth0 Link encap:Ethernet HWaddr 00:A0:C9:99D:EE
inet addr:192.168.1.x Bcast:192.168.1.254 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth1 Link encap:Ethernet HWaddr 00:01:53:81:B6:39
inet addr:192.168.1.x Bcast:192.168.1.254 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1

are you running a linux firewall? or linksys. Is the Linux box acting as a firewall behind the router?

never mind I see. Here is a good script. It's self explantory, just enable the stuff you need. It leaves eth1 (the interior interface) open for all outbound traffic, while blocking anything inbound. The script looks intimadating, however just read in the intro. Just enable "true"to the protocols you want forwarded back.(or type in the ip address of the server the packets are forwarded to). It will block portscans and other stuff Since your using iptables, ensure you change the path to iptables to the default redhat (/sbin/iptables):

Okay, it's to long to post here. I will post it on my website later. Here is the URL www.bentleyslounge.com/linux/iptables.txt

Any help is appreciated....

The whole task has taken up more time then I expected and am now looking for a light at the end of the tunnel.

try the link, it's up

Thank you...
This appears to be a good script.
But I am unsure if it addresses my problem unless I make my web appliance my nat as well. Currently my setup is [linksys with nat] to [server] ... with port forwarding from the linksys to a local ip address on the server.

or remove the second nic and run all my services from the single eth0?

that would be best, use the linksys to nat to your web server. If your tyring to get double the protection I could see configuring Eth0 to use your linksys as a gateway.

This way you have the linksys-----Iptables firewall. In between the two would be a DMZ were you could put webservers and stuff. It is a better idea to put your web servers and any other servers being accessed from the internet into a different subnet than your clients, however if hardware is limited, you could use the script to NAT to the inside interface. Install apache on that Linux box and configure Apache to listen to traffic eth1. Or configure apache to listen to Eth0 and port forward from the linksys router to the Eth0 and have your clients use Eth1 as a gateway for your inside clients. Possibilities are endless

Is it possible to setup tow subnets on the linksys?