How to set up an ipchains firewall after a hardware Cisco router

Hi friends,

I want to set up an ipchains firewall after a Cisco router which does not have an inbuilt firewall. I will try to explain the situation: the Cisco router has a WAN interface and a LAN interface, and from the LAN interface we get some 14 public LAN IPs. I want to have a setup in which I connect one of the two interfaces of my Linux box to the router's public LAN interface, and from the second interface of the Linux box the 14 public LAN IPs should come. Can anybody please suggest me the idea? Actually I had set up a NetGuard firewall in the above fashion. Can I set up ipchains in the same fashion? If anybody wants more details I can send you the setup of the NetGuard firewall.

Thanks in advance,
harish
Easy...

First you need to decide the type of firewall. This depends on the IP address types you use: IPN, "internal private network addresses like 192.198, 10., 172.16", or EPN, external public network addresses allocated by InterNIC. Also the speed of the connection is important relative to the speed of the Linux box ("i.e. a NAT firewall needs a fast processor if over a 512kb or greater connection"). If you use IPN numbers then you'll need to have a NAT firewall; if not, then simply a source-routed firewall. You can use ipchains or iptables to do this. Then you need to know the names of your interface cards on the Linux box and the relationship they have to the physical network. Then you build a solid rule set for ipchains or iptables to use, only routing the correct protocols to the correct ports, with flood and spoof filtering. If you want to learn about ipchains or iptables then start with these sites, then once you get into problems contact us.

http://www.redhat.com/support/resour...llservice.html
http://www.boingworld.com/workshops/...bles-tutorial/
http://dsl081-050-241.dsl-isp.net/ip...ns-stuff.shtml

/Raz :jawa:
Regarding using proxy ARP for the above problem

Hello Raz,

I used proxy ARP to solve the above problem and was successful, but I was forced to waste one of the public LAN IP addresses. I followed the method given on sjdjweis.com for using proxy ARP to set up a firewall after a hardware router. Can you suggest me a way by which there is no wastage of even a single IP address?
If the Cisco router is just a router, it will have to talk to a real external IP address that's in the routing table.

So you would use 2 assigned IP addresses: 1 for the router, 1 for the firewall. If you have a DMZ then these addresses should also be real, like your DNS and proxy server. Then everything after the firewall can be NAT and use internal IP addresses. I don't know proxy ARP. If you only have 1 real address assigned to you, then your router will have to do the NAT functions for the whole network.

/Raz