LinuxQuestions.org > Linux - Security > how to setup a ipchains firewall after a hardware cisco router
(https://www.linuxquestions.org/questions/linux-security-4/how-to-setup-a-ipchains-firewall-after-a-hardware-cisco-router-6733/)

cybercop12us 09-20-2001 10:04 AM

how to setup a ipchains firewall after a hardware cisco router

Hi friends,

I want to set up an ipchains firewall after a Cisco router which does not have an inbuilt firewall. I will try to explain the situation.

The Cisco router has a WAN interface and a LAN interface, and from the LAN interface we get some 14 public LAN IPs.

I want to have a setup in which one of the two interfaces of my Linux box is connected to the router's public LAN interface, and from the second interface of the Linux box the 14 public LAN IPs should come.

Can anybody please suggest an idea? Actually I had set up a Netguard firewall in the above fashion. Can I set up ipchains in the same fashion?

If anybody wants more details I can send you the setup of the Netguard firewall.

Thanks in advance,
harish

raz 09-27-2001 04:56 AM

Easy...

First you need to decide the type of firewall. This depends on the IP address types you use: IPN, "internal private network addresses like 192.198, 10., 172.16", or EPN, external public network addresses allocated by InterNIC.

Also the speed of the connection is important relative to the speed of the Linux box. "i.e. a NAT firewall needs a fast processor if over a 512kb or greater connection"

If you use IPN numbers then you'll need to have a NAT firewall; if not, then simply a source-routed firewall.
You can use ipchains or iptables to do this.

Then you need to know the names of your interface cards on the Linux box and the relationship they have to the physical network.

Then you build a solid rule set for ipchains or iptables to use, only routing the correct protocols to the correct ports, with flood and spoof filtering.

If you want to learn about ipchains or iptables then start with these sites, then once you get into problems contact us.

http://www.redhat.com/support/resour...llservice.html
http://www.boingworld.com/workshops/...bles-tutorial/
http://dsl081-050-241.dsl-isp.net/ip...ns-stuff.shtml

/Raz :jawa:

cybercop12us 10-18-2001 02:19 AM

regarding using proxyARP for the above problem

Hello raz,

I used proxyARP to solve the above problem and was successful, but I was forced to waste one of the public LAN IP addresses. I followed the method given on sjdjweis.com for using proxyARP to set up a firewall after a hardware router.

Can you suggest a way by which there is no wastage of even a single IP address?

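As an added example (not code from the thread, from Raz, or from the site the poster followed), here is the kind of routed, non-NAT ipchains rule set Raz outlines, together with the proxy ARP setting cybercop12us mentions. The interface names, the 203.0.113.16/28 block and the one exposed web host are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from any linked site: a routed
# (no NAT) ipchains rule set for a Linux box between a Cisco router and a
# public /28 LAN, with proxy ARP toward the router. Interface names,
# addresses and the exposed service are constructed for illustration.
EXT_IF=eth0               # assumed: interface facing the router
INT_IF=eth1               # assumed: interface facing the public LAN
PUB_NET=203.0.113.16/28   # constructed: block holding the 14 usable IPs
WEB_SRV=203.0.113.18      # constructed: one host published on TCP/80
DRY_RUN=${DRY_RUN:-0}

# With DRY_RUN=1 the commands are printed instead of run (no root needed).
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

build_rules() {
    # Forward between the two cards and answer ARP for PUB_NET on the
    # router side, so the router sees the LAN hosts as directly attached.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.$EXT_IF.proxy_arp=1
    # Default deny on all three built-in chains, then permit explicitly.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P output DENY
    run ipchains -P forward DENY
    # Spoof filtering: our block must never arrive from the router side,
    # and only our block may arrive from the LAN side. -l logs the hit.
    run ipchains -A input -i $EXT_IF -s $PUB_NET -j DENY -l
    run ipchains -A input -i $INT_IF -s ! $PUB_NET -j DENY -l
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run ipchains -A input -i $EXT_IF -s $net -j DENY -l
    done
    run ipchains -A input -j ACCEPT
    run ipchains -A output -j ACCEPT
    # forward carries the real policy. LAN hosts may open anything outward;
    # ipchains is stateless, so replies are admitted by shape: TCP without
    # SYN (! -y) and UDP from port 53 for DNS answers.
    run ipchains -A forward -s $PUB_NET -d 0/0 -j ACCEPT
    run ipchains -A forward -p tcp ! -y -s 0/0 -d $PUB_NET -j ACCEPT
    run ipchains -A forward -p udp -s 0/0 53 -d $PUB_NET -j ACCEPT
    # The only connection the outside may open: the published web server.
    run ipchains -A forward -p tcp -y -s 0/0 -d $WEB_SRV 80 -j ACCEPT
    # Anything else is logged, then dropped by the DENY policy.
    run ipchains -A forward -j DENY -l
}

# Preview with: DRY_RUN=1 sh firewall.sh --apply ; run as root to install.
if [ "${1:-}" = "--apply" ]; then build_rules; fi
```

Because ipchains has no connection tracking, the "reply" rules admit any non-SYN TCP segment and any UDP datagram from port 53, which is the trade-off Raz's "correct protocols to the correct ports" advice is working around.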

raz 10-22-2001 04:40 AM

If the Cisco router is just a router, it will have to talk to a real external IP address that's in the routing table.

So you would use 2 assigned IP addresses: 1 for the router, 1 for the firewall.

If you have a DMZ then these addresses should also be real, like your DNS and proxy server.

Then everything after the firewall can be NAT and use internal IP addresses.

I don't know proxyARP.

If you only have 1 real address assigned to you, then your router will have to do the NAT functions for the whole network.

/Raz
