LinuxQuestions.org - Linux - Security forum
I've browsed these forums for quite a while and haven't seen an issue similar to mine, so I've decided to ask for your expert opinions.

I'm an IT intern at a medium sized business, and the job that I've been given is to set up a firewall using iptables. Currently the company has a Cisco 2600 router handling the incoming T1 line and doing NAT, as well as serving as the only firewall. In order to increase security they decided to implement an iptables firewall. The original configuration was set up to put the firewall on the internal private network (192.168.0.1/24), like so:

Their original plan was to simply place both interfaces of the firewall on a hub, as if the firewall were like any other node on the network, and use the Cisco to forward all traffic to the external interface of the firewall (192.168.0.140).

Now, this is my absolute first real-world experience with a business network, but it seems to me like this is a poor idea. The entire network would be exposed to these forwarded packets.

The changes I propose are to place the firewall directly in-line behind the router and before the switch, and to give the firewall a public IP address on its external interface. Then the internal interface of the firewall would become the default gateway for the network. The firewall would also have to handle NAT. My setup looks like this:

Since we have a T1 with 10 public IP addresses, I figured it would be better to use a public IP address for the external interface of the iptables box so that the internal network lies solely behind the trusted internal interface. The Cisco router will basically become a glorified T1 network card because it will simply forward all traffic directly to the public IP assigned to the firewall's external interface.

Do you guys think that I can make this work? I'm pretty sure that it will, but I feel that there is something I might be overlooking. What suggestions do you guys have? Should I come up with a new design entirely? Any feedback you guys have will be most welcome. Thanks for reading.
Last edited by Arnold Poindext; 06-02-2003 at 12:48 PM.
The way the servers are grouped isn't very logical. The DNS server is on a machine with a file server on it, so I can't easily stick it outside the firewall. I think I can put a few lines of code in the iptables script to make DNS work inside the firewall though right?
Yeah, you're right about being able to do that with iptables. Are they running Active Directory with Win2000? If not, try to get them to get a couple of old Pentium or PII class PCs and set the DNS server up outside the firewall. That way you get them in the DMZ. Depending on how many nodes you have on the LAN, I think that a Pentium class PC with 32 to 64 MB of RAM would do. To make it simple, any server running any service that is accessed from the web should be outside the firewall in a DMZ. But that is getting off the subject.
internet
|
router
|
web/dns/mail
|
firewall
|
Local net
tangle, are you sure about this? Because I always thought that you can run a server on the inside network and do port forwarding. You can run a web server or a mail server and so on on the inside. I did it before. I never tried DNS, though, but I don't see why I shouldn't be able to run it behind the firewall, given that you forward all the traffic on the port to the machine running the server.
You can, but that port is open when someone from the outside sends a request for that service. I have my network at home forward DNS requests through a firewall to my ISP's DNS server. You can do exactly what you are talking about, but it is safer to have them in a DMZ (some say it doesn't matter though).
They aren't using Windows 2000, they are too cheap to upgrade. They are using good ol' NT 4.0. I have another question though regarding DNS server being inside the firewall. We also have a transparent proxy server running (Squid), how will that affect the DNS server being forwarded? Is it possible to have them both forwarded and work properly?
I think that if your proxy is set to send DNS requests to your DNS server you should be all right. Though, I have very little (about 3 or 4 years ago) proxy experience. That one someone else would have to answer. Sorry.
Thanks for your replies fellas, I really appreciate it. I have another question though. How do I make SNAT work? I'd like to translate all outgoing requests from our LAN to a single public IP address. What is the code I'd use to do this? Would this work:
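The following is an added example written for this thread; it is not code posted by the original poster or by any reply. It puts together the three pieces discussed above: the in-line layout from the first post (public address on the external interface, the box as the LAN's default gateway), the port-forward of DNS to a server behind the firewall that tangle and the next reply went back and forth on, and the SNAT rule asked about in the last post. Every address and interface name is an assumption chosen for illustration: eth0/eth1, 203.0.113.10 as a stand-in for one of the company's public IPs (TEST-NET-3 range), 192.168.0.0/24 for the LAN and 192.168.0.10 for the internal DNS server; none of these appear in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# In-line firewall: public side on EXT_IF, LAN side on INT_IF; the box is
# the LAN's default gateway and does the NAT.  All values below are
# assumptions for illustration, not taken from the posts:
#   EXT_IF=eth0  EXT_IP=203.0.113.10  (placeholder public address, TEST-NET-3)
#   INT_IF=eth1  LAN=192.168.0.0/24   (the 192.168.0.x network in the post)
#   DNS_SRV=192.168.0.10               (assumed address of the internal DNS box)
# "sh fw.sh show" prints the rules without loading them, "sh fw.sh apply"
# loads them (needs root).

IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"
LAN="${LAN:-192.168.0.0/24}"
DNS_SRV="${DNS_SRV:-192.168.0.10}"

flush_rules() {
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X
}

set_policies() {
    # Default deny for anything arriving at or passing through the box.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

base_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a packet claiming a LAN source must never arrive on
    # the public interface.
    "$IPT" -A INPUT -i "$EXT_IF" -s "$LAN" -j DROP
    "$IPT" -A FORWARD -i "$EXT_IF" -s "$LAN" -j DROP
    # Administer the firewall over ssh from the inside only.
    "$IPT" -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -j ACCEPT
}

snat_rules() {
    # Outbound: let the LAN through FORWARD, then rewrite the source to the
    # single public address after routing (POSTROUTING).  Replies are
    # matched by conntrack and un-NATed automatically.
    "$IPT" -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" \
        -j SNAT --to-source "$EXT_IP"
}

dnat_dns_rules() {
    # Inbound DNS to a server behind the firewall: DNAT rewrites the
    # destination before routing, but the packet still has to pass the
    # FORWARD chain, so the nat rule alone is not enough.  Only port 53 is
    # exposed; the file server's other ports stay closed.
    for proto in udp tcp; do
        "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$DNS_SRV"
        "$IPT" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$proto" \
            -d "$DNS_SRV" --dport 53 -j ACCEPT
    done
}

apply_all() {
    flush_rules
    set_policies
    base_rules
    snat_rules
    dnat_dns_rules
    # Routing between the two interfaces is off by default on Linux.
    [ "$IPT" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  IPT=echo; apply_all ;;
    apply) apply_all ;;
esac
```

The SNAT line is the direct answer to the last post: every packet leaving eth0 from the LAN gets its source rewritten to the one public address. Setting IPT=echo (the `show` mode) prints the exact commands so they can be reviewed before touching a production gateway. Note that the DNAT for the internal DNS server only exposes port 53 of that machine, which is the point tangle's reply makes about the port being open; the rest of the file server stays unreachable from outside.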