LinuxQuestions.org
Old 11-28-2006, 02:30 PM   #1
spookyly
LQ Newbie
 
Registered: Apr 2003
Location: Lima
Distribution: Mandrake, Slackware, Red Hat
Posts: 9

Rep: Reputation: 0
Networking-Security


Hi,
I have a network like this:

Router1------Router2-------LAN1----- ServerX
Router1------Router2-------LAN2

Where is the right place to put a firewall?

Actually I have:

Router1 : 192.168.1.1 and Public IP
Router2 : 192.168.2.1
LAN 1 192.168.1.X
LAN 2 192.168.2.X
And my server X is 192.168.1.35

I'm trying to protect ServerX with iptables, but I'm not sure what IP my firewall must have... so I can protect it even from internal users.
My firewall must have one public IP and one private IP, because I want outsiders to be able to connect to ServerX.

I hope you can help me.
Thanks in advance.
Spookyly

Last edited by spookyly; 11-29-2006 at 12:11 PM.
 
Old 11-29-2006, 04:27 PM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
You basically place firewalls where you want particular flows of data to stop. So, to block or filter connections from the Internet, enable the firewall on Router1. To allow data to flow freely inside your network but restrict connections to or from ServerX, configure the firewall on ServerX. To restrict connections in or out of 192.168.2.0, configure firewalling on Router2.
 
Old 11-30-2006, 08:10 AM   #3
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
For your information:
You can drop connections to any network before they reach it, either in PREROUTING or in the routing table with
Code:
ip route add blackhole network/mask
You can also use these other route types to drop packets:
Code:
throw         returns ICMP Type 3 Code 0 (net unreachable)
unreachable   returns ICMP Type 3 Code 1 (host unreachable)
prohibit      returns ICMP Type 3 Code 13 (communication administratively prohibited)
blackhole     drops the packet with no message
 
Old 11-30-2006, 08:28 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Do you have 4 routers?
Are the two routers on the network with ServerX NAT routers? You could put the server in between the two routers on one of its interfaces and have the second interface plugged into LAN1's switch. For the DMZ interface, make sure that the firewall closes down all ports that internet users are supposed to use.
 
Old 11-30-2006, 02:49 PM   #5
spookyly
LQ Newbie
 
Registered: Apr 2003
Location: Lima
Distribution: Mandrake, Slackware, Red Hat
Posts: 9

Original Poster
Rep: Reputation: 0
Well, it's clearer now, but I'm still very confused.... Let me explain the case:

For Router1 I have one IP and 5 more. I want ServerX to be accessible with one private IP so my other users (from LAN1, LAN2, LAN3, LAN4, etc.) can connect, and my users from the outside can connect to ServerX using one public IP...

What I did is:
My firewall has 2 NICs:
eth0: public IP
eth1: private one doing NAT (192.168.8.1)
So the logical thing is that my ServerX should be 192.168.8.35... right?
But for the moment I can't change the address of ServerX.... Is it possible to protect ServerX without changing the address? And could it be accessible from the internet with the public IP?
If there is anything wrong please let me know....
Thanks in advance...
Spookyly
 
Old 12-01-2006, 03:25 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
In my opinion, it would be better having 2 NICs on ServerX. This makes it easier to set up the ServerX firewall than having one NIC with 2 IP addresses. Ideally, the server would be in the DMZ, i.e. between two routers, and you would use a separate server for internal LAN users. If your internet side is normal internet users, even better would be to have it hosted by a third party so that internet users aren't going to your outside router at all.

In the second and last options I mentioned, the server would have as little as possible installed. Only the services needed are provided. This leaves fewer targets to attack and may even mean a leaner, faster machine.

Otherwise, having the server with 2 NIC cards, make sure that one has a different network address or subnet address than the other, even if both are private IPs. The SuSEfirewall2 program is set up so that you put a NIC into a zone: either the inside zone, the outside zone, or the DMZ. Then determine the rules for each zone. For ServerX, the outer router would be connected to the outside-zone NIC of ServerX and the inside zone would be connected to the switch with the inside router. The disadvantage of doing this is that if ServerX were compromised, it would provide a bypass of your 2nd router. That is why I mentioned having a bastion host just for the internet service and a separate server for the LAN users.

There are a number of books on securing Linux. I would also recommend the book "Firewalls and Internet Security: Repelling the Wily Hacker", ISBN: 0-201-63466-X.

I hope I haven't made this too complicated to understand or made too many omissions. Security is an ongoing process and not something that is simply switched on.
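A worked iptables ruleset for the layout the thread converges on (a two-NIC firewall plus a separate DMZ segment for ServerX, so that internal traffic to ServerX also passes through the firewall). This is an added example, not code from any poster; the interface names, the DMZ and LAN subnets, the admin host, TCP port 80 as the published service and the public address 203.0.113.10 (a documentation-range placeholder) are all assumptions.

```shell
#!/bin/sh
# Added example: zone filtering for the thread's layout, with ServerX moved into
# its own DMZ segment so the firewall sees LAN-to-ServerX traffic too.
# Assumed (not from the thread): eth0 = public side, eth1 = DMZ (192.168.8.0/24),
# eth2 = LAN side (the 192.168.x.0 networks behind Router2), TCP port 80 is the
# published service, and 203.0.113.10 is a documentation-range placeholder.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
WAN=eth0;  DMZ=eth1;  LAN=eth2
LAN_NET=192.168.0.0/16
SERVERX=192.168.8.35
SERVICE_PORT=80
ADMIN_HOST=192.168.1.10    # assumed management workstation with full access

# With DRY_RUN=1 the rules are printed instead of applied (review without root).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

apply_rules() {
    # Clean slate, default deny for traffic to and through the firewall.
    ipt -F; ipt -X; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Publish exactly one service on the public address: DNAT it to ServerX and
    # allow only that new connection to be forwarded in from the outside.
    ipt -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC_IP" -p tcp --dport "$SERVICE_PORT" \
        -j DNAT --to-destination "$SERVERX"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$SERVERX" -p tcp --dport "$SERVICE_PORT" \
        -m state --state NEW -j ACCEPT
    # Internal users are limited to the same port; only the admin host gets more,
    # so a compromised LAN machine cannot reach ServerX's other services.
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -s "$ADMIN_HOST" -d "$SERVERX" -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -d "$SERVERX" -p tcp --dport "$SERVICE_PORT" \
        -m state --state NEW -j ACCEPT
    # And if ServerX is compromised, it cannot initiate connections into the LAN.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    # LAN hosts reach the Internet via source NAT; anything else is logged (rate
    # limited) and then dropped by the FORWARD policy.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# Default is a dry run that prints the rules; "apply" installs them (needs root).
case "${1:-}" in
    apply) apply_rules ;;
    *)     DRY_RUN=1 apply_rules ;;
esac
```

Review the printed rules first; note that ServerX itself gets no outbound Internet access here, so add an explicit FORWARD rule from the DMZ if it needs updates.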
 
Old 12-02-2006, 06:18 PM   #7
spookyly
LQ Newbie
 
Registered: Apr 2003
Location: Lima
Distribution: Mandrake, Slackware, Red Hat
Posts: 9

Original Poster
Rep: Reputation: 0
I'm very grateful for the answers...
I read this wonderful manual:
http://iptables-tutorial.frozentux.net/
Thanks
 