Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Absolutely. Aside from purchasing a router for the task, you can use a Linux PC for the function. You really only need 2 NICs, 1 connected to the outside (internet), and 1 connected to an internal LAN subnet (for example, 192.168.0.X), or you could have several NICs connecting to separate subnets if you want to compartmentalize your LAN traffic. A Linux kernel running iptables will do the trick - you can set up your own script, use others' as examples, or use a firewall program that sets up the iptables scripts for you, to name a few options. I use firestarter, which has been around for quite a while, seems to no longer be under development, but still serves the purpose fine for me. Using iptables, you can do all of the NAT, port forwarding, etc. that you need. Linux also has some very sophisticated traffic control functionality for being able to optimize your bandwidth among several different functions (such as low latency traffic, fast web access, fast throughput simultaneously).
If I only need two NICs, it means I have to bind multiple IP addresses to the card facing the Internet. I remember reading about this a long time ago, but I've never tried it. Something like: eth0:0, eth0:1, eth0:2, eth0:3. I'll look into that.
I'm not following the need to bind multiple IP addresses to the card facing the internet. Do you have more than one IP address assigned to you? In a typical home setup, your ISP assigns you a single IP address to your cable modem, DSL modem, etc. This is the address you bind to the NIC facing the modem. You bind an IP address associated with your local subnet, such as 192.168.0.X, to the NIC facing your LAN. The firewall via iptables can handle all of the NAT, forwarding, etc. to interface between the two networks.
If you have more than one public IP address assigned to you, then I believe you need to get into a less simplified setup with multiple address binding as you mentioned.
For higher security, people suggest putting linux servers behind a firewall.
By itself, that will not even be adequate security, so I am a bit mystified by the meaning of 'higher security'.
I'm thinking of how this can be accomplished.
Quote:
I have 4 machines, each running the usual web services: httpd, smtp, imap, mysql, ftp, mail, etc.
Are you thinking of a DMZ? If not, why not?
Quote:
Can this be done, or do I need a special router to handle this task?
Special router? If you can define clearly and in detail what you want to achieve and are prepared to work at it, it can probably be done without a special router. If you aren't, it probably won't really be achievable with or without a special router. Although you may be happy in not knowing that it hasn't been achieved.
Quote:
By itself, that will not even be adequate security, so I am a bit mystified by the meaning of 'higher security'.
What it means is that servers behind an adequately managed dedicated firewall will be able to enjoy the mitigation of certain vulnerabilities in ways which servers without dedicated firewalls wouldn't be able to (ceteris paribus). It also means that their administrator(s) will have more options and greater control when responding to security incidents. Firewalls play an integral role in just about any multi-layered security approach, so I'm not sure why you'd be mystified by any of this.
Quote:
Originally Posted by fw12
If I only need two NICs, it means I have to bind multiple IP addresses to the card facing the Internet. I remember reading about this a long time ago, but I've never tried it. Something like: eth0:0, eth0:1, eth0:2, eth0:3. I'll look into that.
If you can afford to buy one NIC for each server that would be optimal. This will let you isolate the servers from each other at the physical level, which you wouldn't be able to do with host-based firewalls (since you'd be plugging them all into the same switch). As for the multiple IPs, that's called IP aliasing and, as jeff_k hinted, it's only really an option for you if you've got more than one public IP address. Do you? People that don't will typically end up settling for plain old port forwarding with a shared IP.
EDIT: I just noticed that you explicitly stated:
Quote:
Originally Posted by fw12
Each NIC would have an Internet IP assigned to it.
So it would seem that you do indeed have four dedicated public IPs. In that case, I would recommend that you use five NICs. Assign the four public IPs to one of them (the Internet-facing one), and then do port forwarding to the servers on each of the other four NICs. Of course, each server should have its own host-based firewall too.
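The layout recommended in the two posts above (four public IPs aliased on one Internet-facing NIC, one server per internal NIC, port forwarding into each, with the router refusing to forward anything else) can be expressed as a short ruleset generator. The script below is an added example for this thread, not code posted by any participant. It writes `ip addr` commands for the aliases and an `iptables-restore` file for the nat and filter tables. The interface names, the public addresses (taken from the RFC 5737 documentation range), the /30 subnets, the server addresses and the port lists are all assumptions chosen for illustration; substitute your own ISP allocation and wiring. It also includes the single-shared-IP MASQUERADE variant jeff_k described for the typical home case.

```shell
#!/bin/sh
# Added example, not from the thread. Generates address assignments and an
# iptables-restore ruleset for a five-NIC Linux router: four public IPs
# aliased on the WAN NIC (labelled eth0:0..eth0:3) and one server behind each
# internal NIC, reached by DNAT. Every name/address below is an assumption.
set -eu

WAN=eth0
WAN_PREFIX=24    # assumed prefix length of the ISP-routed block

# One server per line: public_ip lan_nic lan_subnet server_ip tcp_ports
# (assumed values; 203.0.113.0/24 is an RFC 5737 documentation range)
SERVERS='
203.0.113.10 eth1 10.0.1.0/30 10.0.1.2 80,443
203.0.113.11 eth2 10.0.2.0/30 10.0.2.2 25,143,993
203.0.113.12 eth3 10.0.3.0/30 10.0.3.2 21
203.0.113.13 eth4 10.0.4.0/30 10.0.4.2 3306
'

rule() { printf '%s\n' "$*"; }   # printf avoids echo's handling of leading '-'

# Call "$@ pub nic net srv ports" for every SERVERS entry. The here-document
# keeps the loop in the current shell, so callers' variables stay visible.
each_server() {
    while read -r pub nic net srv ports; do
        [ -n "$pub" ] || continue
        "$@" "$pub" "$nic" "$net" "$srv" "$ports"
    done <<EOF
$SERVERS
EOF
}

# IP aliasing: bind every public address to the WAN NIC. The eth0:N label is
# optional for iproute2 but keeps ifconfig-era tools showing the aliases.
addr_cmds() { i=0; each_server _addr_one; }
_addr_one() {
    rule "ip addr add $1/$WAN_PREFIX dev $WAN label $WAN:$i"
    i=$((i + 1))
}

# nat table: DNAT only the published ports of each public IP to its server,
# and SNAT that server's outbound traffic so it leaves from its own address.
nat_table() {
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':INPUT ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    each_server _nat_one
    rule 'COMMIT'
}
_nat_one() {
    rule "-A PREROUTING -i $WAN -d $1 -p tcp -m multiport --dports $5 -j DNAT --to-destination $4"
    rule "-A POSTROUTING -o $WAN -s $3 -j SNAT --to-source $1"
}

# filter table: FORWARD defaults to DROP, so the servers cannot reach each
# other through the router (no eth1<->eth2 rule exists). Only new WAN->server
# connections on the published ports and server->WAN traffic are forwarded.
filter_table() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    rule '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    rule '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    each_server _fwd_one
    rule 'COMMIT'
}
_fwd_one() {
    # FORWARD sees the post-DNAT destination, i.e. the private server address.
    rule "-A FORWARD -i $WAN -o $2 -d $4 -p tcp -m multiport --dports $5 -m conntrack --ctstate NEW -j ACCEPT"
    rule "-A FORWARD -i $2 -o $WAN -s $3 -j ACCEPT"
}

# Single shared public IP (the usual home case): masquerade behind whatever
# address the WAN NIC holds and forward one TCP port to one internal host.
# Usage: shared_ip_nat <internal_ip> <tcp_port>
shared_ip_nat() {
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule "-A PREROUTING -i $WAN -p tcp --dport $2 -j DNAT --to-destination $1"
    rule "-A POSTROUTING -o $WAN -j MASQUERADE"
    rule 'COMMIT'
}

# Apply as root with:  sh router.sh addrs | sh
#                      sh router.sh rules | iptables-restore
#                      sysctl -w net.ipv4.ip_forward=1
case "${1:-rules}" in
    addrs) addr_cmds ;;
    rules) nat_table; filter_table ;;
    *) echo "usage: $0 addrs|rules" >&2; exit 2 ;;
esac
```

The host-based firewall on each server is still needed, as the post says: the router's FORWARD policy only controls what crosses the router, not what a compromised server does on its own /30 or on the server itself.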
Quote:
What it means is that servers behind an adequately managed dedicated firewall will be able to enjoy the mitigation of certain vulnerabilities in ways which servers without dedicated firewalls wouldn't be able to (ceteris paribus). It also means that their administrator(s) will have more options and greater control when responding to security incidents. Firewalls play an integral role in just about any multi-layered security approach, so I'm not sure why you'd be mystified by any of this.
The critical word here is 'higher'. Higher than 'none', certainly, but if you were to start off from a position in which you had adequate security, which would not be just a perimeter firewall, and a perimeter firewall was then taken to be the limit of your security measures, it would be sensible to consider that reduction in security as a lowering. So I find it difficult, without enough detail about what exactly the OP is suggesting, to evaluate whether this level of security is 'higher' or 'lower'.
If the suggestion is just that a perimeter firewall will, by itself, make the system secure, then that is incorrect.
OTOH, the OP may be suggesting that a perimeter firewall may be a worthwhile addition to some other set of measures. As it stands, this might be fine, but without extra knowledge of what those other measures actually are, it seems impossible to comment on whether it would be an adequate set of measures for any particular situation.
I had hoped that the OP would explain the deliberately mysterious comments about what exactly was meant in some detail.
Yes, it is clear that firewalls have a role to play in security (duh!), but it is the possible interpretations of what else the OP is considering, and the context of this question (what do these servers do? are they providing publicly accessible services? what services? are there risks from the local network?), that mean it is almost impossible to give anything other than a very generic response to the original post. The inference that it would be valid to compare the security of a situation with a firewall to something completely undefined seems strange.