LinuxQuestions.org - Linux - Newbie
I'm interested in learning about implementing VLAN tagging into iptables... (https://www.linuxquestions.org/questions/linux-newbie-8/im-interested-in-learning-about-implementing-vlan-tagging-into-iptables-798256/)

trist007 03-27-2010 11:31 AM

I'm interested in learning about implementing VLAN tagging into iptables...
 
My main goal is to build a firewall using VLAN tagging and iptables on a single NIC computer.

Here's my scenario. I have 4 computers. I have no router/firewall. I want the DSL connection coming from my ISP going into a 5 port switch. The 4 computers would then connect to the switch. Then I want to configure one computer with VLAN tagging and iptables to filter out the outside traffic and act as my firewall.

My plan was to configure two VLAN interfaces on this one firewall computer: one for the in VLAN interface (eth0.3), the other for the out VLAN interface (eth0.5). Then in iptables I can set up eth0.3 to receive all outside traffic, then redirect the legitimate traffic (based on my iptables rules) to eth0.5, which would then pass it on to the other 3 computers. Is iptables capable of directing traffic from eth0.3 to eth0.5? Then I would have to mark all the NICs on the 3 other computers to have VLAN eth0.5 tags?

Basically a firewall. Is this possible? I think my main problem is the switch that I have cannot be configured. Wouldn't I need to configure that switch to direct all outside traffic to eth0.3?

So yeah my guess is I need a managed switch with VLAN capacity.

Figured it out, assuming it's a managed switch: configure the switch to send all inbound traffic to VLAN tag 3. Then on that firewall computer configure the NIC to be VLAN tag 3. I then write iptables rules on the firewall box to drop all illegitimate packets. Direct only legitimate traffic to VLAN tag 5, which will be the same VLAN tag on the NICs of the other 3 computers. Wouldn't this work? I just need a switch capable of 802.1Q.

OdinnBurkni 03-28-2010 05:46 AM

VLAN tagging
 
I think you have to have a switch that supports VLANs. So you would configure the DSL port for ID 5 untagged and the port connected to the firewall to both VLANs tagged and the other ports on ID 3 untagged. This is how I would do it. I think that's the only way unless you specify the VLAN on each PC. Another way (easier but doesn't include VLANs) is to install another NIC in the firewall and connect that straight to the DSL.
OK. I didn't take a good enough look at your post. Sorry.
Yes, you're right I guess. Like I said, you need to have the DSL port untagged but set to the right VLAN and same with the other PCs. But the port for the firewall needs to be tagged for both VLANs.
Please keep us informed of your progress.
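The setup described in the two posts above (one NIC, WAN on VLAN 3 as eth0.3, LAN on VLAN 5 as eth0.5, iptables forwarding between them) as an added shell example; this is not code from either poster. Assumed and not from the thread: the LAN subnet 192.168.5.0/24 with the firewall at 192.168.5.1, and that the WAN address on eth0.3 comes from the ISP by DHCP or PPPoE (that part is left out). With DRY_RUN=1, the default, every command is printed instead of executed, so the script can be reviewed on any machine; DRY_RUN=0 applies it as root. The switch side still has to be done by hand: the firewall's port tagged for both VLANs, the DSL port untagged in VLAN 3, the three PC ports untagged in VLAN 5.

```shell
#!/bin/sh
# Single-NIC "router on a stick" firewall: two 802.1Q subinterfaces on eth0,
# WAN side on VLAN 3 (eth0.3), LAN side on VLAN 5 (eth0.5), as in the thread.
# Constructed assumptions: LAN subnet 192.168.5.0/24, firewall at 192.168.5.1.
# DRY_RUN=1 (default) prints each command instead of running it.

NIC="${NIC:-eth0}"
WAN_VID="${WAN_VID:-3}"              # VLAN carrying the DSL/ISP traffic
LAN_VID="${LAN_VID:-5}"              # VLAN carrying the three inside PCs
LAN_NET="${LAN_NET:-192.168.5.0/24}"
LAN_ADDR="${LAN_ADDR:-192.168.5.1/24}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 802.1Q VLAN ids are 1..4094; 0 and 4095 are reserved by the standard.
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Create both tagged subinterfaces on the one physical NIC and enable routing.
setup_vlans() {
    valid_vid "$WAN_VID" || { echo "bad WAN VLAN id: $WAN_VID" >&2; return 1; }
    valid_vid "$LAN_VID" || { echo "bad LAN VLAN id: $LAN_VID" >&2; return 1; }
    [ "$WAN_VID" != "$LAN_VID" ] || { echo "WAN and LAN VLAN ids must differ" >&2; return 1; }

    run ip link add link "$NIC" name "$NIC.$WAN_VID" type vlan id "$WAN_VID"
    run ip link add link "$NIC" name "$NIC.$LAN_VID" type vlan id "$LAN_VID"
    run ip addr add "$LAN_ADDR" dev "$NIC.$LAN_VID"
    run ip link set "$NIC" up
    run ip link set "$NIC.$WAN_VID" up
    run ip link set "$NIC.$LAN_VID" up
    run sysctl -w net.ipv4.ip_forward=1
}

# Stateful FORWARD policy between the two subinterfaces: the LAN may initiate
# connections, the WAN only gets replies; anything else from the WAN is
# logged and dropped by the default policy.
setup_firewall() {
    wan="$NIC.$WAN_VID"
    lan="$NIC.$LAN_VID"

    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -F
    run iptables -t nat -F

    # Anti-spoofing: a packet arriving on the WAN VLAN may never claim a LAN source.
    run iptables -A INPUT -i "$wan" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$wan" -s "$LAN_NET" -j DROP

    # Inside -> outside plus the replies, with NAT towards the ISP.
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -j LOG --log-prefix "FW-DROP: "
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

    # The firewall host itself: loopback, replies, and SSH only from the LAN VLAN.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$lan" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -i "$wan" -j LOG --log-prefix "FW-INPUT-DROP: "
}

setup_vlans && setup_firewall
```

Both subinterfaces share eth0, so the physical port has to be an 802.1Q trunk on the switch; with an unmanaged switch the tags are either stripped or the frames dropped, which is the problem the original post ran into. The anti-spoofing rules matter on a trunk: without them a frame arriving tagged 3 with a 192.168.5.x source would match the LAN accept rules.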

