firewall - iptables
Hello, can anyone help me with a firewall? I'm a newbie with these things, so I don't know very well...
Ok, here is my setup. I have 5 IP addresses: 70.147.94.242 to 70.147.94.246. 70.147.94.241 is my gateway to the world. Elvis has 3 network cards in him. The first is connected to the Internet. It will have to carry all 5 of my IP addresses. The second card is connected to a private network. The private network is in the 192.168.2.x range. The second card has a fixed address of 192.168.2.1. The third network card is to be used as an extremely limited network. It can't talk to anything but the Internet. It CAN NOT talk to the subnet on the 2nd card. The third network card is in the 192.168.3.x range with the third NIC having a fixed IP of 192.168.2.3.
The public IP addresses have the following services...
70.147.94.242
(A) Accepts NO incoming connections. It should be a tarpit to anything that tries to connect to it.
(B) This is my NAT address. The subnet on 192.168.2.x (second NIC) will use this address for all outgoing traffic.
70.147.94.243
(A) Accepts HTTP and HTTPS - may support WebDav for selected addresses
(B) Accepts POP3 and SMTP
(C) Accepts FTP (from selected address only - port knocking perhaps)
(D) Accepts Squid
70.147.94.244
Should be a tar pit
70.147.94.245
Should be a tar pit
70.147.94.246
(A) Accepts SSH
(B) Accepts IRC ports (4400, 6667, and 6668)
192.168.2.1
(A) SSH
(B) DNS (caching only)
(C) DHCP
(D) FTP
(E) HTTP
(F) HTTPS
(G) WebDav
(H) NAT for the entire subnet - 70.147.94.242 is what the subnet should use for its outgoing address
(I) Squid - transparent proxy although authentication is possible
192.168.2.3
(A) DNS (caching only)
(B) DHCP
Of course if anyone attempts to brute force any of the services (connects more than X times per second) I want their address to be blocked and any connection states they currently have to be dropped. I think that about covers it. |
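As an added example, not code from the thread: a POSIX shell script that prints an iptables-restore ruleset for the core of the setup above (default-deny, the public services on .243 and .246, NAT of the private subnet behind .242, the guest NIC cut off from the LAN, transparent Squid redirect, and a per-source brute-force block built on the xt_recent module that also kills the offender's established sessions). Interface names eth0 (public), eth1 (192.168.2.0/24) and eth2 (192.168.3.0/24) and the NAT of guest traffic behind .242 are assumptions; the selected-source FTP and WebDav rules and the tarpit itself are left out.

```shell
#!/bin/sh
# Added example, not from the thread: prints an iptables-restore ruleset for the
# core of the setup above. Apply as root with:  sh fw.sh | iptables-restore
# Assumed interfaces: WAN=eth0 (all public IPs), LAN=eth1 (192.168.2.0/24),
# GUEST=eth2 (192.168.3.0/24); guest traffic is also NATed behind .242 (assumption).
WAN=eth0; LAN=eth1; GUEST=eth2
LAN_NET=192.168.2.0/24; GUEST_NET=192.168.3.0/24
NAT_IP=70.147.94.242; WEB_IP=70.147.94.243; SSH_IP=70.147.94.246
BURST=5; WINDOW=60   # more than BURST new connections in WINDOW seconds = blocked

# svc <public-ip> <tcp-port>: open one service; every NEW connection is recorded
# per source address in the xt_recent list "brute".
svc() {
  echo "-A INPUT -i $WAN -d $1 -p tcp --dport $2 -m conntrack --ctstate NEW -m recent --name brute --set"
  echo "-A INPUT -i $WAN -d $1 -p tcp --dport $2 -j ACCEPT"
}

rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# offenders are dropped before ESTABLISHED is honoured, so their open sessions die too
-A INPUT -i $WAN -m recent --name brute --update --seconds $WINDOW --hitcount $BURST -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $GUEST -p udp -m multiport --dports 53,67 -j ACCEPT
# .242/.244/.245 open nothing, so the DROP policy applies (TARPIT needs xtables-addons)
EOF
  for p in 80 443 25 110 3128; do svc $WEB_IP $p; done
  for p in 22 4400 6667 6668; do svc $SSH_IP $p; done
  cat <<EOF
-A FORWARD -i $GUEST -o $LAN -j DROP
-A FORWARD -i $LAN -o $GUEST -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $GUEST -o $WAN -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $NAT_IP
-A POSTROUTING -s $GUEST_NET -o $WAN -j SNAT --to-source $NAT_IP
COMMIT
EOF
}
```

The `-A INPUT -i eth1 -j ACCEPT` line stands in for the full list of LAN-side services on 192.168.2.1; tighten it to explicit ports once the daemons are in place.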
The last time I had to control a network like that with iptables I used fwbuilder.
It's a nice frontend for an iptables based firewall, and when I'm looking at a network like yours, I think you can manage that with this great tool. |
I'll second the suggestion for fwbuilder. I come from a Checkpoint background, and fwbuilder is the only firewall interface I have found that I like as much (other than the FortiGate boxes that I have deployed at some clients now). Fwbuilder with iptables, and kiwisyslog viewer for color coding logs is a great combination.
|
Didn't know that last one... gonna take a look at it! |