Firewall using ipchains + 3 NICs

Firewall using ipchains + 3 NICs

Post by peripatetic9.. » Wed, 10 Jan 2001 11:17:34



I was considering trying to set up a firewall using Linux's ipchains, to
produce a firewall with three separate network segments: an external one, an
internal one, and a DMZ. As far as I can work out, this is possible using the
-i switch in ipchains.

If anyone has tried this before, and thinks I am wasting my time, please let
me know. I can't find any information about this on the internet, so perhaps
that is for a good reason. :-)

If anyone has tried this successfully, do you have any tips on how to organise
the chains, and the rules within the chains?

Sent via Deja.com
http://www.deja.com/

 
 
 

Firewall using ipchains + 3 NICs

Post by Ralph Spitzn » Thu, 11 Jan 2001 01:35:50



>I was considering trying to set up a firewall using Linux's ipchains, to
>produce a firewall with three separate network segments: an external one, an
>internal one, and a DMZ. As far as I can work out, this is possible using the
>-i switch in ipchains.

Looks something like:

# input chain, eth0 = external interface: drop (and log, -l) packets that
# arrive from outside but claim a source address on the internal or DMZ net.
# Both masks are /24 (255.255.255.0), matching the two nets used in the
# forward rules below; the original second line had a /16 mask by mistake,
# which made it a duplicate of the first.
-A input -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DENY -l
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DENY -l

Deny packets on eth0 which claim to be from the internal/DMZ net.
If you have a DMZ with 'real' IPs you have to replace that 192 stuff
with your IP/Netmask and change the MASQ to FORWARD below.

# forward chain: masquerade everything leaving either private net. The -d
# rules only ever see packets the firewall routes *into* a private net (for
# example DMZ to internal); replies to masqueraded connections are
# de-masqueraded on input and skip the forward chain altogether.
-A forward -s 192.168.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 192.168.0.0/255.255.255.0 -j MASQ
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
-A forward -s 0.0.0.0/0.0.0.0 -d 192.168.1.0/255.255.255.0 -j MASQ

Forward everything else.

Works reasonably well here, any comment welcome, though.

        -rasp

--
But, trust me on the sunscreen....

 
 
 

Firewall using ipchains + 3 NICs

Post by R.A. van Geleuke » Thu, 11 Jan 2001 14:31:50


Find the IPCHAINS-HOWTO (my version comes with RedHat 6.2). It contains a full
example of exactly the setup you're trying to build, but I haven't tried it
(yet)....

Roald.


Quote:
> I was considering trying to set up a firewall using Linux's ipchains, to
> produce a firewall with three separate network segments: an external one, an
> internal one, and a DMZ. As far as I can work out, this is possible using the
> -i switch in ipchains.

> If anyone has tried this before, and thinks I am wasting my time, please let
> me know. I can't find any information about this on the internet, so perhaps
> that is for a good reason. :-)

> If anyone has tried this successfully, do you have any tips on how to organise
> the chains, and the rules within the chains?

> Sent via Deja.com
> http://www.deja.com/

 
 
 

Firewall using ipchains + 3 NICs

Post by Raphael Manki » Thu, 11 Jan 2001 04:09:12


: I was considering trying to set up a firewall using Linux's ipchains, to
: produce a firewall with three separate network segments: an external one, an
: internal one, and a DMZ. As far as I can work out, this is possible using the
: -i switch in ipchains.

[snip]
: If anyone has tried this successfully, do you have any tips on how to organise
: the chains, and the rules within the chains?

The trick to keeping your sanity while doing this is to organise all
your packets onto chains according to where they came from and where
they are going. Probably the only output chain rules you will need will
be on the chains destined for the firewall itself: nothing should be
sending packets to the firewall, only through the firewall.

--
                       Science is rapidly filling our homes with
                       devices smarter than we are.     - Anon

Raphael Mankin

----------------------------------
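Putting the two replies together, here is a complete rule set for the three-NIC layout as an added example (not code from any of the posters): anti-spoofing on the input chain in the style of Ralph's rules, and one user-defined chain per source/destination segment pair as Raphael suggests, with masquerading only where a private net is the source. The interface names, the address ranges (documentation ranges 198.51.100.0/24 and 203.0.113.0/29 for the external and DMZ side, 192.168.1.0/24 for the LAN), the firewall's own addresses and the DMZ web server are all assumptions for illustration. By default the script only prints the ipchains commands so the layout can be reviewed on any machine; set APPLY=1 to execute them on an ipchains box.

```shell
#!/bin/sh
# Added example: three-NIC ipchains layout (external / internal / DMZ).
# Interfaces, addresses and the DMZ host below are assumptions for illustration.
EXT_IF=eth0                               # Internet side
INT_IF=eth1;  INT_NET=192.168.1.0/24      # private LAN, masqueraded
DMZ_IF=eth2;  DMZ_NET=203.0.113.0/29      # DMZ with routable addresses
DMZ_WWW=203.0.113.2                       # public web server in the DMZ
FW_IPS="198.51.100.1 203.0.113.1 192.168.1.1"   # the firewall's own addresses

# Print each ipchains command unless APPLY=1, so the layout can be reviewed
# (and this script run) on a machine without ipchains.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipchains "$@"
    else
        printf 'ipchains %s\n' "$*"
    fi
}

rules() {
    run -F; run -X                  # flush all chains, delete user chains
    run -P input ACCEPT             # input: anti-spoofing + access to the firewall itself
    run -P forward DENY             # nothing crosses segments unless a pair chain allows it
    run -P output ACCEPT

    # 1. Anti-spoofing. On the input chain -i is the *incoming* interface:
    #    each segment may only source packets from its own net.
    run -A input -i lo -j ACCEPT
    run -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    run -A input -i "$EXT_IF" -s "$DMZ_NET" -j DENY -l
    run -A input -i "$INT_IF" -s ! "$INT_NET" -j DENY -l
    run -A input -i "$DMZ_IF" -s ! "$DMZ_NET" -j DENY -l

    # 2. Packets addressed to the firewall itself: only ssh from the LAN,
    #    plus replies to connections the firewall opened.
    run -N fw-in
    for ip in $FW_IPS; do run -A input -d "$ip" -j fw-in; done
    run -A fw-in -i "$INT_IF" -p tcp -s "$INT_NET" -d 0/0 22 -j ACCEPT
    run -A fw-in -p tcp ! -y -j ACCEPT            # non-SYN: established TCP
    run -A fw-in -p udp -s 0/0 53 -j ACCEPT       # DNS answers
    run -A fw-in -p icmp -j ACCEPT
    run -A fw-in -j DENY -l

    # 3. Classify crossing traffic into one chain per (from -> to) pair.
    #    On the forward chain -i is the *outgoing* interface; the source net
    #    identifies the origin (spoofs were already dropped in step 1).
    for pair in int-ext int-dmz dmz-ext dmz-int ext-dmz ext-int; do run -N "$pair"; done
    run -A forward -i "$EXT_IF" -s "$INT_NET" -j int-ext
    run -A forward -i "$EXT_IF" -s "$DMZ_NET" -j dmz-ext
    run -A forward -i "$DMZ_IF" -s "$INT_NET" -j int-dmz
    run -A forward -i "$DMZ_IF" -j ext-dmz
    run -A forward -i "$INT_IF" -s "$DMZ_NET" -j dmz-int
    run -A forward -i "$INT_IF" -j ext-int
    run -A forward -j DENY -l

    # 4. Policy per pair. LAN traffic is masqueraded both towards the Internet
    #    and towards the DMZ, so DMZ hosts only ever see the firewall's DMZ
    #    address and replies are de-masqueraded before the forward chain.
    run -A int-ext -j MASQ
    run -A int-dmz -j MASQ
    run -A dmz-ext -j ACCEPT                      # routable addresses: plain forward
    run -A ext-dmz -p tcp -d "$DMZ_WWW" 80 -j ACCEPT
    run -A ext-dmz -p tcp -d "$DMZ_WWW" 443 -j ACCEPT
    run -A ext-dmz -p tcp ! -y -d "$DMZ_NET" -j ACCEPT   # replies to DMZ-initiated TCP
    run -A ext-dmz -p udp -s 0/0 53 -d "$DMZ_NET" -j ACCEPT
    run -A ext-dmz -j DENY -l
    run -A dmz-int -j DENY -l                     # DMZ must never initiate into the LAN
    run -A ext-int -j DENY -l                     # and neither may the Internet
}

rules
```

The pair chains are where the policy lives; the input and forward chains only classify. The one design choice worth noting is masquerading LAN-to-DMZ as well as LAN-to-Internet: it costs nothing on a private LAN, and it means the dmz-int chain can be a flat deny, because the DMZ never needs a rule that lets "replies" back into the LAN that a compromised DMZ host could abuse.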