Dual PVC connection

From: David Johnson (david_at_johnsondata.com.au)
Date: 04/12/04


Date: 12 Apr 2004 07:21:39 -0700

Fellow networking travellers

We are setting up a new internet connection and are missing some important
steps for the best security model. The ISP involved seems a bit green at
this as well.

What we have is a dual PVC coming into an ADSL router/modem. One PVC
(1) will be an internet connection. The second PVC (2) will be a
private GRE connection to a branch office. The router/modem brand has
been specified by the ISP as the only one supported (Open Networks). It
only has one WAN input (the dual PVC) and one LAN output.

The (1) connection is a standard public IP address.
The (2) connection is a private IP address 192.168.150.x

As this particular router/modem has only "OK" firewall capability, we
wish to add an additional firewall (Snapgear Linux appliance) between
it and the head office network.

These requirements, (1) NAT and (2) routing, are configurable by
themselves.
(1)
iptables -t nat -I POSTROUTING -o $INTERNET_IF -s 192.168.x.212 -j SNAT --to-source 203.185.x.x
iptables -A ExtAcc -d 192.168.x.212 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTERNET_IF -p tcp --dport 80 -d 203.185.x.x -j DNAT --to-destination 192.168.x.212
etc. is easy for (1), allowing public ports into internal servers, e.g.
web server access.

(2)
# enable IPv4 forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# flush every table and fall back to accept-everything policies
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
to route the private branch office subnet into the head office subnet.

Is it possible to combine the 2 of them and still maintain a secure
firewall?

Thanks. David
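One way the two requirements can be combined on a single Linux firewall is to generate one iptables-restore ruleset in which the NAT table exempts head-office-to-branch traffic from SNAT, and the filter table defaults FORWARD to DROP and admits the branch subnet by an explicit rule. The script below is an added example, not code from David's post or from the SnapGear product. It assumes the firewall sees both PVCs on one WAN interface (the GRE tunnel terminating on the router/modem, so the firewall only sees routed 192.168.150.x packets), and the interface names, the head-office subnet, the web server address and the 203.0.113.10 public address are placeholders; only 192.168.150.0/24 comes from the post.

```shell
#!/bin/sh
# Added example (not code from the original post): build one iptables-restore
# ruleset combining (1) NAT for the internet PVC and (2) plain routing for the
# branch-office PVC on a single WAN interface, with default-deny forwarding.
# Interface names, head-office subnet, web server and public address are
# assumptions/placeholders; only 192.168.150.0/24 is from the post.

WAN_IF="${WAN_IF:-eth1}"                  # assumed: faces the ADSL router/modem
LAN_IF="${LAN_IF:-eth0}"                  # assumed: faces the head-office LAN
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # placeholder for the real public address
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed head-office subnet
BRANCH_NET="192.168.150.0/24"             # branch subnet on PVC (2), from the post
WEB_SERVER="${WEB_SERVER:-192.168.1.212}" # assumed internal web server

# NAT table: DNAT only the published service; SNAT traffic bound for the
# internet, but let head-office -> branch packets keep their private source so
# the branch path stays routed rather than NATed.
gen_nat_table() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $WEB_SERVER
-A POSTROUTING -o $WAN_IF -s $LAN_NET -d $BRANCH_NET -j RETURN
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}

# Filter table: FORWARD defaults to DROP, the branch subnet is admitted by an
# explicit rule, other private sources arriving on the WAN side are treated as
# spoofed, and the internet side reaches only the DNATed web port.
gen_filter_table() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A FORWARD -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A FORWARD -i $WAN_IF -o $LAN_IF -s $BRANCH_NET -d $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SERVER --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

gen_ruleset() { gen_nat_table; gen_filter_table; }

# Line number of the first generated rule matching a pattern (ordering checks).
rule_line() { gen_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

# Rule order is what makes this safe: the branch SNAT exemption must precede
# the catch-all SNAT, and the branch ACCEPT must precede the private-source DROP.
check_ordering() {
  r=$(rule_line '-j RETURN'); s=$(rule_line '-j SNAT')
  a=$(rule_line "-s $BRANCH_NET -d $LAN_NET -j ACCEPT")
  d=$(rule_line '-s 192.168.0.0/16 -j DROP')
  [ -n "$r" ] && [ -n "$s" ] && [ "$r" -lt "$s" ] &&
  [ -n "$a" ] && [ -n "$d" ] && [ "$a" -lt "$d" ]
}

# On the firewall itself (root): enable forwarding, then load atomically
# instead of flushing to ACCEPT-everything policies first.
apply_ruleset() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  gen_ruleset | iptables-restore
}

case "${1:-}" in
  print) gen_ruleset ;;
  apply) check_ordering && apply_ruleset ;;
esac
```

Run it as `sh combined-fw.sh print` to inspect the ruleset and `sh combined-fw.sh apply` on the SnapGear box. No static route is needed for the branch subnet when both PVCs arrive through the same router/modem next hop, since the default route already covers it; the RETURN before the SNAT rule is what keeps the branch traffic un-NATed, and the DROP policy on FORWARD replaces the ACCEPT policies from step (2).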


