Re: Making a router from a Linux machine

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 02/28/05


Date: 28 Feb 2005 21:38:18 GMT


First make sure that the two networks can talk to each other. Switch off
all firewall, make sure that your central machine is the default gateway on
both sides, and see if they can talk to each other. You need to get this
working first.

Once you have that working then you can get the firewall working. I use
shorewall, a wrapper for iptables.

I do not think that there is any reason why you should be using masquerading
in this context. There is no reason I could imagine why you should.
Just leave them with their separate networks and addresses, and set up the
routing table appropriately.

iceman_to_the_max@yahoo.com writes:

>I have a Debian Linux on one machine which has 2 Ethernet cards. I want
>to make this machine to be my firewall. eth0 is connected to one small
>network of about 15 computers, while eth1 is connected to another
>"network" of 1 computer. I want to make my Linux machine filter
>everything I want and let everything I need. However, many days working
>with iptables just didn't help - I still don't have a solution. My
>current solution is to use a simple Ethernet bridging, which is a
>"goodbye to firewall". I have tried everything reasonable from the
>iptables documentation provided. I also searched the Internet,
>including these Groups. I used to make it work good in one direction,
>but not vice-versa. I also am concerned if the iptables is enough,
>since many things work on the lower level (ARP, RARP, DNS and many
>other protocols use the OSI Layer 2 or TCP/IP network layer to provide
>their services).

>Since I have tried "everything" and it didn't work, the only reasonable
>answer to this might be a complete configuration. If anyone has a
>sample configuration which is analogous to the above, please post here
>or send me a complete process of how to do this. I think no further
>explanation would be necessary of the given solution, the only thing I
>want is it to work. Maybe this is too much to ask, but that seems the
>only solution.

>Shortly, I need no masquerading, but I need to translate all eth0
>addresses to eth1 and vice versa. I still want my firewall to be
>functional as a workstation or a server and a part of any network,
>preferably one of eth0.
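The two-step approach in Bill's reply (plain routing first, then a stateful filter on forwarded traffic, no masquerading) as an added shell example; it is not from the thread, and the interface names and the two 192.168.x.0/24 networks are assumed placeholders for the poster's LAN and single host. The function prints the commands instead of running them so the rule set can be reviewed before piping it into `sh` as root.

```shell
#!/bin/sh
# Added example, not from the post. Assumed layout: the LAN is behind
# eth0, the single host behind eth1, and both sides already use this
# box as their default gateway (Bill's step 1). Nothing here is NAT.

gen_router_rules() {
    lan_if="$1"; lan_net="$2"; host_if="$3"; host_net="$4"
    cat <<EOF
# Step 1: plain IP forwarding between the two networks; addresses stay
# as they are, so the connected routes for $lan_net and $host_net are
# all the routing table needs (check with "ip route show").
sysctl -w net.ipv4.ip_forward=1
# Step 2: once the two sides talk, filter what is forwarded.
iptables -F FORWARD
iptables -P FORWARD DROP
# Return traffic for connections already allowed in either direction.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may open connections to the single host; the -s/-d match also
# rejects packets arriving on an interface with addresses from the
# other side (simple anti-spoofing).
iptables -A FORWARD -i $lan_if -o $host_if -s $lan_net -d $host_net -j ACCEPT
# The single host may open connections to the LAN; narrow to specific
# ports with "-p tcp --dport N" when the policy is known.
iptables -A FORWARD -i $host_if -o $lan_if -s $host_net -d $lan_net -j ACCEPT
# Everything else is logged before the DROP policy takes effect,
# which is what you want to read while debugging one-way breakage.
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
EOF
}

# Constructed sample networks; replace with the real ones.
gen_router_rules eth0 192.168.1.0/24 eth1 192.168.2.0/24
```

Note that iptables only sees IP traffic; ARP on each segment is handled by the router's own interfaces and never crosses it, which is the difference from the bridging setup the poster was using.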


