Re: Do I have to enable bridge if I want to make Linux box as Router (4-port NIC for local LAN and 1-port NIC for WAN)?

From: Bill Davidsen (davidsen_at_deathstar.prodigy.com)
Date: 08/04/05


Date: Thu, 04 Aug 2005 19:36:35 GMT

GS wrote:
> Do I have to enable bridge if I want to make Linux box (PC) as Router
> (4-port NIC for local LAN and 1-port NIC for WAN)? I have two NIC
> cards, one is 4-port NIC card which is to connect all four local PC's
> for Net connection and one port NIC connected to DSL/Cable Modem. Do I
> have to enable Bridge? In this case how do I have to name the ethernet
> ports, like eth0, eth1, eth2......eth4?
>
> Also if I want to access the Router over the LAN to configure the
> Router parameters, do I have to connect one more NIC or is there any
> alternative way?

Unless you really need to do a lot of packet limiting to individual
machines, you would be well off to just use a switch and not need to
manage five NICs. You don't need or want bridge, you want each machine
to have a private IP address, like 192.168.1.xxx (xxx range 1..254).
Then you set your main machine to MASQUERADE packets from the internal
NIC(s) to the outside world, so only the correct ISP provided IP address
shows.

You want the iptables policy to reject everything in the INPUT stream,
then allow only what you really want to pass. As a start, I make the
first (most often used) rule to accept anything established or related.
Then you accept as little as possible from the internal machines, only
things like http, maybe mail (smtp) connections to your provider's
outbound mailer, etc. If you use chat or similar you need to open that,
but ONLY if you initiate it from your inside machines.

Unless you want to run servers, you want to drop everything except
established tcp and maybe udp sockets. *Maybe* you allow ping, if you
must. You have to turn on the forwarding flag in /proc/sys/net/ipv4 so
your protected machines can talk to the outside world.

Never use telnet connections, they can be sniffed and are in clear text.
Set up ssh and use that instead, change the config file (usually
/etc/ssh/sshd_config) to allow protocol two only, you will see something
like "2,1" and should replace it with just "2" because there are
weaknesses in protocol one.

To allow incoming connections, definitely use redirect so the connect
comes in on a port other than the ssh (22) port. People *will* probe all
the standard ports. If you know what IP or range of IPs you will use,
only allow connect from them.

Being secure is a fair bit of work; there are some canned solutions out
there which will do much of it for you. I hear all good things about
"Astaro Security Linux" so that's a possibility, but there are others.

Needless to say, to be secure it takes a lot more work than just
plugging the wires and running. Take backups, try not to leave critical
stuff like passwords and account numbers on machines.

-- 
bill davidsen
   SBC/Prodigy Yorktown Heights NY data center
   http://newsgroups.news.prodigy.com
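As an added example (not part of Bill's post or anything from the thread), here is a small POSIX shell script that turns the policy above into an iptables-restore ruleset: INPUT and FORWARD default to DROP, the first rule accepts ESTABLISHED/RELATED traffic, LAN traffic is MASQUERADEd out the WAN port, forwarding is enabled, inbound ssh is REDIRECTed from a non-standard port and limited to a known admin range, and sshd_config is pinned to protocol 2. Interface names (eth0/eth1), the 192.168.1.0/24 LAN, port 2222, the 203.0.113.0/24 admin range and the 192.0.2.25 mail relay are all assumed placeholders; the function names are mine.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) a router firewall in the
# spirit of the post above. All addresses/interfaces are assumed placeholders.

WAN_IF="${WAN_IF:-eth0}"                    # port cabled to the DSL/cable modem
LAN_IF="${LAN_IF:-eth1}"                    # inside port (feeds the switch)
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # private range for the inside PCs
SSH_ALT_PORT="${SSH_ALT_PORT:-2222}"        # outside port redirected to sshd on 22
ADMIN_SRC="${ADMIN_SRC:-203.0.113.0/24}"    # placeholder: your known admin IP range
SMTP_RELAY="${SMTP_RELAY:-192.0.2.25}"      # placeholder: provider's outbound mailer

# Emit an iptables-restore ruleset on stdout so it can be reviewed before use.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound ssh arrives on the alternate port, only from known admin addresses
-A PREROUTING -i $WAN_IF -p tcp -s $ADMIN_SRC --dport $SSH_ALT_PORT -j REDIRECT --to-ports 22
# Hide the LAN behind the single ISP-provided address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# First, most-used rule: packets belonging to a connection already allowed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# After REDIRECT the destination port is 22; still limited to admin sources
-A INPUT -i $WAN_IF -p tcp -s $ADMIN_SRC --dport 22 -j ACCEPT
# Configure the router over the LAN side, no extra NIC needed
-A INPUT -i $LAN_IF -p tcp -s $LAN_NET --dport 22 -j ACCEPT
# Ping only from the inside, and only if you must
-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# Forwarding: replies to LAN-initiated sessions plus a short outbound list
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -d $SMTP_RELAY --dport 25 -j ACCEPT
COMMIT
EOF
}

# Pin sshd to protocol 2: rewrite an existing "Protocol 2,1" line or add one.
# Takes the config path as an argument (normally /etc/ssh/sshd_config).
set_ssh_protocol2() {
    f="$1"
    tmp="$f.tmp.$$"
    if grep -q '^Protocol[[:space:]]' "$f"; then
        sed 's/^Protocol[[:space:]].*/Protocol 2/' "$f" > "$tmp" && mv "$tmp" "$f"
    else
        printf 'Protocol 2\n' >> "$f"
    fi
}

# Turn on forwarding and load the ruleset; only meaningful as root.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_ruleset | iptables-restore
}

# Usage: sh router-fw.sh         -> print the ruleset for review
#        sh router-fw.sh apply   -> enable forwarding and load it
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
elif [ "${1:-}" = "show" ]; then
    build_ruleset
fi
```

Review the printed ruleset before applying it; a wrong WAN_IF or ADMIN_SRC with a DROP policy on INPUT can lock you out of a remote box, so keep a console or a LAN-side session open the first time.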

