Re: Internet filtering
On 26/07/10 09:39 PM, vr wrote:
On Mon, 26 Jul 2010 21:09:44 -0400, "H.S." wrote:
I am not familiar with ATT. Is your service ADSL or cable?
They call it VDSL.
Sorry, never used it. Do they give a modem for the connection?
I'm interested in more info about the two-network-card configuration like
you're running. I have spare parts lying around which could perform that
duty. Can you tell me what software package you are using to control the
traffic across your network cards? Is it GUI based? Can you define which
protocols you want to allow?
Okay, here goes. But I would still say that for most cases, a router
with an open source firmware might be more than sufficient for most
purposes. The other advantage of such a router, as compared to a
computer working as a router, is its low power consumption since it has
to remain powered on for the traffic to flow. Besides, such routers are
quite robust once configured and quite immune to defects from power
failures and, moreover, there are no hard disks to worry about crashing.
My setup is the following:
                    ;-------.
tel line-->MODEM--->eth0      eth1---->SWITCH
                    |_______.wlan0--> <WLAN>
                     Router m/c
Here MODEM is my ADSL modem and "Router m/c" is my Debian box running as
a router. It has three interfaces, eth0 connects to the modem via an
ethernet cable, eth1 to a switch via a cable and wlan0 provides my
wireless LAN access point (using hostapd with my Dlink card).
I have configured my eth0 as a 192.168.0.0/24 network device, eth1 as a
192.168.1.0/24 network device and wlan0 as 192.168.5.0/24. They can be
on any three different private subnets.
The software I use for the machine to act as a router is iptables with
ip_forwarding enabled (this makes the machine a gateway router). And
the various rules (for filtering or port forwarding or blocking) are
also done using iptables.
There are many applications that can be used to create the desired
iptables rules. I use my own bash script. I am thinking of playing with
a GUI option when I get some time. I hear Firestarter is a good choice.
There is one called fwbuilder as well. A command line firewall is
shorewall. Most of these tools actually make it easier to generate the
iptables rules that one would otherwise need to create by hand. If you
do a Google search, you can find many choices for this and detailed
how-tos.
Besides this, I also use dnsmasq as a dhcp server on the router machine
and this allows LAN clients to connect as dhcp clients. Very useful
application. Other than this, I also have an OpenVPN server set up so
that my home users can connect to it from outside to have secure and
encrypted traffic. I must mention here that all this can usually also be
done using the usual consumer router devices and an open source firmware
(and sometimes even with their stock firmwares), but with much less pain
than setting up your own internet gateway with a computer with iptables
filtering.
If you have any further questions, feel free to ask.
Regards.
--
Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
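As an added illustration of the setup H.S. describes (this is not his own bash script), the following generates an iptables-restore ruleset for a Debian box with eth0 towards the modem, eth1 to the switch and wlan0 as the hostapd access point, using the subnets from the post. Assumptions not in the post: SSH on port 22 and OpenVPN on its default UDP port 1194; the LAN-side pairs are deliberately kept as a plain list so the script runs under POSIX sh.

```shell
#!/bin/sh
# Added example, not the poster's script: build an iptables-restore ruleset
# for a three-interface Linux gateway (WAN to modem, wired LAN, WLAN).
WAN=${WAN:-eth0}
# interface:subnet pairs, as in the post (eth1 and wlan0 are LAN side)
LAN_PAIRS=${LAN_PAIRS:-"eth1:192.168.1.0/24 wlan0:192.168.5.0/24"}
VPN_PORT=${VPN_PORT:-1194}   # assumed OpenVPN port (not stated in the post)

gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT everything that leaves towards the modem
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# OpenVPN from the outside is the only unsolicited traffic the WAN may deliver
-A INPUT -i $WAN -p udp --dport $VPN_PORT -j ACCEPT
EOF
  for pair in $LAN_PAIRS; do
    ifc=${pair%%:*}
    net=${pair#*:}
    # LAN clients may reach dnsmasq (DHCP, DNS) and SSH on the router itself
    echo "-A INPUT -i $ifc -p udp --dport 67 -j ACCEPT"
    echo "-A INPUT -i $ifc -s $net -p udp --dport 53 -j ACCEPT"
    echo "-A INPUT -i $ifc -s $net -p tcp --dport 53 -j ACCEPT"
    echo "-A INPUT -i $ifc -s $net -p tcp --dport 22 -j ACCEPT"
    # Forward LAN -> WAN only for sources that belong to that interface's
    # subnet, so a host cannot spoof another segment's addresses
    echo "-A FORWARD -i $ifc -s $net -o $WAN -j ACCEPT"
  done
  echo "COMMIT"
}

apply_rules() {
  # Enable routing between interfaces, then load the generated ruleset atomically
  sysctl -w net.ipv4.ip_forward=1
  gen_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run with `sh gateway.sh` to print the ruleset for review, and `sh gateway.sh apply` as root to load it.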