
Re: basic firewall question

--- Nathan Barham <nathan@sleepygeek.com> wrote:
> Ognen Duzlevski wrote:
> > Hi,
> > 
> > << ... >>
> > 
> > Thanks,
> > Ognen
> > 
> > 
> Ognen,
> You could do it like this:
> < ... >
> ( I don't know offhand what (or if) the limit is for the number of 
> aliases allowed per interface, but I think I recall doing three 
I would guess 256 or 256 ^ 2 on 32 bit systems and even greater with a 64.
With any Linux *arbitrary* limit, changing it should be simple and straight

> successfully.  Also note that though eth0:1 will show up with ifconfig, 
> AFAIK iptables will only refer to that interface as eth0.)
"eth0" != "eth0:1", however all traffic does go through eth0.
From IPTABLES(8):
If the interface name ends in a "+", then any interface which begins with
this name will match.

> OK, now you want to get the incoming www traffic that is headed for 
> through your firewall to your www server and back out. 
> The iptables rules would go something like this:
> IPTABLES=/sbin/iptables         # Path to iptables
> EXT_IP=""          # eth0 IP
> EXT_IF="eth0"                   # External interface
> DMZ_IF="eth1"                   # DMZ interface
> DMZ_IP=""           # eth1
> WWW_IP=""          # Virtual external www IP
> DMZ_WWW_IP=""       # WWW server in DMZ
> < ... >
I honestly didn't read the part I clipped here.

> Of course your firewall will likely also have a third interface for your
Giving a separate interface (eth2) for users is a good choice.  It makes routing to
the NATed servers easier.  It also increases your servers' throughput and
clients' response (ping) time.

The wondershaper will always be a good idea, even if you're lucky enough to
have 1.54Mbps.

> private LAN.  If so, and you want the machines on your LAN to use the 
> services provided in your DMZ, you will probably need to find a way for 
> them to resolve www.x.edu to (instead of your public www IP)
There are large threads on this list about this topic.

> and then provide access through your firewall for them as well.
> You might want to look into Shorewall or other iptables frontends to 
> help you out if you don't like writing your own rule sets.
There are many small threads about this topic.

> Hope that helps.
> -Nathan

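The two technical points in the thread above, the "+" suffix that makes an interface match cover eth0 and its aliases such as eth0:1, and the www DNAT rule set whose variable block Nathan quoted, fit together in one script. The following is an added example written for this page, not code from Nathan or Ognen and not a Shorewall fragment; the IP addresses, the eth0:1 alias and the DRY_RUN switch are constructed assumptions. It prints the rules by default so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): forward inbound HTTP that arrives on a
# virtual external IP (bound as an eth0:N alias) to a web server in the DMZ,
# with a dry run that prints the iptables commands instead of running them.

IPTABLES=${IPTABLES:-/sbin/iptables}   # Path to iptables
EXT_IF="eth0"                          # External interface
DMZ_IF="eth1"                          # DMZ interface
WWW_IP="203.0.113.10"                  # assumed: virtual external www IP (eth0:1)
DMZ_WWW_IP="10.10.0.10"                # assumed: WWW server in DMZ

DRY_RUN=${DRY_RUN:-1}                  # 1 = print the rules, 0 = apply them

# Print or execute one iptables command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

www_dnat_rules() {
    # Rewrite the destination of inbound HTTP to the DMZ server.
    # "${EXT_IF}+" matches eth0 and any name beginning with eth0, so an
    # alias such as eth0:1 is covered, as IPTABLES(8) describes.
    run -t nat -A PREROUTING -i "${EXT_IF}+" -p tcp -d "$WWW_IP" --dport 80 \
        -j DNAT --to-destination "$DMZ_WWW_IP:80"
    # Let only the rewritten flow through FORWARD (new and established),
    # not arbitrary traffic into the DMZ.
    run -A FORWARD -i "${EXT_IF}+" -o "$DMZ_IF" -p tcp -d "$DMZ_WWW_IP" --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # And let the server's replies back out, but only for established flows.
    run -A FORWARD -i "$DMZ_IF" -o "${EXT_IF}+" -p tcp -s "$DMZ_WWW_IP" --sport 80 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Usage:  sh www-dnat.sh             prints the three rules for review
#         DRY_RUN=0 sh www-dnat.sh   applies them (run as root)
www_dnat_rules
```

The FORWARD rules are deliberately narrower than the DNAT rule: the nat table only rewrites the destination, so without the matching filter rules a default-DROP FORWARD chain would still block the flow, and with a default-ACCEPT chain anything else aimed at the DMZ would pass. Reviewing the printed commands before setting DRY_RUN=0 is the point of the switch.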
