Re: basic firewall question
--- Nathan Barham <nathan@sleepygeek.com> wrote:
> Ognen Duzlevski wrote:
> > Hi,
> >
> > << ... >>
> >
> > Thanks,
> > Ognen
> >
> >
>
> Ognen,
>
> You could do it like this:
>
> < ... >
>
> ( I don't know offhand what (or if) the limit is for the number of
> aliases allowed per interface, but I think I recall doing three
I would guess 256 or 256 ^ 2 on 32-bit systems and even greater with a 64.
With any Linux *arbitrary* limit, changing it should be simple and
straightforward.
> successfully. Also note that though eth0:1 will show up with ifconfig,
> AFAIK iptables will only refer to that interface as eth0.)
>
"eth0" != "eth0:1", however all traffic does go through eth0.
From IPTABLES(8):
If the interface name ends in a "+", then any interface which begins with
this name will match.
>
> OK, now you want to get the incoming www traffic that is headed for
> 66.224.54.117 through your firewall to your www server and back out.
> The iptables rules would go something like this:
>
> # VARIABLES
> IPTABLES=/sbin/iptables # Path to iptables
> EXT_IP="66.224.54.118" # eth0 IP
> EXT_IF="eth0" # External interface
> DMZ_IF="eth1" # DMZ interface
> DMZ_IP="192.168.1.1" # eth1
> WWW_IP="66.224.54.117" # Virtual external www IP
> DMZ_WWW_IP="192.168.1.2" # WWW server in DMZ
>
> < ... >
I honestly didn't read the part I clipped here.
>
> Of course your firewall will likely also have a third interface for your
>
Giving a separate interface (eth2) for users is a good choice. It makes routing to
the NATed servers easier. It also increases your servers' throughput and
clients' response (ping) time.
The wondershaper will always be a good idea, even if you're lucky enough to
have 1.54Mbps.
> private LAN. If so, and you want the machines on your LAN to use the
> services provided in your DMZ, you will probably need to find a way for
> them to resolve www.x.edu to 192.168.1.2 (instead of your public www IP)
>
There are large threads on this list about this topic.
> and then provide access through your firewall for them as well.
>
> You might want to look into Shorewall or other iptables frontends to
> help you out if you don't like writing your own rule sets.
>
There are many small threads about this topic.
> Hope that helps.
>
> -Nathan
>
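The DNAT setup Nathan sketches above (inbound www traffic for the virtual IP 66.224.54.117 forwarded to the DMZ box at 192.168.1.2), written out as an added example that is not part of either poster's message or the elided rule set. It reuses the variable names quoted above, matches the external interface as "eth0+" so that the eth0:1 alias is covered per IPTABLES(8), and assumes a default-DROP FORWARD policy is set elsewhere; by default it only prints the rules (set IPT=/sbin/iptables as root to load them).

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: IPT points at a
# function that prints each rule instead of loading it.
show_rule() { printf '%s\n' "$*"; }
IPT="${IPT:-show_rule}"

EXT_IF="eth0"              # external interface (eth0:1 carries the virtual IP)
DMZ_IF="eth1"              # DMZ interface
WWW_IP="66.224.54.117"     # virtual external www IP
DMZ_WWW_IP="192.168.1.2"   # www server in the DMZ

www_rules() {
    # Rewrite the destination of inbound HTTP aimed at the virtual IP.
    # "eth0+" matches eth0 and any alias such as eth0:1.
    "$IPT" -t nat -A PREROUTING -i "${EXT_IF}+" -p tcp -d "$WWW_IP" --dport 80 \
        -j DNAT --to-destination "$DMZ_WWW_IP"
    # Only new HTTP connections are allowed inward to the DMZ host ...
    "$IPT" -A FORWARD -i "${EXT_IF}+" -o "$DMZ_IF" -p tcp -d "$DMZ_WWW_IP" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # ... and only replies to tracked connections are allowed back out.
    "$IPT" -A FORWARD -i "$DMZ_IF" -o "${EXT_IF}+" -s "$DMZ_WWW_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Replies to DNATed connections are un-translated by conntrack on their
    # own; this SNAT only makes connections the server itself opens leave
    # with the virtual IP as source rather than the firewall's eth0 address.
    "$IPT" -t nat -A POSTROUTING -o "${EXT_IF}+" -s "$DMZ_WWW_IP" \
        -j SNAT --to-source "$WWW_IP"
}

www_rules
```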