
Firewalling: best approach?



I am trying to configure a firewall, but nailing down the configuration
is eluding me. The box is running Debian stable. I have tried with
iproute2 (I'm including a description below), but not gotten the
intended effect. I have tried the lartc list, to no avail. A friend of
mine suggested setting up a virtual server for one set of interfaces and
running the other set on the native machine. Which is the best approach
to this? Muddling through the iproute2 configuration, or the virtual
server route? If virtual server, which would be the best one? Qemu? Xen?
VMware player or server (free as in beer, but not as in speech)?

Basically, I have a rackmount server with six network interfaces (2
onboard and a quad card). eth0 is the internal network, eth1 is a kiosk
network, eth2 is a DMZ/wireless network. On the outbound side, eth3 is a
DSL connection and eth4 is a cablemodem connection.

What I am trying to do is route all internal traffic out the DSL
connection (eth0 to eth3), and the two dmzs, kiosk and wireless out the
cable connection (eth1 and eth2 to eth4). Thus far I have been unable
to get this to work.

For the sake of the discussion, the internal network is 10.1.1.0/24, the
kiosk is 172.16.1.0/24 and the dmz/wireless is 192.168.1.0/24. The dsl
line is 1.2.3.4 and the cable line is 9.8.7.6.

I added the following to rt_tables:

1       internal
2       kiosk
3       dmz

then created a script

ip rule add from 10.1.1.0/24 table internal
ip route add default via 1.2.3.4 dev eth3 table internal

ip rule add from 172.16.1.0/24 table kiosk
ip route add default via 9.8.7.6 dev eth4 table kiosk

ip rule add from 192.168.1.0/24 table dmz
ip route add default via 9.8.7.6 dev eth4 table dmz

When I run this script, it does not do what I expect, especially after
running the firewall rules atop it. I thought I had it nailed, but it
wasn't working as expected, and I really couldn't test very well.

I'm hoping some kind soul on this list might have a few minutes for an
email exchange to help me get this sorted out. If so, please email me
off-list. I'm sure it's probably something that I overlooked, but I'm at
a loss as to what.

Regards,
--b
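
A complete version of the policy-routing script described in the post, as an added example and not code from the original message. It keeps the three tables and the source-based rules from the post, and adds the two pieces a setup like this usually needs: rules that keep LAN-to-LAN traffic on the main table (otherwise a packet from 10.1.1.0/24 to 172.16.1.0/24 matches the "from 10.1.1.0/24" rule, finds only a default route in table internal and leaves via the DSL link), and one source-NAT rule per uplink so each network leaves with the address of the link it was routed to. Assumptions not in the post: the box is the NAT gateway, rt_tables already contains the three entries shown above, and GW_DSL / GW_CABLE are the ISPs' upstream gateways (the placeholder addresses below must be replaced; the "via" address in a default route is the next hop, not the box's own address). The script prints the commands unless APPLY=1 is set, so it can be reviewed before touching a live router.

```shell
#!/bin/sh
# Added example: policy routing for a router with three LANs and two uplinks.
# Not the poster's script. Placeholders: GW_DSL, GW_CABLE (assumed upstream
# gateways). Run with APPLY=1 to execute; by default the commands are printed.
set -eu

APPLY="${APPLY:-0}"

# Execute a command, or print it when in dry-run mode.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

LAN_INTERNAL=10.1.1.0/24      # eth0, routed via DSL
LAN_KIOSK=172.16.1.0/24       # eth1, routed via cable
LAN_DMZ=192.168.1.0/24        # eth2, routed via cable
GW_DSL="${GW_DSL:-203.0.113.1}"      # placeholder: ISP gateway on eth3
GW_CABLE="${GW_CABLE:-198.51.100.1}" # placeholder: ISP gateway on eth4

# Step 1: destinations on any local LAN are resolved in the main table, which
# holds the connected routes. Lower priority number = consulted first.
keep_local_on_main() {
    for net in "$LAN_INTERNAL" "$LAN_KIOSK" "$LAN_DMZ"; do
        run ip rule add to "$net" table main priority 100
    done
}

# Step 2: per-source rule plus a default route in that source's table.
# Arguments: source-net table egress-dev gateway priority
add_source_policy() {
    run ip rule add from "$1" table "$2" priority "$5"
    run ip route replace default via "$4" dev "$3" table "$2"
}

# Step 3: source NAT restricted to the (source, uplink) pair chosen above, so a
# misrouted packet is not silently masqueraded out the wrong link.
add_snat() {
    run iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

configure() {
    keep_local_on_main
    add_source_policy "$LAN_INTERNAL" internal eth3 "$GW_DSL"   200
    add_source_policy "$LAN_KIOSK"    kiosk    eth4 "$GW_CABLE" 210
    add_source_policy "$LAN_DMZ"      dmz      eth4 "$GW_CABLE" 220
    add_snat "$LAN_INTERNAL" eth3
    add_snat "$LAN_KIOSK"    eth4
    add_snat "$LAN_DMZ"      eth4
    run ip route flush cache   # older kernels cache lookups; drop stale entries
}

# Read-only view of the result, for checking after APPLY=1.
show_state() {
    ip rule show
    for t in internal kiosk dmz; do
        echo "table $t:"; ip route show table "$t"
    done
}

configure
```

After applying, `ip route get 8.8.8.8 from 10.1.1.5 iif eth0` should name eth3 and `ip route get 8.8.8.8 from 172.16.1.5 iif eth1` should name eth4; that query exercises the rule table without sending traffic, which addresses the "couldn't test very well" problem. Because every source network uses exactly one uplink, strict reverse-path filtering (rp_filter) does not interfere with this layout. The iptables filter rules mentioned in the post are independent of the routing tables and should be loaded after this script, not before.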