
Re: Internet filtering

On 26/07/10 09:39 PM, vr wrote:
> On Mon, 26 Jul 2010 21:09:44 -0400, "H.S." wrote:
>
>> I am not familiar with ATT. Is your service ADSL or cable?
>
> They call it VDSL.

Sorry, never used it. Do they give a modem for the connection?

> I'm interested in more info about the two network card configuration like
> you're running. I have spare parts laying around which could perform that
> duty.  Can you tell me what software package you are using to control the
> traffic across your network cards?  Is it GUI based?  Can you define which
> protocols you want to allow?

Okay, here goes. But I would still say that for most cases, a router with an open source firmware might be more than sufficient for most purposes. The other advantage of such a router, as compared to a computer working as a router, is its low power consumption since it has to remain powered on for the traffic to flow. Besides, such routers are quite robust once configured and quite immune to defects from power failures and, moreover, there are no hard disks to worry about crashing.

My setup is the following:

tel line-->MODEM--->eth0       eth1---->SWITCH
                      |_______.wlan0--> <WLAN>

                       Router m/c

Here MODEM is my ADSL modem and "Router m/c" is my Debian box running as a router. It has three interfaces, eth0 connects to the modem via an ethernet cable, eth1 to a switch via a cable and wlan0 provides my wireless LAN access point (using hostapd with my Dlink card).

I have configured my eth0 as network device, eth1 as network device and wlan0 as They can be on any three different private subnets.

The software I use for the machine to act as a router is iptables with ip_forwarding enabled (this makes the machine as a gateway router). And the various rules (for filtering or port forwarding or blocking) are also done using iptables.

There are many applications that can be used to create the desired iptables rules. I use my own bash script. I am thinking of playing with a GUI option when I get some time. I hear Firestarter is a good choice. There is one called fwbuilder as well. A command line firewall is shorewall. Most of these tools actually make it easier to generate the iptables rules that one would otherwise need to create by hand. If you do a google search, you can find many choices for this and detailed how-to's.

Besides this, I also use dnsmasq as a dhcp server on the router machine and this allows LAN clients to connect as dhcp client. Very useful application. Other than this, I also have an OpenVPN server setup so that my home users can connect to it from outside to have secure and encrypted traffic. I must mention here that all this can usually also be done using the usual consumer router devices and an open source firmware (and sometimes even with their stock firmwares), but with much less pain than setting up your own internet gateway with a computer with iptables filtering.

If you have any further questions, feel free to ask.


Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
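Added example, not the poster's own script: a minimal POSIX shell gateway script for the three-interface layout described in the message above (eth0 to the modem, eth1 to the switch, wlan0 as the access point), covering the iptables forwarding/NAT rules with ip_forward enabled and a matching dnsmasq DHCP configuration. The interface names come from the post; the private subnets, DHCP ranges, the SSH and OpenVPN ports, and the function names are assumptions. Run it without arguments to print the rules for review, or with `apply` as root to execute them.

```shell
#!/bin/sh
# Constructed example of an iptables gateway for the layout in the post:
# eth0 faces the modem, eth1 the switch, wlan0 the wireless clients.
# Subnets, ports and DHCP ranges below are assumptions, not from the post.
WAN=eth0
LAN_IFS="eth1 wlan0"

# Emit the rule set as one iptables command per line so it can be read
# before it is applied. Default policy is DROP for INPUT and FORWARD;
# only LAN-side services and established flows are let through.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ifc in $LAN_IFS; do
        # dnsmasq DHCP (udp/67) and DNS (53), plus SSH for admin: LAN side only
        echo "iptables -A INPUT -i $ifc -p udp --dport 67 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p udp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p tcp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -p tcp --dport 22 -j ACCEPT"
        # LAN clients may open connections towards the modem side
        echo "iptables -A FORWARD -i $ifc -o $WAN -j ACCEPT"
    done
    # Replies to LAN-initiated flows are the only forwarded WAN traffic
    echo "iptables -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # OpenVPN on its default port is the single unsolicited WAN-side service
    echo "iptables -A INPUT -i $WAN -p udp --dport 1194 -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

# dnsmasq fragment: serve DHCP and DNS on the LAN interfaces only
gen_dnsmasq_conf() {
    echo "bind-interfaces"
    for ifc in $LAN_IFS; do
        echo "interface=$ifc"
    done
    echo "dhcp-range=192.168.1.50,192.168.1.150,12h"   # eth1 side (assumed)
    echo "dhcp-range=192.168.2.50,192.168.2.150,12h"   # wlan0 side (assumed)
}

# Review helper: how many INPUT rules accept unsolicited traffic from the WAN
wan_accept_count() {
    gen_rules | grep -c -- "-A INPUT -i $WAN .*-j ACCEPT"
}

case "${1:-}" in
    apply) gen_rules | while IFS= read -r cmd; do $cmd; done ;;
    *)     gen_rules ;;
esac
```

The `wan_accept_count` helper is the check worth running after any edit to the script: every ACCEPT rule on the modem-facing interface is a service exposed to the internet, so the count should stay at exactly the services you intend to offer (here, only OpenVPN).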
