(no subject)

(no subject)

[William Beattie]

Hello,

I have a fairly complicated network which I have to maintain connectivity
with 20 different customers over private line or frame relay and 14 remote
offices using frame relay.  Most of the customers use 10.x.x.x or
192.168.x.x subnets.  In order to not conflict with the customer networks I
am using all public IP addresses locally and at my remotes. (Ya, Ya, I know)

Now I have a mandate from our corporate IT to migrate/RE-IP my entire
network to 10.x.x.x.  

Right away with the 10.x.x.x subnets I have been assigned for this office I
immediately conflict with at least one customer circuit.

IPTABLES looks like the way to go but I need some helpful suggestions.  

I need to do source and destination nat because we connect to machines on
their side and they connect to machines on our side.  

I need to restrict incoming internet traffic on this firewall to basically 5
IP addresses or so and restrict outgoing internet access to a list of sites
for my general population and full internet ports 80, 443, 20:21, 23 for a
select group.


I am looking for suggestions, sample scripts and anything else you have.

I know RTFM, I did and it just doesn't look like the out of the box
configuration will do.

Please send files or attachments to wbeattie@fnis.com




Sincerely,

William Beattie -- Network Engineer
Microsoft Certified Systems Engineer

FNIS Real Estate Tax Service, Monrovia, CA
(626) 351-5060 ext 214  Fax: 626-351-6181
Cell Phone (626) 625-4973 DC # 124*27588*1
Text Message 6266254973@messaging.nextel.com

MSN IM: williambeattie@msn.com

PS Please only send me PLAIN TEXT EMAIL

..migrate 35 big firms, some remote, to a 10/8 net or several smaller, was Re: (no subject)

[Arnt Karlsen]

On Mon, 10 Mar 2003 14:33:26 -0800, 
"William Beattie" <williambeattie@msn.com> wrote in message 
<000401c2e755$11080590$5efffacc@fntax.com>:

> Hello,
> 
> I have a fairly complicated network which I have to maintain
> connectivity with 20 different customers over private line or frame
> relay and 14 remote offices using frame relay.  Most of the customers
> use 10.x.x.x or 192.168.x.x subnets.  In order to not conflict with
> the customer networks I am using all public IP addresses locally and
> at my remotes. (Ya, Ya, I know)
> 
> Now I have a mandate from our corporate IT to migrate/RE-IP my entire
> network to 10.x.x.x.  

..with net-nazi power, I hope?

> Right away with the 10.x.x.x subnets I have been assigned for this
> office I immediately conflict with at least one customer circuit.

..grab some 10.x.y/24 nets and use those to link _everything_ else,
you'll wanna use one as the backbone link net.
  
If you can, try to separate all the site's public servers, into 
dmz's away from each sites lan, you may also want to tunnell 
conflicting traffic, and it is also possible to throttle traffic.

> IPTABLES looks like the way to go but I need some helpful suggestions.
> 
> 
> I need to do source and destination nat because we connect to machines
> on their side and they connect to machines on our side.  
> 
> I need to restrict incoming internet traffic on this firewall to
> basically 5 IP addresses or so and restrict outgoing internet access
> to a list of sites for my general population and full internet ports
> 80, 443, 20:21, 23 for a select group.

..here, check http://tldp.org/HOWTO/Adv-Routing-HOWTO/ to 
learn throttling, tunneling: 
http://www.tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETVPN
and general iptables usage:
http://iptables-tutorial.frozentux.net/chunkyhtml/
( or, we could agree on a good price. ;-) )

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.