From: Mike <1100100@gmail.com>
To: Martijn Lievaart <m@rtij.nl>
Cc: netfilter@lists.netfilter.org
Subject: Re: One Nic; Multiple Subnets
Date: Tue, 28 Dec 2004 12:35:30 -0500
Message-ID: <8ca42282041228093539addaa1@mail.gmail.com>
In-Reply-To: <16365.213.236.112.75.1104237335.squirrel@213.236.112.75>
Martijn,
Thanks for your help.
I've definitely decided to go down the "2-NIC" path and make life simpler.
Now of course I'm wondering if I should buy some better equipment to
run a strong Ethereal/Snort combo on the router box. I'm way overdue
on intrusion detection and network usage.
Any suggestions on the level of hardware required to run Ethereal and
Snort on a router box?
Best regards.
Mike
On Tue, 28 Dec 2004 13:35:35 +0100 (CET), Martijn Lievaart <m@rtij.nl> wrote:
> Mike said:
> > Jason,
> > Thanks for the reply.
> > Sounds like a second NIC is really what's needed here.
> > John Sullivan suggested it could be done using iptables in combination
> > with iproute2; but I'm not sure I could manage it well. I'm
> > challenged enough by iptables, itself.
> >
> > I'm thinkin' new mobo/cpu/ram combo. for $150 from newegg.com :-)
>
> YES! make it as simple as possible. Do it like this:
>
> * Add another nic, eth2 (I assume you want the new mobo because you cannot
> add another nic to the current setup, right? Otherwise, just add another
> nic and you're set).
> * Give the new nic 192.168.2.1/24, add all new hosts on this second subnet.
> * Make sure the nets can only access the Internet, not each other.
> (from memory, may not be 100% correct)
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -i eth2 -o eth0 -j ACCEPT
> -A FORWARD -m limit --limit "10/s" -j LOG --log-prefix "Invalid forward: "
> -A FORWARD -j DROP
>
> Obviously, you also have to add the relevant MASQ, INPUT and OUTPUT rules,
> but those should not be wildly different from what you have now.
>
> HTH,
> M4
>
>
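The layout Martijn sketched, filled out with the MASQ and INPUT rules he left as an exercise, as an added shell script that is not from this thread. It assumes eth0 is the Internet uplink, eth1 the existing 192.168.1.0/24 LAN and eth2 the new 192.168.2.0/24 LAN, and that the router itself only needs to accept SSH from the existing LAN and DNS queries from both; those are assumptions, so adjust them. Run it with `preview` (or set IPT=echo) to see the rules without loading them.

```sh
#!/bin/sh
# Two-LAN router firewall (added example; not from the thread).
# Assumed layout: eth0 = Internet uplink, eth1 = 192.168.1.0/24 (existing LAN),
# eth2 = 192.168.2.0/24 (new LAN). Override IPT (e.g. IPT=echo) to preview
# the rules instead of loading them into the kernel.
IPT=${IPT:-iptables}
WAN=eth0
LAN1=eth1; LAN1_NET=192.168.1.0/24
LAN2=eth2; LAN2_NET=192.168.2.0/24

apply_rules() {
    # Default-deny for traffic to and through the router; the box's own
    # outbound traffic is left open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # INPUT: the router itself. Loopback, replies to its own connections,
    # SSH administration from the existing LAN only, and DNS from both LANs
    # (assumed services; remove the lines you do not run).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN1 -s $LAN1_NET -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $LAN1 -s $LAN1_NET -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN2 -s $LAN2_NET -p udp --dport 53 -j ACCEPT

    # FORWARD: each LAN may open connections to the Internet only. The -s
    # match ties each interface to its own subnet, so a packet arriving on
    # eth1 with a 192.168.2.x source (spoofed or misconfigured) is logged and
    # dropped instead of forwarded. Anything LAN-to-LAN never gets a state
    # entry, because its first packet falls through to the log-and-drop tail.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $LAN1 -s $LAN1_NET -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $LAN2 -s $LAN2_NET -o $WAN -j ACCEPT
    $IPT -A FORWARD -m limit --limit 10/s -j LOG --log-prefix "Invalid forward: "
    $IPT -A FORWARD -j DROP

    # NAT: masquerade both subnets behind the uplink address.
    $IPT -t nat -A POSTROUTING -s $LAN1_NET -o $WAN -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s $LAN2_NET -o $WAN -j MASQUERADE
}

# Print the rules apply_rules would load, without touching the kernel.
preview_rules() {
    ( IPT=echo; apply_rules )
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) preview_rules ;;
esac
```

Run it as root with `apply` after enabling forwarding (`sysctl -w net.ipv4.ip_forward=1`). The `-m state` match is what the thread's era used; on current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the equivalent. The ESTABLISHED,RELATED rule at the top of FORWARD cannot open a path between the two LANs on its own: a connection only reaches that state after its first packet was accepted, and the first packet of a LAN-to-LAN connection hits the final DROP.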