Linux Netfilter discussions
* Most stable firewall distro
@ 2002-07-03 22:22 Miguel Laborde
  2002-07-04  0:44 ` leolistas
  2002-07-04  5:37 ` Patrick Schaaf
  0 siblings, 2 replies; 16+ messages in thread
From: Miguel Laborde @ 2002-07-03 22:22 UTC (permalink / raw)
  To: netfilter

Hello all,
	I have a question here for those of you who use iptables heavily in a
production environment. Right now I am about to replace an older Mandrake
(release 7.2) with an updated Linux firewall; however, before I go ahead and
do that, I'm interested in knowing what you people consider the most stable
distribution for a Linux firewall.
	I realize that the underlying OS and iptables software is common across all
distributions; however, some distributions apply patches which others don't,
and as a result might be better suited as a firewall.


	Thanks for your time,
				Miguel




^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Most stable firewall distro
@ 2002-07-03 22:23 riffraff
  2002-07-03 22:34 ` Antony Stone
  0 siblings, 1 reply; 16+ messages in thread
From: riffraff @ 2002-07-03 22:23 UTC (permalink / raw)
  To: netfilter

I just used redhat 7.0 (I think, it's been a while), and removed everything that was completely unnecessary, then compiled a whole new kernel (I had to; I'm using the bridge-netfilter patch).  So, it isn't much of a redhat anymore, just uses redhat paths and rpm.





* Re: Most stable firewall distro
  2002-07-03 22:23 riffraff
@ 2002-07-03 22:34 ` Antony Stone
  2002-07-03 23:06   ` Ed Street
  2002-07-03 23:16   ` Steve Fink
  0 siblings, 2 replies; 16+ messages in thread
From: Antony Stone @ 2002-07-03 22:34 UTC (permalink / raw)
  To: netfilter

On Wednesday 03 July 2002 11:23 pm, riffraff wrote:

> I just used redhat 7.0 (I think, it's been a while), and removed everything
> that was completely unnecessary, then compiled a whole new kernel (I had
> to; I'm using the bridge-netfilter patch).  So, it isn't much of a redhat
> anymore, just uses redhat paths and rpm.

I agree with this approach.   A firewall shouldn't really be any recognisable 
distro, because distros basically differ in all the add-ons they include 
around the kernel, nearly all of which you should not have on a firewall.

And, as suggested above, you really ought to compile your own kernel for a 
firewall, too, so it contains what you want and doesn't contain what you 
don't want, therefore you start from ftp://ftp.kernel.org and 'make config' 
(or whichever variation of that you prefer).

The 'distro' I would really like to see people use for firewalls is Linux 
From Scratch, because this is expressly designed to contain only the tools 
you choose for a specific job, and not a whole bunch that someone else 
thought might come in handy one day.....

Not the easiest thing to play with though, admittedly.

http://www.linuxfromscratch.org

 

Antony.



* RE: Most stable firewall distro
  2002-07-03 22:34 ` Antony Stone
@ 2002-07-03 23:06   ` Ed Street
  2002-07-03 23:16   ` Steve Fink
  1 sibling, 0 replies; 16+ messages in thread
From: Ed Street @ 2002-07-03 23:06 UTC (permalink / raw)
  To: 'Antony Stone', netfilter

Hello,

The correct choice to go with would be Debian.  You can do a minimal
install from a business card CD and have everything you need.  Those
of you who are interested, contact me off list for the details and the
script/ISO file (approx. 41 megs).

Ed


* RE: Most stable firewall distro
  2002-07-03 22:34 ` Antony Stone
  2002-07-03 23:06   ` Ed Street
@ 2002-07-03 23:16   ` Steve Fink
  1 sibling, 0 replies; 16+ messages in thread
From: Steve Fink @ 2002-07-03 23:16 UTC (permalink / raw)
  To: 'Antony Stone', netfilter

Antony,

	For use of iptables on a mini-firewall distro (fits on a diskette or
two), I would have to recommend Bering, available at
http://leaf.sourceforge.net.

Best,

Steve




* RE: Most stable firewall distro
@ 2002-07-03 23:22 George Vieira
  2002-07-04  0:56 ` leolistas
  0 siblings, 1 reply; 16+ messages in thread
From: George Vieira @ 2002-07-03 23:22 UTC (permalink / raw)
  To: netfilter

Yes, Bering is a good distro and very up to date, but I rewrote the smoothwall
script as it not only took ~83KB of disk space, it also was too confusing for
me.. call me lazy to read.... ;)
I just deleted their conf files and rewrote the /etc/init.d/smoothwall
scripts and resaved them back to the floppy.

Works wonders, but 1.68MB is very limited, especially if you want IPSEC; then
it's very hard to get it to fit. I just got 1-3KB left on the floppy after
removing a lot of stuff..

But in the end it's worth it as long as you make backups of your floppy.
Verbatim disks apparently are good with this 1.68MB setup and hold for
years...

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au




* Re: Most stable firewall distro
  2002-07-03 22:22 Miguel Laborde
@ 2002-07-04  0:44 ` leolistas
  2002-07-04  5:37 ` Patrick Schaaf
  1 sibling, 0 replies; 16+ messages in thread
From: leolistas @ 2002-07-04  0:44 UTC (permalink / raw)
  To: netfilter


   I have several firewalls (some with heavy traffic) running over
Red Hat 7.2 and 7.3. In both cases, I used to recompile the whole kernel to
the newest (2.4.18 - even in rh73, which already comes with 2.4.18). In
my custom kernel compilation, I apply some patches from iptables
patch-o-matic to enable some modules like psd, string, iplimit, and others.
I also need to uninstall the RPM iptables and recompile iptables from
sources (1.2.6a), so those kernel-compiled modules can be used.

   Of course, a custom installation is done and all unnecessary packages
(KDE and stuff) are not installed. I need to install some devel packages
so I can compile things with no problems. My rh installations use about
650Mb.

   Well, hope this helps you ...... I really have no problems with Red Hat
and I'd recommend it.

   Sincerely,
   Leonardo Rodrigues



* RE: Most stable firewall distro
  2002-07-03 23:22 Most stable firewall distro George Vieira
@ 2002-07-04  0:56 ` leolistas
  2002-07-04 12:02   ` George Georgalis
  0 siblings, 1 reply; 16+ messages in thread
From: leolistas @ 2002-07-04  0:56 UTC (permalink / raw)
  To: netfilter



   Although I know floppy distros work absolutely well, in general I don't
like to use them. As you mentioned, they are 100% limited and nothing can
be done, especially if you need disk writes. I just can't imagine a
firewall with no logging at all !!! Using a squid proxy would save about
15% on your www bandwidth (depends on each case, but 10-15% is generally
ok).

   And, the most important, IDE disks are as cheap as they are fast .....

   So, if you need a firewall for your home (connect 2-3 machines through
ADSL), I'd recommend a floppy firewall. For ANY other firewall machine I
would strongly recommend a full firewall installation based on the distro
you're used to working with. I personally would recommend Red Hat, as I said
in my last message. But if you're used to SuSE, GREAT, use it! Slack? Use it!
Debian? Use it! No matter which distro you'll use if you really know
what you're doing.

   Sincerely,
   Leonardo Rodrigues


Citando George Vieira <GeorgeV@citadelcomputer.com.au>:

> Works wonders but 1.68MB is very limited especially if you want IPSEC
> then
> it's very hard to get it to fit. I just got 1-3KB left on the floppy
> after
> removing alot of stuff..



* RE: Most stable firewall distro
@ 2002-07-04  0:58 George Vieira
  2002-07-04  1:06 ` Ed Street
  0 siblings, 1 reply; 16+ messages in thread
From: George Vieira @ 2002-07-04  0:58 UTC (permalink / raw)
  To: 'leolistas@solucoesip.net'; +Cc: netfilter

There is a good reason they made the floppy distros..

1. If it's hacked for any reason, they can't write to it, and if they do then
a reboot clears it.
2. It's redundant to some extent: move the floppy to a new machine and turn
it on. Bang, new firewall..
3. There ARE logs, they are in a virtual RAM drive..
4. You can load the IDE drivers on boot and store /var and whatever you like
there.. but this opens up a hackable write problem, and only IF it gets
compromised...

So it's not all that bad after all.. I've had 2 crashes in the past on my
firewalls. One being HDD failure and the second was CPU overcook, and in both
cases they stuffed my data and needed a new rebuild..

Lesson Learnt: a floppy drive setup would've been an easy recovery....

This of course probably won't suit many people but is a lot easier for some
others for their own solutions...

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au




* RE: Most stable firewall distro
  2002-07-04  0:58 George Vieira
@ 2002-07-04  1:06 ` Ed Street
  0 siblings, 0 replies; 16+ messages in thread
From: Ed Street @ 2002-07-04  1:06 UTC (permalink / raw)
  Cc: netfilter

Hello,

If you're worried about the box getting hacked then use SELinux or
grsecurity.  You can literally give out root access and the user can't
do squat.  You can exploit services and only that service will be
harmed.  A simple reboot or service restart will fix the issue (until it
happens again).

Ed


* RE: Most stable firewall distro
@ 2002-07-04  1:15 George Vieira
  0 siblings, 0 replies; 16+ messages in thread
From: George Vieira @ 2002-07-04  1:15 UTC (permalink / raw)
  To: 'blacknet@simplyaquatics.com'; +Cc: netfilter

Not that I've had any security problems under Linux ;) (whole bunch of
people search my IP and start attacking ;P)

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au




* Re: Most stable firewall distro
  2002-07-03 22:22 Miguel Laborde
  2002-07-04  0:44 ` leolistas
@ 2002-07-04  5:37 ` Patrick Schaaf
  1 sibling, 0 replies; 16+ messages in thread
From: Patrick Schaaf @ 2002-07-04  5:37 UTC (permalink / raw)
  To: Miguel Laborde; +Cc: netfilter

> 	I have a question here for those of you who use iptables heavily in a
> production environment. Right now I am about to replace a older Mandrake
> (release 7.2) with an updated linux firewall however before I go ahead and
> do that, I'm interested in knowing what you people consider the most stable
> distribution for a linux firewall.

Easy: all of them.

> 	I realize that the underlying OS and iptables software is common across all
> distributions however some distributions apply patches which others don't,
> and as result might be better suitable as a firewall.

No. Some distros package one or the other precanned firewall script.
You should be sceptical of all of them, and write your own, in my
opinion.

I don't know of any distribution that patched iptables itself with
stuff not available through CVS/patch-o-matic anyway.

If you are interested in security aspects besides the firewalling code,
please ask the appropriate fora.

best regards
  Patrick



* Re: Most stable firewall distro
  2002-07-04  0:56 ` leolistas
@ 2002-07-04 12:02   ` George Georgalis
  2002-07-04 14:06     ` MSM Mesanger through a iptables firewall Stephan Viljoen
  0 siblings, 1 reply; 16+ messages in thread
From: George Georgalis @ 2002-07-04 12:02 UTC (permalink / raw)
  To: netfilter

On Wed, Jul 03, 2002 at 09:56:08PM -0300, leolistas@solucoesip.net wrote:
>
>
>   Altough I know floppy distro works absolutely well, in general i dont 
>like to use them. As you mentioned, they are 100% limited and nothing can 
>be done, specially if you need disk writings. I just cant imagine a 
>firewall with no logging at all !!! Using a squid proxy would save about 
>15% on your www bandwidth ( depends on each case, but 10-15% is generally 
>ok ).
>
>   And, the most important, IDE disks are as cheap as they are fast .....

If anything is 100% limited, may as well say everything is 100% limited.
I use Bering (floppy distro) _because_ there is no IDE drive to generate
heat, use electricity or break. Since I'm throwing the oldest box around
up as a firewall, I like the fact that there is minimal load on
the power supply.

I've got ssh, iptables, weblet (an http server for status, logs
etc). You can put everything on a cdrom if you want more. It does log,
you could use weblet to download your logs, I'm using ssh, but could
be using NFS instead. It's easy to add another floppy, I think all the
other packages would fit on it.

I don't see running squid on an LRP, if you need that, put it on a lan host, 
or use a regular distro... :) 

// George

BTW - those new IDE disks are not very fast with older controllers or
cpu.



-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george@galis.org 
File, Print, DB and DNS Servers.       http://www.galis.org/george 




* MSM Mesanger through a iptables firewall.
  2002-07-04 12:02   ` George Georgalis
@ 2002-07-04 14:06     ` Stephan Viljoen
  2002-07-04 14:13       ` Antony Stone
  2002-07-04 14:21       ` MSN " Antony Stone
  0 siblings, 2 replies; 16+ messages in thread
From: Stephan Viljoen @ 2002-07-04 14:06 UTC (permalink / raw)
  To: netfilter

Hi there, some of my clients are having problems sending files to each other
with MSN. The problem seems to be that I'm running 2 firewalls behind each
other.

PC 1 can't send a file to PC 2 but PC 2 can send a file to PC 1. PC 3 and PC 1
can send files to each other.  Now all the PCs can use the web, ftp, chat, blah
blah blah. I'm not blocking any ports whatsoever, so it's just masq. and normal
packet forwarding.

Here's all the information.

Help will be appreciated.

PC 1 :
IP : 10.0.0.10 , Gateway : 10.0.0.1

Firewall 1:
eth0 : 193.220.24.230 : uplink  , Gateway : 193.220.24.193
eth1 : 10.0.0.1/16

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.0.0.1/16 -o eth0 -j MASQUERADE
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

Firewall 2:
eth0 : 193.220.24.8
eth1 : 193.220.24.193
eth2 : 192.168.1.1

$IPTABLES -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -s 192.168.1.1/24 -o $EXTIF -j MASQUERADE
$IPTABLES -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth2 -o eth0 -j ACCEPT

PC 2 :
IP : 193.220.24.242 , Gateway : 193.220.24.193

PC3 :
IP : 192.168.1.10 , Gateway : 192.168.1.1






* Re: MSM Mesanger through a iptables firewall.
  2002-07-04 14:06     ` MSM Mesanger through a iptables firewall Stephan Viljoen
@ 2002-07-04 14:13       ` Antony Stone
  2002-07-04 14:21       ` MSN " Antony Stone
  1 sibling, 0 replies; 16+ messages in thread
From: Antony Stone @ 2002-07-04 14:13 UTC (permalink / raw)
  To: netfilter

On Thursday 04 July 2002 3:06 pm, Stephan Viljoen wrote:

> Firewall 2:
> eth0 : 193.220.24.8
> eth1 : 193.220.24.193
> eth2 : 192.168.1.1

What are the netmasks on eth0 and eth1 ?

What's the routing table on this machine ?

 

Antony.



* Re: MSN Mesanger through a iptables firewall.
  2002-07-04 14:06     ` MSM Mesanger through a iptables firewall Stephan Viljoen
  2002-07-04 14:13       ` Antony Stone
@ 2002-07-04 14:21       ` Antony Stone
  1 sibling, 0 replies; 16+ messages in thread
From: Antony Stone @ 2002-07-04 14:21 UTC (permalink / raw)
  To: netfilter

On Thursday 04 July 2002 3:06 pm, Stephan Viljoen wrote:

> Firewall 1:
> eth0 : 193.220.24.230 : uplink  , Gateway : 193.220.24.193
> eth1 : 10.0.0.1/16
>
> echo "   enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -t nat -A POSTROUTING -s 10.0.0.1/16 -o eth0 -j MASQUERADE
> $IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

I don't see the point of you having these two FORWARDing rules when the 
default policy on this chain is ACCEPT ?   It's just an open router.

> Firewall 2:
> eth0 : 193.220.24.8
> eth1 : 193.220.24.193
> eth2 : 192.168.1.1
>
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> $IPTABLES -t nat -A POSTROUTING -s 192.168.1.1/24 -o $EXTIF -j MASQUERADE
> $IPTABLES -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> $IPTABLES -A FORWARD -i eth2 -o eth0 -j ACCEPT

Again, there's no point in having any of these four FORWARDing rules when the 
default policy is ACCEPT.   This firewall is also simply an open router.

 

Antony.
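As an added illustration of Antony's point (this is not code from the thread, and the Packet/Rule/Chain model and the sample packets are constructed here, not netfilter itself): a small Python model of FORWARD chain evaluation, loaded with the rules of Firewall 1 and Firewall 2 from Stephan's post. It shows that under '-P FORWARD ACCEPT' an unsolicited NEW packet from the uplink reaches the LAN anyway, that the same rules under a DROP policy behave like a stateful firewall, and which rules can never change the verdict.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    state: str          # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                          # -j ACCEPT / DROP
    in_if: Optional[str] = None          # -i <iface>
    out_if: Optional[str] = None         # -o <iface>
    states: frozenset = frozenset()      # -m state --state ...; empty = no state match

    def matches(self, pkt: Packet) -> bool:
        if self.in_if and pkt.in_if != self.in_if:
            return False
        if self.out_if and pkt.out_if != self.out_if:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str                          # -P FORWARD <policy>
    rules: list = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        # netfilter semantics: the first matching rule decides; if nothing
        # matches, the chain policy decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})


def firewall1_rules():
    # Firewall 1 from the post: eth0 is the uplink, eth1 the 10.0.0.0/16 LAN
    return [Rule("ACCEPT", "eth0", "eth1", ESTABLISHED),
            Rule("ACCEPT", "eth1", "eth0")]


def firewall2_rules():
    # Firewall 2 from the post: its four FORWARD rules for eth1 and eth2
    return [Rule("ACCEPT", "eth0", "eth1", ESTABLISHED),
            Rule("ACCEPT", "eth1", "eth0"),
            Rule("ACCEPT", "eth0", "eth2", ESTABLISHED),
            Rule("ACCEPT", "eth2", "eth0")]


# Constructed sample traffic crossing Firewall 1
SAMPLE = {
    "reply_to_lan":       Packet("eth0", "eth1", "ESTABLISHED"),
    "unsolicited_to_lan": Packet("eth0", "eth1", "NEW"),
    "lan_to_internet":    Packet("eth1", "eth0", "NEW"),
}


def evaluate_firewall1(policy: str) -> dict:
    """Verdict for each sample packet under the given FORWARD policy."""
    chain = Chain(policy, firewall1_rules())
    return {name: chain.verdict(pkt) for name, pkt in SAMPLE.items()}


def redundant_rule_indexes(chain: Chain) -> list:
    """Indexes of rules that can never change the chain's verdict.

    A rule whose target equals the policy only matters if it shadows a later
    rule with a different target; without such a later rule, any packet it
    matches would have fallen through to the policy and got the same verdict.
    """
    redundant = []
    for i, rule in enumerate(chain.rules):
        later_differs = any(r.target != chain.policy for r in chain.rules[i + 1:])
        if rule.target == chain.policy and not later_differs:
            redundant.append(i)
    return redundant


if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(policy, evaluate_firewall1(policy))
    print("redundant on firewall 1 under ACCEPT:",
          redundant_rule_indexes(Chain("ACCEPT", firewall1_rules())))
    print("redundant on firewall 2 under ACCEPT:",
          redundant_rule_indexes(Chain("ACCEPT", firewall2_rules())))
```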


