I am somewhat new to networking. I want/need a hardware firewall and I've decided to build my own according to the guidelines of the "Linux Router Project", or maybe just a full-out Linux box.
If any of you have any experience with this: I know I need one NIC for the WAN and an additional one for the LAN. But what do I do about the one or two machines I will be using as web servers? How do I fit in a DMZ? Would I simply add a third NIC card?

Linux comes with the iptables firewall set and you can turn your Linux box into a router/firewall in one. I use Red Hat 7.3 on an 866 MHz box with 512 megs of RAM and it works great. Are you using DSL (PPPoE)? If so, all you need is one NIC: your PPPoE uses the virtual ppp0 and your LAN uses eth0. You can set up IP forwarding to have both interfaces talk to each other. I will leave you with an example, iptables:

```sh
#!/bin/sh
# Kernel network hardening via /proc/sys (applies until reboot).
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

# Load the netfilter modules the rules below depend on.
modprobe ip_conntrack
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ipt_owner
modprobe ip_conntrack_irc

# Turn the box into a router and NAT everything leaving over the PPPoE link.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT

# Private (RFC 1918) source addresses arriving from the WAN are spoofed: drop them.
iptables -t nat -A PREROUTING -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp0 -s 172.16.0.0/12 -j DROP

# Traffic to the firewall itself: trust the LAN interfaces and loopback.
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# DHCP, the ISP's DNS servers and the POP3 server may answer on high ports.
iptables -A INPUT -i ppp0 -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 208.188.197.4 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 206.148.122.8 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 206.148.122.2 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s 206.48.122.98 --sport pop3 --dport 1024:65535 -j ACCEPT
# Non-SYN TCP from the WAN is a reply to something we started; new connections are not.
iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -j DROP
# Everything not explicitly accepted above is dropped.
iptables -P INPUT DROP

# Block listed ad/update hosts in both directions for forwarded LAN traffic.
# Note: hostnames are resolved once, when the rule is loaded.
iptables -N deny-web-sites-in
iptables -I FORWARD -i eth0 -j deny-web-sites-in
iptables -A deny-web-sites-in -d www.doubleclick.com -j DROP
iptables -A deny-web-sites-in -d md1.doubleclick.com -j DROP
iptables -A deny-web-sites-in -d windowsupdate.microsoft.com -j DROP
iptables -A deny-web-sites-in -d windowsupdate.microsoft.nsatc.net -j DROP

iptables -N deny-web-sites-out
iptables -I FORWARD -o eth0 -j deny-web-sites-out
iptables -A deny-web-sites-out -s www.doubleclick.com -j DROP
iptables -A deny-web-sites-out -s md1.doubleclick.com -j DROP
iptables -A deny-web-sites-out -s windowsupdate.microsoft.com -j DROP
iptables -A deny-web-sites-out -s windowsupdate.microsoft.nsatc.net -j DROP
```
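The script above covers the two-interface case; the original question also asked how a DMZ on a third NIC fits in. The following is an added example (not code from either poster) that extends the same iptables/MASQUERADE approach to WAN on ppp0, LAN on eth0 and DMZ on eth1, with a web server at 192.168.2.10; interface names and addresses are assumed, and rules go through `$IPT` so the set can be previewed with `IPT=echo` before touching a real kernel.

```shell
#!/bin/sh
# Added example, not from this thread: three-NIC firewall with a DMZ.
# Interface names and all addresses are constructed assumptions.
IPT="${IPT:-iptables}"
WAN=ppp0; LAN=eth0; DMZ=eth1
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
WEB=192.168.2.10            # web server living in the DMZ

dmz_rules() {
    # Default deny; everything below is an explicit exception.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Stateful core: replies to flows we already allowed always pass.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Only the LAN may manage the firewall itself (ssh as the example).
    $IPT -A INPUT -i $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Private source addresses arriving from the WAN are spoofed: drop.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A FORWARD -i $WAN -s $net -j DROP
    done
    # LAN may reach the Internet and the DMZ; NAT it behind the WAN address.
    $IPT -A FORWARD -i $LAN -s $LAN_NET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    # Expose the DMZ web server: DNAT inbound 80/443 and allow that forward.
    for port in 80 443; do
        $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport $port -j DNAT --to-destination $WEB
        $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp --dport $port -m state --state NEW -j ACCEPT
    done
    # DMZ hosts may reach the Internet but must never open flows into the LAN,
    # so a compromised web server does not become a foothold inside.
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    $IPT -A FORWARD -i $DMZ -s $DMZ_NET -o $WAN -m state --state NEW -j ACCEPT
    # Log what falls through so the default drop is visible in syslog.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Apply only when explicitly asked; otherwise the function is just defined.
if [ "${1:-}" = apply ]; then dmz_rules; fi
```

Run `IPT=echo sh fw.sh apply` to review the generated rules, then `sh fw.sh apply` as root on the firewall.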

Try FreeSCO for starters.
http://www.freescosoft.com/cgi-bin/ib3-freesco/ikonboard.cgi?s=3ce1f2b56a3dffff;act=SF;f=4
http://chinese-watercolor.com/LRP/
