-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Scott
Sent: Monday, September 22, 2008 10:57 AM
To: Greater NH Linux User Group
Subject: Re: iptables
On Mon, Sep 22, 2008 at 10:06 AM, Labitt, Bruce <[EMAIL PROTECTED]> wrote:
> I am trying to configure my firewall at work. I need to have an
> internal trusted network (my number-cruncher) and everything else. The
> trusted network is on eth0, and the other is on eth1.

In general, I would do this by:

A1. Having a dedicated switch for the cluster.

[Labitt, Bruce] Got it

A2. Having a single gateway connected to A1 and the corporate LAN.

[Labitt, Bruce] That is what I need

A3. Configuring a separate IP network on A1.

[Labitt, Bruce] Got that

A4. Using NAT on the A2 gateway to route between A3 and the corporate LAN's IP net.

[Labitt, Bruce] Need that

The A2 gateway could be a general-purpose computer running Linux, or one of those SOHO gateway boxes (from LinkSys, D-Link, NetGear, etc.).

[Labitt, Bruce] I'm using my Linux box.

Advantages and disadvantages to both. GP computers tend to be more flexible, and you might already have one. SOHO boxes are smaller, use less power, and your router won't go down when the GP PC needs to be rebooted.

For A3, unless corporate wants me to use an address space they assign, I would use something from the RFC-1918 private address space. Specifically, I would subnet a part of 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12 as a /24. For example, I'm partial to 10.0.0.0/24 (it makes typing easier). If corporate is already using RFC-1918 in their networks, I'd pick something outside of their plan, to avoid conflicts. If you're not sure, pick something odd, like 172.16.42.0/24. Or get an assignment from corporate.

[Labitt, Bruce] I have a private network picked.

Most likely, your distribution already has a mechanism in place to configure iptables. Are you still running Sci Linux 5, or have you changed to something else by now?

[Labitt, Bruce] Not yet. I really want to at least be able to boot my blade before I break stuff.

> Ben, do you remember this?

No, but my GMail account does. :) That let me dig up the archived thread:

http://thread.gmane.org/gmane.org.user-groups.linux.gnhlug/13370

[Labitt, Bruce] Yeah, I found that. I want the niggling details of how to set up the eth0 to basically pass everything and the eth1 to have the general firewall stuff. And some sort of pass-thru from one network to the other.

That thread didn't get into the low-level details of which iptables commands to run, though.

[Labitt, Bruce] That's what I found :(

-- Ben

[Labitt, Bruce] In the previous discussion (long, long, ago) there were some issues of me having a DHCP server for eth1. This has been resolved by our group (and my project) moving (sold) to another company. My new IT guy thinks what I am working on is cool - and wants to help :)

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
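Since the archived thread never got to the actual iptables commands, here is an added example (mine, not from Ben or Bruce) of a minimal ruleset for the A1-A4 layout: it assumes eth0 carries a trusted cluster net of 172.16.42.0/24 (the sample prefix Ben mentions), eth1 faces the corporate LAN, and SSH is the only service the gateway itself exposes on eth1.

```shell
#!/bin/sh
# Added example, not from the thread: minimal ruleset for the A1-A4 layout.
# Assumed: eth0 = trusted cluster net 172.16.42.0/24 (the sample prefix from
# above), eth1 = corporate LAN, SSH the only service the gateway offers on eth1.
set -e
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of loading them
TRUSTED_IF=eth0
CORP_IF=eth1
TRUSTED_NET=172.16.42.0/24

apply_rules() {
    # start clean, deny by default for anything entering or crossing the gateway
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # loopback, and replies to flows the gateway or the cluster already opened
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # anti-spoofing: cluster source addresses never legitimately arrive on eth1
    $IPT -A INPUT   -i "$CORP_IF" -s "$TRUSTED_NET" -j DROP
    $IPT -A FORWARD -i "$CORP_IF" -s "$TRUSTED_NET" -j DROP

    # eth0 "passes everything": the gateway trusts the cluster completely
    $IPT -A INPUT -i "$TRUSTED_IF" -s "$TRUSTED_NET" -j ACCEPT

    # eth1 gets the general firewall treatment: only SSH in, log what gets dropped
    $IPT -A INPUT -i "$CORP_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$CORP_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "

    # pass-through: the cluster may open connections to corporate; corporate hosts
    # only get replies back and can never open new connections into the cluster
    $IPT -A FORWARD -i "$TRUSTED_IF" -o "$CORP_IF" -s "$TRUSTED_NET" -j ACCEPT
    $IPT -A FORWARD -i "$CORP_IF" -o "$TRUSTED_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "

    # A4: hide the private cluster net behind the gateway's corporate address
    $IPT -t nat -A POSTROUTING -o "$CORP_IF" -s "$TRUSTED_NET" -j MASQUERADE
}

enable_forwarding() {
    # switched on only after the rules are loaded, so there is no unfiltered window
    sysctl -w net.ipv4.ip_forward=1
}

# run as root with "apply" to load the rules; sourcing the file only defines them
if [ "${1:-}" = "apply" ]; then
    apply_rules
    enable_forwarding
fi
```

Dry-run it with IPT=echo first to review what would be loaded; rules loaded this way do not survive a reboot unless you save them with your distribution's mechanism (service iptables save on RHEL-style systems such as Scientific Linux).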