I'd probably use Bering or Bering-uClibC instead of Dachstein, which I don't think is actively developed any longer. (Charles, please hit me with the correction-bat if that's wrong.)
Configuring Shorewall, on the other hand, is pretty straightforward; all you need to do is forward the ports you want to hit each device to the respective devices, and deny all (probably both ways - loc to net and net to loc) on everything else.
Going from memory, the commands would be:
ACCEPT net loc:addrPUBB TCP/UDP* PortNum
* Whichever protocol is correct.
That would be VPN. If addrPUBC is a Web and FTP server, and addrPUBD is a mailserver, then you'd do:
ACCEPT net loc:addrPUBC TCP http
ACCEPT net loc:addrPUBC TCP https
ACCEPT net loc:addrPUBC TCP ftp
ACCEPT net loc:addrPUBC TCP ftp-data
ACCEPT net loc:addrPUBD TCP smtp
(Again, please correct me if I've flubbed this.)
The routing itself, any variant of LEAF is going to be able to accomplish with ease, as it will be straight vanilla routing without even a need for connection tracking, because there's no NAT type stuff going on. Shorewall shouldn't be too tough, either, as long as you know what needs access where.
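As an added example (not from either poster), here are the rules quoted above laid out in the two Shorewall files they imply, together with the deny-all policy the reply mentions. The VPN protocol and port are left as the placeholders the reply left open, and the addrPUB* names stand in for the real public addresses.

```conf
# /etc/shorewall/policy   (constructed example, not from the thread)
# Deny both ways between net and loc, as the reply suggests; anything not
# explicitly ACCEPTed in the rules file is dropped and logged.
# Note: loc->net DROP also stops the servers initiating outbound
# connections, so anything they need (e.g. the mailserver delivering
# outbound mail) wants its own loc->net ACCEPT rule.
#SOURCE   DEST    POLICY   LOG LEVEL
loc       net     DROP     info
net       loc     DROP     info
net       all     DROP     info
all       all     REJECT   info

# /etc/shorewall/rules    (constructed example, not from the thread)
# Only the services each public host is meant to serve are opened.
#ACTION   SOURCE   DEST             PROTO     DEST PORT(S)
# Server 1 (addrPUBB): VPN; <proto> and <PortNum> are whatever the VPN uses
ACCEPT    net      loc:addrPUBB     <proto>   <PortNum>
# Server 2 (addrPUBC): web and FTP
ACCEPT    net      loc:addrPUBC     tcp       http
ACCEPT    net      loc:addrPUBC     tcp       https
ACCEPT    net      loc:addrPUBC     tcp       ftp
ACCEPT    net      loc:addrPUBC     tcp       ftp-data
# Server 3 (addrPUBD): mail
ACCEPT    net      loc:addrPUBD     tcp       smtp
```

The port names are resolved through /etc/services on the LEAF box; the zone names net and loc are assumed to be defined in the zones and interfaces files for eth0 and eth1 respectively.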
Craig Johnson wrote:
Wondering if I can get some help?
I have a static public IP from ISP for an ADSL account (call it addrISP). We also have our own public IP range. I want to set up a LEAF box (eg dachstein), which holds the addrISP on one NIC, and one of our public IP addresses on another NIC. Then it will route all traffic through to other servers on the public IP addresses. Also there is an internal network behind one of the other public IP addresses, with a VPN server attached.
So, two questions:
* what is the best way/distro to set up a LEAF box as this kind of border router? (I noticed references to border_router options on the Dachstein network.conf documentation page, but haven't been able to find any substantial documentation about setting one up.)
* how do I also set up the LEAF box so that it can receive VPN server requests on its IP address (addrISP), but forward those requests to be served by another firewall server connected to the internal lan?
Diagrammatically, I guess I want something like:
[Internet]
|
eth0 (addrISP)
|
LEAF Box
|
eth1 (addrPUBA)
|
-------------------------------------
| | |
(addrPUBB) (addrPUBC) (addrPUBD)
Server 1 (VPN etc) Server 2 Server 3
(addrPRIVA)
|
internal network
Thanks!
Craig
------------------------------------------------------- This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a limited time only, get FREE Ground shipping on all orders of $35 or more. Hurry up and shop folks, this offer expires April 30th! http://www.thinkgeek.com/freeshipping/?cpg297 ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html