Don't know about shorewall (which you would have to configure to allow VPN traffic to pass through to that specific IP address), but what you basically want it to do is substitute for a traditional router. Effectively, you'd simply have to turn off NAT and let DNS and the public IP addresses do the rest.

I'd probably use Bering or Bering-uClibC instead of Dachstein, which I don't think is actively developed any longer. (Charles, please hit me with the correction-bat if that's wrong.)

Configuring Shorewall, on the other hand, is pretty straightforward; all you need to do is forward the ports you want to hit each device to the respective devices, and deny all (probably both ways - loc to net and net to loc) on everything else.

Going from memory, the commands would be:

ACCEPT net loc:addrPUBB TCP/UDP* PortNum

* Whichever protocol is correct.

That would be VPN. If addrPUBC is a Web and FTP server, and addrPUBD is a mailserver, then you'd do:

ACCEPT  net     loc:addrPUBC    TCP     http
ACCEPT  net     loc:addrPUBC    TCP     https
ACCEPT  net     loc:addrPUBC    TCP     ftp
ACCEPT  net     loc:addrPUBC    TCP     ftp-data

ACCEPT net loc:addrPUBD TCP smtp

(Again, please correct me if I've flubbed this.)

The routing itself, any variant of LEAF is going to be able to accomplish with ease, as it will be straight vanilla routing without even a need for connection tracking, because there's no NAT type stuff going on. Shorewall shouldn't be too tough, either, as long as you know what needs access where.
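For reference, here is what the rules above look like laid out as Shorewall's actual configuration files, with the "deny everything else, both ways" policy made explicit. This is an added example, not code from this thread or from the LEAF/Shorewall projects; the zone names, the interface assignment (eth0 toward the ISP, eth1 toward the public range), and the PROTO_TBD/PORT_TBD placeholders for the VPN rule are assumptions, and addrPUBB/addrPUBC/addrPUBD stand in for the real addresses.

```text
# /etc/shorewall/interfaces   (assumed: eth0 faces the ISP, eth1 the public range)
#ZONE    INTERFACE    BROADCAST
net      eth0         detect
loc      eth1         detect

# /etc/shorewall/policy   deny everything not explicitly allowed, in both directions
#SOURCE  DEST    POLICY    LOG LEVEL
loc      net     DROP      info
net      loc     DROP      info
net      all     DROP      info
all      all     REJECT    info

# /etc/shorewall/rules   only the listed services reach the listed hosts
#ACTION  SOURCE  DEST            PROTO       DEST PORT(S)
# VPN server: protocol and port are placeholders, fill in whatever the VPN in use needs
ACCEPT   net     loc:addrPUBB    PROTO_TBD   PORT_TBD
# Web and FTP server
ACCEPT   net     loc:addrPUBC    tcp         http
ACCEPT   net     loc:addrPUBC    tcp         https
ACCEPT   net     loc:addrPUBC    tcp         ftp
# Mail server
ACCEPT   net     loc:addrPUBD    tcp         smtp

# /etc/shorewall/masq   intentionally empty: the public range is routed, not NATed
```

Two things worth checking before switching this on. Shorewall's ACCEPT rules are stateful, so replies to the accepted connections come back without extra rules, and passive-mode FTP data connections ride on the kernel's FTP connection-tracking helper rather than on an inbound ftp-data rule. With loc to net set to DROP, however, the servers themselves cannot initiate anything outbound (DNS lookups, the mailserver delivering mail, active-mode FTP data connections from port 20) until matching loc-to-net ACCEPT rules are added; the policy file is where to decide whether that is the intent.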


Craig Johnson wrote:
Wondering if I can get some help?

I have a static public IP from ISP for an ADSL account (call it
addrISP). We also have our own public IP range. I want to set up a LEAF
box (eg dachstein), which holds the addrISP on one NIC, and one of our
public IP addresses on another NIC. Then it will route all traffic
through to other servers on the public IP addresses. Also there is an
internal network behind one of the other public IP addresses, with a
VPN server attached.

So, two questions:

* what is the best way/distro to set up a LEAF box as this kind of border
router? (I noticed references to border_router options on the dachstein
network.conf documentation page, but haven't been able to find any
substantial documentation about setting one up.)

* how do I also set up the LEAF box so that it can receive VPN server
requests on its IP address (addrISP), but forward those requests to be
served by another firewall server connected to the internal lan?

Diagrammatically, I guess I want something like:

      [Internet]
          |
    eth0 (addrISP)
          |
       LEAF Box
          |
    eth1 (addrPUBA)
          |
  -------------------------------------------------
          |                  |                  |
     (addrPUBB)         (addrPUBC)         (addrPUBD)
  Server 1 (VPN etc)     Server 2           Server 3
     (addrPRIVA)
          |
   internal network



Thanks!


Craig


------------------------------------------------------- This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a limited time only, get FREE Ground shipping on all orders of $35 or more. Hurry up and shop folks, this offer expires April 30th! http://www.thinkgeek.com/freeshipping/?cpg297 ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



