
hi everyone. i try so many time t


aymanbar (MIS)
Jul 8, 2003
Hi everyone.
I tried so many times to solve this problem but got nothing until now; I hope someone can help.
I have 2 LANs in 2 locations, connected by a leased line (TDM). Each location is using Windows NT 4 as NOS, and I established a trust relationship between the 2 domains, so people can share files and so on.
I built a firewall (using iptables) and added squid to work as a transparent proxy. The point now is that I want the other location to have Internet service through me.
OK, let me draw a map of the situation I have now:

isp
|
|leasdline line
|_________
|_router_|
|____________
|__firewall_|
|
|____________ ___________
|__switch____|------|_router___|------to the other location
| 192.168.11.0/24
|
|-my local Area Network 192.168.10.0/24

What I want to achieve is:
isp
|
|
|________
|__router|
|
|____________ ____________
|__firewall |-----|_router ___|-----to the other location
|
|________
|_switch_|

I want to apply the new topology to achieve these points:
# keep the trust relationship in place (so the people still share files, etc.)
# give the 2 sites Internet service that is clean and safe
# be able to manage the bandwidth that each location can get.
Thank you for your help.
Best regards
 
I have 5 Ethernet cards in my firewall: one for the outside (eth0), the rest for internal LANs. I also have my Linux box running as a router.

Two of your three goals can be kept here: keeping the trusted relationship and safe Internet connectivity for both sites. However, I CANNOT help with bandwidth control (sorry).

Below is my ipchains firewall. Make sure you notice my eth1/eth2/eth3/eth4 config lines. All four of these interfaces have no ACLs on them to each other, just to the outside interface, which gives you the trusted relationship.

You might want to modify the eth0 config lines for yourself; this will give you safe Internet.

Read up on IPCHAINS if you want; most folks are using IPTABLES nowadays.

This script runs at boot time.

#!/bin/sh
#
# Ipchains Firewall
#
# Flush all rules, delete user chains, and default every chain to REJECT
/sbin/ipchains -F
/sbin/ipchains -X
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT

# Dynamic IP Hack for outside interface
# Pull the address, netmask and broadcast of eth0 out of ifconfig's
# "inet addr:A.B.C.D  Bcast:A.B.C.255  Mask:255.255.255.0" line
EXTIP=`/sbin/ifconfig eth0 | grep 'inet addr' | awk -F: '{ print $2 }' | awk '{ print $1 }'`
EXTNM=`/sbin/ifconfig eth0 | grep 'inet addr' | awk -F: '{ print $4 }' | awk '{ print $1 }'`
EXTBC=`/sbin/ifconfig eth0 | grep 'inet addr' | awk -F: '{ print $3 }' | awk '{ print $1 }'`

# Allow All Inside interfaces to the Firewall
/sbin/ipchains -A input -i lo -j ACCEPT
/sbin/ipchains -A output -i lo -j ACCEPT
/sbin/ipchains -A input -i eth1 -j ACCEPT
/sbin/ipchains -A output -i eth1 -j ACCEPT
/sbin/ipchains -A input -i eth2 -j ACCEPT
/sbin/ipchains -A output -i eth2 -j ACCEPT
/sbin/ipchains -A input -i eth3 -j ACCEPT
/sbin/ipchains -A output -i eth3 -j ACCEPT
/sbin/ipchains -A input -i eth4 -j ACCEPT
/sbin/ipchains -A output -i eth4 -j ACCEPT

# Refuse Bogus Broadcasts
/sbin/ipchains -A input -i eth0 -s 255.255.255.255 -j DENY
/sbin/ipchains -A input -i eth0 -d 0.0.0.0 -j DENY

# Anything may leave through the outside interface
/sbin/ipchains -A output -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A output -p udp -i eth0 -j ACCEPT
/sbin/ipchains -A output -p icmp -i eth0 -j ACCEPT

# Allow everything to go out (masqueraded); inbound on eth0 only replies
# to unprivileged ports, and for TCP only non-SYN packets (! -y)
/sbin/ipchains -A input -i eth0 -d $EXTIP 1024:65535 ! -y -p tcp -j ACCEPT
/sbin/ipchains -A forward -p tcp -j MASQ
#
/sbin/ipchains -A input -i eth0 -d $EXTIP 1024:65535 -p udp -j ACCEPT
/sbin/ipchains -A forward -p udp -j MASQ
#
/sbin/ipchains -A input -i eth0 -p icmp -j ACCEPT
/sbin/ipchains -A forward -p icmp -j MASQ

# Web Server on Firewall
/sbin/ipchains -A input -d $EXTIP 80 -p tcp -i eth0 -j ACCEPT

# SSH Server on Firewall
/sbin/ipchains -A input -d $EXTIP 22 -p tcp -i eth0 -j ACCEPT
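Since the original poster already runs iptables with squid, here is an added example (not the poster's script above, nor from the thread) that expresses the same "inside interfaces trust each other, only replies come back in from outside" policy in iptables for the proposed topology, with the web traffic of both sites handed to the transparent proxy. It assumes eth0 faces the ISP, eth1 the local LAN 192.168.10.0/24, eth2 the router to the remote site 192.168.11.0/24, and squid listening on its default port 3128; the DRY_RUN mode is a convention added here so the rule set can be reviewed before it is loaded.

```sh
#!/bin/sh
# Added example for the topology in the question (assumed interface layout).
EXT_IF=eth0; LAN_IF=eth1; SITE2_IF=eth2
LAN_NET=192.168.10.0/24; SITE2_NET=192.168.11.0/24
SQUID_PORT=3128   # squid's default http_port (assumption: left at default)

# run: execute the command, or only print it when DRY_RUN is set, so the
# complete rule set can be reviewed on any host before loading it.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

fw_rules() {
    run iptables -F; run iptables -t nat -F; run iptables -X
    run iptables -P INPUT DROP; run iptables -P FORWARD DROP; run iptables -P OUTPUT ACCEPT

    run iptables -A INPUT -i lo -j ACCEPT
    # Anti-spoofing: our private ranges never legitimately arrive from the ISP.
    run iptables -A INPUT   -i "$EXT_IF" -s "$LAN_NET"   -j DROP
    run iptables -A INPUT   -i "$EXT_IF" -s "$SITE2_NET" -j DROP
    run iptables -A FORWARD -i "$EXT_IF" -s "$LAN_NET"   -j DROP
    run iptables -A FORWARD -i "$EXT_IF" -s "$SITE2_NET" -j DROP
    # Stateful replacement for the "! -y / ports 1024:65535" reply rules.
    run iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inside interfaces may reach the firewall itself (proxy, DNS, admin).
    run iptables -A INPUT -i "$LAN_IF"   -s "$LAN_NET"   -j ACCEPT
    run iptables -A INPUT -i "$SITE2_IF" -s "$SITE2_NET" -j ACCEPT

    # Goal 1: the two LANs talk freely, so the NT domain trust keeps working.
    run iptables -A FORWARD -i "$LAN_IF"   -o "$SITE2_IF" -s "$LAN_NET"   -d "$SITE2_NET" -j ACCEPT
    run iptables -A FORWARD -i "$SITE2_IF" -o "$LAN_IF"   -s "$SITE2_NET" -d "$LAN_NET"   -j ACCEPT

    # Goal 2: both sites reach the Internet through the firewall, web traffic
    # via the transparent proxy; nothing unsolicited from eth0 is forwarded in.
    run iptables -t nat -A PREROUTING -i "$LAN_IF"   -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -t nat -A PREROUTING -i "$SITE2_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -A FORWARD -i "$LAN_IF"   -o "$EXT_IF" -s "$LAN_NET"   -j ACCEPT
    run iptables -A FORWARD -i "$SITE2_IF" -o "$EXT_IF" -s "$SITE2_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# "review" prints the rules; "load" applies them (needs root on the firewall).
case "${1:-}" in
    review) DRY_RUN=1 fw_rules ;;
    load)   fw_rules ;;
esac
```

Bandwidth per site (the third goal) is not handled by these rules; it belongs to a shaper on eth0, as the next reply points out.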
 
Try installing the shaper package for bandwidth control. I personally haven't used it YET (though I'm planning to once I find the time to muck around with my router).

From what I read, you'll have to set up your bandwidth allocations in the shaper config file, then use the device shp0 instead of eth0 in your iptables. Make sure you alias the right device to shp0.
 