
Linux gateway between Internet and W2K network planned.


DeeBeee

IS-IT--Management
Jul 11, 2001
2
US
I want to set up a Linux based gateway to the internet for a W2K peer network that currently has no servers (hey, it used to be a W98 peer network: we're moving in the right direction :)
The future will have a Linux based Web Server with email redirection to a W2K network server. The Web Server and Network server will be ported through a firewall which will be between them and the gateway.
Security is important in the internet gateway (for now) as all users gain access through it.
What can be done to effect this first step? Mandrake 7.2 Complete CDs and download available.

Thanks in advance,
dB
 
Hi,

At the simplest level you will want to set up ip masquerading using iptables (from kernel 2.4.0 onwards) or ipchains (2.2.x series kernels). I'm not sure whether Mandrake 7.2 (8.0 is the latest) has the new 2.4 series kernel but, if it does, I would use that kernel and iptables.

In addition, you can (optionally) install the squid proxy server to do web page caching. This may have a performance benefit but is not actually needed to share the internet gateway. If you do add squid you'll end up with something functionally similar to MS/proxy server.

For iptables you will need a script containing commands like the following :

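# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Load the relevant modules, one modprobe per module
# (extra arguments would be read as module options)
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
# Set up masquerading. The LAN side is eth0, but iptables rejects -i in
# POSTROUTING, so LAN traffic is matched by its source range instead.
/sbin/iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o eth1 -j MASQUERADE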

The above would send all lan traffic on eth0 with an ip address of 172.16.x.x out to the eth1 interface using network address translation. Obviously you would change 'eth0', 'eth1' and '172.16.0.0/16' to your local lan interface, internet interface, and ip address range respectively. That's all there is to it although you can get much more sophisticated if you want in terms of filtering. A good place to put these commands would be in the /etc/rc.d/rc.local script, incidentally.

(If you have trouble with the modules just do :

/sbin/insmod /lib/modules/2.4.5/kernel/net/ipv4/netfilter/*

setting 2.4.5 to your kernel version if different)

Some useful reading : and for iptables. Also for the Squid proxy server.

If you need to use ipchains rather than iptables I'll try and find the syntax..

Regards, Iain
 
Thank you, Iain.
I just began loading Linux onto the gateway and will keep you informed of the results.
The filtering will follow a successful iptables method. I'll study the masquerading option to make sure our otherwise protected domain won't become public through proxy emulation.
Thanks again for the details.

Best regards,
dB
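The filtering mentioned in the thread, sketched as an added example that is not part of either post: a default-deny FORWARD chain around the masquerade rule, so only connections started from the LAN range are forwarded. The function name `gateway_rules` and the `IPT` dry-run variable are assumptions of this example, and it covers forwarded traffic only, not traffic addressed to the gateway itself.

```shell
#!/bin/sh
# Added example: default-deny forwarding around the masquerade rule.
# Dry run by default: IPT only echoes the commands. As root on the gateway,
# run with IPT=/sbin/iptables to apply them.
IPT=${IPT:-echo iptables}

# gateway_rules LAN_IF WAN_IF LAN_NET   (hypothetical helper)
# Returns 2 without issuing any rule if the arguments look wrong.
gateway_rules() {
    lan_if=$1 wan_if=$2 lan_net=$3
    for ifname in "$lan_if" "$wan_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: '$ifname'" >&2; return 2 ;;
        esac
    done
    # Masquerading onto the LAN interface itself would be a misconfiguration.
    [ "$lan_if" != "$wan_if" ] || { echo "LAN and WAN interface are the same" >&2; return 2; }
    case $lan_net in
        *[!0-9./]*) echo "bad network: '$lan_net'" >&2; return 2 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "network must be a.b.c.d/len: '$lan_net'" >&2; return 2 ;;
    esac

    # Anything forwarded that no rule below accepts is dropped.
    $IPT -P FORWARD DROP || return 1
    $IPT -F FORWARD || return 1
    # Replies to connections that were already allowed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # New connections only from the LAN range, LAN side to internet side.
    $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -m state --state NEW -j ACCEPT || return 1
    # Source NAT for the LAN range as it leaves on the internet interface.
    $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE || return 1
}

# Interface names and address range as used in the post above.
gateway_rules eth0 eth1 172.16.0.0/16
```

IP forwarding and the conntrack/NAT modules still have to be enabled as in the original script before these rules take effect.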
 