Paul Mc Auley wrote:
> I'm trying to get my head around setting up a toy firewall using ipchains
> and I have a few questions... if I have a subnet 10.1.2.0/24 and I wish to
> put a box in front of a given subnet of those, but I still wish the
> firewalled hosts to appear to be distinct.
> Does this take deep magic? One thought I had was to set up multiple aliases
> on the external interface and do port forwarding, but I'm not too sure...
>
If I read you right, you want to firewall a section of a Class A private
network from another part of the same network? That's easy!
Just physically separate the sections of the network and put your
firewall in as the router. If you're remaining only within the private
network, the hosts will appear as before just with the firewall rules
affecting how they can be accessed.
It's only if you need to connect to the Internet through the firewall
that you'll have to think about IP Masquerading but even here, your
hosts will appear as before on the local net and will be masqueraded
only on the Internet connection.
The usual reason I've seen for wanting a host behind a firewall to be
visible outside it is to run servers like http, ftp, telnet etc. You
can route specific ports to the relevant machine(s) using port
forwarding but a specific port can be routed to *only one* machine. All
the info is there in the Firewall-HOWTO, the IPChains-HOWTO and the
IP-Masq-HOWTO from the LDP at www.linuxdoc.org .
It's generally considered safer to put public server machines on the
Internet side of a firewall and treat them as "dirty". Of course, you
need public IP addresses for each server in that case.
That help at all?
--
Conor Daly
ph +353 1 8326146
conor.daly at oceanfree.net
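The set-up Conor describes (the firewall acting as the router between the two parts of the private net, masquerading only on the Internet side, and one external port forwarded to one machine) written out as an ipchains/ipmasqadm rule set. This is an added example, not part of the thread: the interface names, the 10.1.2.128/25 split, the 192.0.2.10 external address and the 10.1.2.130 web server are assumptions.

```shell
#!/bin/sh
# Assumed layout (not from the thread): eth0 faces the Internet with public
# address EXT_IP, eth2 faces the protected part of 10.1.2.0/24.
# Commands are only printed unless DRY_RUN=0 is set on a real ipchains box.
DRY_RUN="${DRY_RUN:-1}"
EXT_IF=eth0; PROT_IF=eth2
EXT_IP="${EXT_IP:-192.0.2.10}"      # placeholder public address
PRIVATE=10.1.2.0/24                 # the whole private subnet from the question
PROTECTED=10.1.2.128/25             # assumed: the part that sits behind the firewall
WEBHOST=10.1.2.130                  # assumed: a web server inside PROTECTED

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

PORTFW_USED=""
# One external port can be forwarded to only one internal host, so refuse a
# second mapping of the same proto/port instead of silently overriding it.
add_portfw() {  # usage: add_portfw tcp 80 10.1.2.130
    case " $PORTFW_USED " in
        *" $1/$2 "*) echo "$1/$2 is already forwarded" >&2; return 1 ;;
    esac
    PORTFW_USED="$PORTFW_USED $1/$2"
    run ipmasqadm portfw -a -P "$1" -L "$EXT_IP" "$2" -R "$3" "$2"
}

firewall_rules() {
    PORTFW_USED=""
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    run ipchains -F
    run ipchains -P input ACCEPT
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY   # nothing is routed unless a rule allows it
    # Inside the private net the firewall is just the router: addresses stay
    # as they were, the rules below decide what crosses between the segments.
    run ipchains -A forward -s $PROTECTED -d $PRIVATE -j ACCEPT
    # Replies to connections the protected hosts opened (non-SYN TCP only)
    run ipchains -A forward -s $PRIVATE -d $PROTECTED -p tcp ! -y -j ACCEPT
    # The one service the rest of the net may reach inside the protected part
    run ipchains -A forward -s $PRIVATE -d $WEBHOST 80 -p tcp -i $PROT_IF -j ACCEPT
    # Only traffic leaving on the Internet interface is masqueraded behind EXT_IP
    run ipchains -A forward -s $PRIVATE -i $EXT_IF -j MASQ
    # Port forwarding makes the web server reachable from outside on EXT_IP:80
    add_portfw tcp 80 $WEBHOST
}

firewall_rules
```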