Burner, Wed, Mar 05, 2003 at 05:20:37PM +0100: > Hi > > My boos just asked me to build a Linux firewall to protect our servers, we > have about 20 servers, all configured with only the public (internet) IP, and > connected through a switch directly to our IPS's router. > I've only build firewalls for small lan networks using NAT with > iptables/ipchains. >
A bridging firewall might be a good idea in this situation. A bridge is transparent to the network so you won't have to reconfigure any of the machines behind the firewall. You'll need to patch your kernel to get the desired functionality, patches are available at http://bridge.sf.net. You want bridge-nf-0.0.7-against-2.4.19.diff . Very useful docs are also linked to from the same site. Also, you can configure bridges in /etc/network/interfaces, which makes it really easy to get going. > I've read some iptables and iproute2 howtos, but i realy do not know where to > begin, i dont even know if the hardware will be sufficient. P3/800 128Mb ram > and two good NIC's. Might want to increase RAM if you want to run a NIDS like snort. > > We don't need any advanced routing like bandwith balancing etc. I just need > to block most ports from public access and allow the servers (win) to update > from the internet. > > I would like to keep the public IP addresses on the servers if possible. > > Maybe i should configure the linux router with all the external IP's on one > NIC, and give the protected servers local IP addresses. then NAT the public > IP/ports to the servers using iptables, this is a way to do it, but is it i > good way? > > I would be happy to recive any hints from someone who has done anything like > this before. I run a bridging firewall across two T1's with a PIII 930 MHz/256 MB RAM machines running snort and it works great. The best thing about the bridge is that it makes configuration of machines behind the firewall straitforward. g
pgppaERPvQZFX.pgp
Description: PGP signature