09-15-2001 10:56 AM
What is the best solution for...?
Hi folks...
I need to implement a TCP/UDP filter in my network, where all hosts will be 'masked' (all hosts with private IP addresses) and a 'software gateway' (like IPTables, IPFilter, IPChains...) will offer Internet access for these private hosts. This gateway could be a host with 2 interfaces (one in the 192.168.1.0 network and the other in 200.123.123.0 (a valid network for the Internet)) that would filter all TCP/UDP packets (like IRC, STREAMS, FTP, HTTP, SSH, ...) and allow or deny these packets. I want to implement it using Linux 2.4, which I have already configured with 2 interfaces (one in 192.168.1.0 and the other in 200.123.123.0 (a valid network for the Internet)). I had thought about implementing this in my router, but it doesn't offer me resources for this. So, what is the best solution for this?
09-16-2001 02:08 AM
Re: What is the best solution for...?
Hi,
First, just to be sure that I've understood your question: you have users in a private network (192.168.xxx.yyy) that need access to Internet services (http/ftp/irc/...) through a network infrastructure (firewall/proxy/router).
The first thing that I can say: avoid using IPTables/IPChains for implementing the entire solution. The reason for that: IPTables/IPChains are good packet filters, but should be reserved for those developing firewalling solutions.
As a system and network admin, you would spend too much time implementing IPTables/IPChains rules and maintaining them. However, if you still want to edit your packet filtering rules by yourself, have a look at the excellent O'Reilly book: "Building Internet Firewalls" by Chapman & Zwicky.
In my opinion, the best architecture is to be built over proxy software. There exist lots of proxies for Internet services like FTP/HTTP/IRC/SSH...
Therefore, it is generally a good idea to have different hardware for the "proxy" functionality and the packet filtering. For a proxy server, you can use a Linux machine with only one NIC and appropriate software. For the advanced router that acts as a packet filter, it depends on the bandwidth needed. For 30-50 users, you can use a Linux server with two 10/100 Ethernet NICs. Otherwise, it is better to buy a Cisco or equivalent.
Your packet filtering rules can be as simple as "allow the outgoing and incoming traffic from/to the proxy server, deny all other packets". Of course, you need masquerading for the Internet traffic.
If you want additional security, you can put the proxy server(s) on a separate sub-network that is physically inaccessible to the users, in order to prevent someone from changing their IP address and gaining access to the outside world without using the relevant proxy.
To summarize, what I would suggest is:
-> Use a router with at least 3 NICs.
The first one on the subnet 192.168.0.0, reserved for proxy servers and administration machines.
The second one on the subnet 192.168.1.0, reserved for end users.
The third one is on the Internet, with an address like 200.123.123.xxx.
-> On the 192.168.0.0 subnet, implement proxy server(s) with appropriate software. For example, you can use "squid" (http://www.squid-cache.org) for http/https/ftp; have a look at http://freshmeat.net for the other services. An excellent proxy solution is provided with the TIS Firewall Toolkit (www.tis.com), but you have to read their licence agreement and follow the instructions included to be able to download the source code. The only thing lacking is the caching feature, but you can use the appropriate patch to cascade it with Squid.
-> On the end-user machines, use client software that supports proxying.
-> On the router, keep this advice in mind: the simpler the packet filtering/masquerading rules, the better the efficiency and security.
The rules can be as simple as:
* from/to 192.168.0.0 to/from 192.168.1.0: allow under some conditions.
* from/to 192.168.0.0 to/from anything other than 192.168.xxx.yyy (the Internet): allow under some conditions.
* deny any other packet.
To know how to implement this, read the excellent book:
"Building Internet Firewalls", 2nd Edition, by D. Brent Chapman & Elizabeth D. Zwicky, published by O'Reilly.
Good luck.
Kodjo
Learn and explain...