Linux Router with Firewall
David-Paul Niner
dpniner at dpniner.net
Sun Nov 6 02:32:31 UTC 2005
Craig White wrote:
> On Sat, 2005-11-05 at 08:25 -0600, Nathaniel Hall wrote:
>
>>Craig White wrote:
>>
>>>On Fri, 2005-11-04 at 08:35 -0600, Nathaniel Hall wrote:
>>>
>>>>I know this sounds like a stupid question, but I'm gonna ask anyway. I
>>>>would like to create a router using Fedora Core 3 (or 4) and netfilter,
>>>>but I don't want to masquerade. Am I going to have to do SNAT and DNAT
>>>>or is there any way I can do it without any kind of NAT?
>>>
>>>----
>>>it might be easier to make suggestions if it were clearer what you had
>>>in mind.
>>>
>>>A router doesn't need to do NAT if the clients know where they are
>>>going (i.e. static routes), or it very well may be that a proxy server
>>>like squid will do what you want.
>>>
>>>Craig
>>
>>I have a setup with multiple firewalls around my DMZ. The DMZ is
>>addressed with legal IP addresses and the internal network is addressed
>>with private addresses. I perform many to one NAT on the external
>>firewall and simply route (and filter) at the internal firewall. This
>>keeps me from having to figure out which internal IP address was NATed
>>to which external IP address when I am looking at access logs. The
>>internal firewall took very little setup, but it isn't netfilter. Is
>>there any way to get FC4 to do the same?
>
> ----
> Still not entirely clear but perhaps I'm not smart enough. It sounds to
> me like you are doing a double NAT with both firewalls.
>
> Thinking that your external firewall provides NAT to computers in the DMZ
> and to the external address of your internal firewall, and your internal
> firewall is providing NAT to the private address systems on your
> LAN, then your systems on the LAN are using the internal IP of your
> internal firewall as their default gateway and that means the internal
> firewall is providing NAT.
>
> If you didn't want to do NAT through the internal firewall, you would
> have to set the default gateway to the internal side of your external
> firewall and a static route for these systems to know how to get there
> which seems to be too much of a hassle...hence doing NAT on the internal
> firewall makes sense.
>
> Craig
>
If you don't mind dedicating a box solely to this effort, you could try
the GPL'd version of smoothwall, which is available here:

http://www.smoothwall.org

As I understand it, their relationship to the commercial product that
Smoothwall, Ltd. sells is similar to the Fedora Project's relationship to
RHEL: the former is a testing ground for the latter (although it doesn't
appear to be as "open" a process).

For what it's worth, I run the commercial version on my home network and
haven't had any issues at all. And no, no one is paying me to say this!
Good Luck,
DP
--
David-Paul Niner, RHCE
Orange Park, Florida, United States
GPG Key ID: 0x106B54E3
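As an added example (not code from any poster in this thread), here is the kind of netfilter ruleset the internal firewall described above would carry: it forwards and filters between a private LAN and a DMZ with no nat-table rules at all, so DMZ access logs show the real internal source addresses. Interface names, networks and ports are assumptions constructed for the example; as Craig notes, the DMZ hosts then need a static route back to the LAN through this box.

```shell
#!/bin/sh
# Added example, not code from the thread: an iptables ruleset for a Linux box
# that only routes and filters between a private LAN and a DMZ, with no NAT
# rules at all, so DMZ access logs show the real internal source addresses.
# Constructed addressing (assumed, not from the thread): LAN on eth1 =
# 192.168.10.0/24, DMZ on eth0 = 203.0.113.0/24. The external firewall does the
# many-to-one NAT; DMZ hosts need a static route for $LAN_NET via this box.
LAN_IF=eth1; LAN_NET=192.168.10.0/24
DMZ_IF=eth0; DMZ_NET=203.0.113.0/24
DMZ_PORTS=80,443   # services LAN clients may reach in the DMZ

# Emit the rules as plain commands so they can be reviewed or diffed before
# being applied. Note there is no "-t nat" line anywhere.
router_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=1
iptables -F FORWARD
iptables -P FORWARD DROP
# anti-spoofing: each interface only accepts its own network as source
iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
iptables -A FORWARD -i $DMZ_IF ! -s $DMZ_NET -j DROP
# stateful: replies to allowed flows come back, bad state is dropped
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new flows only from LAN to DMZ services; nothing initiated from the DMZ
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -p tcp -m multiport --dports $DMZ_PORTS -m state --state NEW -j ACCEPT
# log (rate-limited) what the DROP policy is about to discard
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
EOF
}

# Count NAT rules in the generated set; a routing-only firewall must report 0.
nat_rule_count() { router_rules | grep -c -- '-t nat' || true; }

# Apply for real (needs root) with "./router.sh apply"; otherwise just print.
if [ "${1:-}" = "apply" ]; then
    router_rules | sh -e
else
    router_rules
fi
```

Run it without arguments first and review the printed rules; only the `apply` form touches the running kernel.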