widesteps
2004-03-01, 07:02 AM PST
Maybe a silly question, but I thought I would throw this into the forum for a bit of a discussion. Pros, cons, etc.
If you set up a host with two network cards and configure it as a router and use iptables to do some firewalling, can the same host be used as a file/print server?
Should it? And if not, why not?
The setup which I am toying with involves the host not having a direct internet feed. The incoming side of the router/firewall/file server (NIC 1) would be another LAN which itself had a router connected to the Internet, i.e. the host would create a firewalled subnet but would allow its nodes to access the internet via the outer LAN. An office within another office.
How difficult would this be to set up?
Any suggestions on what configuration is necessary will be gratefully received and churned over for their suitability and I will let you know how I get on!
;)
Cheers
egurski
2004-03-01, 11:22 AM PST
If you set up a firewall, why would you want your files exposed?
A firewall can be run just using a bootable CD and IPTables. There are some discussions about using a firewall as a proxy (SQUID) server, but again I question why you would want anyone to know where you've been and where you're going.
My own firewall is just that. I have set it up to act as a router, so in my network it's set up something like this:
DNS, Proxy, Samba, F/P server, NTP, DHCP is 192.168.100.2
Gateway is 192.168.100.253 (which is my Green side on the firewall).
My firewall has as its second NIC an address of 10.25.100.253 (Red side) with the gateway set to 10.25.100.254, which is my Linksys router.
The connections from my internal LAN to my firewall all go through an 8-port switch that is connected to my Green side...
I control all access via iptables using sc.firewall.
Bana
2004-03-03, 06:01 PM PST
I recommend Smoothwall (http://www.smoothwall.org/). I have used it successfully now for a long time and it is a no-fuss kind of setup, great for those who don't have time to work with networking AND other things (I like to learn one thing at a time).
Thoreau
2004-03-04, 06:28 AM PST
Smoothwall is awesome from what I have heard. I've read up on it and now I'm just waiting 'til I find an old computer that I can use for it. :)
egurski
2004-03-04, 07:39 AM PST
I must apologize for the firewall I quoted as using. Typos, typos, typos... :)
The firewall that I am using is rc.firewall and it can be found at http://projectfiles.com/firewall/
Again, sorry for the confusion.
I did find it quite easy to configure and maintain.
reddwarf2956
2004-03-20, 01:13 PM PST
Originally posted by egurski
If you set up a firewall, why would you want your files exposed?
A firewall can be run just using a bootable CD and IPTables. There are some discussions about using a firewall as a proxy (SQUID) server, but again I question why you would want anyone to know where you've been and where you're going.
My own firewall is just that. I have set it up to act as a router, so in my network it's set up something like this:
DNS, Proxy, Samba, F/P server, NTP, DHCP is 192.168.100.2
[snip only for saving bandwidth; the info cut is good.]
I control all access via iptables using sc.firewall.
This sounds a lot like what I am trying to set up, but with lots of minor changes which have added up to make things not work. So, I have a lot of questions (Qs). One difference: the internet connection (Red side) is a dynamic PPPoE connection. I am using rp-pppoe to connect, but it is not configured the way that I want with booting and restarting after KDE running with NTP, iptables, routing, and dyndns.org updating. I have learned part of these setups but don't seem to get them to work for all of these Qs.
When I say setup, I am wanting to know which files must be edited and what statements must be run, added, changed or removed so as to get this to work and be secure with things like iptables. I have seen some dated How-Tos; I have yet to see info that states what is needed for current versions, like FC1 or iptables. (Still, add them to your replies for other readers to learn this stuff and to remind me, but do tell how it differs by version changes so as to fix my problems.)
My Qs are a lot, so copy the section that you want to answer, make a new thread for what you want to write about, and please show how the part works with the relevant other Qs. Thanks.
Hardware setups: (all computers have a modem (as far as working order, I do not know))
P3-450: to be the computer that I use as a PC. Currently has all of Fedora Core 1 installed (currently having some problems with a KDE update from RH 8.0). It has 2 NIC cards, a CD-RW and most user software like OO. I have been updating the time on this machine from the internet after connecting and using RH 8.0's clock program; not working. Now that I am using FC I hope to set this up better. All packages for FC1 installed; I would like to know which packages and server programs I do NOT need. Will continue to have normal hard drive boot, not CD. Will be able to read log files, execute programs and other things of the Ppro-150. No internet executables or SUers from the internet users allowed, unless done by dial-in. (Both Red and Green sides)
Ppro-150: has 1 NIC card, 1 G hard drive, 1 G Jaz drive and other stuff. Want to use the Jaz as a "live" backup drive. Can be the print server and NTP server if the setup will allow it; as for now the P3-450 will do that job. Will need NTP updates if it is not the server. Runs part of RH 9.0, but I have not been able to "see" it on the LAN. I would like to have the boot CD method for this machine. Will always be on the Green side (unless a tunnel for NTP is set up). Setup? How to write the CD when this machine does not have a CD-RW?
Win98 laptop: will be able to connect from different places by internet, modem, and a LAN hub to the LAN. Will need NTP updates. (Runs programs that Linux can't.) What safe and secure software to do these connections is needed on both ends? How to set up? (Both Red (over the net, connecting in) and Green at home)
(I do have a 10 G hard drive to swap with the Win98 hard drive so as to put Linux on this laptop. But I need a version which will run only one program at a time because of the real-time requirements of a device I have. To be done later.)
DOS laptop: only needs dial-in or serial port NTP updates by the LAN?? (Always Green.)
The LAN is on 192.168.X.X
The software setups and wants (lots of Qs):
DNS: How to set this up for both sides of the firewall? (Or do I need it on both?) How to set up routing for each computer too?
DHCP: do I need this with local DNS and PPPoE? I don't think it will work over the internet with PPPoE, will it?
Proxy: I don't think I need a proxy (what use is it to me? Clueless). If I do need it, how do I set it up? If not, how do I remove it and all files related to it but not depended on by other files?
Samba: (same Qs as DNS) set up for both sides?
F/P server: one side only for the printer (I don't want internet printing); as for files, set up for both.
Apache: which is working right now but is not secure; for personal web pages. (Web pages will have to be edited, so not pressing.)
Webmin: is there something better? If not, which machine to run it on?
NTP: Need a single server for the clients (whichever machine that will be). I want this to work at boot time; I currently have an error.
IPTables: what is the way to allow the different machines to work with the different
Dynamic PPPoE: How to set up to have automatic updates to dyndns.org. Also I want it to work with NTP and not allow any spoofing, hacking, etc. I want this to work at boot time; as of now I currently have an error.
SSH: I want this instead of FTP for doing things FROM the internet; FTP is fine for doing things TO the internet.
Mail: I would like a clean and secure method of collecting mail (from Yahoo, SBC POP3 in, and a personal web site to be made) and sending it to a "server" which holds the mail and archives it. If this can be done on the same machine that I read mail on.
LAN users: (how to set this all up?)
Root (of course), but only as needed.
SU: a user to do the things, and change things like root, without using root.
ME: a common user which does not have much more than internet use, and running programs that are not SU stuff; can run SU to be a SU. Can only log in locally.
iME (for internet connections): same as ME as stated but will not be able to have SU powers. Can only log in from the internet.
Any help will be great!!!!
John
egurski
2004-03-21, 05:47 PM PST
John:
You are certainly asking for a lot. I would recommend reading some of the older How-Tos, since most of them are still applicable.
Let's start with your basic configuration.
First, I would recommend that you buy yourself two (2) pieces of hardware: a router (does not have to be wireless; in fact I would recommend against that and using a wireless access point later on). The router will cost you about $20-50 (US). It need not have many ports; in fact, unless you are planning on having a web site in a DMZ, then a single port would suffice. The next piece of hardware is a switch; they run about $30-50 (US). Make sure you have enough ports on it so that all your systems, plus your firewall, can be connected.
Now for the configuration.
Since you have a router, you will not need to configure for PPPoE, since the router will perform all your authentication and provide you with NATing.
Connect your firewall to the router via the Red zone and connect the Green zone to your switch.
The Red Zone can have an IP address of, say, 192.168.1.2; the router will probably be 192.168.1.1. So, your gateway on the firewall will be 192.168.1.1.
The Green zone can have an IP address of 192.168.100.254 (the normal address for routers is x.x.x.254).
Now, once you've connected your other systems to the switch, they will be part of the 192.168.100.xxx segment with a gateway address of 192.168.100.254.
Now whenever they access the internet they will pass through your switch, then the firewall and finally through the router.
You could establish a local workgroup called foo.org which will be everyone in the 192.168.100.xxx segment and they should be able to see everyone.
The next step would be to set up a caching DNS server (see http://www.linux.org/docs/ldp/howto/DNS-HOWTO.html).
Your firewall should point only at your ISP's DNS servers and as a secondary point to your internal DNS. Do not make your firewall a DNS server.
You can also block ads with your DNS server, but I will explain that in another post.
While building your DNS server, I would test it to make sure that you can perform both a forward and a reverse lookup from your machines to other local machines and the internet.
A proxy server is a caching server for your web pages. This will make your browser appear to be working faster since it will cache the pages a system uses. Thus if system A accesses www.foo.com's home page and then system B does the same request, the page will be sent from the proxy server's cache.
Try to designate one server as your DNS, Proxy (aka Squid), Time server (NTP), DHCP, etc...
Let me know how the first part goes and I can help you through the rest...:)
Thoreau
2004-03-22, 11:43 AM PST
egurski:
You just cleared some stuff up for me also.
reddwarf2956
2004-03-22, 01:25 PM PST
I just had to go get a new NIC card. While there I got a DSL router. I will be installing them soon. It was cool to see that on the box they are Linux compatible, so installing should be easy. I also got a book with 2 disks of FC1, which will help with setting this up a bit faster and smoother. (I am having problems with the CD not working in the player of the Ppro machine.)
I will be back,
Thanks for the great info
Egurski
widesteps
2004-03-22, 04:08 PM PST
egurski,
This is a very crude diagram! But is this what you are advocating? I want to clarify your setup...
-----pub---Router---pri----- -----------Firewall----------
192.168.1.2 / 192.168.1.1 -->192.168.1.1 / 192.168.100.254 -->switch -->>>192.168.100.xxx
i.e. your public address is 192.168.1.2? This is not a usual public address.
Also, is the router's (private side) address the same as the firewall's address on the router side? Is this allowed?
egurski
2004-03-22, 04:51 PM PST
Actually, your public address will be set up by the router. Everything behind the router is private: your servers/PCs will all share the same internet connection, thus if your ISP assigns a public address like 4.2.2.10, that is the address all your systems will share. However, internally they will all be 192.168.100.xxx and have their own addresses.
The router (if it's a Linksys) will probably default to 192.168.1.1, or if you prefer make the router 192.168.1.254. That way you know it's a router and it follows a standard. Then your firewall will have 2 IPs (192.168.1.2 Red Zone and 192.168.100.254 Green Zone).
It will look something like this:
Router: 192.168.1.1 or 192.168.1.254
Firewall 192.168.1.2 (Red Zone)
Firewall 192.168.100.254 (Green Zone)
Switch
Your systems 192.168.100.xxx
Hope this clarifies the issue...
Ed
BTW: I use 10.25.x.x as my private network...
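A concrete iptables ruleset for the layout above, added here as an example (it is not egurski's rc.firewall nor any poster's code). It assumes eth0 is the Red NIC (192.168.1.2, toward the Linksys) and eth1 the Green NIC (192.168.100.254, toward the switch), and that SSH, NTP and Samba run on the firewall but are reachable only from the Green side, which is the question that opened this thread.

```shell
#!/bin/sh
# Added example, not egurski's rc.firewall or any poster's code: a minimal
# ruleset for the layout above. Assumptions: eth0 is the Red NIC
# (192.168.1.2, toward the Linksys), eth1 is the Green NIC (192.168.100.254,
# toward the switch), and the box also serves SSH, NTP and Samba to Green.
RED=eth0
GREEN=eth1
GREEN_NET=192.168.100.0/24

# Emit the rules as text so they can be reviewed (or compared with
# /etc/sysconfig/iptables) before anything is loaded into the kernel.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $GREEN -s $GREEN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $GREEN -s $GREEN_NET -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i $GREEN -s $GREEN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -i $GREEN -s $GREEN_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -i $RED -m limit --limit 5/min -j LOG --log-prefix "RED-DROP: "
iptables -A FORWARD -i $GREEN -o $RED -s $GREEN_NET -j ACCEPT
iptables -A FORWARD -i $RED -o $GREEN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $RED -s $GREEN_NET -j MASQUERADE
EOF
}

# Sanity check for the thread's question: how many rules accept new
# (not ESTABLISHED/RELATED) connections arriving on the Red interface?
# The answer should be 0, i.e. the file/print services are Green-only.
red_accepts() {
    gen_rules | grep -- "-i $RED " | grep -v ESTABLISHED \
        | grep -c -- "-j ACCEPT" || true
}

# Load the rules and turn on forwarding between the two NICs (needs root).
apply_rules() {
    gen_rules | sh -e
    sysctl -w net.ipv4.ip_forward=1
}

if [ "$1" = "apply" ]; then apply_rules; else gen_rules; fi
```

Run it with no arguments to print the rules for review, and with `apply` as root to load them; anything new arriving on Red is logged (rate-limited) and then dropped by the INPUT policy.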
egurski
2004-03-24, 06:05 PM PST
As I promised, I am including links to sites that have proven useful to me.
DNS (Bind)
http://www.tldp.org/HOWTO/DNS-HOWTO.html
rc.firewall (it's a tutorial on IPTables)
http://www.faqs.org/docs/iptables/index.html
Proxy server (Squid)
http://www.squid-cache.org/
Samba:
http://hr.uoregon.edu/davidrl/samba/
reddwarf2956
2004-04-01, 05:38 PM PST
Ok, I bought a Linksys and used the:
http://www.tldp.org/HOWTO/Linksys-Blue-Box-Router-HOWTO/
configurations on:
http://www.tldp.org/HOWTO/Linksys-Blue-Box-Router-HOWTO/confighints.html
to set it up.
It does not do any DNS work so I will have to set something up for that. With the number of machines do I need to set up full DNS or can I just do it from /etc/hosts ?
I also am wondering what I need to do to transfer files from one machine to another without FTP; also, the one which I am wanting to transfer files to is command line only.
egurski
2004-04-03, 01:02 PM PST
You could always set up a caching DNS server. In this way you could assign all your systems a static IP address plus shorten the time for DNS lookups. I believe this is all explained in the DNS Howto. If not, I could always give you some advice.
I chose to make one system my DNS, DHCP, Samba, NTP, Squid, Apache, etc...
However, it is not the system that runs the firewall.
As far as transferring files between systems, Fedora comes set up blocking FTP, Telnet and others. You will have to change your local IPTables to allow SSH (it is much more secure). Iptables can be found in /etc/sysconfig/iptables. The other option is to use the Red Hat security level utility and enable SSH, but make sure you check your NIC card (I'll assume eth0) as being trusted. Then you can ssh and sftp to your heart's content.
Now if you have some Windows machines, you will need to install PuTTY (do a Google search) and it will have ssh and sftp for Windows in the utility.
Ed
;)
reddwarf2956
2004-04-04, 08:44 PM PDT
I am in need to back things up on the P3-450, but I have not set up the DNS bit so as to give things names. I can ping the address, or ssh to the other machine, but what command would I have to do to copy the files from one machine to another using IP addresses? This will be the first time I have done this without FTP, since I never had an FTP server. I only have used others', and I don't want the insecurity added.
John
As for the setup with DNS, what is the minimum that I would have to do?
egurski
2004-04-04, 10:35 PM PDT
John:
The first thing is to use sftp (the secure shell way for FTP). The commands are exactly the same except it will not accept hash or bin.
As for the DNS portion, the simplest way without actually setting up a DNS server is to add entries to your /etc/hosts file after the localhost definition (i.e. 127.0.0.1).
You can do something like this:
192.168.1.10 server1 server1.mydomain.com
192.168.1.11 server2 server2.mydomain.com
The second form is optional (i.e. server1.mydomain.com). Although you may want to set up a workgroup and give it a name in your private addresses.
Then you would copy this file to all your machines so that each one has the same hosts file.
I know in the DNS Howto there is a section on setting up a name caching server; that is what most home users set up. But unless you have a large number of machines (I have 8) or would just like to get practice in setting up a DNS server, stick with the hosts file.
I found that by being a DNS caching server, I can quickly resolve my common internet addresses since my DNS server has them sitting in its cache.
Ed