Linux Router with Firewall

David-Paul Niner dpniner at dpniner.net
Sun Nov 6 02:32:31 UTC 2005


Craig White wrote:
> On Sat, 2005-11-05 at 08:25 -0600, Nathaniel Hall wrote:
> 
>>Craig White wrote:
>>
>>
>>>On Fri, 2005-11-04 at 08:35 -0600, Nathaniel Hall wrote:
>>> 
>>>
>>>
>>>>I know this sounds like a stupid question, but I'm gonna ask anyway.  I
>>>>would like to create a router using Fedora Core 3 (or 4) and netfilter,
>>>>but I don't want to masquerade.  Am I going to have to do SNAT and DNAT
>>>>or is there any way I can do it without any kind of NAT?
>>>>   
>>>>
>>>
>>>----
>>>it might be easier to make suggestions if it were clearer what you had
>>>in mind.
>>>
>>>A router doesn't need to do NAT if the clients know where they are
>>>going (i.e. static routes), or it may very well be that a proxy server
>>>like squid will do what you want.
>>>
>>>Craig
>>> 
>>>
>>
>>I have a setup with multiple firewalls around my DMZ.  The DMZ is
>>addressed with legal IP addresses and the internal network is addressed
>>with private addresses. I perform many to one NAT on the external
>>firewall and simply route (and filter) at the internal firewall.  This
>>keeps me from having to figure out which internal IP address was NATed
>>to which external IP address when I am looking at access logs. The
>>internal firewall took very little setup, but it isn't netfilter.  Is
>>there any way to get FC4 to do the same?
> 
> ----
> Still not entirely clear but perhaps I'm not smart enough. It sounds to
> me like you are doing a double NAT with both firewalls.
> 
> Thinking that your external firewall provides NAT to computers in DMZ
> and external address of your internal firewall and your internal
> firewall is providing NAT to the private address systems on your
> LAN, then your systems on the LAN are using the internal IP of your
> internal firewall as their default gateway and that means the internal
> firewall is providing NAT.
> 
> If you didn't want to do NAT through the internal firewall, you would
> have to set the default gateway to the internal side of your external
> firewall and a static route for these systems to know how to get there
> which seems to be too much of a hassle...hence doing NAT on the internal
> firewall makes sense.
> 
> Craig
> 
> 

If you don't mind dedicating a box solely to this effort, you could try
the GPL'd version of smoothwall, which is available here:

http://www.smoothwall.org

As I understand it, their relationship to the commercial product that
Smoothwall, Ltd. sells is similar to the Fedora Project's relationship to
RHEL: the former is a testing ground for the latter (although it doesn't
appear to be as "open" a process).

For what it's worth I run the commercial version on my home network and
haven't had any issues at all.  And no, no one is paying me to say this!

Good Luck,
DP

-- 
David-Paul Niner, RHCE
Orange Park, Florida, United States
GPG Key ID: 0x106B54E3
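The setup Nathaniel asks about (an internal Fedora box that only routes and filters, with no NAT so access logs show the real private addresses) can be expressed as a plain netfilter ruleset with a filter table and nothing else. The script below is an added example written for this archive page, not code from any poster or from smoothwall; the interface names, the 192.168.10.0/24 LAN and the 203.0.113.0/24 stand-in for the DMZ's public addresses are assumptions.

```shell
#!/bin/sh
# Constructed example of an internal Fedora router that forwards and filters
# between a private LAN and a DMZ with no NAT table at all. Interface names
# and address ranges are assumptions; 203.0.113.0/24 is a documentation range
# standing in for the DMZ's real ("legal") addresses.
LAN_IF=eth1              # faces the private LAN
DMZ_IF=eth0              # faces the DMZ and the external firewall
LAN_NET=192.168.10.0/24  # private LAN (assumed)
DMZ_NET=203.0.113.0/24   # DMZ (assumed)

# Emit the ruleset in iptables-restore format (the format FC4 keeps in
# /etc/sysconfig/iptables). Only the filter table is declared, so the kernel
# forwards packets with their source and destination addresses untouched.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic to the router itself: loopback, replies, and ssh from the LAN
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# anti-spoofing first: a packet arriving from the DMZ with a LAN source is bogus
-A FORWARD -i $DMZ_IF -s $LAN_NET -j DROP
# transit traffic: replies to connections already allowed through
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> DMZ: new connections allowed; the real $LAN_NET source address is
# what the DMZ hosts (and the external firewall's logs) will see
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
# DMZ -> LAN: no new connections inward (the chain policy drops them anyway)
-A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state NEW -j DROP
COMMIT
EOF
}

# Returns success only if the ruleset declares no nat table and uses no
# NAT target, i.e. it cannot masquerade, SNAT or DNAT anything.
ruleset_is_nat_free() {
  ! printf '%s\n' "$1" | grep -q -e '^\*nat' -e MASQUERADE -e SNAT -e DNAT
}

# To apply as root:  sysctl -w net.ipv4.ip_forward=1 && gen_ruleset | iptables-restore
# The external firewall still needs a static route for $LAN_NET via this
# box's $DMZ_IF address, or return traffic has no path back to the LAN.
```

The last comment is the piece Craig's reply glosses over: without NAT the box upstream must know how to reach the private subnet, which is exactly the static route he mentions.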