[sf-lug] Fwd: [AlamedaW] Need help: iptables

jim stockford jim at well.com
Sat Jun 2 10:53:15 PDT 2007

anybody interested in helping Alameda Wireless folks
set up a linux box as a port-forwarding firewall router?

Begin forwarded message:

> From: BlueSkye4 <BlueSkye4 at alamedanet.net>
> Date: June 2, 2007 10:36:14 AM PDT
> To: AW List <alameda at alamedawireless.org>
> Subject: [AlamedaW] Need help: iptables
> Hi, All,
> This is a request for assistance from anyone who might be versatile in
> setting up a firewall for a Linux router.
> Here's our problem.  Currently AW4 is using a Netgear FVS318 standard
> firewall router to connect the eth0 port of the AW4 router to its ISP
> connection.  AW4 is currently servicing internet for 7 AW nodes,
> including itself, through the Netgear FVS.  In order to run selected
> internet applications, many of these node owners have requested specific
> ports be forwarded at the FVS to: either their AW node router, or to a
> specific machine located on the eth subnet at their node.
> The current problem we have run into in performing such port forwarding
> is that the FVS has a max limit of 16 ports (or port ranges) that can be
> declared for possible forwarding.  We already have one node that is
> using 7 of the available 16 forwards.  Clearly, as the network grows,
> and as clients are added to routing nodes, having a limit of only 16
> forwards at the internet gateway for any AW node that is sharing an
> internet connection, is going to become a severe operational limitation
> for the AW Net.  At this point, all 16 ports (or port ranges) are being
> used at AW4, so AW4 is unable to add any additional forwarding in the
> future.
> I have tried to examine the standard router market out there, but what I
> have found is that all the standard routers I have seen on the market
> appear to have similar limitations on the number of ports that can be
> set up to be forwarded.  I've seen routers that max out at: 8, 10, 12,
> 16 and 20 ports (or port ranges).  Even the 20 max one is not anywhere
> great enough to meet the ultimate needs for port forwarding that a
> typical active internet-supplying AW node is eventually going to need.
> So  .  .  .  what to do?
> The suggestion has been made, that sounds most promising, is to replace
> the gateway firewall router (FVS in AW4's specific case), with a Linux
> machine running as a wired firewall router.  I think there would, for
> all practical purposes, be no limit to the number of ports that could be
> forwarded from a Linux box located at the gateway location connecting to
> the ISP modem.  This would mean that the machine would have to run
> iptables.  At the moment none of the AW routers run with any firewall
> rules (iptables).  Drew and I have, in the past, attempted to set up
> rules using iptables, but we (or at least certainly I) found the process
> more than we could handle.  We were never successful in properly
> configuring a firewall in a Linux box.
> One consideration, besides providing the firewalling and forwarding for
> the AW Net, is that this machine also would be performing the gateway
> firewalling and forwarding for my personal LAN.  I do have another
> hardware router that separates my personal LAN from the AW Net, but
> "both" of those nets ultimately receive their internet connection from
> the FVS.  If we can produce a suitable Linux replacement, maybe this
> front-line gateway can become a Linux box.
> I suspect that somewhere out on the AW List, there are, most likely, a
> number of you skilled in configuring a Linux box with a rugged firewall
> that would perform as well, or better, than an FVS (or equal).  I can
> provide all the hardware and can install a base Linux system, but I
> can't configure a firewall, and I don't know anyone who can.  What I
> would like to do is develop a suitable rugged Linux firewalled router
> box, and to well document the process, so that other AW nodes in the
> future will be able to utilize this approach if they find the need to
> perform a large number of port forwards.
> If there is anyone out there who would be willing to assist me in setting up
> an effective wired firewalled router for the AW4 (and future AW nodes)
> internet connection, I (and AW) could really use your help right now.
> Pete
> -- 
> "Good judgment comes from experience
> - well, that comes from poor judgment..."
> - A.A.Milne
> ___________________________________________________________
> Alameda Wireless mailing list - alameda at alamedawireless.org
> http://alamedawireless.org/mailman/listinfo/alameda
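One way to build the kind of gateway Pete describes, as an added example that is not part of this thread: a small iptables script where the forwards live in a table with no fixed ceiling, each entry getting a DNAT rule plus a FORWARD accept limited to that one service, and everything else routed inbound dropped by default. Interface names, the private address range and the forwards table are constructed assumptions, not AW4's real configuration.

```shell
#!/bin/sh
# Added example: iptables port-forwarding gateway replacing a fixed-limit
# appliance. Interfaces, LAN range and the forwards table are assumptions.
WAN=eth0                  # assumed: interface facing the ISP modem
LAN=eth1                  # assumed: interface facing the AW node routers
LAN_NET=192.168.1.0/24    # assumed: private range used behind the gateway
DRY_RUN=1                 # default: print the commands; "apply" runs them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One forward per line: "proto dport target_ip[:target_port]"; dport may be a
# range written a:b. Constructed sample entries; the list has no 16-entry cap.
FORWARDS='
tcp 22        192.168.1.10
tcp 8080      192.168.1.10:80
udp 5060      192.168.1.20
tcp 6881:6889 192.168.1.30
'

base_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P INPUT DROP       # default deny towards the gateway itself
    run iptables -P FORWARD DROP     # default deny for routed traffic
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Two rules per entry: the nat DNAT, and a FORWARD accept matching only the
# translated destination and port, so nothing beyond the listed services opens.
forward_rules() {
    printf '%s\n' "$FORWARDS" | while read -r proto dport target; do
        [ -n "$proto" ] || continue
        case "$target" in
            *:*) tip=${target%%:*}; tport=${target##*:} ;;
            *)   tip=$target;        tport=$dport ;;
        esac
        run iptables -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$dport" \
            -j DNAT --to-destination "$target"
        run iptables -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$tip" \
            --dport "$tport" -m state --state NEW -j ACCEPT
    done
}

[ "${1:-}" = apply ] && DRY_RUN=0
base_rules
forward_rules
```

Run it without arguments to review the generated rules; `sh gateway.sh apply` as root installs them (flush existing chains first if the box already carries rules).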
