[sf-lug] Fwd: [AlamedaW] Need help: iptables
jim at well.com
Sat Jun 2 10:53:15 PDT 2007
anybody interested in helping Alameda Wireless folks
set up a linux box as a port-forwarding firewall router?
Begin forwarded message:
> From: BlueSkye4 <BlueSkye4 at alamedanet.net>
> Date: June 2, 2007 10:36:14 AM PDT
> To: AW List <alameda at alamedawireless.org>
> Subject: [AlamedaW] Need help: iptables
> Hi, All,
> This is a request for assistance from anyone who might be versatile in
> setting up a firewall for a Linux router.
> Here's our problem. Currently AW4 is using a Netgear FVS318 standard
> firewall router to connect the eth0 port of the AW4 router to its ISP
> connection. AW4 is currently servicing internet for 7 AW nodes,
> including itself, through the Netgear FVS. In order to run selected
> internet applications, many of these node owners have requested
> ports be forwarded at the FVS to: either their AW node router, or to a
> specific machine located on the eth subnet at their node.
> The current problem we have run into in performing such port forwarding
> is that the FVS has a max limit of 16 ports (or port ranges) that can be
> declared for possible forwarding. We already have one node that is
> using 7 of the available 16 forwards. Clearly, as the network grows,
> and as clients are added to routing nodes, having a limit of only 16
> forwards at the internet gateway for any AW node that is sharing an
> internet connection, is going to become a severe operational limitation
> for the AW Net. At this point, all 16 ports (or port ranges) are being
> used at AW4, so AW4 is unable to add any additional forwarding in the
> I have tried to examine the standard router market out there, but what I
> have found is that all the standard routers I have seen on the market
> appear to have similar limitations on the number of ports that can be
> set up to be forwarded. I've seen routers that max out at: 8, 10, 12,
> 16 and 20 ports (or port ranges). Even the 20 max one is not anywhere near
> great enough to meet the ultimate needs for port forwarding that a
> typical active internet-supplying AW node is eventually going to need.
> So . . . what to do?
> The suggestion that has been made, and that sounds most promising, is to replace
> the gateway firewall router (FVS in AW4's specific case), with a Linux
> machine running as a wired firewall router. I think there would, for
> all practical purposes, be no limit to the number of ports that could be
> forwarded from a Linux box located at the gateway location connecting
> the ISP modem. This would mean that the machine would have to run
> iptables. At the moment none of the AW routers run with any firewall
> rules (iptables). Drew and I have, in the past, attempted to set up
> rules using iptables, but we (or at least certainly I) found the
> more than we could handle. We were never successful in properly
> configuring a firewall in a Linux box.
> One consideration, besides providing the firewalling and forwarding for
> the AW Net, is that this machine also would be performing the gateway
> firewalling and forwarding for my personal LAN. I do have another
> hardware router that separates my personal LAN from the AW Net, but
> "both" of those nets ultimately receive their internet connection from
> the FVS. If we can produce a suitable Linux replacement, maybe this
> front-line gateway can become a Linux box.
> I suspect that somewhere out on the AW List, there are, most likely, a
> number of you skilled in configuring a Linux box with a rugged firewall
> that would perform as well, or better, than an FVS (or equal). I can
> provide all the hardware and can install a base Linux system, but I
> can't configure a firewall, and I don't know anyone who can. What I
> would like to do is develop a suitable rugged Linux firewalled router
> box, and to well document the process, so that other AW nodes in the
> future will be able to utilize this approach if they find the need to
> perform a large number of port forwards.
> If there is anyone out there who would be willing to assist me in setting up
> an effective wired firewalled router for the AW4 (and future AW nodes)
> internet connection, I (and AW) could really use your help right now.
> "Good judgment comes from experience
> - well, that comes from poor judgment..."
> - A.A.Milne
> Alameda Wireless mailing list - alameda at alamedawireless.org
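A worked example of what the requested Linux gateway ruleset looks like, added here as an illustration; it is not code from the original thread or from Alameda Wireless. The interface names (eth0 toward the ISP modem, eth1 toward the LAN), the 192.168.10.0/24 subnet and the three-entry forward table are assumptions. The script generates the iptables commands from a text table (one line per forward, so there is no fixed limit) and only executes them when run with --apply, so the generated rules can be reviewed first. It enables IP forwarding, masquerades outbound traffic, drops inbound and forwarded traffic by default, and for each table entry adds a DNAT rule plus the matching FORWARD accept, which is the pair that is easy to forget when hand-writing rules.

```sh
#!/bin/sh
# Added example: build an iptables ruleset for a Linux NAT gateway with an
# arbitrary number of port forwards. Interfaces, subnet and the table below
# are assumed values, not taken from the original post.
WAN=eth0                    # assumed: interface facing the ISP modem
LAN=eth1                    # assumed: interface facing the wireless node / LAN
LAN_NET=192.168.10.0/24     # assumed: LAN subnet to masquerade

# Constructed forward table: "proto external_port target[:internal_port]".
# external_port may be a range a:b; without :internal_port the port is kept.
FORWARDS='
tcp 22          192.168.10.5
tcp 8080        192.168.10.7:80
udp 27000:27050 192.168.10.9
'

# Emit the DNAT rule and the matching FORWARD accept for one table entry.
forward_rules() {
    proto=$1; port=$2; target=$3
    host=${target%%:*}
    tport=${target#*:}
    if [ "$tport" = "$target" ]; then
        tport=$port          # no translation: keep external port (ranges ok)
        dest=$host
    else
        dest=$host:$tport    # translate to a single internal port
    fi
    echo "iptables -t nat -A PREROUTING -i $WAN -p $proto --dport $port -j DNAT --to-destination $dest"
    echo "iptables -A FORWARD -i $WAN -o $LAN -p $proto -d $host --dport $tport -m conntrack --ctstate NEW -j ACCEPT"
}

# Emit the complete ruleset: base policy first, then one pair per forward.
ruleset() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
    echo "$FORWARDS" | while read -r proto port target; do
        case "$proto" in
            "") ;;                                   # skip blank lines
            *)  forward_rules "$proto" "$port" "$target" ;;
        esac
    done
}

# Number of forward entries in the table (one DNAT rule each).
count_forwards() {
    ruleset | grep -c 'PREROUTING'
}

case "${1:-}" in
    --apply) ruleset | sh ;;     # run as root on the gateway
    *)       ruleset ;;          # dry run: print the commands for review
esac
```

Run without arguments to inspect the rules, then `sh gateway.sh --apply` as root on the gateway; the FVS-style limit disappears because the table is just text. Adding a forward means adding a line, and the FORWARD accept is tied to the specific internal host and port so a DNAT entry never silently opens more than intended.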