[sf-lug] Fwd: [AlamedaW] Need help: iptables

Rick Smith rick at rbsmith.com
Sat Jun 2 11:31:34 PDT 2007

Hi Pete,

I have used and recommend ipcop.org.
When I google on "linux firewall", it's coming up first.

It's a complete package, web and ssh access, ipsec vpn, port
forwarding, dhcp, web proxy, and so on.  If the feature set
fits, then it's a good fit -- easy to install and set up.


jim stockford wrote:
 > anybody interested in helping Alameda Wireless folks
 > set up a linux box as a port-forwarding firewall router?
 > Begin forwarded message:
 >> From: BlueSkye4 <BlueSkye4 at alamedanet.net>
 >> Date: June 2, 2007 10:36:14 AM PDT
 >> To: AW List <alameda at alamedawireless.org>
 >> Subject: [AlamedaW] Need help: iptables
 >> Hi, All,
 >> This is a request for assistance from anyone who might be versatile in
 >> setting up a firewall for a Linux router.
 >> Here's our problem.  Currently AW4 is using a Netgear FVS318 standard
 >> firewall router to connect the eth0 port of the AW4 router to its ISP
 >> connection.  AW4 is currently servicing internet for 7 AW nodes,
 >> including itself, through the Netgear FVS.  In order to run selected
 >> internet applications, many of these node owners have requested
 >> specific ports be forwarded at the FVS to: either their AW node
 >> router, or to a specific machine located on the eth subnet at their node.
 >> The current problem we have run into in performing such port forwarding
 >> is that the FVS has a max limit of 16 ports (or port ranges) that can
 >> be declared for possible forwarding.  We already have one node that is
 >> using 7 of the available 16 forwards.  Clearly, as the network grows,
 >> and as clients are added to routing nodes, having a limit of only 16
 >> forwards at the internet gateway for any AW node that is sharing an
 >> internet connection, is going to become a severe operational limitation
 >> for the AW Net.  At this point, all 16 ports (or port ranges) are being
 >> used at AW4, so AW4 is unable to add any additional forwarding in the
 >> future.
 >> I have tried to examine the standard router market out there, but what
 >> I have found is that all the standard routers I have seen on the market
 >> appear to have similar limitations on the number of ports that can be
 >> set up to be forwarded.  I've seen routers that max out at: 8, 10, 12,
 >> 16 and 20 ports (or port ranges).  Even the 20 max one is not anywhere
 >> great enough to meet the ultimate needs for port forwarding that a
 >> typical active internet-supplying AW node is eventually going to need.
 >> So  .  .  .  what to do?
 >> The suggestion has been made, that sounds most promising, is to replace
 >> the gateway firewall router (FVS in AW4's specific case), with a Linux
 >> machine running as a wired firewall router.  I think there would, for
 >> all practical purposes, be no limit to the number of ports that could
 >> be forwarded from a Linux box located at the gateway location connecting
 >> to the ISP modem.  This would mean that the machine would have to run
 >> iptables.  At the moment none of the AW routers run with any firewall
 >> rules (iptables).  Drew and I have, in the past, attempted to set up
 >> rules using iptables, but we (or at least certainly I) found the
 >> process more than we could handle.  We were never successful in properly
 >> configuring a firewall in a Linux box.
 >> One consideration, besides providing the firewalling and forwarding for
 >> the AW Net, is that this machine also would be performing the gateway
 >> firewalling and forwarding for my personal LAN.  I do have another
 >> hardware router that separates my personal LAN from the AW Net, but
 >> "both" of those nets ultimately receive their internet connection from
 >> the FVS.  If we can produce a suitable Linux replacement, maybe this
 >> front-line gateway can become a Linux box.
 >> I suspect that somewhere out on the AW List, there are, most likely, a
 >> number of you skilled in configuring a Linux box with a rugged firewall
 >> that would perform as well, or better, than an FVS (or equal).  I can
 >> provide all the hardware and can install a base Linux system, but I
 >> can't configure a firewall, and I don't know anyone who can.  What I
 >> would like to do is develop a suitable rugged Linux firewalled router
 >> box, and to well document the process, so that other AW nodes in the
 >> future will be able to utilize this approach if they find the need to
 >> perform a large number of port forwards.
 >> If there is anyone out there who would be willing to assist me in setting
 >> up an effective wired firewalled router for the AW4 (and future AW nodes)
 >> internet connection, I (and AW) could really use your help right now.
 >> Pete
 >> --
 >> "Good judgment comes from experience
 >>     - well, that comes from poor judgment..."
 >>         - A.A.Milne
 >> ___________________________________________________________
 >> Alameda Wireless mailing list - alameda at alamedawireless.org
 >> http://alamedawireless.org/mailman/listinfo/alameda
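As an added example (not from this thread), here is the shape the iptables rules take for the setup Pete describes: a POSIX shell script that turns a per-node forwarding table into DNAT plus FORWARD-accept rules, with a default-drop FORWARD policy so only the listed ports reach the inside and the count of forwards is limited only by the table. Interface names, the LAN subnet and the forwarding table are placeholders.

```shell
#!/bin/sh
# Added example: generate iptables port-forwarding rules for a Linux gateway.
# Assumed (placeholder) interfaces and LAN subnet:
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

# Constructed forwarding table: "proto external_port internal_ip internal_port".
# One line per forward; add as many as the nodes need.
FORWARDS='
tcp 2222 192.168.1.10 22
tcp 8080 192.168.1.10 80
udp 5060 192.168.1.20 5060
'

# Emit the two rules one forward needs: the DNAT rewrite on the WAN side and
# the matching FORWARD accept for the rewritten destination. Rules are printed
# rather than applied so they can be reviewed before running as root.
forward_rule() {
  proto=$1; ext=$2; ip=$3; int=$4
  case "$ext$int" in ''|*[!0-9]*) return 1;; esac   # ports must be numeric
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $ext -j DNAT --to-destination $ip:$int"
  echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $ip --dport $int -m conntrack --ctstate NEW -j ACCEPT"
}

# Full ruleset: default-drop forwarding, allow replies and LAN-originated
# traffic, masquerade outbound, then one DNAT pair per table entry.
build_ruleset() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
  echo "$FORWARDS" | while read -r proto ext ip int; do
    [ -n "$proto" ] || continue          # skip blank lines in the table
    forward_rule "$proto" "$ext" "$ip" "$int"
  done
}

# Number of DNAT forwards the table produces (handy sanity check).
count_forwards() { build_ruleset | grep -c 'DNAT'; }

# Usage: build_ruleset > rules.sh, review, then run as root after
# sysctl -w net.ipv4.ip_forward=1 on the gateway.
```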
