Look at IPCop (http://ipcop.org)
Okay, currently this is how I have my Linux network set up...
I am using Verizon FiOS as my internet connection.
I logged into my router (Verizon) and enabled the STATIC NAT option. I have it so that port forwarding is enabled and the public IP address that is provided to me by Verizon is now being forwarded back to my Linux box at home.
Here is what I want to do...
I want to set up a Linux box to act as a router with iptables doing all of the filtering, to basically add a level of security. Then I want another Linux box inside my network to do all the hosting and run services like ftpd, sshd, smtp and httpd.
So here is how it would look:
(Verizon router) -> 192.168.1.1 forwards my public IP address to (Linux box router) -> 192.168.1.3, and then I want the router to forward to my other Linux box doing the hosting at (hosting Linux box) -> 192.168.1.6
My Verizon router would plug into the Linux box router (192.168.1.3), which has 2 NICs, and then my hosting Linux box (192.168.1.6) plugs directly into the Linux router, right? Will this work?
Here are my questions...
The Linux box acting as the router (192.168.1.3): I would need iptables rules to route all services to the hosting Linux box at (192.168.1.6), right?
Then let's say the Linux router has rules like preventing SYN floods or malicious packets. Since it is in front of the hosting Linux box, does the hosting Linux box get the protection as well?
Also, do I need to write iptables rules on the hosting Linux box (192.168.1.6) to offer it protection, or does it get the protection from the Linux router (192.168.1.3) that already has iptables rules?
And I am not sure about the routing...? The hosting Linux box (192.168.1.6) needs to go through the Linux router (192.168.1.3) to get the firewall protection, right?
How do I make sure that the hosting Linux box 192.168.1.6 goes through -> 192.168.1.3?
And as I said before, do I need iptables rules on the hosting Linux box, or is that not needed because the hosting Linux box is going through a Linux router?
Also another thing I am not sure about: the Linux router box (192.168.1.3) needs iptables and a second layer of NAT to route the public IP address back to the hosting box (192.168.1.6), right? Even though Verizon is forwarding my public IP address back to my Linux router, I still need it to go to the hosting Linux box. How would I go about doing that?
I hope you all can understand what I am talking about; I hope some of you might have some input for me...
Thank you all for your time and help.
If your Verizon router forwards every port to your Linux router, you need some sort of firewall on it, like IPCop: you can set what ports should be open, what ports should be forwarded to your Linux server, as well as what ports should be allowed for outgoing traffic. The firewall will act as a sieve, meaning if one port is closed for incoming traffic on the router, it won't be possible to forward to or contact the server on that port from the outside, so technically you wouldn't need a firewall on the server itself.

However, since you decided to use a Linux router, there is the possible concern where it gets compromised, and from that moment on an intruder will potentially be able to connect from the Linux router to every machine on the inside on every port, including your server. So a good double security would be to add a firewall on the server which would only allow access through the ports you know you want to run services on.

A scenario for the router firewall would be:
allow incoming connections in state NEW on (ftp, ssh, smtp, http, imaps, https); let ssh be handled by the router itself, and the other services be forwarded to your server.

On your server firewall:
allow incoming connections in state NEW on (ftp, ssh, smtp, http, imaps, https)

You have the router only allowing the desired ports that you will be using on the server, and on the server you only allow access through those ports.

For maintenance reasons it's nice to have the option to ssh into the router; from there on you can ssh to the server. Here I would point out that the ssh setup should only allow connections through shared keys, and not allow connections as root; this will add another layer of security in the prevention of unwanted intrusion.

Else have fun with it, and gain some experience from this small-scale corporate setup :-)
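The two rule sets described in the reply above, written out as an added example (not from anyone in this thread): the router at 192.168.1.3 terminates ssh itself, DNATs the other listed services to the hosting box at 192.168.1.6, and the hosting box keeps its own allow-list as the second line of defence. Assumed: on the router eth0 faces the Verizon router and eth1 faces the inside LAN (the two NICs must sit on different subnets, which the thread's all-in-192.168.1.0/24 sketch does not do); the port list and interface names are mine, and DRYRUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rule sets for the two-tier layout,
# a router at 192.168.1.3 with two NICs and the hosting box at 192.168.1.6.
# Assumed: eth0 faces the Verizon router, eth1 faces the inside LAN (the two sides
# must be different subnets). Set DRYRUN=1 to print the rules instead of applying them.
WAN=eth0
LAN=eth1
SERVER=192.168.1.6
FWD_PORTS="21 25 80 993 443"   # ftp smtp http imaps https: forwarded to the server
run() { if [ -n "${DRYRUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Router (192.168.1.3): only the listed ports get through, ssh terminates here.
router_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -F; run iptables -t nat -F
  run iptables -P INPUT DROP; run iptables -P FORWARD DROP; run iptables -P OUTPUT ACCEPT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  run iptables -A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
  for p in $FWD_PORTS; do
    # second layer of NAT: rewrite the public-side destination to the server ...
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" -j DNAT --to-destination "$SERVER"
    # ... and let only NEW connections to that port cross into the LAN
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$SERVER" -p tcp --dport "$p" \
        -m conntrack --ctstate NEW -j ACCEPT
  done
  run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT           # inside hosts may go out
  run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE       # hide LAN addresses
  # FTP data channels need the conntrack helper: modprobe nf_conntrack_ftp nf_nat_ftp
}

# Hosting box (192.168.1.6): second line of defence if the router is compromised.
server_rules() {
  run iptables -F
  run iptables -P INPUT DROP; run iptables -P FORWARD DROP; run iptables -P OUTPUT ACCEPT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  for p in 22 $FWD_PORTS; do                 # ssh kept so the router can hop to it
    run iptables -A INPUT -p tcp --dport "$p" --syn -m conntrack --ctstate NEW -j ACCEPT
  done
}
case "${1:-}" in
  router) router_rules ;;
  server) server_rules ;;
esac
```

Run as `sh fw.sh router` on the router and `sh fw.sh server` on the hosting box (as root); `DRYRUN=1 sh fw.sh router` shows the exact commands first.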