[dundee] Hardware for a firewall/content filter

Andrew Clayton andrew at digital-domain.net
Thu May 12 11:47:36 UTC 2011


On Thu, 12 May 2011 10:00:54 +0100, Colin Brough wrote:

> Andrew Clayton wrote:
> > On Mon, 09 May 2011 13:48:44 +0100, Colin Brough wrote:
> > 
> >> I have a couple of NAS boxes (a Buffalo and a Synology) which can
> >> be made to run Linux, but neither of them have 2 LAN ports.
> > 
> > Just a heads up. But you might not actually _need_ 2 interfaces.
> > Certainly iptables nat works fine with just the one.
> 
> I want to put the content filter physically between the wireless
> router and the WAN, so that all boxes that use the network have to go
> through the filter, without individual, per-machine configuration.
> Proxying port 80, etc.
> 
> I've put up a diagram of what I was thinking of, and what I interpret
> your suggestion as meaning - though I'm not sure if I quite get it...?
> 
> 	http://www.colinbrough.pwp.blueyonder.co.uk/ContentFilter.pdf
> 
> My "plan" is on the left - filter box sitting between the local
> network and the internet, filtering all traffic, with an upstream
> and a downstream LAN port.
> 
> How would you wire a single interface box into the network I'm
> thinking of?

OK. At home I have a block of static IPs routed to me. With a number of
transient devices, laptops, phones etc., they don't really need static
(routable) IPs, so I configured iptables and dhcp on my media box
(one NIC) to do DHCP and NAT for these devices.

So while my workstation has a direct connection to the net, my netbook,
on the other hand, grabs an IP from the media/NAT box which sets it as
the gateway.

So anything that does DHCP will go through the box doing NAT.

Now, not sure of the particulars at your end. And this may break your 'no
per client configuration rule'.

If you do DHCP and NAT on the firewall then just connect it to the
network and make it the default route.

Perhaps some actual commands will help illustrate.

NAT with a single NIC

Starting from scratch with a machine with a single NIC and two networks; 192.168.1.x external and 192.168.10.x internal.

Bring up eth0

   # ip link set eth0 up

Assign it some IP addresses

   # ip addr add 192.168.1.10/24 brd + dev eth0
   # ip addr add 192.168.10.10/24 brd + dev eth0

Add a default route for the external address

   # ip route add default via 192.168.1.254 dev eth0

Clear iptables and set default policies.

   # iptables -F
   # iptables -t nat -F
   # iptables -P INPUT ACCEPT
   # iptables -P OUTPUT ACCEPT
   # iptables -P FORWARD DROP

Set up NAT

   # iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
   # iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT

   # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.10

Enable IP forwarding

   # echo 1 > /proc/sys/net/ipv4/ip_forward


But yes, it could look like the diagram on the right.

Andrew
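
Added example, not part of the original message: the same single-NIC NAT setup written as one ruleset for iptables-restore, with new forwarded connections and SNAT limited to the internal subnet. The eth0 device, 192.168.1.10 and 192.168.10.0/24 are the sample values from the post; the gen_rules function name is made up for this example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for single-NIC NAT.
# gen_rules is a hypothetical helper; the addresses are the post's samples.

gen_rules() {
    ext_ip=$1        # SNAT source address, e.g. 192.168.1.10
    int_net=$2       # internal subnet in CIDR form, e.g. 192.168.10.0/24
    dev=${3:-eth0}   # the single NIC carrying both networks

    # Accept only plain address/CIDR/interface strings so an argument
    # cannot add extra options or rules to the generated ruleset.
    case $ext_ip in *[!0-9.]*|'') return 1 ;; esac
    case $int_net in *[!0-9./]*|'') return 1 ;; esac
    case $int_net in */*) ;; *) return 1 ;; esac
    case $dev in *[!A-Za-z0-9._-]*|'') return 1 ;; esac

    # FORWARD stays default-DROP. Replies to tracked connections pass;
    # new connections are accepted only when sourced from the internal
    # subnet. SNAT applies only to internal traffic leaving the subnet.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $dev -o $dev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $dev -o $dev -s $int_net -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $int_net ! -d $int_net -o $dev -j SNAT --to-source $ext_ip
COMMIT
EOF
}

# Print the ruleset for the sample values used in the post.
gen_rules 192.168.1.10 192.168.10.0/24
```

Pipe the output to `iptables-restore --test` to check that it parses before loading it. Both subnets share one wire here, so only clients that take this box as their gateway pass through its rules.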


