iptables

Ben Scott dragonhawk at gmail.com
Mon Sep 22 10:57:24 EDT 2008


On Mon, Sep 22, 2008 at 10:06 AM, Labitt, Bruce
<labittb1 at tycoelectronics.com> wrote:
> I am trying to configure my firewall at work.  I need to have an
> internal trusted network (my number-cruncher) and everything else.  The
> trusted network is on eth0, and the other is on eth1.

  In general, I would do this by:

A1. Having a dedicated switch for the cluster.

A2. Having a single gateway connected to A1 and the corporate LAN.

A3. Configuring a separate IP network on A1.

A4. Using NAT on the A2 gateway to route between A3 and the corporate
LAN's IP net.

  The A2 gateway could be a general-purpose computer running Linux, or
one of those SOHO gateway boxes (from LinkSys, D-Link, NetGear, etc.).
Advantages and disadvantages to both.  GP computers tend to be more
flexible, and you might already have one.  SOHO boxes are smaller, use
less power, and your router won't go down when the GP PC needs to be
rebooted.

  For A3, unless corporate wants me to use an address space they
assign, I would use something from the RFC-1918 private address space.
Specifically, I would subnet a part of 192.168.0.0/16, 10.0.0.0/8, or
172.16.0.0/12 as a /24.  For example, I'm partial to 10.0.0.0/24 (it
makes typing easier).  If corporate is already using RFC-1918 in their
networks, I'd pick something outside of their plan, to avoid
conflicts.  If you're not sure, pick something odd, like
172.16.42.0/24.  Or get an assignment from corporate.

  Most likely, your distribution already has a mechanism in place to
configure iptables.  Are you still running Sci Linux 5, or have
you changed to something else by now?

> Ben, do you remember this?

  No, but my GMail account does.  :)  That let me dig up the archived thread:

http://thread.gmane.org/gmane.org.user-groups.linux.gnhlug/13370

  That thread didn't get into the low-level details of which iptables
commands to run, though.

-- Ben
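The A1-A4 layout above, expressed as an iptables-restore ruleset for the A2 gateway. This is an added example, not from the thread; it assumes eth0 is the trusted cluster side on 10.0.0.0/24 (Ben's example subnet), eth1 faces the corporate LAN, and the gateway only needs ssh from the trusted side; interface names and subnet are parameters.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the A2 NAT gateway.
# Assumptions: $1 = trusted interface (eth0), $2 = trusted subnet (10.0.0.0/24),
# $3 = corporate LAN interface (eth1). None of these come from the thread itself.
gen_rules() {
    trusted_if="${1:-eth0}"; trusted_net="${2:-10.0.0.0/24}"; lan_if="${3:-eth1}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# A4: source-NAT cluster traffic as it leaves toward the corporate LAN
-A POSTROUTING -s ${trusted_net} -o ${lan_if} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Gateway management (ssh) only from the trusted side
-A INPUT -i ${trusted_if} -s ${trusted_net} -p tcp --dport 22 -j ACCEPT
# Cluster may initiate toward the LAN; the LAN only gets replies back in
-A FORWARD -i ${trusted_if} -o ${lan_if} -s ${trusted_net} -j ACCEPT
-A FORWARD -i ${lan_if} -o ${trusted_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Routing between the two nets needs ip_forward on, or FORWARD never sees packets.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 &&
    gen_rules "$@" | iptables-restore
}
```

Run `gen_rules eth0 10.0.0.0/24 eth1` to inspect the ruleset before `apply_rules` loads it; the default-DROP FORWARD chain is what keeps "everything else" from reaching the number-cruncher unsolicited.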
