[CentOS] More about firewalling

Tue Oct 6 16:45:01 UTC 2009
Dan Carl <danc at bluestarshows.com>

ML wrote:
> I have a Comcast business circuit with 13 IP's. The gateway device  
> they provide is a 'pass through' device. They sent traffic for all 13  
> IP's my way. It just allows traffic through. So if I put in a device  
> to firewall (like Ipcop or Vyatta or something) in front, say it has 3  
> NICS, how do I do that?
>   
Before I start, this may not be the best/easiest way to accomplish this, 
just sharing how I do it.

I too have Comcast Business (love the speed and the price).
I have only a standard 5 usable IP block, but my setup may work for you.
I choose to use CentOS for everything, I know there are better suited 
OS's out there for this.
I just don't want to have to remember the different nuances between nix's.
You could also buy a commercial router for this, but if you're cheap like 
me and have an ever-shrinking IT budget, why?
I use a recycled dual P-III 866MHz, 512K RAM and a 4 port Intel NIC.
You should be able to purchase similar boxes for $100-$150 or use 
whatever you have laying around.
I mirror 2 40GB HD's but a more reliable setup would be to boot a live 
CD and use a USB drive for storage.
I just have not got around to trying this yet.

If you want the IP's to go to different boxes you can just buy a switch 
and connect it to the Comcast device.
Then set your assigned IP addresses on each box's NIC.
But what I believe you want is to have all the IP's come into one point 
and be distributed to your other boxes behind it.
To do this, use IP aliasing and assign your 13 IP's to eth0 - eth0:12.
For more info google IP aliasing.
You can route the traffic out one or several nics.
I DMZ my internal network, mailserver and webserver to separate nics but 
you don't have to.
To decide where the whole-IP and/or port traffic goes, use iptables for this.
Everything you need to know about it, and more, is here:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
I just like writing/editing iptables from a script.
> If the Firewall has IP A and Traffic for IP B comes in how would IP A  
> answer and decide if the traffic to IP B belonged?  Without statically  
> routing I am confused on how to accomplish this?
>
> How fast does this device need to be?
>
>   
I run DNS, DHCP, NTP without ever using 1% of CPU and very rarely using 
swap.
So I'd say it's fast enough.
Just install base, no GUI, and turn off all nonessential services.
If you want, email me off-list and I can forward you a crude howto.
Cheers
Dan
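The aliasing-plus-iptables layout Dan describes, as an added example script that is not his howto or any code from the original thread: the box takes every public IP as an eth0 alias, then DNAT rules decide which DMZ host answers for each public IP and port, with default-deny in between. All interface names, public addresses and DMZ hosts are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Dan's howto: emit the alias and iptables commands for a
# firewall that owns a whole public block. All addresses are placeholders.
set -eu
WAN_IF=eth0                 # NIC facing the Comcast pass-through device
DMZ_IF=eth1                 # NIC facing the DMZ servers
PUBLIC_BASE=203.0.113.1     # first usable public IP (placeholder block)
NETMASK=255.255.255.240     # placeholder mask for that block
PUBLIC_COUNT=13             # 13 IPs -> aliases eth0:0 .. eth0:12, as in the question
# Constructed mapping: public IP, protocol, port, DMZ host that should answer.
MAP='203.0.113.2 tcp 25 192.168.10.25
203.0.113.3 tcp 80 192.168.10.80
203.0.113.3 tcp 443 192.168.10.80'

# Aliases eth0:0 .. eth0:(count-1), one public IP each, so the box owns them all.
alias_cmds() {
    prefix=${1%.*}; last=${1##*.}; i=0
    while [ "$i" -lt "$2" ]; do
        echo "ifconfig $WAN_IF:$i $prefix.$((last + i)) netmask $NETMASK up"
        i=$((i + 1))
    done
}
# Default-deny; only reply traffic for existing connections comes back in.
base_policy() {
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    echo 'iptables -F; iptables -t nat -F'
    echo 'iptables -P INPUT DROP; iptables -P FORWARD DROP'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
}
# Traffic for public IP $1 on $2/$3 is rewritten to DMZ host $4 and let through.
dnat_rules() {
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $1 -p $2 --dport $3 -j DNAT --to-destination $4:$3"
    echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $4 -p $2 --dport $3 -m state --state NEW -j ACCEPT"
}
# Outbound traffic from DMZ host $2 leaves with the public IP $1 that serves it.
snat_rule() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $2 -j SNAT --to-source $1"
}
generate_all() {
    base_policy
    alias_cmds "$PUBLIC_BASE" "$PUBLIC_COUNT"
    echo "$MAP" | while read -r pub proto port dst; do dnat_rules "$pub" "$proto" "$port" "$dst"; done
    echo "$MAP" | awk '{print $1, $4}' | sort -u | while read -r pub dst; do snat_rule "$pub" "$dst"; done
}
generate_all    # review the output, then apply it on the firewall: sh thisfile.sh | sh
```

The script only prints the commands, so you can read and edit the generated rule set before piping it into sh on the firewall box.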