I am new in the Linux world; basically I'm using Red Hat 9, kernel 2.4.20-8. I need to build a trusted gateway. My Linux box will be the gateway for several machine PCs to go to the desired server. There will be several subnets under the Linux box; I've already assigned static IPs for the PCs. Now my problem is I only need 2 PCs from each subnet to connect to certain servers, and those 2 PCs can only have transactions (open) to the specified servers; for others it will drop (firewalled). For other PCs, they can't log on to the outside world. Should I use only iptables rules, or with the help of squid (ACL) as well? Please add up the commands as well. Thanks.
On Thu 2 June 2005 11:37, Gonn Star wrote:
> I am new in linux world,basically I'm using red hat 9
> kernel 2.4.20-8. I need to build a trusted gateway. my
> linux box will be the gateway for several machine PCs
> to go to the desired server. there will be several
> subnets under the linux box, I've already assigned
> static IPs for the PCs . Now my problem is I only need
> 2 PCs from each subnets to connect to certain servers,
> and those 2 PCs can only have transaction(open) to the
> specified servers, for others it will
> drop(firewalled). for other PCs, they can't log on to
> the outside world. should I use only iptable rules or
> with the help of squid(ACL) as well ? please add up
> the commands as well. Thanks.

Whether you need to use iptables or squid ACLs relies on the type of traffic the 2 PCs on each subnet should be allowed to have with the outside world. You may want to use both.

Regards,
Sylvain
Gonn Star wrote:
> I am new in linux world,basically I'm using red hat 9
> kernel 2.4.20-8. I need to build a trusted gateway. my

Whoa! You are starting out with something very old and bug-ridden. You should scrap that and switch to a current release, whatever distro you may choose. Quite a few of those old bugs can bite very hard, including root compromises. Being new, did you know how to update for security? Sure, there's Fedora Legacy which may or may not be supporting the old stuff with updates, but that is intended for people who have long-running stable servers ... not to entice new users to RH 9.

> linux box will be the gateway for several machine PCs
> to go to the desired server. there will be several
> subnets under the linux box, I've already assigned
> static IPs for the PCs . Now my problem is I only need
> 2 PCs from each subnets to connect to certain servers,
> and those 2 PCs can only have transaction(open) to the
> specified servers, for others it will
> drop(firewalled). for other PCs, they can't log on to
> the outside world. should I use only iptable rules or
> with the help of squid(ACL) as well ?

You do not seem to understand that HTTP is just one of many TCP/IP protocols, and yet you want to set up complex networking controls. Anyone who knows more than you do would likely find it a trivial task to get around your controls.

> please add up the commands as well. Thanks.

Specific questions which show that you have tried will tend to be better-received than generalised requests for spoonfeeding. I do things like this for a living, and I do not have time to earn your living as well. You mention "production" which implies that this is needed in a business setting. If so it's probably worth it to the business owners to pay for expertise. You can't learn everything you need to know, overnight. For you, I would recommend starting with the basics. There are good HOWTOs at netfilter.org which might help.
-- mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Gonn Star wrote:
> I am new in linux world,basically I'm using red hat 9
> kernel 2.4.20-8. I need to build a trusted gateway. my
> linux box will be the gateway for several machine PCs
> to go to the desired server. there will be several
> subnets under the linux box, I've already assigned
> static IPs for the PCs . Now my problem is I only need
> 2 PCs from each subnets to connect to certain servers,
> and those 2 PCs can only have transaction(open) to the
> specified servers, for others it will
> drop(firewalled). for other PCs, they can't log on to
> the outside world. should I use only iptable rules or
> with the help of squid(ACL) as well ? please add up
> the commands as well. Thanks.

This sounds like a fairly basic firewall without Squid in the mix. In short you are probably looking at a firewall like this (NOTE: This script will be incomplete for just about any scenario, but will give you the idea.):

    iptables -t filter -P FORWARD DROP
    iptables -t filter -F FORWARD
    iptables -t filter -A FORWARD -s 192.168.0.1 -j ACCEPT
    iptables -t filter -A FORWARD -s 192.168.0.2 -j ACCEPT
    iptables -t filter -A FORWARD -s 192.168.1.1 -j ACCEPT
    iptables -t filter -A FORWARD -s 192.168.1.2 -j ACCEPT
    iptables -t filter -A FORWARD -s 192.168.2.1 -j ACCEPT
    iptables -t filter -A FORWARD -s 192.168.2.2 -j ACCEPT
    iptables -t filter -A FORWARD -j REJECT --reject-with icmp-net-unreachable

This quick and dirty (and incomplete) script will set the default policy (-P) of the FORWARD chain to DROP all traffic that is to be forwarded and not handled by any other rule. Once the default policy has been set it flushes (-F) the FORWARD chain to make sure that there were not any old rules lingering around that could mess things up. The next six rules are in place to explicitly allow just the two machines from three subnets (in this example) to pass traffic through the FORWARD chain on out to a different network.
Any traffic that is not explicitly handled by the six rules to allow traffic to be forwarded will meet the last rule, which will reject the traffic with a message saying that there is no route to the destination, thus making the computers think that they are isolated. As someone else pointed out, if you are new to the Linux community you might be better served by finding someone in your area with more experience at hardening a box and a firewall to help you in this endeavor. Or if you are not new to unix or firewalling, just Linux, and you need to acclimate yourself with the Linux syntax and methodology, you will probably be ok. Either way it would probably be worth your time to skim some of the HOW-TOs that are out there, namely the NetFilter HOW-TO, as you are asking questions that are answered in it.

Grant. . . .
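As an added example (not Grant's script and not from anyone in the thread), the same FORWARD policy generated from host and server lists, with each trusted host additionally restricted to the listed servers as the original question asked, plus a conntrack rule so reply packets get back. All addresses are constructed placeholders, the server list is an assumption, and the script only prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example: generate a FORWARD-chain rule set that lets only the
# trusted hosts reach only the allowed servers; everything else is rejected.
# All addresses are constructed placeholders for illustration.

# Two trusted hosts per subnet (assumed addresses).
TRUSTED_HOSTS="192.168.0.1 192.168.0.2 192.168.1.1 192.168.1.2 192.168.2.1 192.168.2.2"
# Servers the trusted hosts are permitted to reach (assumed addresses).
ALLOWED_SERVERS="10.0.0.10 10.0.0.11"

# Print the iptables commands; review them, then pipe into sh as root to apply.
build_forward_rules() {
    echo "iptables -t filter -P FORWARD DROP"
    echo "iptables -t filter -F FORWARD"
    # Replies to connections already accepted below (needs ip_conntrack).
    echo "iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One rule per (trusted host, allowed server) pair: source AND destination
    # are matched, so a trusted host cannot reach anything else through the box.
    for h in $TRUSTED_HOSTS; do
        for s in $ALLOWED_SERVERS; do
            echo "iptables -t filter -A FORWARD -s $h -d $s -m state --state NEW -j ACCEPT"
        done
    done
    # Anything left over, including every untrusted PC, is rejected.
    echo "iptables -t filter -A FORWARD -j REJECT --reject-with icmp-net-unreachable"
}

# Sanity check for the generated set: number of ACCEPT rules
# (hosts x servers, plus the one conntrack rule).
count_accept_rules() {
    build_forward_rules | grep -c -e '-j ACCEPT'
}

build_forward_rules
```

Before applying, compare the printed ACCEPT count with what you expect from the two lists; a rule set that is shorter than hosts x servers plus one means an address was mistyped or dropped.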