Dear Tom, All,

A friend asked me if I could set up a firewall for him, for his little business. I said I could try, and the first thing I thought was to use Shorewall. But there are some tricks in this configuration, at least for me, so maybe you can put me in the right direction.

The setup goes like this: he has an ADSL connection that is provided not by a modem but by a router, an Alcatel Speed Touch 510 v4. Also, he has 2 fixed IPs which at this time I suppose are configured in the router. We would like to have one of these IPs used by the outgoing connections and the other by the mail server, which will have a DNS MX record pointed to it. The IP of the router in the LAN is 10.0.0.138.

I thought to build a box with 3 NICs (LAN, DMZ, WAN), put the mail server on the DMZ, connect the router to the WAN NIC and so on. If instead of the router I had a modem I think I would know how to set this up, but with a router I don't know exactly what to do: whether to use DNAT or Proxy ARP, and how to configure the WAN NIC.

The ISP technician said to me that I could map a public IP to an internal one in the router. Don't know if this helps.

Sorry if this isn't the right place to put this question, but any help would be highly appreciated.

Thanks in advance,
Cheers,
Joao
--On Monday, December 16, 2002 12:40:10 +0000 "João Alexandre - Pluridata/LI" <J.Alexandre@pluridata.com> wrote:

> If instead of the router I had a modem I think I would know how to set this up, but with a router
> I don't know exactly what to do.

There's really no difference. When you have a DSL/Cable "modem", it is acting like a bridge between your firewall's WAN interface and your ISP's router. In this case, the router just happens to be on site rather than being back at the ISP.

It would be ideal if the ISP could configure the router so that both of the external IP addresses were available to your firewall. That would simplify your setup, while only passing one through and using NAT on the other would complicate your setup somewhat.

In any event, this is similar to what is described in the Shorewall Setup Guide (http://shorewall.sf.net/shorewall_setup_guide.htm) with the exception that there are only two IP addresses, so you will be using one for the DMZ and one for local network access. There won't be any static NAT.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
Hi Tom,

Thanks once again. I don't want to waste your precious time with me, but I have a simple question that you may quickly help me with.

With Shorewall, can I use IP aliases on the WAN link, like eth0:0 and so on? If not, I really don't know how to set this up.

Thanks, and before I forget, have a Happy New Year,
Cheers,
Joao

> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Monday, 16 December 2002 18:32
> To: João Alexandre - Pluridata/LI
> Subject: RE: [Shorewall-users] Odd setup.
>
> --On Monday, December 16, 2002 06:19:56 PM +0000 "João Alexandre - Pluridata/LI" <J.Alexandre@pluridata.com> wrote:
>
> > Hi Tom,
> >
> > Thanks for your prompt reply.
> > If I understand correctly (if not, please forgive me), I could set up my box
> > with 2 IPs on the WAN NIC (e.g. 10.0.0.10, 10.0.0.11) and at the router level
> > do a static NAT from the public IPs to these ones? And then work with
> > 10.0.0.10 and 10.0.0.11 like they were my public IPs?
>
> Yes -- that is what I was suggesting.
>
> > It would be easier if it was a cable connection.
>
> Having the second router in this particular case does get in your way. Is
> there an option to remove it and replace it with the Shorewall box?
>
> > I'm kind of lost here. Maybe I should choose another day to think about
> > this and in the meanwhile improve my TCP/IP knowledge.
>
> Might be a good idea -- I don't have the time this week to step you through
> this; sorry.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://shorewall.sf.net
> Washington USA    \ teastep@shorewall.net
On Fri, 27 Dec 2002, João Alexandre - Pluridata/LI wrote:

> Hi Tom,
>
> Thanks once again. I don't want to waste your precious time with me, but I
> have a simple question that you may quickly help me with.
>
> With Shorewall, can I use IP aliases on the WAN link, like eth0:0 and so
> on? If not, I really don't know how to set this up.
>

This is FAQ #18.

> Thanks, and before I forget, have a Happy New Year,

Thanks -- likewise.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
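For the setup Tom sketches in his first reply (router does static NAT of the two public addresses onto the firewall's WAN NIC, mail host on the DMZ, LAN going out on the other address) and the eth0:0 alias question answered above, here is an added example of the Shorewall configuration files in the 1.3-era tab-separated syntax; it is not from this thread or the Shorewall project, and the WAN addresses 10.0.0.10/10.0.0.11, the interface names eth0/eth1/eth2 and the DMZ mail host 192.168.2.2 are assumptions. The firewall box is assumed to have its default route via the router at 10.0.0.138.

```conf
# Router (assumed): public IP A -> 10.0.0.10, public IP B (the MX) -> 10.0.0.11.

# --- /etc/shorewall/zones ---
#ZONE   DISPLAY   COMMENTS
net     Net       Router side (Speed Touch at 10.0.0.138)
loc     Local     Office LAN
dmz     DMZ       Mail server

# --- /etc/shorewall/interfaces ---
# No "norfc1918" on eth0: the router-side subnet is itself 10.0.0.0/24,
# so that option would silently drop every packet arriving from the router.
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     routefilter
loc     eth1       detect
dmz     eth2       detect

# --- /etc/shorewall/shorewall.conf (relevant settings) ---
# Shorewall adds 10.0.0.10 and 10.0.0.11 to eth0 itself; no eth0:0 needed.
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes

# --- /etc/shorewall/masq ---
# LAN leaves as 10.0.0.10; the DMZ mail host leaves as 10.0.0.11, so outbound
# mail carries the address the MX record and reverse DNS point at.
#INTERFACE  SUBNET  ADDRESS
eth0        eth1    10.0.0.10
eth0        eth2    10.0.0.11

# --- /etc/shorewall/rules ---
# Only SMTP is forwarded into the DMZ, and only for packets that were addressed
# to 10.0.0.11 (ORIGINAL DEST); nothing is forwarded to 10.0.0.10 or to the LAN.
#ACTION  SOURCE  DEST              PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNAT     net     dmz:192.168.2.2   tcp    25         -            10.0.0.11
ACCEPT   loc     dmz:192.168.2.2   tcp    25,110
ACCEPT   dmz     net               tcp    25
ACCEPT   dmz     net               udp    53

# --- /etc/shorewall/policy ---
# DMZ gets no blanket outbound policy: the rules above are its whole allow-list.
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
```

After `shorewall start`, `shorewall show nat` should list exactly one DNAT entry (tcp/25 to 192.168.2.2) and the two SNAT entries; anything else appearing there means a rule or masq line is broader than intended.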