
Linux DSL, Proxy and Firewall

  • 17-04-2004 7:23pm
    #1
    Closed Accounts Posts: 2,039 ✭✭✭


    My former secondary school is going to be investing in broadband sometime soon and I've been asked to look into some stuff. Basically there are 3 separate networks in the school. 2 computer rooms and one that the principal, deputy principal and secretary use. What I want to do is have the 3 networks use the one internet connection. Anybody any pointers on how I should approach this?

    I've a pretty good idea so far. I'm going to use a linux machine to do firewalling and proxy stuff. Really what I need to know is how should I connect the linux box to all 3 networks. I can figure out most of the software config myself. I'm planning on using the Squid proxy, IP tables for firewalling.

    If anybody has any suggestions I'd be glad to hear them.

    Cheers
    Rory


Comments

  • Registered Users, Registered Users 2 Posts: 188 ✭✭slartibardfast


    Just use multiple ip aliases as per this guide:
    http://www.iptel-now.de/HOWTO/LINUX_IP_ALIAS/linux_ip_alias.html

    Given different subnets (eg 192.168.1.x, 192.168.2.x, 192.168.3.x) and a subnet mask of 255.255.255.0, each network will be independent.
    e.g. Gateway 192.168.1.254. It is not perfect security (if anything should compromise the linux box), but it's damn effective.

    Personally I'd mod a smoothwall box, with custom dhcp rules etc.
    (if only for the shiny graphs! :D)

    Edit: on second thoughts scratch the smoothwall, you might want to check http://dansguardian.org out if it's for a school, it's a nice content filter, works great with squid:


  • Registered Users, Registered Users 2 Posts: 2,800 ✭✭✭voxpop


    if you want a proper setup then have one box connected to your dsl line, put the firewall on this box and harden it as much as possible. This box should have two network cards, one externally pointing and one internally pointing.
    Connect the external card to your dsl modem and the internal card to your internal server (another linux box) - this server will do proxying and routing and anything else you want. From this box you can partition off any subnets you want.

    With a setup like this your firewall box is separated as much as possible from your internal network (only allow connections from your internal box out to your firewall and nothing in), so if it's compromised, your internal network should be safe.

    To get you started on iptables, check out
    arno's iptables
    You can mod this to suit your needs - saves having to build everything up from scratch ;)
    Use squid for your proxy - it's easy to set up and works a treat

    that's my 2c


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    This is exactly what you want

    I have 9 or 10 of these running all over the place, some doing exactly what you are trying to do.


  • Registered Users, Registered Users 2 Posts: 4,484 ✭✭✭Gerry


    Angry Penguin, I don't see how 2 boxes increases security, if the firewall is compromised, you are still screwed. Unless you were to run 2 packet filters, on 2 different OS's..
    Ipcop is certainly the way to go, there are many addons available for it now, including dansguardian.


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    Thanks for the help everyone. I'll look over it as soon as I get the time.

    Cheers
    Rory


  • Closed Accounts Posts: 1,163 ✭✭✭Emboss


    you might also take a look at http://m0n0.ch/wall/
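
An added example, not part of any post in this thread: a script that prints (without applying) an iptables ruleset for a single gateway serving the three subnets mentioned above, with Squid on the gateway and traffic between the internal subnets dropped. It assumes one network card per internal network (eth1 to eth3) so rules can match on the incoming interface, eth0 facing the DSL modem, and Squid on its default port 3128; the interface names are hypothetical.

```shell
#!/bin/sh
# Added example: emits iptables commands for review; it applies nothing.
WAN_IF="eth0"     # assumed: card facing the DSL modem
# assumed: one card per internal network, subnets as given in the thread
LANS="eth1:192.168.1.0/24 eth2:192.168.2.0/24 eth3:192.168.3.0/24"
SQUID_PORT=3128   # Squid's default listening port

gen_rules() {
    # Default deny: nothing reaches or crosses the gateway unless allowed.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections that were already permitted.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for lan in $LANS; do
        ifc=${lan%%:*}
        net=${lan#*:}
        # Anti-spoofing: the source must belong to the segment it arrived on.
        echo "iptables -A FORWARD -i $ifc ! -s $net -j DROP"
        # Keep the computer rooms and the office network apart.
        for other in $LANS; do
            onet=${other#*:}
            [ "$onet" = "$net" ] && continue
            echo "iptables -A FORWARD -i $ifc -d $onet -j DROP"
        done
        # Clients may talk to the Squid proxy running on the gateway.
        echo "iptables -A INPUT -i $ifc -s $net -p tcp --dport $SQUID_PORT -j ACCEPT"
        # Outbound traffic to the internet only.
        echo "iptables -A FORWARD -i $ifc -o $WAN_IF -s $net -j ACCEPT"
    done
    # All three subnets share the single public address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

gen_rules
```

The explicit inter-subnet DROP rules are redundant with the default FORWARD policy, but they keep the separation intact if the policy is later loosened.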

