Thanks for the answers, so...

Dave Anselmi anselmi at americanisp.net
Thu Oct 4 22:27:05 PDT 2001


Björn Lindberg wrote:

> If I understand this correctly my router would have my assigned IP
> number, and the other two boxes would have internal IP numbers. Should
> the router also have an internal IP number towards the internal boxes?
>
> Then I will just route the appropriate ports to the internal boxes
> respectively.
>
> I have some reading to do now I guess!

You'll have 2 interfaces on the router - one will get the external address
(static or dynamic depending on your ISP) the other will get an internal
address (and can be a dhcp server for the other 2 boxes).  Port forwarding
is called dnat by Rusty, and he has 2 howtos that might help at:
http://netfilter.samba.org/unreliable-guides/ (packet filtering and nat).

You should also be able to set up a VPN by running ppp over ssh to your
router.  Once the connection is made, your external box will think it's on
the internal network.  There are several howtos here:

http://www.linuxdoc.org/HOWTO/HOWTO-INDEX/networking.html#NETVPN

but I don't know how hard this is to do.  It would be really cool though.

Finally, if you really want to learn iptables, how about this:

    /-B
   /
--A
   \
    \-C

Yes, that's 3 NICs in A and may be more secure because if your web server
is hacked it can't get to your protected box.  I think the rules for that
would be a little hairy.

Before you decide to put the web server inside the firewall, find out what
kind of connector you'll use to your ISP.  Here (USA), cable modems and DSL
are most common.  Cable modems are just bridges - no IP so you need a
gateway/router/firewall behind them.  DSL (at least the Cisco 67x that is
common) uses a real router that does NAT, packet filtering (not as good as
iptables), and dhcp (client and/or server).  If you have something like that
then you don't necessarily need a firewall and have more flexibility if you
have one.

Dave
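The three-NIC layout A/B/C sketched above, written out as a netfilter rule set (an added example, not from the post or Rusty's howtos). It assumes eth0 faces the ISP, eth1 is the web server segment with B at 192.168.1.2, and eth2 is the protected box C; those names and addresses are made up for the example.

```sh
#!/bin/sh
# Firewall "A" with three NICs. Assumed layout (not from the post):
# eth0 = ISP side, eth1 = DMZ holding web server B at 192.168.1.2,
# eth2 = protected box C. IPT defaults to a dry run that only prints
# the commands; run with IPT=/sbin/iptables (as root) to load them.
IPT=${IPT:-"echo iptables"}
EXT_IF=eth0
DMZ_IF=eth1; DMZ_WEB=192.168.1.2
INT_IF=eth2

fw_rules() {
    # Flush old rules and start from a deny-all forwarding policy.
    $IPT -F FORWARD
    $IPT -t nat -F
    $IPT -P FORWARD DROP

    # Replies to connections already allowed may flow back either way.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The protected box may open connections to the DMZ and the Internet.
    $IPT -A FORWARD -i $INT_IF -j ACCEPT

    # Port forwarding (Rusty's "dnat"): inbound web traffic on the ISP
    # interface is rewritten to the DMZ web server, then allowed through.
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 \
         -j DNAT --to-destination $DMZ_WEB:80
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $DMZ_WEB --dport 80 \
         -m state --state NEW -j ACCEPT

    # The point of the third NIC: a hacked web server cannot start
    # connections toward the protected box. Logged so you notice attempts.
    $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -j LOG --log-prefix "DMZ->INT: "
    $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP

    # The DMZ may still talk outward (DNS, updates); narrow this to
    # specific ports if the web server has no business doing more.
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -j ACCEPT

    # Hide both private networks behind the external address. MASQUERADE
    # copes with a dynamic ISP address; use SNAT if yours is static.
    $IPT -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
}

fw_rules
```

Run as-is it only prints the iptables commands for review; ordering matters, since the ESTABLISHED rule must come before the DMZ-to-internal DROP or the web server's own replies to C would be cut off.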

