# Firewall

## Tron

I have a network of 40+ computers with two servers, a Win2k and a Gentoo Linux box.  They are on a T1 line and I have a 6Mb DSL line I want to network using port forwarding or something to route all web traffic to the DSL.  I want to use the Linux box as a firewall for the whole network using iptables and squid to route to the DSL (which I understand to be correct).  I would also possibly run DHCP, DNS, and a web server on the main Linux server and then move the firewall and proxy to one of my extra 450MHz boxes sitting around.  Is this at all possible and will it work like I think it will?  If you need any extra info like network setup and exact hardware I will be using, just ask.  My ISP is offering a firewall box which is $500 that I won't spend, and I think this would be a better learning experience and more fun.  All the user computers are running XP by the way and I doubt that would affect anything.

I have no problems setting up anything web related which I have done before.  I am just new to firewalls on networks with a T1 line.

Thanks,

Tron

----------

## btg308

I've set up several P133-class boxes with Gentoo as firewalls, no sweat. Most of them are just one LAN, one Internet setup, but one of them has three NICs: one LAN, one 256kbit DSL leased line and a DHCP Breezenet radio link. This one does NAT and routes traffic from both external interfaces into the main web and mail server and routes traffic from 10+ workstations out to the Internet. What I did was find a good sample firewall script and then I hit the manpages and howtos until I had a working setup.

I'm not sure how you want the T1 and DSL lines set up in your case - do you want to use load-balancing for outgoing traffic, or route everything to one of them until it goes down and fail over to the other, or just lock everything to one and use the other for something else?

----------

## Tron

OK, I don't want NAT; it has trouble with games like StarCraft.  Right now everything is connected to two Cisco switches and the router is connected to the switches.  I would want to keep everything like that and have the router just do packet inspection, and I guess I could use snort to do intrusion detection.  I don't want the router connected to the firewall, then connected out to the switches where it shares everything.  I know with squid this won't be a problem because the computers will have to connect to the Linux box to work.  So will the fact they have to connect for squid take care of the firewall part too?  Well, I would want all port 80, 21, 25 and so on routed to the 6Mb DSL while things like games are routed to the T1 line.  I know all the ports for all my software so that won't be a problem.

Thanks,

Tron

p.s. I just woke up so if it's unclear I will try and clear everything up. =)

----------

## Tron

Please can anyone help?

Thanks,

Tron

----------

## carlivar

Using two different internet connections for the same LAN can be very complicated.  Problem is, your Linux firewall can only have one default gateway.  So which Internet connection will the default gateway go to?  You can get around this with policy routing (source routing) on a decent Cisco router, which might be an option depending on what model you have.  Maybe Linux can do this sort of advanced routing too; I'm not sure.  I should check... anyway you might want to describe clearer exactly what you're looking for... your posts were a bit hard to follow!

Carl

----------

## Tron

OK, I have two servers, a Dual P3 1GHz running Gentoo and a Dual 2200+ running Win2k.  I have them connected to a couple of Cisco switches as well as 40+ other computers for employees and customers.  I also have a T1 line and a 6Mb DSL line.

I want to install Linux on an extra computer I have there, a 450MHz, and whatever else I need to buy.  I might even buy a 1GHz Athlon and use it.  I want to make this computer a firewall and proxy server using squid.  I was wondering if squid would be able to route all web traffic and ports like 21, 25, etc. through the ADSL line.  And all game traffic will be routed through the T1 line.  If I understand correctly it might work without doing too much since I will be using the proxy server's IP in my proxy settings in Internet Explorer's options.

I also don't want to have router->firewall computer->switch->network.  I would rather it just do packet inspection or something so I could keep using DHCP and not use NAT, since a lot of games don't like it.

I wouldn't mind the above situation if I could use something other than NAT for security.

Thanks,

Tron

----------

## de4d

I've tested equal-cost multipath with 2 NATed DSL lines, which worked fine.

If you don't like NAT (which I would prefer for internal networks...), why don't you just replace your (main) router with a Linux box? Then you will have no problems with firewalling, routing, balancing, and you won't have to relayout/change your subnets.

*Quote:*

> Using two different internet connections for the same LAN can be very complicated...

IMHO this is *not* very complicated if you have some kind of idea about what you are doing. Enabling equal-cost multipath, e.g., allows you to add a second 'default' route and the rest is done automatically...

*Quote:*

> Maybe Linux can do this sort of advanced routing too

I haven't played around much with hardware routers, but I can't think of a sort of routing which a Linux box could not do...

OK, I'm not a networking/firewalling guru so this might be totally wrong or not help you at all...

----------

## Tron

Well, the T1 line routes through the Cisco router and the DSL is on the Cayman.  The Cisco has another module slot for DSL but I am not sure it will work together.  My ISP is not very helpful with anything since it is their router.  I managed to change the password on the router and I was cut off the net till I gave it back to them.  They won't even enable the router's built-in firewall or DHCP.

I will do some more research on squid and either iptables or ipchains; I don't know which one is the new one, I forgot.  Like I said, I don't mind the NAT situation where the computer routes, but I don't like NAT; it breaks a lot of games and that is what we need.

Thanks,

Tron

----------

## de4d

I could think of a Linux box in between (i.e. 2 network interfaces) with all your client IPs 'simulated' to your hardware router and the router IP 'simulated' to your clients.

Maybe this is nothing new, or a general workaround for misconfigured routers, but it *may* solve your problem ;)

----------

## btg308

*Tron wrote:*

> I will do some more research on squid and either iptables or ipchains I dont know which one is the new one I forgot.

iptables (AKA netfilter) is the new one from kernel 2.4. It's supposed to be possible to route based on destination port (there's a load of kernel options that need enabling) but that particular feature has so far escaped my grasp. There are some docs, links, promising kernel patches and how-tos on multi-path routing at http://lartc.org/ and http://www.linuxvirtualserver.org/~julian/ .

*Tron wrote:*

> Like I said I dont mind the nat situation where the computer routes but I dont like nat it breaks a lot of games and that is what we need.

A T1 just for games? Sweet. :-) I haven't had any experience with NAT breaking any games and I play both StarCraft (well, I did until some asswipe stole my CD-key and got it banned on battle.net) and Counter-Strike behind a NAT firewall with no problems whatsoever. What problems have you encountered? Running a game server behind a NAT firewall requires some port-forwarding, but shouldn't be a problem otherwise.

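The destination-port based routing btg308 describes can be done on a 2.4 Linux router with netfilter's mangle table plus a second routing table and an `ip rule` that keys on the firewall mark. The following is an added sketch, not code from this thread; the interface names, gateway addresses and table/mark numbers are placeholders, and it needs the kernel's advanced router / policy routing options enabled.

```bash
#!/bin/sh
# Send new outbound TCP 80/21/25 (web, FTP, SMTP) out the DSL gateway and
# leave everything else (games etc.) on the T1 default route.
# All names and addresses below are assumed placeholders for illustration.
LAN_IF=eth0
T1_GW=192.0.2.1        # constructed documentation address for the T1 router
DSL_IF=eth2
DSL_GW=198.51.100.1    # constructed documentation address for the DSL router
DSL_TABLE=100          # extra routing table holding only the DSL default route
DSL_MARK=2             # fwmark that selects that table
DSL_PORTS="80 21 25"

# DRY_RUN=1 prints the commands instead of executing them (which needs root).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_policy_routing() {
  # 1. Mark LAN traffic headed for the chosen destination ports as it arrives.
  for p in $DSL_PORTS; do
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$p" \
        -j MARK --set-mark "$DSL_MARK"
  done
  # 2. A routing table whose only default route points at the DSL gateway.
  run ip route add default via "$DSL_GW" dev "$DSL_IF" table "$DSL_TABLE"
  # 3. Marked packets consult that table; unmarked packets use the main table,
  #    whose default route is the T1.
  run ip rule add fwmark "$DSL_MARK" table "$DSL_TABLE"
  run ip route add default via "$T1_GW"
  run ip route flush cache
}
```

Without NAT on the DSL leg the clients keep their T1-range public addresses, so replies come back over the T1 unless the DSL provider routes those addresses; that is why btg308's point about needing NAT/masquerading or a proxy on the DSL side still applies.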
----------

## Tron

Thx, I will check those out for sure.  And yes, if you have more than one person playing StarCraft, Quake2, etc. on the same server it will lag big time or not even work.

-Tron

----------

## btg308

*Tron wrote:*

> Thx I will check those out for sure.  And yes if you have more then one person playing starcraft, quake2, etc. on the same server it will lag big time or not even work.

We've been two people playing Counter-Strike behind the NAT FW at the same time with no problems. Haven't tried StarCraft, though. The FW should keep track of which internal machine the packets came from and route them back to the correct one, just as if two or more people are surfing the net or whatever. Could it be just a configuration or software version issue?

Oh, and if you don't want NAT, you will either need a proxy (probably not a good idea for the games, but great for the web stuff) and/or NAT or masquerading, unless you have 80 public IPs (one for each line for each internal XP machine)... Or 40 public IPs for the T1 and a NAT/Masq/Proxy for the DSL.

----------

## Tron

I have 70 IPs.  And StarCraft doesn't work; Blizzard admitted to this.

-Tron

----------

## btg308

*Tron wrote:*

> I have 70 ips

OK, that's not an issue then. :-) But 70 public IPs and a T1 for playing games? I gotta ask what you're doing and if you need any help doing it. ;-) Internet Cafe / Arcade?

Also, let us know what you did when you get it working. All my advice is GPLd. ;-)

----------

