-wassup-
09-23-2004, 12:58 PM
My school currently runs an old Sun Netra 150 server to do a few tasks on the network. Everyone there is fed up with it and I (a student) suggested that we replace it with a Linux box. My school's admin said okay and now I am making an itinerary of what I need to do. My school's current network topology is like this.
There is a leased line (ATM) that goes into a Cisco router which then is connected over Ethernet to the Sun box. The Sun box then splits the network into the Administrators network and then the Student network. Both the Cisco and the Sun have routeable IPs. This is what the Sun server currently does:
-Firewall the students from the teachers using port 660 (Appletalk Over IP)
-Provide NAT from the student and admin networks
-Do DNS lookups
-Provide a caching proxy via Netscape Proxy Server
So this is what I have come up with so far for the Slackware box to replace it:
-BIND for DNS
-Caching proxy via Squid HTTP Proxy
This is my firewalling script:
#!/bin/sh
## Firewall Script for Slack Server
## Written by Alex
## Parts taken from the Linux IP Masquerade HOWTO
## Find all our useful binaries
IPTABLES=/usr/sbin/iptables
IFCONFIG=/sbin/ifconfig
## Set up our interfaces
EXTIF="eth0"
ADMINIF="eth1"
STUDENTIF="eth2"
echo " External Interface: $EXTIF"
echo " Admin Interface: $ADMINIF"
echo " Student Interface: $STUDENTIF"
## Identify what IPs lead to what
EXTIFIP="<left out for security reasons>"
ADMINIFIP="172.17.0.1"
STUDENTIFIP="172.18.0.1"
## Assign our IPs (the external netmask had five octets, which ifconfig
## rejects; 255.255.255.0 is assumed to be the one intended)
$IFCONFIG $EXTIF $EXTIFIP netmask 255.255.255.0
$IFCONFIG $ADMINIF $ADMINIFIP netmask 255.255.0.0
$IFCONFIG $STUDENTIF $STUDENTIFIP netmask 255.255.0.0
## Enable IP forwarding in the kernel via /proc
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
## Flush IPTABLES (the nat table has to be flushed separately)
$IPTABLES -F
$IPTABLES -t nat -F
## Forward nothing that is not explicitly allowed below; without this the
## ACCEPT rules further down would be meaningless, since FORWARD defaults to ACCEPT
$IPTABLES -P FORWARD DROP
## Set up the actual IP Masquerading
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
## Let replies to connections we forwarded come back in
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Firewall Appletalk Over IP (Port 660) between the two LANs
## (the option is "--dport 660", not "--dport:660"; these rules must come
## before the inter-LAN ACCEPT rules or they never match)
$IPTABLES -A FORWARD -i $ADMINIF -o $STUDENTIF -p tcp --dport 660 -j REJECT
$IPTABLES -A FORWARD -i $STUDENTIF -o $ADMINIF -p tcp --dport 660 -j REJECT
## Enable internal interfaces to communicate with each other
$IPTABLES -A FORWARD -i $ADMINIF -o $STUDENTIF -j ACCEPT
$IPTABLES -A FORWARD -i $STUDENTIF -o $ADMINIF -j ACCEPT
## Stop the internet from using Slack's services
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 8080 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j DROP
## Enable IP Masquerading (NAT): "-j MASQ" is ipchains syntax and does not
## exist in iptables. The address rewriting is done by the POSTROUTING rule
## above, so here the two LANs only need permission to be forwarded out of $EXTIF
$IPTABLES -A FORWARD -i $ADMINIF -o $EXTIF -s 172.17.0.0/16 -j ACCEPT
$IPTABLES -A FORWARD -i $STUDENTIF -o $EXTIF -s 172.18.0.0/16 -j ACCEPT
## EOF
Can anyone see anything wrong with my solution and more specifically my firewall script? I have never really used Linux as a NAT gateway before and I'm hoping this will work without too much debugging. :)
I am thinking there would be a problem with the student and the admin networks talking to each other.
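Since the post is about turning a three-interface Linux box into a NAT gateway, here is an added example of how the same topology is usually expressed for iptables: a default-deny ruleset in iptables-restore format, loaded atomically so a typo cannot leave the box half-configured the way a line-by-line script can. This is not the poster's script and not from the Linux IP Masquerade HOWTO. The interface names and the two /16 LAN ranges follow the posted script; the proxy port 8080, SSH being reachable from the admin LAN only, the anti-spoofing rules and the stateful return rules are assumptions the post does not specify.

```shell
#!/bin/sh
# Added example (not the poster's script): default-deny ruleset for a
# gateway with one external and two internal interfaces, emitted in
# iptables-restore format and loaded in one atomic commit.
# Assumed (not from the post): proxy on TCP 8080, SSH from admin LAN only,
# DNS served to both LANs, anti-spoofing on the external side.

EXTIF="eth0"
ADMINIF="eth1"
STUDENTIF="eth2"
ADMINNET="172.17.0.0/16"
STUDENTNET="172.18.0.0/16"

# gen_rules prints the complete ruleset to stdout; nothing is applied here.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving $EXTIF (the iptables form of "-j MASQ")
-A POSTROUTING -s $ADMINNET -o $EXTIF -j MASQUERADE
-A POSTROUTING -s $STUDENTNET -o $EXTIF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: the LAN ranges never legitimately arrive on the external side
-A INPUT -i $EXTIF -s $ADMINNET -j DROP
-A INPUT -i $EXTIF -s $STUDENTNET -j DROP
-A FORWARD -i $EXTIF -s $ADMINNET -j DROP
-A FORWARD -i $EXTIF -s $STUDENTNET -j DROP
# Services on the gateway itself: loopback, replies, ping from the LANs,
# BIND and the proxy (assumed on 8080) from both LANs, SSH from the admin LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $ADMINIF -s $ADMINNET -p icmp -j ACCEPT
-A INPUT -i $STUDENTIF -s $STUDENTNET -p icmp -j ACCEPT
-A INPUT -i $ADMINIF -s $ADMINNET -p udp --dport 53 -j ACCEPT
-A INPUT -i $ADMINIF -s $ADMINNET -p tcp -m multiport --dports 53,8080 -j ACCEPT
-A INPUT -i $STUDENTIF -s $STUDENTNET -p udp --dport 53 -j ACCEPT
-A INPUT -i $STUDENTIF -s $STUDENTNET -p tcp -m multiport --dports 53,8080 -j ACCEPT
-A INPUT -i $ADMINIF -s $ADMINNET -p tcp --dport 22 -j ACCEPT
# Forwarding: replies first, then the port 660 block (it must precede the
# inter-LAN ACCEPTs or it never matches), then what each LAN may reach
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ADMINIF -o $STUDENTIF -p tcp --dport 660 -j REJECT --reject-with tcp-reset
-A FORWARD -i $STUDENTIF -o $ADMINIF -p tcp --dport 660 -j REJECT --reject-with tcp-reset
-A FORWARD -i $ADMINIF -s $ADMINNET -o $STUDENTIF -j ACCEPT
-A FORWARD -i $STUDENTIF -s $STUDENTNET -o $ADMINIF -j ACCEPT
-A FORWARD -i $ADMINIF -s $ADMINNET -o $EXTIF -j ACCEPT
-A FORWARD -i $STUDENTIF -s $STUDENTNET -o $EXTIF -j ACCEPT
COMMIT
EOF
}

# rule_count returns how many "-A" rule lines the generator emits (a cheap
# sanity check that nothing was lost when editing the heredoc).
rule_count() {
    gen_rules | grep -c '^-A '
}

# load_rules enables forwarding and replaces the live ruleset in one commit
# (needs root). iptables-restore parses the whole file before touching the
# kernel, so a syntax error leaves the previous rules untouched.
load_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | iptables-restore
}

case "${1:-}" in
    load)  load_rules ;;
    check) gen_rules | iptables-restore --test ;;   # parse only, commit nothing
    *)     gen_rules ;;
esac
```

Run it with no arguments to review the generated rules, with `check` to have iptables-restore parse them without committing, and with `load` as root to apply them. Compared with the posted script, the differences that matter are the DROP policies on INPUT and FORWARD (the original only blocked three ports on the gateway from the outside and forwarded everything else by default), the ESTABLISHED,RELATED rules that let replies back through a default-deny FORWARD chain, and the atomic load.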