  1. #1
    Just Joined!
    Join Date
    Nov 2011
    Posts
    4

    Setting up a network with dedicated firewall in VirtualBox


    Hey guys,
    I'm about to get hired on at a place for a networking gig. I'm a semi-novice when it comes to all of this (it's a campus job, so they understand I'm not a long-time professional). They use Vyatta firewalls, but I could just as easily do this with iptables and any Linux distro. Anyway, what he suggested was to set up multiple VMs including one that's a dedicated firewall, and set them up on their own little network that routes through that firewall. I'm using VirtualBox; could someone give me some pointers on how to get started with this kind of setup? I'm not exactly sure where to even begin.
    Thanks,
    Colin

  2. #2
    Just Joined!
    Join Date
    Nov 2011
    Posts
    4
    This was suggested as a way to help me learn how to manage firewalls, btw.

  3. #3
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,218
    Where to begin?
    Reading. Lots of it.
    In general (for Linux FW): netfilter/iptables project homepage - The netfilter.org project

    This tutorial here also covers basics:
    Iptables Tutorial 1.2.2


    P.S.: Personally I don't like firewalls on VMs. At least not for production use.

    FWs are part of the infrastructure and the infrastructure needs to be clear, structured, efficient and performant.
    I want to be sure the packets received and sent are *exact* and not mangled.
    I don't want to introduce additional update windows just because there is a new version of the hypervisor.
    I want the performance the NICs can offer, not what the virtualized NIC can offer.
    Last edited by Irithori; 11-10-2011 at 11:05 PM. Reason: typo
    You must always face the curtain with a bow.

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    I agree 100% with Irithori on this. Make your FW its own system, unfettered by the overhead and complications of a VM. It does not have to be a beast of a PC to be a firewall (think of the teeny Linksys wireless router sitting under your desk), just a meager machine with at least 2 NICs will do.

    Jc, what distro will you be using? I only ask b/c I have been playing with the GUI for iptables in RHEL6 and it has really come a long way. I actually haven't had to manually edit /etc/sysconfig/iptables yet!

  5. #5
    Just Joined!
    Join Date
    Oct 2011
    Posts
    15
    I am also against using a VM as a FW. You can build a firewall using any basic or older HW with at least 2 NICs, so it's cheap.


    atreyu,

    thanks for sharing your experience.
    Have you installed some third-party app for the iptables GUI, or does it come by default with RHEL 6? I have not used version 6 of RHEL or her sisters.
    How much control of iptables do you have from the GUI, and what was your overall experience?

    --
    Regards,
    Sachin Divekar

  6. #6
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    @Sachin,

    The GUI front-end for configuring the iptables firewall belongs to a package called system-config-firewall. If the package is not found on your system, do:

    Code:
        yum install system-config-firewall

    You should find it under Applications > System Tools > Firewall, or you can launch it from the terminal with:

    Code:
        system-config-firewall

    It will prompt you for the root password, if not run as root.

    For direct types of iptables rules, like opening up port 80, or blocking a particular network from any access, it is ridiculously easy and straight-forward. I have not attempted to add any Custom Rules yet, though.

    One note of warning: if you do wish to use the graphical tool, be warned that it will overwrite your current /etc/sysconfig/iptables configuration file. So the best practice is, start first with the graphical tool to create all the configuration you require. Then, if there is some tweaking that you must do manually (by editing /etc/sysconfig/iptables directly), then do that afterwards, but remember that future uses of the graphical tool will undo your manual edits.
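    Added example for the overwrite caveat above (mine, not atreyu's code): snapshot the rules file before launching the GUI, then list the rule lines the GUI dropped so they can be re-applied by hand. The file path and the GUI command name are the ones named in the post; the backup naming and the comparison logic are my own.

```shell
#!/bin/sh
# Added example, not from the thread. system-config-firewall rewrites
# /etc/sysconfig/iptables, so manual edits made after a GUI run vanish the
# next time the GUI saves. This keeps a copy and reports what was lost.
# Assumptions: RULES is the RHEL 6 rules file (path from the post), GUI_CMD
# is the GUI command from the post; both can be overridden for testing.
RULES=${RULES:-/etc/sysconfig/iptables}
GUI_CMD=${GUI_CMD:-system-config-firewall}

# Print every rule line present in the saved copy ($1) but absent from the
# current file ($2). Comment and blank lines are ignored; exact line matches
# only (-x -F), so reordering by the GUI does not count as a loss.
lost_rules() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while IFS= read -r line; do
        grep -qxF -- "$line" "$2" || printf '%s\n' "$line"
    done
}

# Snapshot, run the GUI, then show which hand-written rules it discarded.
# Anything printed here has to be re-added manually (or the GUI avoided).
run_gui_safely() {
    backup="$RULES.pre-gui.$(date +%Y%m%d%H%M%S)"
    cp -p "$RULES" "$backup" || return 1
    "$GUI_CMD"
    echo "Rules present in $backup but missing from $RULES:"
    lost_rules "$backup" "$RULES"
}
```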

  7. #7
    Just Joined!
    Join Date
    Oct 2011
    Posts
    15
    atreyu,
    Is it the same as system-config-securitylevel in RHEL/CentOS 5? I have used it for building very basic iptables rules, but we cannot build more complex rules using it. It is a very basic tool.

    --
    Regards,
    Sachin

  8. #8
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    It is like system-config-securitylevel on steroids. The new version can do everything that one can do, but better, and more. Still, it is not perfect (for reasons already mentioned). Your best bet may be to do a combination of GUI and manual edits.

  9. #9
    Just Joined!
    Join Date
    Oct 2011
    Posts
    15
    Must try system-config-firewall to see the improvements. If it provides more control using the UI, it will prove useful for admins immediately after installation.

  10. #10
    Just Joined!
    Join Date
    Nov 2011
    Posts
    4
    Please read my messages before replying; this is not a production firewall, this is ONLY FOR ME TO LEARN. The company I will be working for uses dedicated Vyatta hardware running Vyatta OS for their primary firewalls, so it will not be an issue. They have smaller subnets for different environments where they use dedicated boxes using iptables; I believe the distro they use for those is Debian. The network I want to set up is not going to be a large network running a lot of traffic; it will be a small, virtualized network so that I can learn this stuff. That's it.
    What I specifically asked for was how to set up the virtualized NETWORK on VirtualBox and run it through the firewall VM, also on VirtualBox.
    I do appreciate the information you guys have provided; it's all been very useful stuff, but it doesn't actually address my initial question.
    Thanks,
    Colin
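    For the setup Colin is asking about, as an added example (not code from anyone in the thread): the host-side VBoxManage wiring that puts the client VMs behind the firewall VM, plus a default-deny iptables ruleset for the firewall guest. The VM names fw/client1/client2, the internal network name fwlab, the guest interface names eth0/eth1 and the LAN range 10.10.0.0/24 are all my assumptions; VBOXMANAGE, IPT and SYSCTL can be set to echo to preview the commands without running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the lab Colin describes:
# one firewall VM with two adapters and client VMs that sit only on an
# internal network, so every client packet leaving the lab must cross the firewall.
# Assumed names (mine): VMs fw/client1/client2, internal network "fwlab",
# guest interfaces eth0 (uplink) and eth1 (LAN), LAN range 10.10.0.0/24.
# Set VBOXMANAGE/IPT/SYSCTL to "echo" to preview the commands instead of running them.
VBOXMANAGE=${VBOXMANAGE:-VBoxManage}
LAN_NET=${LAN_NET:-fwlab}

# Host side: the firewall's nic1 is NAT (its uplink), nic2 joins the internal
# network; each client gets a single adapter on that internal network and no NAT.
wire_lab() {
    fw=$1; shift
    "$VBOXMANAGE" modifyvm "$fw" --nic1 nat --nic2 intnet --intnet2 "$LAN_NET"
    for vm in "$@"; do
        "$VBOXMANAGE" modifyvm "$vm" --nic1 intnet --intnet1 "$LAN_NET"
    done
}

# Guest side, run as root inside the firewall VM: default-deny policies, the
# LAN allowed out through NAT, and nothing new accepted from the uplink.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_CIDR=${LAN_CIDR:-10.10.0.0/24}

firewall_rules() {
    "$SYSCTL" -w net.ipv4.ip_forward=1          # routing between NICs is off by default
    "$IPT" -F; "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Manage the firewall over SSH from the LAN side only; the uplink stays closed.
    "$IPT" -A INPUT -i "$LAN" -s "$LAN_CIDR" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only connections that originate on the LAN and leave via the uplink are forwarded.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_CIDR" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_CIDR" -j MASQUERADE
}

# Usage: on the host, wire_lab fw client1 client2 ; inside the fw guest, firewall_rules
```

    An internal network has no DHCP server unless you add one with VBoxManage dhcpserver, so give the firewall's eth1 a static address in the LAN range and point the clients at it as their default gateway. Watch the counters with iptables -L -v -n from a client that tries to reach the outside and one that is reached from the NAT side to see the FORWARD policy doing its job.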
