Help with Linux Firewall configuration!?

Printable View

08-24-2007
z3r0ph3wl

Help with Linux Firewall configuration!?

Hello. My situation is like this:

School network has around 60 computers and 5 Printers. Line comes to Lucent DSLPIPE modem and then to HP ProCurve 4000m switch (witch has configuration). One of cables connects to Linux Firewall PC (Swedish distribution) and then there is Windows domain controler with 2 network cards for two subnets(teachers and students).
No school buy new PC so firewall has new PC also. Problem is with configuration of linux. I use other distribution...
Old firewall info:

/etc/.config:

domain: school.example.se
eth0 IP: 10.2.44.253
eth0 NetMask: 29
eth0 Broadcast: 255.255.255.255
eth0 Discription: Uplink interface
eth1 IP: 10.2.44.62
eth1 NetMask: 26
eth0 Broadcast: 255.255.255.255
eth0 Discription: Protected network
Gateway: 10.2.44.254
NTPS: 10.1.1.2

/etc/config.data/inet.routes:

#!/bin/sh
echo "inet.routes"
export GATEWAY=214.11.120.202
echo " Initiating VLAN:s and routes ..."
# Load VLAN module
insmod 8021q 2>&1 | grep -v 'insmod: a module named 8021q already exist' >&2
# Setup VLAN and IP-addresses
# Uplink on public IP
vconfig add eth0 100
ip link set dev eth0.100 up
ifconfig eth0.100 214.11.120.201 netmask 255.255.255.252
# Add Teachers network
vconfig add eth0 101
ip link set dev eth0.101 up
ifconfig eth0.101 10.2.44.62 netmask 255.255.255.192
# Add Students network
vconfig add eth0 102
ip link set dev eth0.102 up
ifconfig eth0.102 10.2.44.126 netmask 255.255.255.192
ip addr add 10.2.44.190/26 brd + dev eth0.102
# Add EXTRA_NAT network
#vconfig add eth0 103
#ip link set dev eth0.103 up
#ifconfig eth0.103 10.2.44.190 netmask 255.255.255.192
ip route add default via $GATEWAY
ip addr add 10.2.44.254/24 dev eth0

and then on windows domain info:
eht0 IP: 10.2.44.10
eht0 Netmask: 255.255.255.192
eht0 Gateway: 10.2.44.62
eht0 DNS: 10.2.44.10
eht1 IP: 10.2.44.109
eht1 Netmask: 255.255.255.192
eht1 Gateway: 10.2.44.126
eht1 DNS: 10.2.44.109

HP ProCurve info:

IP: 10.2.44.252
Mask: 255.255.255.248
Gateway: 10.2.44.253

For me is little complicated to understand how to set this info on new PC. I wont use old distribution because its old and small.
So please help/suggest what/how configuration i should use and whats best distribution for this.

Thank you!
Linux is the best! :))) Always I used it but i am a programmer not a Network specialist :))) But i really need help with this.
08-27-2007
framp

Frankly I don't get your problem.

Quote:

One of cables connects to Linux Firewall PC (Swedish distribution) and then there is Windows domain controler with 2 network cards for two subnets(teachers and students).

Why isn't the windows domain controller connected to the Linux FW? Has this box another FW? Do you want to connect your Linux box to the FW? Which Linux Distros are used?

Many questions :rolleyes: . You should give more details about your config/nw topology and explain in more detail your problem ;)
08-27-2007
z3r0ph3wl

Because its not my configuration. The company did all installation long time ago - and now that company do not exist :) So nobody know even passwords - i was need to reset them.
What i want is to make same network as it is now just with new machine and distribution or in other way but working. Network looks now like this:
First gos modem -----> To first port of HP ProCurve 4000m switch (switch looks more advanced not simple one HP ProCurve 4000m Switch ) -----> from switch second cable go's to Linux firewall with Bifrost Network Project (but it has two network cards and uses just one cable)
And two cables from switch gos to Windows Domain Server machine.
Network has two subnets - one for teachers and one for students. and other computers a connected by using same switch some other simple ones.
So please if you know how tell me :) If you need more info - describe and i will try to get :)

Thanks
08-27-2007
framp

Ok. Now I think I understand your problem much better. You just want to throw away the ugly old Linux FW SW and use a current Linux distro for the FW and keep the current network topology.

Normally there is one cable between the modem and the firewall on one interface and one cable between the internal protected LAN and the second interface of the FW.
You use VLANs in order to get the external and internal network separated such that all the clients connected to the windows domain server are protected by the firewall.

I wouldn't use VLANs if there is no strong reason to do so. I just would plug in a second network card in the Linux box, connect the windows domain server there and configure a normal Linux firewall. But then you have to reconfigure the switch and all the defined VLANs which might be challenging.

There is one point which I don't understand: The second cable to the windows box. Is there some service (e.g. web server ...) running on the windows box and accessible from the internet? If yes - that's again uggly because servers accessible from the internet should reside in a DeMilitarizedZone and not running on a normal server in the local LAN. I strongly recoomend to switch to a DMZ. Then you need another network card and another server which run's the external services and will be connected to the third interface of the FW. Then you have to configure your firewall the right way and should be done. But this requires Linux and iptables know how ;)

I'm not a VLAN expert. So there might be other way's to get the FW & DMZ stuff set up. Hope somebody who knows VLANs and FW will comment on this thread also.