161 lines
6.6 KiB
HTML
161 lines
6.6 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<TITLE>The Answer Guy 28: Linux as a General Purpose SOHO to
|
|
Internet Gateway</TITLE>
|
|
</head>
|
|
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
|
|
ALINK="#FF0000">
|
|
<!--endcut ========================================================= -->
|
|
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
<P> <hr> <P>
|
|
|
|
<!-- =============================================================== -->
|
|
<H1 align="center"><A NAME="answer">
|
|
<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
|
|
<a href="./lg_answer28.html">The Answer Guy</a>
|
|
<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
|
|
</A></H1> <BR>
|
|
<H4 align="center">By James T. Dennis,
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
|
|
Starshine Technical Services,
|
|
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A> </H4>
|
|
<p><hr><p>
|
|
<H3><img src="../gx/dennis/qbub.gif" alt="(?)" width="50" height="28"
|
|
align="left" border="0">Linux as a General Purpose SOHO to
|
|
Internet Gateway</H3>
|
|
|
|
<p><strong>From Ron Smith on Sat, 11 Apr 1998 on a newsgroup</strong></p>
|
|
|
|
<p><strong>
|
|
I looked thriugh the FAQ and didn't find any answers to this question.
|
|
I hope this is the right forum.</strong></p>
|
|
|
|
<blockquote><img src="../gx/dennis/bbub.gif" alt="(!)" width="50" height="28"
|
|
align="left" border="0">"The"
|
|
FAQ. There are a huge number of Linux FAQ and
|
|
HOW-TO documents. I haven't read them all and I'm
|
|
"<em>The Answer Guy</em>."
|
|
</blockquote>
|
|
|
|
<p><strong>
|
|
I am a fairly experienced UNIX developer but I usually leave the
|
|
difficult administrative stuff the the SysAdmins. I have been running a
|
|
small LAN for my business using Slakware LINUX (currently version 3.2)
|
|
for some time now. What I really want to do is use the LINUX server as
|
|
a gateway to the internet for the rest of my LAN. I can connect via PPP
|
|
to my ISP from the LINUX box with no problems but what I haven't found
|
|
any good books or documentation on is:
|
|
|
|
<br><br>
|
|
How do I setup the LINUX server to bridge between my local LAN and the
|
|
internet?</strong></p>
|
|
|
|
<blockquote><img src="../gx/dennis/bbub.gif" alt="(!)" width="50" height="28"
|
|
align="left" border="0">
|
|
You probably want to read up on IP Masquerading.
|
|
In it's simplest form you use the ipfw (kernel
|
|
packet filtering features) and configure them with
|
|
a command like:
|
|
|
|
<blockquote><code>
|
|
ipfwadm -F -a accept -m -S 192.168.1.0/24 -D any
|
|
</code></blockquote>
|
|
|
|
... which says:
|
|
|
|
<blockquote>
|
|
add a rule to accept packets for forwarding from
|
|
the <tt>192.168.1.*</tt> range of addresses, and masquerade
|
|
them to wherever they are going.
|
|
</blockquote>
|
|
|
|
This assumes you have all your internal systems already
|
|
configured with
|
|
<a href="http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html">RFC
|
|
1918</a> IP addresses like <tt>192.168.1.*</tt>
|
|
or <tt>172.16.*.*</tt> or <tt>10.*.*.*</tt>, and that you have
|
|
them all configured to use the Linux system as their default router.
|
|
It also assumes that you are running a reasonably recent
|
|
kernel with the ipfw options enabled.
|
|
|
|
<br><br>
|
|
There's quite a bit more to it than that --- but that is the core
|
|
command that makes it work. Note that some protocols --- ftp in
|
|
particular --- don't work reliably through masquerading. It is often
|
|
better to get a copy of the
|
|
<a href="http://www.tis.com/prodserv/fwtk/readme.html">TIS FWTK</a>
|
|
or <a href="http://www.socks.nec.com/whatissocks.html">SOCKS</a>
|
|
(application layer proxies) to support these
|
|
(<a href="#tag_gw_footnote">*</a>).
|
|
|
|
<br><br>
|
|
Suggestions: run a caching nameserver and a good caching
|
|
web proxy (like
|
|
<a href="http://squid.nlanr.net/Squid/"><tt>squid</tt></a>)
|
|
on the router (the Linux box).
|
|
Make a "best effort" to "harden" the router's configuration
|
|
and contract to have a thorough security audit performed
|
|
on it. If at all possible isolate the gateway on the
|
|
"outside" of an interior perimeter router (which can be
|
|
another Linux box running <em>no</em> services, not even
|
|
<tt>inetd</tt>).
|
|
|
|
<br><br>
|
|
Adding the caching for DNS and other protocols can
|
|
greatly reduce the traffic over the network link and
|
|
only costs a tiny investment in configuration time, RAM,
|
|
and disk space. Any traffic that's handled by the cache is
|
|
a bit less contention for everyone else using the link and
|
|
everyone between you and the servers that you're accessing
|
|
(i.e. the whole 'net benefits).
|
|
</blockquote>
|
|
|
|
<p><strong><img src="../gx/dennis/qbub.gif" alt="(?)" width="50" height="28"
|
|
align="left" border="0">I
|
|
would appreciate any help that you can give...I will check back here
|
|
periodically or, if possible, email me directly. Thanks in advance.
|
|
</strong></p>
|
|
|
|
<blockquote><img src="../gx/dennis/bbub.gif" alt="(!)" width="50" height="28"
|
|
align="left" border="0">
|
|
Feh! I'll try to remember to spool off a copy via e-mail.
|
|
Find a good consultant in your area. A good one will
|
|
show you how to do all of this and will be able to explain
|
|
quite a bit more because he or she will ask quite a bit
|
|
more about your requirements. I've glossed over quite a bit
|
|
here -- in particular regarding the security issues.
|
|
<hr width="40%"">
|
|
<ul><li><a name="tag_gw_footnote">Shortly</a> after writing this, but prior
|
|
to "going to press" I hunted around for an alternative to FWTK
|
|
and found <a href="http://wall.etl.go.jp/ysato/DeleGate/">DeleGate</a>,
|
|
which can be used as a SOCKS proxy (semi-transparent but requiring
|
|
client software support) and as a user-driven proxy. Thus it can be
|
|
used in place if SOCKS and FWTK and seems to be simpler to set up
|
|
than either. It hasn't been around as long, or used as widely, so
|
|
we can't be as confident in its security and feature set. But,
|
|
it's well worth a look and has a more BSDish license.
|
|
</ul>
|
|
</blockquote>
|
|
<!--================================================================-->
|
|
<P> <hr> <P>
|
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 1998, James T. Dennis <BR>
|
|
Published in <I>Linux Gazette</I> Issue 28 May 1998</H5>
|
|
<P> <hr> <P>
|
|
<!--================================================================-->
|
|
<A HREF="./index.html"><IMG SRC="../gx/indexnew.gif"
|
|
ALT="[ Table Of Contents ]"></A>
|
|
<A HREF="../index.html"><IMG SRC="../gx/homenew.gif"
|
|
ALT="[ Front Page ]"></A>
|
|
<A HREF="./lg_answer28.html"><IMG SRC="../gx/dennis/answernew.gif"
|
|
ALT="[ Answer Guy Index ]"></A>
|
|
<!--startcut ======================================================= -->
|
|
</body>
|
|
</html>
|
|
<!--endcut ========================================================= -->
|
|
|