Networking Forums

Linux Firewall for a Multiple IP Network

Hani (Guest), 07-29-2003, 03:36 PM
Hello,
I want to configure a Linux box as a firewall to protect my web and
email server.
Please read and tell me what you think...

The email server has one external IP, the web server has 20 of them.

This Linux box has two network cards already.
So I was thinking that one of them will be connected to my T1, the
other one would be connected to the switch that connects my servers.

Now I need to configure bridging between the two as follows:

webSrvPublicIP1 --> webSrvPrivateIP1 (only if the port is 80 or 443,
otherwise drop)

and a similar configuration for the email server.

Now, I'm not sure where or how to start. I'm new to Linux, so here it
goes..

- Would Red Hat 8.0 be good enough for what I want?
- What packages do I need to include when installing Linux?
- Does RH 8.0 come with all the required packages or do I need to
download some of them?
- Finally, is there documentation or a HOWTO you think would help
me with the task?

Sorry I'm asking too many questions, but any comments you would share
with me would be greatly helpful and appreciated.

Thanks in advance

jack (Guest), 07-30-2003, 08:34 AM
Hani wrote:
> Hello,
> I want to configure a Linux box as a firewall to protect my web and
> email server.
> Please read and tell me what you think...
>
> The email server has one external IP, the web server has 20 of them.


Methinks: What a waste of resources, 20 IPs on one server...


> This Linux box has two network cards already.
> So I was thinking that one of them will be connected to my T1, the
> other one would be connected to the switch that connects my servers.
>
> Now I need to configure bridging between the two as follows:


We're not starting the old "router/switch/bridge" discussion over...


> webSrvPublicIP1 --> webSrvPrivateIP1 (only if the port is 80 or 443,
> otherwise drop)
>
> and a similar configuration for the email server.
>
> Now, I'm not sure where or how to start. I'm new to Linux, so here it
> goes..
>
> - Would Red Hat 8.0 be good enough for what I want?
> - What packages do I need to include when installing Linux?
> - Does RH 8.0 come with all the required packages or do I need to
> download some of them?
> - Finally, is there documentation or a HOWTO you think would help
> me with the task?


Ok, what You're trying to do is really, really simple (and has been
discussed in this NG over and over and over...).

To start off, I recommend reading the Networking-HowTo. You say that
You are new to linux (and one can tell from Your questions), so this
is really _need_ reading. - After that, find some "iptables" tutorial
on the web and You will be surprised how easily You can achieve Your
goal. -- BTW, RH8.0 is capable of doing this and comes with iptables
(AFAIK).


> Sorry I'm asking too many questions, but any comments you would share
> with me would be greatly helpful and appreciated.


You're welcome - that's what we're here for. On the other hand, You will
have to do at least the basic homework for Yourself. But You said that
You're new to linux, so You're forgiven.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
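
Jack's answer points at iptables rather than bridging. The script below is an added illustration, not code from any post in this thread: it turns Hani's setup (one NIC toward the T1, one toward the server switch, each public address forwarded to a private server address on a fixed set of TCP ports, everything else dropped) into iptables DNAT/SNAT rules, which is routing plus NAT, not bridging. The interface names eth0/eth1, the 203.0.113.x public and 192.168.10.x private addresses, and the port lists are constructed assumptions; a 20-address web server would simply carry 20 mapping lines.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates iptables rules for
# a two-NIC Linux firewall that forwards each public address to a private
# server address and accepts only the listed TCP ports. Interface names,
# addresses and ports below are assumptions for illustration.

EXT_IF=eth0    # NIC facing the T1
INT_IF=eth1    # NIC facing the server switch

# Constructed mapping table: "public_ip private_ip tcp_ports", one line per
# public address. Two web addresses plus one mail address are shown.
MAPPINGS='
203.0.113.10 192.168.10.10 80,443
203.0.113.11 192.168.10.11 80,443
203.0.113.50 192.168.10.50 25
'

# emit_rules prints one command per line and applies nothing itself.
emit_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -P FORWARD DROP"
    # Replies to already-accepted connections may pass in both directions;
    # anything else must match an explicit rule below.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        # Translate the destination only for the permitted ports. Packets to
        # other ports on $pub are never translated: they reach INPUT if the
        # firewall holds the address, or FORWARD (policy DROP) if the block is
        # routed to it, so drop them explicitly in INPUT as well.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $priv"
        echo "iptables -A INPUT -i $EXT_IF -d $pub -j DROP"
        # Let the translated new connection through the filter table.
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $priv -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
        # Outbound connections from the server (e.g. the mail server delivering
        # mail) leave with the server's own public address.
        echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $priv -m state --state NEW -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
    done
}

# count_dnat_rules returns the number of DNAT rules, one per mapping line.
count_dnat_rules() {
    emit_rules | grep -c -- '-j DNAT'
}

case "${1:-print}" in
    print) emit_rules ;;          # review the generated commands first
    apply) emit_rules | sh -e ;;  # run as root on the firewall
esac
```

Run it with no argument to review the commands and with `apply` as root on the firewall. The ISP must route the public block to the firewall's external interface, or the firewall must hold those addresses as aliases on eth0; either way the servers behind eth1 keep only private addresses. The script does not open anything to the firewall itself (no SSH rule in INPUT), so add that before relying on it remotely.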

Dave Carrigan (Guest), 07-30-2003, 04:05 PM
jack <(E-Mail Removed)> writes:

> Hani wrote:
>> The email server has one external IP, the web server has 20 of them.
>
> Methinks: What a waste of resources, 20 IPs on one server...


Not necessarily. If you have multiple SSL-enabled sites and you want all
of them to use the standard https port, you need one IP per site. You
can do it with 20 servers with 1 IP each or 1 server with 20 IPs
each. No matter how you slice it, you need all the IPs.

Or perhaps the poster needs to enforce some kind of connection policy
that's easier to do with iptables and multiple IP addresses, versus
complicated squid ACLs.

Without knowing the original poster's requirements for his web server,
it's impossible to know whether the 20 IPs are wasteful or not.

--
Dave Carrigan
Seattle, WA, USA
(E-Mail Removed) | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL

jack (Guest), 07-30-2003, 06:07 PM
Dave Carrigan wrote:
> jack <(E-Mail Removed)> writes:
>
>> Hani wrote:
>>
>>> The email server has one external IP, the web server has 20 of them.
>>
>> Methinks: What a waste of resources, 20 IPs on one server...

>
>
> Not necessarily. If you have multiple SSL-enabled sites and you want all
> of them to use the standard https port, you need one IP per site. You
> can do it with 20 servers with 1 IP each or 1 server with 20 IPs
> each. No matter how you slice it, you need all the IPs.
>
> Or perhaps the poster needs to enforce some kind of connection policy
> that's easier to do with iptables and multiple IP addresses, versus
> complicated squid ACLs.
>
> Without knowing the original poster's requirements for his web server,
> it's impossible to know whether the 20 IPs are wasteful or not.


Well, Dave,

You really are a "rude dog"... -- Good point, though.

I was a bit quick, perhaps - But from the terminology in that post
all I can tell is that Hani shouldn't be running such a thing...

I really, really want to be everything but unfair or prejudiced here,
but if somebody is running such a service in a Win environment, he/she
_must_ know about some networking basics. And "bridging the switch"
has nothing to do with that, I think.

That the OP wants to use linux now for the important parts is more
than OK for me, hence the answer I gave. And, be it Linux or Win*,
TCP/IP is the same everywhere (, or, should be...).

I'm a bit old-fashioned in my idea of networking, I know. But if I
hear that 20 IPs point at one-and-the-same box, from my experience
I can tell that there's something rotten with the initial network
design there. So that was my point.

And to the OP, Hani, I hope You got some hints from that answer; if
so and it didn't solve the problem yet, just holler!, and we'll help.

Dave, I really appreciate what You said, and that You said it.


Cheers, Jack.

Hani (Guest), 07-30-2003, 11:31 PM
Thanks for your responses, guys....

Jack,
I know you have very good intentions, but it was hard to interpret
your responses in any way but unfair and prejudging...

First, you don't know what kind of a server I have; it could be a Sun
Fire 15K for all you know, but unfortunately it's not.
I didn't indicate what services it runs, or how much traffic hits
it... so implying that I'm wasting resources isn't fair..
But if you must know, Dave was correct. I have 16 SSL sites, they're all
for one client, and it was the client's request to host everything on
one machine. Some people consider that rotten! Well, I got news, the
real world is rotten...

No resources on the server are being wasted. In fact, the CPU
utilization on it is always in the range of 75-90%, so it's just what
the client needs.

Second, nowhere in my question did I ask for lessons in networking or
TCP/IP. My questions were specific: Would Red Hat 8.0 be good enough
for what I want to do? (you answered that and I'm thankful). That, and I
asked for some recommended documentation...

Again, I'm sure you have had the best of intentions (the sole fact
that you posted back indicates that you're willing to help others,
which is a good quality), and I'm not in any way trying to defend
myself or offend you. I just wanted to let it out.......

Once again, thanks a bunch for the help you guys provided.

Regards,
Hani

jack (Guest), 07-31-2003, 06:54 AM
OK, Hani,

Thank You for that, and my apologies...!


Cheers, Jack.