Linux: Firewall, NAT, Proxy
20 years 5 months ago #3905
by drizzle
Linux: Firewall, NAT, Proxy was created by drizzle
I work for a business with about 1000 employees at 8 different locations. We are connected through frame relay. My network segment consists of ~140 users. The problem is that our damn corporate office does jack for security and is always sending worms, viruses, etc. my way. With the slashed budgets of the past couple of years I have been tasked to put a firewall between us and them without any funds.
So, I have found great sites like this and a bunch of white papers on setting up Linux on a box to perform the necessary tasks. However, I haven't found any hardware specs. The traffic goes out over a single T1 on a Cisco 2621. The pipe is pretty full all day but a lot of the traffic is junk and that is another reason for the proxy/firewall. Is a PIII 600 w/ 512 RAM enough horsepower? Am I completely off base? Any suggestions? Links?
Thanks,
Drew
20 years 5 months ago #3906
by Chris
Replied by Chris on topic Re: Linux: Firewall, NAT, Proxy
Hi there Drizzle, welcome to our fast growing community!
The specs you have described should do the job for a Linux firewall. The great thing about Linux is that it does not require the latest hardware specs to work, even for a network segment of 140 users!
Installing a Linux firewall/proxy on your segment will take care of unwanted traffic (considering you use IPTables to correctly block this traffic), but will not solve your worm/virus problem. For this, you require something a bit more sophisticated, such as Nexus or Snort; Sahir will be able to nail this part without a problem.
Have you ever played with IPTables at all? They are great, but a bit hard to understand for any first timers and I'm planning to cover them in much detail once the VLAN topic is out of the way.
If you are able to give us more information on what you're trying to block and the end result you require, we will be able to help more.
As far as your T1 link to the HQ goes, I'd suggest you also use MRTG on your Linux box to monitor the link's utilisation. I've done the same for my company's WAN and LAN links and it's the best thing I've done so far. You can spot in seconds a cluttered link or a link with problems, while at the same time observing the traffic patterns, to help you understand how data is transferred between nodes within your network, figuring out bottlenecks and taking action before they become a problem!
Nagios is also an excellent program, open source of course :) Check these tools out and let us know what you think. I can provide more info about them if required.
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
20 years 5 months ago #3908
by drizzle
Replied by drizzle on topic Re: Linux: Firewall, NAT, Proxy
Thanks Chris! I am a bit of a Linux/iptables noobie but I am up to the task. I have some time to work on this so I should have plenty of time to test. I am less concerned about the viruses than I am about the worms, and it really wouldn't have taken much to stop the worms that got through our corp firewall. That is what scares me! I finally got the damn enable passwords from corporate for my routers so I could put up some ACLs to stop the zombie boxes they had lying around attacking my network. As you can see, they are a real class act.
I have pretty good virus protection but I need better control over the content I/O on my network. I also want reporting tools like MRTG and possibly someday an IDS. Then I'm taking my solution to corporate and I'm gonna break some skulls!
I will definitely be asking questions but at this point I am really just beginning to scratch the surface. I am going to use Fedora Core 1. I just got done setting up MRTG. I have used it in Windows land but I am forcing myself to become a full-time Linux user. Do you have any example iptables configs you're willing to share? I am going command line because I really want to learn exactly what is going on on my network. I was looking at the UNIX/LINUX forum and ran across some good info/advice there.
I look forward to your iptables tutorials. You have put together a real top-notch resource with this site!
Regards!
drew
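Chris describes iptables as the piece that blocks the unwanted traffic and Drew asks for example configs, so here is an added example that was not posted in this thread (it is not Chris's, Drew's or Firewall.cx's code). It is a POSIX shell script with two functions: build_rules emits an iptables-restore ruleset for a Linux box sitting between the segment and the corporate link, and summarize_drops turns the "FW-DROP:" lines the ruleset writes to syslog into a per-source, per-port count. The interface names (eth0 toward the corporate WAN, eth1 toward the LAN), the 10.1.0.0/24 LAN address, the proxy port 3128 and the sample log lines are all assumptions or constructed for the example; real kernel LOG lines carry more fields (MAC=, TOS=, WINDOW=) than the sample, which the summariser ignores.

```shell
#!/bin/sh
# Added example, not code from this thread or from Firewall.cx.
# Emits an iptables-restore ruleset for a Linux box sitting between a LAN
# segment and the corporate WAN link, and summarises the drops it logs.
# Assumptions (all hypothetical): eth0 faces the corporate WAN, eth1 faces
# the LAN, the LAN is 10.1.0.0/24, and a proxy listens on TCP 3128 on the box.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.1.0.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Print the ruleset in iptables-restore format (loaded atomically, so a
# half-applied rule set never leaves the box open while the script runs).
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Rate-limited log then drop; the prefix is what summarize_drops keys on
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# Loopback and replies to connections this box opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets arriving from the WAN side but claiming a LAN source are spoofed
-A INPUT -i $WAN_IF -s $LAN_NET -j LOGDROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j LOGDROP
# LAN hosts may use the proxy and SSH on this box; nothing new from the WAN
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
# LAN -> WAN may start connections; WAN -> LAN only gets the replies
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the segment behind the box's WAN address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Read syslog on stdin, count FW-DROP lines per source address and
# destination port (ICMP and other portless packets show "-"), most first.
summarize_drops() {
    awk '/FW-DROP:/ {
        src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") count[src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what the LOG target writes to /var/log/messages:
# three SYNs to TCP 135, two to TCP 445, one ICMP echo, all from the WAN side.
SAMPLE_LOG='Jan 10 09:12:01 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.2.0.7 DST=10.1.0.5 LEN=48 TTL=126 ID=1 DF PROTO=TCP SPT=1034 DPT=135 SYN
Jan 10 09:12:01 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.2.0.7 DST=10.1.0.6 LEN=48 TTL=126 ID=2 DF PROTO=TCP SPT=1035 DPT=135 SYN
Jan 10 09:12:02 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.2.0.7 DST=10.1.0.7 LEN=48 TTL=126 ID=3 DF PROTO=TCP SPT=1036 DPT=135 SYN
Jan 10 09:12:05 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.2.0.9 DST=10.1.0.5 LEN=48 TTL=126 ID=7 DF PROTO=TCP SPT=2201 DPT=445 SYN
Jan 10 09:12:06 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.2.0.9 DST=10.1.0.8 LEN=48 TTL=126 ID=8 DF PROTO=TCP SPT=2202 DPT=445 SYN
Jan 10 09:12:09 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.2.0.3 DST=10.1.0.5 LEN=60 TTL=126 ID=9 PROTO=ICMP TYPE=8 CODE=0'

# sh fw.sh rules  | iptables-restore      apply the ruleset
# sh fw.sh report < /var/log/messages     per-source drop report
# sh fw.sh demo                           run the report on the sample above
case "${1:-}" in
    rules)  build_rules ;;
    report) summarize_drops ;;
    demo)   printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
esac
```

Review the output of `sh fw.sh rules` before piping it into iptables-restore, and keep a console session open in case the SSH rule does not match your setup. The FORWARD chain defaults to DROP and only passes connections the LAN side opened, so worm scans arriving from the corporate side hit LOGDROP instead of LAN hosts, and the limit match keeps a scanning storm from filling the disk with log lines. This matches Chris's caveat: a packet filter stops what corporate hosts push at the segment, but anything a LAN user fetches through the proxy still gets in, which is what Snort or a similar IDS is for. The `-m state` match is what iptables of the Fedora Core 1 era provides; newer releases also accept `-m conntrack --ctstate`.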
20 years 5 months ago #3910
by sahirh
Replied by sahirh on topic Re: Linux: Firewall, NAT, Proxy
If you're not very familiar with iptables you could consider implementing Smoothwall or some similar free open-source firewall that is built on iptables but provides you with an easy-to-use web administration panel. Furthermore, it will give you the ability to create your rules in the GUI and then have a look at them in the actual script form.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com