Thanks to all who responded!
[ Steve Lindsay ]
> I find shorewall is the nicest way to go about this sort of thing. You
> write some fairly straightforward configuration files describing your
> setup and what you want to achieve, and it handles all the iptables
> configuration for you. Easy to setup, easy to maintain, easy to modify
> when your requirements change (if you want to do some port forwarding
> etc.).
>
> http://www.shorewall.net
[ Fernando ]
Second that, it's what we use. But I don't use
it as a NAT gateway.
For an internal authenticated "guest" network for wired/wireless laptop
access + NAT for outgoing stuff we use chillispot
(http://www.chillispot.info/), you need two network interfaces and
chillispot manages a dhcp server for the internal side and tunneling to
go outside. Users see a "login screen" through any browser where they
can enter their account name and password and then they are granted
access to the network (I did use shorewall in the gateway machine to
manage firewalling). In our own machines I set up a static route to the
"internal" 192.x.x.x network so that laptops are reachable from our
Linux workstations.
The situation here is somewhat different - the
internal network *is* trusted. All the computers
are in a single room, most of them even in the
same rack, and it's not a multi-user scenario.
Strict rules will be applied for anything coming
in from the outside to the router, but these are
essentially the same that would be applied to any
single machine.
I'll keep the higher level tools in mind for next
time. But since by now I've already learned to hack
iptables in order to accommodate some other special
requirements on the internal net, that's what I'm
going to do for the NAT as well - it's in fact a
lot simpler than what I imagined.
Ciao,
--
FA
Laboratorio di Acustica ed Elettroacustica
Parma, Italia
O you, what do you bring, running so?
War and death!
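The kind of plain-iptables NAT gateway the message above describes (a trusted LAN behind the router, nothing from the outside accepted except replies to connections the LAN opened), as an added example that is not part of this thread or any poster's configuration. Interface names and the LAN subnet are assumed placeholders, and the script prints the rules for review unless invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables NAT gateway for a
# trusted internal LAN with a default-deny policy towards the outside.
# Interface names and the LAN subnet below are assumed placeholders.
EXT_IF="${EXT_IF:-eth0}"             # interface facing the outside world
INT_IF="${INT_IF:-eth1}"             # interface facing the trusted LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}" # the internal network behind the router

# Print the rule set, one iptables command per line, so it can be reviewed
# before anything is applied. Policies come first, then the explicit accepts.
# Nothing from EXT_IF reaches the router or the LAN unless it is a reply to a
# connection opened from inside; add explicit INPUT rules for any service
# the router itself must expose.
nat_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity check on the generated set: exactly one MASQUERADE rule and a DROP
# policy on INPUT, so a typo in the variables cannot silently open the router.
check_rules() {
    rules=$(nat_rules)
    [ "$(printf '%s\n' "$rules" | grep -c 'POSTROUTING.*MASQUERADE')" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c '^iptables -P INPUT DROP$')" -eq 1 ] || return 1
    return 0
}

# Dry run by default; "apply" enables forwarding and loads the rules (needs root).
case "${1:-}" in
    apply)
        check_rules || { echo "rule check failed" >&2; exit 1; }
        sysctl -w net.ipv4.ip_forward=1
        nat_rules | sh -e
        ;;
    *)
        nat_rules
        ;;
esac
```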