Re: iptables firewall and forwarding.

From: Zow (zow@llnl.gov)
Date: 10/22/02


To: "Sheldon Lee Wen" <sheldon.leewen@cgi.com>
Date: Tue, 22 Oct 2002 08:16:20 -0700
From: "Zow" Terry Brugger <zow@llnl.gov>

Sheldon,
> I'm in a big bind. Our raptor firewall is toast,
> That said, now my boss wants to put in a linux firewall.

Congratulations -- you have a smart boss. Raptor is a good firewall, but for
ROI, iptables puts it to shame.

> I have the box on both networks and masquerading, so that you can go from the
> developer workstations to the development servers. However, the development
> servers used to be on the yyy.yyy.yyy.yyy and the raptor firewall has been
> forwarding their old yyy.yyy.yyy.yyy addresses to the xxx.xxx.xxx.xxx
> addresses, but the raptor firewall is not the router or gateway for the
> yyy.yyy.yyy.yyy network. So, I'm not sure how I can do that on Linux. Has the
> raptor firewall been acting as a router as well? Do I need routed on Linux?

Okay, I'm a bit confused here: you said the box is connected to both
networks, however it is not the gateway for the yyy network? I'm reading that
as: it is the gateway for the xxx network? What is the gateway for the
yyy network? Is the new Linux box supposed to be the firewall for both networks?

I'm guessing the easiest solution will be a Linux box with three NICs: one
for the xxx net (with an IP on the xxx net), one for the yyy net (again, with
an IP on the yyy net), and a third connected to the outside world (with the
appropriate external IP). You won't need to use routed. Just set the internal
routing (use the route command) table to forward packets between the xxx and
yyy networks. Turn on IP forwarding, and set up iptables to masquerade any
addresses on the xxx or yyy networks as they come through. If this box is
supposed to be the gateway for the xxx net, set the boxes on the xxx net to
use it for such. Ditto for the yyy net.

If either net has a different gateway, you can continue to use that, however
I wouldn't recommend it: having multiple paths in or out of a network is just
an increase in the number of points that you need to monitor and maintain.

Hope this helps,
Terry

#include <stddisclaimer.h>
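The three-NIC layout Terry describes (xxx net, yyy net, outside world; forwarding on; masquerade on the way out), written out as an iptables script. This is an added example, not Terry's or Sheldon's code; the interface names (eth0/eth1/eth2) and the private ranges standing in for xxx.xxx.xxx.0/24 and yyy.yyy.yyy.0/24 are assumptions to be replaced with the real ones. One design choice is made explicit: traffic between the xxx and yyy nets is simply routed, and only packets leaving on the external interface are masqueraded, since there is no reason to hide internal addresses from each other once the Linux box is the router for both. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Assumed interface names and address ranges (hypothetical; adjust to your box).
EXT_IF="${EXT_IF:-eth0}"            # link to the outside world
XXX_IF="${XXX_IF:-eth1}"            # xxx net: developer workstations
YYY_IF="${YYY_IF:-eth2}"            # yyy net: development servers
XXX_NET="${XXX_NET:-10.1.0.0/24}"   # stands in for xxx.xxx.xxx.0/24
YYY_NET="${YYY_NET:-10.2.0.0/24}"   # stands in for yyy.yyy.yyy.0/24

# run CMD...: execute the command, or print it when DRY_RUN=1 (needs root otherwise).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# firewall_rules: the whole ruleset, in the order it must be applied.
firewall_rules() {
  # 1. Turn on IP forwarding so the kernel will route between the three NICs.
  run sysctl -w net.ipv4.ip_forward=1

  # 2. Clean slate; default-deny anything forwarded that is not explicitly allowed.
  run iptables -F
  run iptables -t nat -F
  run iptables -P FORWARD DROP

  # 3. xxx <-> yyy: plain routing, both directions, no NAT involved.
  run iptables -A FORWARD -i "$XXX_IF" -o "$YYY_IF" -s "$XXX_NET" -d "$YYY_NET" -j ACCEPT
  run iptables -A FORWARD -i "$YYY_IF" -o "$XXX_IF" -s "$YYY_NET" -d "$XXX_NET" -j ACCEPT

  # 4. Internal nets may initiate connections outward; only replies come back in.
  run iptables -A FORWARD -i "$XXX_IF" -o "$EXT_IF" -s "$XXX_NET" -j ACCEPT
  run iptables -A FORWARD -i "$YYY_IF" -o "$EXT_IF" -s "$YYY_NET" -j ACCEPT
  run iptables -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 5. Masquerade internal source addresses only as they leave on the external link.
  run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$XXX_NET" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$YYY_NET" -j MASQUERADE
}

case "${1:-}" in
  apply)   firewall_rules ;;
  dry-run) DRY_RUN=1; firewall_rules ;;
esac
```

Run it as `sh fw.sh dry-run` to review the commands and `sh fw.sh apply` (as root) to load them. No `route add` is needed for the xxx/yyy hop: once eth1 and eth2 have addresses on those subnets the kernel installs the connected routes itself, and only the default route out eth0 has to be set by hand. The MASQUERADE lines are restricted with `-o "$EXT_IF"`, so a workstation reaching a development server still sees the real xxx address in its logs.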
