Koozali.org: home of the SME Server

Obsolete Releases => SME 7.x Contribs => Topic started by: mgb on June 18, 2009, 10:35:22 AM

Title: Setting Up an "alternative" NAT table!
Post by: mgb on June 18, 2009, 10:35:22 AM
Hello!
I wanted, with your attentive gaze, to hear your opinions about setting up a custom-tailored NAT table;
That is, having two NICs, instead of employing the common toolbox already present for the installation, building one ourselves, via the "RELATED/ESTABLISHED" protocols;
Having tested it on a different machine (however, a different distro), I can say that some very satisfactory results were attained.
Please, voicing your thoughts is crucial,
With many thanks,
P.S.
While relaying only the packets included in the sphere of the said protocols, we hope to eliminate requests posted to our server that don't comply.
Would this really make a difference?
Thank you!
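To make concrete what mgb describes (a two-NIC NAT box whose forwarding is built around RELATED/ESTABLISHED conntrack matching rather than a pre-built toolbox), here is an added example that is not from this thread and not SME Server's own firewall templates. It generates a ruleset in iptables-restore format and runs a sanity check on it before it is ever loaded; the interface names eth0 (WAN) and eth1 (LAN), the LAN subnet, and the ssh management rule are assumptions for illustration. Note that, as the next reply points out, loading this directly on an SME box will collide with the rules SME generates itself, so try it on a spare machine.

```shell
#!/bin/sh
# Added example, not from the original thread or from SME Server's scripts.
# Builds a minimal stateful NAT ruleset for a two-NIC gateway in
# iptables-restore format. Interface names, subnet and the ssh rule are assumptions.

nat_ruleset() {
    wan="$1"      # NIC facing the ISP router, e.g. eth0 (assumption)
    lan="$2"      # NIC facing the LAN, e.g. eth1 (assumption)
    lan_net="$3"  # LAN subnet, e.g. 192.168.1.0/24 (assumption)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving the WAN NIC to the WAN address.
-A POSTROUTING -s ${lan_net} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets conntrack cannot classify (bad TCP flags, out-of-window) are dropped first.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Replies to connections opened from inside, plus related flows (ICMP errors, FTP data).
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Only the LAN may open NEW connections through the box; nothing arriving on the WAN can.
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -m conntrack --ctstate NEW -j ACCEPT
# Management of the gateway itself from the LAN only (ssh, as an assumed example).
-A INPUT -i ${lan} -s ${lan_net} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: the FORWARD chain must never ACCEPT a NEW
# connection that arrives on the given NIC (pass the WAN NIC). Returns 0 if clean.
check_no_wan_new() {
    ! printf '%s\n' "$1" | grep -q -- "-A FORWARD -i $2 .*NEW.*ACCEPT"
}

# Generate, verify, and print; load with: iptables-restore < rules.txt
rules=$(nat_ruleset eth0 eth1 192.168.1.0/24)
check_no_wan_new "$rules" eth0 && printf '%s\n' "$rules"
```

The point of the RELATED/ESTABLISHED rule is that inbound packets are forwarded only when a conntrack entry already exists for them, so an unsolicited request from the WAN side never matches anything but the DROP policy. On the older kernels shipped with SME 7 the equivalent match is `-m state --state` instead of `-m conntrack --ctstate`; the semantics are the same.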
Title: Re: Setting Up an "alternative" NAT table!
Post by: Stefano on June 18, 2009, 10:49:02 AM
mgb
if you search the forums for 'firewall iptables custom' you'll find many topics.

in short, you shouldn't modify nat/iptables on your own because you'll break your server..

if you need something different, I suggest you use a different distro as a firewall in front of your SME (smoothwall, ipcop, m0n0wall, endian etc)

or, you can subscribe to the devs' ML and ask them how to modify SME firewall behaviour in the SME way.

hth
ciao
Stefano
Title: Re: Setting Up an "alternative" NAT table!
Post by: shawnbishop on August 03, 2009, 05:42:28 PM
Ok..

If I was to use, say, a different distro, what steps would I follow to install, say, "IPCop" as a virtual machine inside the SME with VMware, and then configure the IPCop to act as the firewall...

1. What would the configuration of the VMware IPCop be?
2. Would the SME be in Server-only mode or Server/Gateway..

etc...
Title: Re: Setting Up an "alternative" NAT table!
Post by: Stefano on August 03, 2009, 06:07:43 PM
hi

- install vmware or virtualbox on your SME (in server-only mode)
- install your favourite firewall distro (I suggest m0n0wall (http://m0n0.ch/wall) as it needs a very small amount of resources); its VM must have 2 virtual NICs
- configure your firewall to use, on the WAN side, your default GW
- configure your clients and SME to use your firewall's LAN address as default gateway

that's the theory..

anyway, running a virtual FW has, obviously, pros and cons.. think about a failure in your SME.. and consider also the fact that your FW will start after you start SME

if you need a pure firewall (i.e. no proxy), I suggest, as I said, m0n0wall.. you can install it on a small appliance (http://m0n0.ch/wall/hardware.php)

HTH
Ciao
Stefano
Title: Re: Setting Up an "alternative" NAT table!
Post by: shawnbishop on August 03, 2009, 09:04:27 PM
Mmmm.. It seems interesting... does m0n0wall have 1-to-1 NAT for multiple external static IP addresses on a single NIC??

What about an option like Smoothwall or Vyatta??
Title: Re: Setting Up an "alternative" NAT table!
Post by: Stefano on August 03, 2009, 09:35:00 PM
Quote
Mmmm.. It seems interesting... does m0n0wall have 1-to-1 NAT for multiple external static IP addresses on a single NIC??

I think so, but did you read here (http://m0n0.ch/wall/features.php)? :-)

Quote
What about an option like Smoothwall or Vyatta??

I was a SW user years ago, but I left it for IPCop/m0n0wall
anyway, if you need only a powerful firewall (i.e. no proxy, no IDS, nothing more than packet filtering) I strongly suggest m0n0wall because it runs entirely in RAM and because... oh, wait, you'd better try it, you'll discover :-)

HTH
Ciao
Stefano