Subject: Re: [IPCop-devel] Multiple Green NICs…
From: Paul Van Allsburg <paulvan () novagate ! com>
Date: 2004-05-22 22:12:41
Message-ID: 40AFD059.6030702 () novagate ! com
Runar Skraastad wrote:
> Tue, 18.05.2004 at 22.04 Neil A. Hillard wrote:
>> I’ve had a search but not come up with anything suitable. Has
>> anyone set up IPCop with multiple Green NICs ??? I have a requirement
>> for three Green NICs so that individual departments have full Internet
>> access but do not have access to each other’s networks.
>> Any advice would be appreciated.
>> Many thanks in advance,
> Hi Neil!
> I’m sorry for this late answer: Yes it’s possible, but it requires you to
> get your hands dirty 😉
> You can do this with a number of different commercial firewall/routers.
> But at the moment there is no mod that will solve this on IPCop.
> To do this, you have to follow these steps 🙂 (if you choose to use
> 1.4b3 instead you don’t have to add an extra NIC.)
> Log onto your IPCop. Choose a color for your NIC. In the example I use
> yellow 🙂
> 1. Adding an extra NIC.
> This is the part where I’m not 100% certain. I’ve only done this one
> time, and that’s over a year ago. So you need to test this.
> First of all, you need to know what driver your card will use.
> Backup your settings file with
> cp /var/ipcop/ethernet/settings /var/ipcop/ethernet/settings.bak
> Open for editing with
> vi /var/ipcop/ethernet/settings
> YELLOW_DEV=<probably eth3>
> YELLOW_DRIVER=<drivername you need e.g 3c509>
> YELLOW_DRIVER_OPTIONS=<most likely you can leave this blank>
> YELLOW_DISPLAYDRIVER=<same value as YELLOW_DRIVER>
> YELLOW_ADDRESS=<choose an ip here e.g. 192.168.2.1>
> YELLOW_NETMASK=<the appropriate netmask e.g. 255.255.255.0>
> YELLOW_NETADDRESS=<the address to the ip-range for this net e.g.
> YELLOW_BROADCAST=<the broadcast address e.g. 192.168.2.255>
> Now, reboot your IPCop and run ifconfig, it should list your yellow card
> along with the others
> 2. Changing firewall rules
> Back up your rc.local file with
> cp /etc/rc.d/rc.local /etc/rc.d/rc.local.bak
> Open it with
> vi /etc/rc.d/rc.local
> Add these lines:
> # Denying all traffic between the green nets
> /sbin/iptables -A CUSTOMFORWARD -i $YELLOW_DEV -o $GREEN_DEV -j DROP
> /sbin/iptables -A CUSTOMFORWARD -i $YELLOW_DEV -o $ORANGE_DEV -j DROP
> /sbin/iptables -A CUSTOMFORWARD -i $ORANGE_DEV -o $GREEN_DEV -j DROP
> /sbin/iptables -A CUSTOMFORWARD -i $ORANGE_DEV -o $YELLOW_DEV -j DROP
> /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $YELLOW_DEV -j DROP
> /sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -o $ORANGE_DEV -j DROP
> # Denying
> # Allowing all other traffic from the added green nets
> /sbin/iptables -A CUSTOMFORWARD -i $ORANGE_DEV -j ACCEPT
> /sbin/iptables -A CUSTOMFORWARD -i $YELLOW_DEV -j ACCEPT
> # Allowing
> /sbin/iptables -A CUSTOMINPUT -i $ORANGE_DEV -j ACCEPT
> /sbin/iptables -A CUSTOMINPUT -i $YELLOW_DEV -j ACCEPT
> Now, reboot and test the two nets. If you don’t have the proxy active,
> they should have complete contact to the internet but not to each other 🙂
> 3. Making proxy work for the extra nets
> 4. Making dhcp work for the extra nets
> 3 and 4 are even more dirty work. If you don’t need it, forget it. But if
> you need it, contact me off list. I will guide you through it 🙂
> But first you need to test step 1 and 2. In case of a problem, contact
> me 🙂
I’d like to make dhcp work for the extra nets…
Then I’d like to add DansGuardian on one of the networks.
But, I’ll tackle this one step at a time.
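A worked illustration of how the CUSTOMFORWARD rules quoted in this thread behave, added here as an example; it is not part of the thread and not IPCop's own code. It models iptables' first-match traversal of the chain in Python, using the six inter-net DROP rules and the two blanket ACCEPT rules from Runar's reply. The eth* names bound to GREEN, ORANGE, YELLOW and RED are assumptions for the sake of the example. The isolation check and the deliberately misordered variant show why the DROP rules must sit before the blanket ACCEPT rules: iptables stops at the first matching rule, so an ACCEPT on `-i $YELLOW_DEV` placed earlier would let yellow reach green.

```python
# Added example: first-match evaluation of IPCop's CUSTOMFORWARD chain.
# Device-name mapping below is an ASSUMPTION, not taken from the thread.
GREEN_DEV = "eth0"
ORANGE_DEV = "eth1"
RED_DEV = "eth2"
YELLOW_DEV = "eth3"

# Each rule is (in_interface, out_interface, target).
# None stands for an omitted -i or -o match, i.e. "any interface".
# Order mirrors the rc.local lines from the thread.
CUSTOMFORWARD = [
    (YELLOW_DEV, GREEN_DEV, "DROP"),
    (YELLOW_DEV, ORANGE_DEV, "DROP"),
    (ORANGE_DEV, GREEN_DEV, "DROP"),
    (ORANGE_DEV, YELLOW_DEV, "DROP"),
    (GREEN_DEV, YELLOW_DEV, "DROP"),
    (GREEN_DEV, ORANGE_DEV, "DROP"),
    (ORANGE_DEV, None, "ACCEPT"),
    (YELLOW_DEV, None, "ACCEPT"),
]

# Same rules, but with the blanket ACCEPTs placed first: a plausible
# copy-paste mistake that silently defeats the isolation.
MISORDERED = CUSTOMFORWARD[6:] + CUSTOMFORWARD[:6]


def evaluate(chain, in_if, out_if, default="RETURN"):
    """Return the target of the first rule matching (in_if, out_if).

    A user-defined chain with no matching rule ends with an implicit
    RETURN, handing the packet back to the rest of IPCop's FORWARD chain.
    """
    for rule_in, rule_out, target in chain:
        if rule_in in (None, in_if) and rule_out in (None, out_if):
            return target
    return default


def forwarding_matrix(chain, devs):
    """Verdict for every ordered pair of distinct interfaces."""
    return {
        (src, dst): evaluate(chain, src, dst)
        for src in devs
        for dst in devs
        if src != dst
    }


def isolation_holds(chain, local_devs):
    """True if every pair of local nets is DROPped in both directions."""
    return all(
        evaluate(chain, src, dst) == "DROP"
        for src in local_devs
        for dst in local_devs
        if src != dst
    )


if __name__ == "__main__":
    local = [GREEN_DEV, ORANGE_DEV, YELLOW_DEV]
    for name, chain in (("as posted", CUSTOMFORWARD), ("misordered", MISORDERED)):
        print(f"--- {name}: isolation holds = {isolation_holds(chain, local)}")
        for (src, dst), verdict in forwarding_matrix(chain, local + [RED_DEV]).items():
            print(f"  {src} -> {dst}: {verdict}")
```

Note that yellow and orange traffic bound for RED hits the blanket ACCEPT, while green-to-RED traffic falls through (RETURN) to IPCop's own rules, which already allow it; only the added nets need the explicit ACCEPT.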