Ubuntu Gateway

Pandu Poluan pandu at poluan.info
Mon Apr 4 05:44:27 UTC 2011


Heh, to each their own poison, I guess :-)

But Diego is right: For most use-cases, Shorewall or Arno's would be enough.

So it all depends on one's needs.

On Mon, Apr 4, 2011 at 12:24, Diego Xirinachs <dxiri343 at gmail.com> wrote:
> I think what Pandu suggested is great but way too advanced for some people
> (including me). I would say shorewall can fulfill most people's needs, and
> what they say is true (shorewall, iptables made easy). I use it and have
> had no problems at all with it. For me, just shorewall + squid does the job.
> I maintain 2 offices, 1 with + clients and the other one with 56; in both I
> have the same setup and it works very well.
> Pandu's approach is great but like he said, you need to know iptables more
> than you know your wife.
> cheers and hope it helped
>
> 2011/4/3 Pandu Poluan <pandu at poluan.info>
>>
>> Hello Kaushal.
>>
>> I've been using Ubuntu Server as a gateway and firewall since the last
>> LTS before 10.04 LTS. Currently, my company's Internet gateway is
>> 10.04.02 LTS, handling 4 Internet Connections (2Mbps, 2Mbps, 10Mbps,
>> 1Mbps), outgoing *and* incoming.
>>
>> You'll need to be familiar with iptables. And by familiar, I mean
>> *really* familiar. I'd say I know iptables better than I know my wife
>> :) ... well, just kidding. Sort of.
>>
>> You'll also need to become familiar with iproute2 if you need
>> Policy-Based Routing (e.g., routing based on source instead of
>> destination). And you will want to learn fwmark-based routing.
>>
>> If you want to throttle connections, you also have to familiarize
>> yourself with tc. Or use tcng for a (much) friendlier way to configure
>> tc.
>>
>> You will want to tune the box's networking parameters. In particular,
>> various timeouts and buffer sizes. Oh, and use HTCP rather than CUBIC.
>>
>> Finally, when you've gone the highly-customized system route like I
>> did, you can't rely on simple iptables management like
>> iptables-persistent. Even Shorewall or Arno's can't fulfill my needs.
>> I have to create my own 'harness' to run everything, e.g.:
>> + Custom startup scripts to ensure ipset's sets get loaded before
>> iptables' rules
>> + Custom startup scripts to populate the routing table
>> + Custom scripts to save the state of the firewall/gateway when a
>> change has been made (so that the next startup will properly restore
>> the state)
>>
>> I am currently in the process of making Python-based scripts to help
>> in my firewall/gateway maintenance. But it's still in 'Deep Alpha'
>> state, so I can't share it with you yet.
>>
>> Feel free to contact me privately if you want to see how I set things
>> up. I'll share my scripts and configs.
>>
>> Rgds,
>>
>>
>> On 2011-04-04, Kaushal Shriyan <kaushalshriyan at gmail.com> wrote:
>> > Hi,
>> >
>> > I have planned to use 10.04 LTS for setting up Internet Gateway in my
>> > office. What should be the hardware configuration and what all
>> > recommended
>> > applications are needed ?


--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
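Pandu's point about loading ipset sets before iptables rules is the kind of thing a startup harness should verify rather than assume. The following pre-flight check is an added example, not code from the thread or from Pandu's scripts: it parses constructed `ipset save` and `iptables-save` dumps and refuses the restore if a rule references a set that the ipset dump does not define (file names and set names are assumptions).

```shell
#!/bin/sh
# Added example: check that every set referenced by -m set --match-set in a
# saved iptables ruleset is defined in the saved ipset dump, so that running
# ipset-restore followed by iptables-restore at boot cannot fail half-way.

# Constructed sample dumps. A real harness would read them from files such as
# /etc/firewall/ipset.save and /etc/firewall/iptables.save (assumed names).
IPSET_DUMP='create blocklist hash:ip family inet hashsize 1024 maxelem 65536
add blocklist 192.0.2.10
create office_lan hash:net family inet hashsize 1024 maxelem 65536
add office_lan 10.0.0.0/24'

IPT_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set blocklist src -j DROP
-A FORWARD -m set --match-set office_lan src -j ACCEPT
-A FORWARD -m set --match-set guest_wifi src -j ACCEPT
COMMIT'

# Names of sets created in an ipset dump, one per line, sorted and unique.
defined_sets() {
    printf '%s\n' "$1" | awk '$1 == "create" { print $2 }' | sort -u
}

# Names of sets referenced by --match-set in an iptables dump, sorted and unique.
referenced_sets() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1) }' |
        sort -u
}

# Print every referenced set that is not defined; exit status 1 if any is missing.
missing_sets() {
    defined=$(defined_sets "$1")
    rc=0
    for name in $(referenced_sets "$2"); do
        if ! printf '%s\n' "$defined" | grep -qxF -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

if missing=$(missing_sets "$IPSET_DUMP" "$IPT_DUMP"); then
    echo "all referenced sets are defined: safe to run ipset-restore, then iptables-restore"
else
    echo "refusing to restore: rules reference undefined set(s): $missing" >&2
fi
```

With the sample dumps the check reports `guest_wifi` as undefined; a startup script would run this before `ipset restore < ipset.save && iptables-restore < iptables.save` and stop on a non-zero status.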
