Ubuntu Gateway
Kaushal Shriyan
kaushalshriyan at gmail.com
Mon Apr 4 05:46:12 UTC 2011
On Mon, Apr 4, 2011 at 11:14 AM, Pandu Poluan <pandu at poluan.info> wrote:
> Heh, to each their own poison, I guess :-)
>
> But Diego is right: For most use-cases, Shorewall or Arno's would be
> enough.
>
> So it all depends on one's needs.
>
>
Arno's? What does it mean?
Thanks
Kaushal
> On Mon, Apr 4, 2011 at 12:24, Diego Xirinachs <dxiri343 at gmail.com> wrote:
> > I think what Pandu suggested is great but way too advanced for some people
> > (including me), I would say shorewall can fulfill most people's needs, and
> > what they say is true (shorewall, iptables made easy). I use it and have
> > had no problems at all with it. For me, just shorewall + squid does the
> > job, I maintain 2 offices, 1 with + clients and the other one with 56, in
> > both I have the same setup and it works very well.
> > Pandu's approach is great but like he said, you need to know iptables
> > more than you know your wife.
> > cheers and hope it helped
> >
> > 2011/4/3 Pandu Poluan <pandu at poluan.info>
> >>
> >> Hello Kaushal.
> >>
> >> I've been using Ubuntu Server as a gateway and firewall since the last
> >> LTS before 10.04 LTS. Currently, my company's Internet gateway is
> >> 10.04.02 LTS, handling 4 Internet Connections (2Mbps, 2Mbps, 10Mbps,
> >> 1Mbps), outgoing *and* incoming.
> >>
> >> You'll need to be familiar with iptables. And by familiar, I mean
> >> *really* familiar. I'd say I know iptables better than I know my wife
> >> :) ... well, just kidding. Sort of.
> >>
> >> You'll also need to become familiar with iproute2 if you need
> >> Policy-Based Routing (e.g., routing based on source instead of
> >> destination). And you will want to learn fwmark-based routing.
> >>
> >> If you want to throttle connections, you also have to familiarize
> >> yourself with tc. Or use tcng for a (much) friendlier way to configure
> >> tc.
> >>
> >> You will want to tune the box's networking parameters. In particular,
> >> various timeouts and buffer sizes. Oh, and use HTCP rather than CUBIC.
> >>
> >> Finally, when you've gone the highly-customized system route like I
> >> did, you can't rely on simple iptables management like
> >> iptables-persistent. Even Shorewall or Arno's can't fulfill my needs.
> >> I have to create my own 'harness' to run everything, e.g.:
> >> + Custom startup scripts to ensure ipset's sets get loaded before
> >> iptables' rules
> >> + Custom startup scripts to populate the routing table
> >> + Custom scripts to save the state of the firewall/gateway when a
> >> change has been made (so that the next startup will properly restore
> >> the state)
> >>
> >> I am currently in the process of making Python-based scripts to help
> >> in my firewall/gateway maintenance. But it's still in 'Deep Alpha'
> >> state, so I can't share it with you yet.
> >>
> >> Feel free to contact me privately if you want to see how I set things
> >> up. I'll share my scripts and configs.
> >>
> >> Rgds,
> >>
> >>
> >> On 2011-04-04, Kaushal Shriyan <kaushalshriyan at gmail.com> wrote:
> >> > Hi,
> >> >
> >> > I have planned to use 10.04 LTS for setting up Internet Gateway in my
> >> > office. What should be the hardware configuration and what all
> >> > recommended applications are needed?
>
>
> --
> Pandu E Poluan
> ~ IT Optimizer ~
> Visit my Blog: http://pepoluan.posterous.com
>
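
The quoted message mentions startup scripts that make sure ipset's sets are loaded before the iptables rules. The sketch below is an added example, not a script from this thread or from any poster: it checks that every set the saved rules reference exists in the saved set dump, then restores in that order. It assumes dumps written by `ipset save` (ipset 6+ syntax) and `iptables-save`; the function names and sample data are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes dumps written by `ipset save`
# (ipset 6+ syntax) and `iptables-save`; function names are hypothetical.

# Set names created in an `ipset save` dump ("create NAME TYPE ...").
defined_sets() { awk '$1 == "create" { print $2 }' "$1" | sort -u; }

# Set names that rules in an iptables-save dump depend on.
referenced_sets() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "--match-set" || $i == "--add-set" || $i == "--del-set")
                 print $(i + 1) }' "$1" | sort -u
}

# Print sets the rules need but the dump lacks; status 1 if there are any.
missing_sets() {
    missing=$(referenced_sets "$2" | while read -r name; do
        defined_sets "$1" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Load sets first, then rules. DRY_RUN=1 prints the commands instead.
restore_firewall() {
    if ! undefined=$(missing_sets "$1" "$2"); then
        echo "refusing to load rules, undefined sets: $undefined" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ipset restore < %s\niptables-restore < %s\n' "$1" "$2"
    else
        ipset restore < "$1" && iptables-restore < "$2"
    fi
}

# Constructed sample dumps: the rules reference a set the dump never creates.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'create blocklist hash:ip' 'add blocklist 192.0.2.10' > "$d/sets"
    printf '%s\n' '*filter' '-A FORWARD -m set --match-set blocklist src -j DROP' \
        '-A FORWARD -m set --match-set vpn_peers src -j ACCEPT' 'COMMIT' > "$d/rules"
    DRY_RUN=1 restore_firewall "$d/sets" "$d/rules"; status=$?
    rm -rf "$d"; return "$status"
}
```

Calling `demo` shows the refusal path: the constructed rules reference `vpn_peers`, which the constructed set dump never creates, so nothing is loaded.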