Complete.Org: Mailing Lists: Archives: linux-help: April 2001:
[linux-help] Re: Ethernet card setup / Gateway system
To: <linux-help@xxxxxxxxx>
Subject: [linux-help] Re: Ethernet card setup / Gateway system
From: Carl D Cravens <raven@xxxxxxxxxxx>
Date: Wed, 4 Apr 2001 11:25:46 -0500 (CDT)
Reply-to: linux-help@xxxxxxxxx

On Tue, 3 Apr 2001, John Lucas wrote:

> mainly because I really have no idea what I am doing.  I have a Linksys card
> that uses the "tulip" driver.  My card came with the tulip.o and pciscan.o
> files, and I followed the instructions for installing those on the system,
> but when it came time to compile those files, I was presented with a screen
> full of compiler errors.  Brick wall (AKA "duh", AKA "I'm lost").

.o files are object files... they're already compiled.  I'm not sure what
your instructions look like, but those are likely the final driver modules
that get loaded dynamically by the kernel.

> Now, back to the gateway server thing.  I would like to get your thoughts on
> the best way to arrange a network so that I can have multiple computers on
> line while having the rest of the internet only see one IP.  Can this be
> accomplished on a single LAN?  Or do I have to have two NICs in the gateway
> (is that even the correct name for it?) server?

Gateway is an appropriate term.

It is possible to have two entirely different subnets on the same physical
network.  They both talk on the same wire, but the two networks don't
interact.  It would probably double your traffic on the wire...  Host A
talks to the gateway, then the gateway passes it on to the cable modem on
the same wire.  There are security issues... there's nothing to keep a
client from changing its netmask and joining the wrong network.  It
doesn't physically segment the cable modem from the rest of your LAN and
probably compromises any attempt at firewalling.

The traditional method is to use two NICs though...  one talks to the
cable modem, the other to the "internal" network.  That's how I do it and
it's easier to keep the routing table straight in your head that way.

> I've heard people talk about "gateway servers" and NAT and "proxy servers"
> and "firewalls" etc.,  but I'm really not sure what the difference is
> between them, which one I need, or what will be required to set it up.

A gateway is a box which traffic must pass through to get from one network
to another.  A plain vanilla gateway doesn't change the addresses in the
packets, it just forwards them on to the next gateway or destination
server.  (Your client has a default gateway...  if it doesn't know exactly
where a packet goes, it sends it there.  Your gateway *also* has a default
gateway (the cable modem) that it sends things it doesn't know how to
deliver.)

A proxy server "stands in" for another machine when talking to another
network...  the proxy is also a gateway, but it's a very restrictive
gateway and only allows specific traffic through.  It's what allows you to
use the web from work, but not telnet out.  It essentially pretends to be
the server to you and the client to the guy you want to talk to... both of
you see only the proxy and never talk directly to each other.  The proxy
generally doesn't reveal your IP address to the server you talk to, it
pretends to be the client and the server doesn't realize it's not talking
to the proxy machine.

A firewall restricts and logs incoming connections.  It's what keeps AOL
users from viewing your company's secret web servers.

(A proxy basically restricts what you can reach from inside your network.
A firewall basically restricts what others can reach from outside your
network.  Most companies with security concerns will run both on the same
gateway machine.  So your gateway can be a proxy and a firewall at the
same time.)

I don't recognize the term 'NAT' so you probably don't need to know about
it. :)

Technically, if you're using one IP address on the cable modem and all
your internal hosts use non-routable addresses (192.168.0.x), then you'll
use IP Masquerading on the Linux gateway...  it will technically be a
proxy server, even if you don't want to restrict what the internal hosts
can reach on the Internet, because it has to do host address
translation...  you've got 5 hosts talking to web servers on the Internet,
but those five web servers see only one IP address, which is how a proxy
works.

You may or may not run a firewall, depending on how worried you are about
security.  Because the internal hosts don't have routable IP addresses,
they can't be contacted from the outside, so you don't need a firewall to
protect them.  But you may want a firewall to protect the gateway machine
itself, or at least to log attempted connections to it.  (A compromise is
to shut off every service in inetd.conf that you don't use and don't run
daemons for services you don't use.)

(If you really want to know how IP Masq knows what traffic goes to what
machine, I can cover that... but it requires a brief explanation of
sockets so I won't go into it at this time.)

--
Carl D Cravens (raven@xxxxxxxxxxx)
Everyone is gifted...  Some open the package sooner.



-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
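As an added illustration of the masquerading the reply describes (five hosts behind one address, and how the gateway knows which reply belongs to which machine), here is a toy model of the translation table such a gateway keeps. It is example code written for this archive page, not code from the original post or from the Linux IP masquerading implementation; the gateway and web server addresses, the 192.168.0.x sample LAN, the local port 1025 and the 61000-65095 port pool are all assumptions chosen for the demo.

```python
# Added example (not from the original post): a toy model of the IP
# masquerading table a Linux gateway keeps, showing how several internal
# hosts share one external address and how replies find their way back.
# Addresses, the port range and the sample LAN are assumptions for the demo;
# the Internet-side addresses come from the RFC 5737 documentation ranges.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GATEWAY_EXTERNAL_IP = "203.0.113.10"   # assumed: the one IP the cable modem hands out
WEB_SERVER = "198.51.100.7"            # assumed: some web server on the Internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Masquerader:
    """Source NAT for one external address, keyed on the full 5-tuple."""

    def __init__(self, external_ip: str, first_port: int = 61000, last_port: int = 65095) -> None:
        self.external_ip = external_ip
        self._free_ports = iter(range(first_port, last_port + 1))  # assumed port pool
        # internal 5-tuple -> port the gateway uses on the outside for that flow
        self._out: Dict[Tuple[str, int, str, int, str], int] = {}
        # (masqueraded port, remote ip, remote port, proto) -> (internal ip, internal port)
        self._in: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def egress(self, pkt: Packet) -> Packet:
        """Internal host -> Internet: rewrite the source to the gateway's IP and a
        per-flow port.  Two hosts that pick the same local port still get distinct
        external ports, because the mapping is per flow, not per port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self._out.get(key)
        if port is None:
            port = next(self._free_ports)  # StopIteration once the pool is exhausted
            self._out[key] = port
            self._in[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: a reply is rewritten to the internal host that
        opened the flow.  Anything with no matching entry (an unsolicited
        connection attempt, say) is not forwarded to any internal host and
        returns None; on a real box it would be answered or refused by the
        gateway itself, which is why services you do not use belong switched off."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        target = self._in.get(key)
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)

    def table(self) -> Dict[Tuple[str, int, str, int, str], int]:
        """Snapshot of the live translation table, for inspection."""
        return dict(self._out)


def demo() -> dict:
    """Five internal hosts fetch from the same web server; all five show up
    to the server as the gateway's address, and each reply is steered back to
    the host that sent it.  Returns the results so they can be checked."""
    gw = Masquerader(GATEWAY_EXTERNAL_IP)
    hosts = [f"192.168.0.{n}" for n in range(2, 7)]          # constructed sample LAN
    outbound = {h: gw.egress(Packet(h, 1025, WEB_SERVER, 80)) for h in hosts}
    # Replies from the web server come back addressed to the gateway's IP.
    delivered = {}
    for h, sent in outbound.items():
        reply = gw.ingress(Packet(WEB_SERVER, 80, GATEWAY_EXTERNAL_IP, sent.src_port))
        delivered[h] = (reply.dst_ip, reply.dst_port) if reply else None
    # An unsolicited inbound packet to port 23 on the gateway has no table entry.
    stray = gw.ingress(Packet("198.51.100.9", 40000, GATEWAY_EXTERNAL_IP, 23))
    return {
        "seen_by_server": sorted({p.src_ip for p in outbound.values()}),
        "external_ports": [outbound[h].src_port for h in hosts],
        "delivered": delivered,
        "stray_dropped": stray is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two points the reply makes: the web server only ever sees 203.0.113.10, and the gateway tells the five conversations apart by the external port it allocated to each flow, not by anything the web server sends back. A packet that arrives from outside without a matching entry, such as the stray connection to port 23, is never handed to an internal host; whatever happens to it is decided by the gateway's own services.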

