[pptp-server] Re: PPTP on a 2 layer firewall
Shanker Balan
shanu at exocore.com
Mon Oct 15 03:43:08 CDT 2001
Hello:
Paul Reed wrote,
> It may not be the best solution, but this is how I would approach it:
>
> I would use a Linux (2.4 kernel) box as a central Firewall/Router (using
> iptables).
>
> PopTop Server
> (192.168.1.x/24)
> /\
> |
> \/
> (eth2)
> Internet ---> (eth0) Firewall/Router (eth1)<--> LAN (192.168.0.x/24)
> (eth3)
> /\
> |
> \/
> Other Servers (192.168.2.x/24)
>
> (the /24 on the ips means a subnet mask of 255.255.255.0)
> This way, the Firewall acts as a router between 4 separate networks.
> I would suggest a separate NIC for each network, but you could get
> away with 1 external and 1 internal NIC with 3 IPs on different
> networks (by aliasing). With this setup we have the ability to see
> very strict rules set in place. You can specify which
> machines/networks can see which servers, etc...
This is an interesting setup. Does exactly what I want to do, which is:
a) Restrict movement
b) Track connections
> Only the workstations (192.168.0.x) would need to use NAT through the
> router, but if the servers need to have internet access, you can set up
> firewall/NAT rules on an IP by IP basis. VERY strict rules would need to be
> set up on eth0 (external interface); you could still use another firewall in
> front, but it would just overcomplicate things when forwarding and
> NATing. As long as your rules are good, another box in front would just be
> redundant.
Since the central router/firewall will have static routes to the PopTop
server, I won't have to masquerade connections to and from the PopTop
server. Great!
> Port 1723 and protocol 47 will be forwarded from the firewall to the PoPToP
> server. The PoPToP server can be set up to provide IPs by login, so you can
> then restrict 'joe' on 192.168.1.20 to see only one or two servers and not the
> LAN network, but 'fred' who uses 192.168.1.21 can see all servers and all
> networks. 'fred' can even be set up to use the pptp server as his internet
> gateway, and you can NAT him back through; that way internet traffic to him
> is filtered through your firewall as well.
Access controls are always a good thing and something non-existent in
the current setup.
> This could get very complicated, routing and firewalling is only limited by
> your imagination.. :)
Heh! :)
> Hope this helps.. :)
Yes it did. Guess I will have to talk to management for a stand-alone VPN
server and another NIC. :)
Thanks a lot for your time Paul.
--
Luke Skywalker:
I'm Luke Skywalker, I'm here to rescue you.
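As an added example that is not part of the list post: the rules Paul describes (DNAT of TCP 1723 and GRE, IP protocol 47, from the external interface to the PoPToP server, then fencing each VPN client by the address PoPToP assigns it) written out as an iptables script for the 2.4 kernel router. The interface names, the PoPToP host address, and the client and server addresses are assumptions; the post only gives the three /24 networks and the two VPN client addresses.

```shell
#!/bin/sh
# Added example, not from the list post: iptables rules for the layout Paul
# describes. All interface names and the PoPToP host address are assumptions;
# the post only gives the /24 networks and the PPTP port/protocol numbers.

EXT_IF="${EXT_IF:-eth0}"          # Internet-facing interface (assumed)
LAN_IF="${LAN_IF:-eth1}"          # workstation LAN 192.168.0.0/24 (assumed)
VPN_IF="${VPN_IF:-eth2}"          # PoPToP segment 192.168.1.0/24 (assumed)
SRV_IF="${SRV_IF:-eth3}"          # other servers 192.168.2.0/24 (assumed)
POPTOP="${POPTOP:-192.168.1.1}"   # PoPToP server address (assumed)
IPT="${IPT:-iptables}"            # IPT=echo prints the rules instead of applying them

# Baseline: drop anything not explicitly allowed, but keep replies to
# already-accepted connections flowing.
firewall_baseline() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Expose only PPTP control (TCP 1723) and GRE (IP protocol 47) from the
# outside, and only towards the PoPToP host. GRE carries no ports and is not
# connection-tracked without the pptp helper, so both directions are listed.
pptp_forward_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 1723 -j DNAT --to-destination "$POPTOP"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p 47 -j DNAT --to-destination "$POPTOP"
    $IPT -A FORWARD -i "$EXT_IF" -o "$VPN_IF" -d "$POPTOP" -p tcp --dport 1723 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$VPN_IF" -d "$POPTOP" -p 47 -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$EXT_IF" -s "$POPTOP" -p 47 -j ACCEPT
}

# Per-client fencing. PoPToP hands each login a fixed address, so the address
# stands in for the user: $1 is the client address, the remaining arguments
# are the hosts or networks that client may reach. Anything else from that
# client is logged and then dropped, which covers "track connections" as well
# as "restrict movement".
vpn_client_policy() {
    client="$1"; shift
    for dst in "$@"; do
        $IPT -A FORWARD -i "$VPN_IF" -s "$client" -d "$dst" -j ACCEPT
    done
    $IPT -A FORWARD -i "$VPN_IF" -s "$client" -j LOG --log-prefix "VPN-DENY "
    $IPT -A FORWARD -i "$VPN_IF" -s "$client" -j DROP
}

# Optional: let one VPN client use the tunnel as its Internet gateway, so its
# outbound traffic is filtered and NATed by this box just like the LAN's.
# Must be called before vpn_client_policy for that client so the ACCEPT
# precedes the catch-all DROP.
vpn_client_internet() {
    client="$1"
    $IPT -A FORWARD -i "$VPN_IF" -o "$EXT_IF" -s "$client" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$client" -j MASQUERADE
}

apply_policy() {
    firewall_baseline
    pptp_forward_rules
    # 'joe' may reach two servers only (server addresses are constructed)
    vpn_client_policy 192.168.1.20 192.168.2.10 192.168.2.11
    # 'fred' may reach everything and routes his Internet traffic through us
    vpn_client_internet 192.168.1.21
    vpn_client_policy 192.168.1.21 192.168.0.0/24 192.168.2.0/24
}

# Usage: "sh pptp-fw.sh preview" prints the rule set without touching the
# kernel; "sh pptp-fw.sh apply" loads it (needs root on the router).
case "${1:-}" in
    preview) IPT=echo; apply_policy ;;
    apply)   apply_policy ;;
esac
```

Run it with `preview` first and read the generated rules; the FORWARD policy of DROP means any flow not listed (LAN to VPN clients, servers to the outside) is silently blocked until you add a rule for it, and the LOG lines give the connection trail the reply asks for.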