Hello everybody,

I'm setting up an IPCop firewall for this company I know in my free time.
Now everything works fine, except for the link between the Green (LAN) and Blue (WiFi) networks.

Setup:

Firewall:
- Old box with enough ram for IPCop
- 3 NICs in the IPCop box: 1 for the "RED" (external, eth2), 1 for the "GREEN" (LAN, eth0) and 1 for the "BLUE" (WiFi, eth1) network.

LAN:
- Windows XP clients
- Windows 2003 Servers and DC
- AD

WiFi:
- Access Point
- WPA encryption

I got everything working and communicating with the internet, including the Wifi, so that's not the problem. The problem now is, this company wants the wireless users to be able to authenticate to the AD DC, receive DHCP from their DHCP server, be able to access the shares on the file server etc...

Now I advised them to use the VPN (roadwarrior) feature to connect to their LAN (GREEN), but they thought it would be too difficult to administer once my job had finished.

So the tedious task of shooting DMZ holes in the firewall between BLUE and GREEN began.
Thank God that IPCop now has the possibility to add entire NETs instead of having to add every single address of BLUE.

I made DHCP work (port 68), made LDAP work (port 389), DNS works (port 53), etc...

OK, so what is the problem then, you ask?

For optimal communication between a client (winXP) and the AD DC I need ICMP to work between BLUE and GREEN, because Windows must be able to check if the link is slow etc...

So because this can't be done via a port, I need to adjust the IPTables, I guess... This is where my knowledge stops a bit... I've been reading up on it (the AO tutorial here and the internet page here), but I need to find a solution quickly... Now I just need to know how to go about this and whether I'm on the right track...

Do I add IPTables in the rc.local file on IPCop like this:

Code:
$IPT -A CUSTOMINPUT -i $BLUE_DEV -p icmp --icmp-type 0 -j ACCEPT
Is this the correct syntax to allow echo reply (0) from GREEN (eth0) to BLUE (eth1) (ping from blue to green)? Do I need to add more than just echo reply for this setup to work? What else can you recommend as ports to be open? Is it "safe" to open port 445? (In retrospect I know it isn't, but I'm not sure if Windows needs it at this point; need to check that.)

Or is there a totally different way to go about this???

And they thought VPN was difficult

Any info I missed, don't hesitate to ask.

Many thanks in advance for any help.

.C.
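An added example, not from the post above or from the IPCop project: a small script that emits (or applies) a pair of stateful rules letting BLUE hosts ping GREEN hosts through the firewall. It assumes IPCop's rc.firewall.local conventions (the `CUSTOMFORWARD` chain and the `$IPT`/`$BLUE_DEV` style variables); the two subnets are constructed sample values.

```shell
#!/bin/sh
# Added example (not IPCop's own code). Variables default to the values from
# the post (eth0 = GREEN, eth1 = BLUE); the subnets are constructed samples.
IPT="${IPT:-/sbin/iptables}"
BLUE_DEV="${BLUE_DEV:-eth1}"
GREEN_DEV="${GREEN_DEV:-eth0}"
BLUE_NET="${BLUE_NET:-192.168.2.0/24}"   # constructed sample BLUE subnet
GREEN_NET="${GREEN_NET:-192.168.1.0/24}" # constructed sample GREEN subnet

# run_ipt: print the iptables command when DRYRUN=1, otherwise execute it.
run_ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Packets going from BLUE to GREEN pass *through* the firewall, so they are
# matched in the FORWARD path (CUSTOMFORWARD, assumed IPCop chain name);
# CUSTOMINPUT only sees packets addressed to the firewall box itself.
blue_to_green_ping_rules() {
    # Allow only echo-request, and only from the BLUE subnet to the GREEN one,
    # rather than all ICMP from any address.
    run_ipt -A CUSTOMFORWARD -i "$BLUE_DEV" -o "$GREEN_DEV" \
        -s "$BLUE_NET" -d "$GREEN_NET" \
        -p icmp --icmp-type echo-request -j ACCEPT
    # Echo replies (and ICMP errors belonging to the same exchange) are let
    # back by connection tracking, so no separate echo-reply rule is needed.
    run_ipt -A CUSTOMFORWARD -i "$GREEN_DEV" -o "$BLUE_DEV" \
        -s "$GREEN_NET" -d "$BLUE_NET" \
        -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# show_rules: dry-run listing of the rules (used by "show" and by tests).
show_rules() {
    (DRYRUN=1; blue_to_green_ping_rules)
}

# count_rules: number of rules the function would add.
count_rules() {
    show_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) blue_to_green_ping_rules ;;   # needs root and iptables
    show)  show_rules ;;
esac
```

Run `sh blue_green_icmp.sh show` to review the two commands before putting them in rc.firewall.local.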