Using Linux as Network Glue
Full Configuration Details

Matt Clements
Tuesday, July 20, 1999 04:48:29 PM
I had no previous experience with Linux. After reading about the different
distributions, I opted for Debian 2.1 (slink), as at the time of writing this
was the most recent stable Debian release, complete with the 2.0.36 kernel. To
make the Linux ipchains software work with this kernel, it had to be
recompiled with the following options set:
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL)
[Y/n/?]
YES
Enable loadable module support (CONFIG_MODULES) [Y/n/?]
YES
Networking support (CONFIG_NET) [Y/n/?]
YES
Network firewalls (CONFIG_FIREWALL) [Y/n/?]
YES
TCP/IP networking (CONFIG_INET)
YES
IP: forwarding/gatewaying (CONFIG_IP_FORWARD)
YES
IP: syn cookies (CONFIG_SYN_COOKIES) [Y/n/?]
YES
IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?]
YES
IP: firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE) [Y/n/?]
YES
IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?]
YES
IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?]
YES
IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?]
YES
IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?]
YES
IP: Drop source routed frames (CONFIG_IP_NOSR) [Y/n/?]
YES
Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
YES
/proc filesystem support (CONFIG_PROC_FS) [Y/n/?]
YES
This is for the 2.0.x kernel series; according to the IP Chains HOWTO, the
2.2.x configuration is much more straightforward.
The two Ethernet cards in the system (old 10BASE2 Western Digital WD8013
cards) also had to be configured: I added the line "options wd
io=0x220,0x300" to /etc/modutils/modconf and then ran update-modules.
Once I had done this and rerun lilo to install the new boot information I was
ready to reboot and set up the ipchains software. It worked the first time around! The
protocol we devised for communications between the webserver and backoffice was
as lightweight as we could make it, thus keeping performance as high as
possible. We have been very impressed by overall performance.
Since then I have moved our primary and secondary DNS and email services
over onto Linux machines as well, using bind and sendmail. The ipchains
software is now running on a very old 486 machine.
#!/bin/sh
# Bring up the loopback interface and its classful route.
ifconfig lo 127.0.0.1
route add -net 127.0.0.0
# eth0: the private (RFC 1918) network.
IPADDR=10.0.0.1
NETMASK=255.255.255.0
NETWORK=10.0.0.0
BROADCAST=10.0.0.255
ifconfig eth0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
route add -net ${NETWORK}
# eth1: the Internet-facing network.
IPADDR2=20.0.0.1
NETMASK2=255.255.255.0
NETWORK2=20.0.0.0
BROADCAST2=20.0.0.255
ifconfig eth1 ${IPADDR2} netmask ${NETMASK2} broadcast ${BROADCAST2}
route add -net ${NETWORK2}
# The backoffice box (30.0.0.1) is reached through the ISDN router 10.0.0.2.
route add -host 30.0.0.1 gw 10.0.0.2 metric 1
# Start from empty chains, then set the default policies: the box itself
# accepts traffic, but nothing is forwarded unless a rule below allows it.
ipchains -F input
ipchains -F output
ipchains -F forward
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY
# The only forwarded traffic: the Internet-facing network to the backoffice
# host, masqueraded so it appears to come from 10.0.0.1.
ipchains -A forward -s 20.0.0.0/24 -d 30.0.0.1 -j MASQ
Our Network's Topology
The 10.0.0.0 network is our private network.
The 20.0.0.0 network is internet interfacing.
The backoffice system is on a box with IP 30.0.0.1.
We have an isdn router (10.0.0.2) on our private network which has a route to
the backoffice box.
We masquerade our connections from the 20.0.0.0 network when connecting
through to 30.0.0.1. In this way we did not need to set up a route back to
the 20.0.0.0 network, as the connection will appear to have come from
10.0.0.1, to which we already have a route.
10.0.0.0 is a private (RFC 1918) network address; 20.0.0.0 and 30.0.0.0
aren't our real addresses, just examples.
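The kernel above is built with firewall packet logging (CONFIG_IP_FIREWALL_VERBOSE), so a rule given the ipchains -l flag (for instance a final "ipchains -A forward -j DENY -l" catch-all in the script above) writes a "Packet log:" line to the kernel log for every packet it matches. The following parser and summary, added here as an example and not part of the original article, reads such lines and counts what the forward chain dropped per source, destination and port. The field layout follows the form documented in the IPCHAINS-HOWTO (chain, target, interface, PROTO=, src:port, dst:port, L=, S=, I=, F=, T=, optional "(#n)" rule number); the host name "glue", the log lines and the addresses in them are constructed sample data that reuses the article's example networks.

```python
import re
from collections import Counter

# Kernel "Packet log:" line as documented in the IPCHAINS-HOWTO. The trailing
# "(#n)" rule number is optional because older kernels do not emit it.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample syslog output; "glue" is a hypothetical host name.
SAMPLE_LOG = """\
Jul 20 16:48:29 glue kernel: Packet log: forward DENY eth0 PROTO=6 20.0.0.7:1045 10.0.0.5:23 L=60 S=0x10 I=14130 F=0x4000 T=63
Jul 20 16:48:31 glue kernel: Packet log: forward DENY eth0 PROTO=6 20.0.0.7:1046 10.0.0.5:23 L=60 S=0x10 I=14131 F=0x4000 T=63
Jul 20 16:48:35 glue kernel: Packet log: forward DENY eth0 PROTO=17 20.0.0.9:2049 10.0.0.1:161 L=78 S=0x00 I=2211 F=0x0000 T=120
Jul 20 16:48:40 glue kernel: Packet log: forward ACCEPT eth0 PROTO=6 20.0.0.3:1100 30.0.0.1:8000 L=60 S=0x00 I=900 F=0x4000 T=63 (#1)
Jul 20 16:48:41 glue kernel: Packet log: input DENY eth1 PROTO=6 20.0.0.9:3000 20.0.0.1:23 L=60 S=0x00 I=901 F=0x4000 T=63
Jul 20 16:48:42 glue kernel: eth0: transmit timed out
"""


def parse_packet_log(line):
    """Return a dict of the packet-log fields, or None for any other line."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["rule"] = int(rec["rule"]) if rec["rule"] is not None else None
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def summarize_denied(lines, chain="forward"):
    """Count DENY/REJECT hits on one chain, keyed by (src, dst, proto, dport)."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["chain"] != chain:
            continue
        if rec["target"] not in ("DENY", "REJECT"):
            continue
        counts[(rec["src"], rec["dst"], rec["proto_name"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    # Report which hosts on the Internet-facing network tried to reach the
    # private network through the box and were dropped by the forward chain.
    for (src, dst, proto, dport), n in summarize_denied(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {src} -> {dst} {proto}/{dport}")
```

Run over a real /var/log/kern.log the same function gives a quick picture of what the forward DENY policy is actually catching, which is the check worth doing after the first reboot: with the article's rule set only the masqueraded 20.0.0.0/24 to 30.0.0.1 traffic should ever be forwarded, so any other forward-chain entry points at a host probing through the box.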