On the previous page we built a Linux router to schedule an internet connection. We can now expand that setup and use the router as a firewall as well. The network design is slightly different, but it opens up more networking possibilities.
We assume the network will look something like this:
Note that the ADSL broadband router seems redundant. However, it also works as a modem and takes care of the network access layer: dialling in and setting up the PPP session over which IP runs. So unless you can get Linux to do that for you (with a PPPoE client and the modem in bridge mode), you need to keep that ADSL modem/hub/broadband router combination. It's probably part of the service / hardware your ISP provides anyway.
This is identical to the configuration explained on the router page, but this time you need three network cards: one towards the ADSL router, one for the office LAN and one for the kids' LAN. We assume
First draft only - still working on it
We need some NAT configuration as well. Network Address Translation is necessary to connect a LAN with private (RFC 1918) addresses to the internet: those addresses are not routable on the public internet, so the router rewrites the source address of outgoing packets to its own public address and maps the replies back to the host that started the connection. Here's a presentation about Network Address Translation.
Under Linux, NAT is called IP Masquerading (strictly, masquerading is the form of source NAT where the router's own, possibly changing, address is used). There are three major implementations, each associated with a Linux kernel series: ipfwadm (2.0 kernels), ipchains (2.2) and iptables (2.4).
Since iptables seems the way to go, we'll use that. ipchains is still used a lot too, and should not be too difficult to work out if you understand iptables. iptables offers more elaborate firewall and routing functionality, though: most importantly stateful connection tracking, so you can allow replies to connections the LAN opened without opening the same ports to the whole internet, which ipchains cannot do.
Sample NAT configuration here.
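To make the NAT part concrete, here is a minimal masquerading ruleset for the three-card router. It is an added example written for this page, not the sample configuration linked above. The interface names (eth0 towards the ADSL router, eth1 for the office LAN, eth2 for the kids' LAN) and the two private subnets are assumptions; adjust them to your own cards.

```shell
#!/bin/sh
# Added example: NAT (masquerading) ruleset for a Linux router with three NICs.
# Assumed layout (not from the page):
#   eth0 -> ADSL broadband router (uplink)
#   eth1 -> office LAN 192.168.1.0/24
#   eth2 -> kids' LAN  192.168.2.0/24
WAN=${WAN:-eth0}
OFFICE_IF=${OFFICE_IF:-eth1}
KIDS_IF=${KIDS_IF:-eth2}
OFFICE_NET=${OFFICE_NET:-192.168.1.0/24}
KIDS_NET=${KIDS_NET:-192.168.2.0/24}

# With DRY_RUN set, print each command instead of executing it, so the
# ruleset can be reviewed on a machine where you are not root.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

nat_ruleset() {
    # Forwarding is off by default; without it nothing passes between the NICs.
    run sysctl -w net.ipv4.ip_forward=1

    # Start from a clean slate: flush all chains and drop user-defined ones.
    run iptables -F
    run iptables -t nat -F
    run iptables -X

    # Default deny for traffic crossing the router and for traffic to the
    # router itself; everything that should pass is allowed explicitly below.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # The router itself: loopback, replies to its own connections, and
    # administration only from the office LAN (the kids' LAN cannot reach it).
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$OFFICE_IF" -s "$OFFICE_NET" -j ACCEPT

    # Replies to connections that a LAN host opened (stateful part).
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound connections: each LAN is forwarded only when the packet
    # arrives on its own interface with a source address from its own range,
    # so a kids' host cannot pose as an office host (anti-spoofing).
    run iptables -A FORWARD -i "$OFFICE_IF" -s "$OFFICE_NET" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$KIDS_IF" -s "$KIDS_NET" -o "$WAN" -j ACCEPT

    # Source NAT for everything leaving on the uplink. MASQUERADE (rather than
    # SNAT --to) picks up whatever address the ADSL router currently gives eth0.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Quick self-check: how many rules mention a given interface or keyword.
rule_count_for() {
    DRY_RUN=1 nat_ruleset | grep -c -- "$1"
}

case "${1:-}" in
    apply) nat_ruleset ;;           # needs root
    show)  DRY_RUN=1 nat_ruleset ;; # print what apply would run
esac
```

Run it as `sh nat-router.sh show` to review the commands and `sh nat-router.sh apply` as root to load them. Note that the FORWARD policy is DROP, so a LAN host that is not covered by one of the explicit rules (wrong interface, spoofed source address, or a LAN that was never allowed) gets nothing, and the kids' LAN cannot talk to the router itself at all; that is the starting point the scheduling rules further down build on.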
To Do: incorporate this in the routing / scheduling mechanisms
Still working on it. This is just an outline of what I have in mind. It's incomplete, and not tested in real life yet.
(To Do: add more ipchains / iptables editing in the script to regulate internet access and firewall functionality)
Check the firewall introduction and firewall layout pages for a basic understanding of firewalls and of what rules to set.
(To Do: add crontab editing + startup script, as before)
Don't forget to adjust the network settings (IP addresses, default gateway, DNS server, ...) on the hosts in both LANs: they must now use the Linux router, not the broadband router, as their default gateway, otherwise their traffic bypasses the firewall.
The obvious benefit of this approach is that both the office network and the kids' network are behind the Linux router, so internet access for both can be scheduled.
By using firewall rules we have more control over the connections: it's not just on / off, but we can specify which connections to allow or disallow at what time, both for the kids' and for the office network.
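An added example (not the page's own script) of how the scheduling can be done with firewall rules instead of bringing the link up and down: one user-defined chain per LAN, hooked into FORWARD once at boot and rewritten by a small script that cron calls at the scheduled times. The interface names, subnets, chain names and crontab times are assumptions. It also assumes a base ruleset is already loaded that masquerades on the uplink, accepts ESTABLISHED,RELATED traffic in FORWARD and keeps the FORWARD policy at DROP.

```shell
#!/bin/sh
# Added example: per-LAN access chains toggled from cron.
# Assumed layout (not from the page): eth0 = uplink, eth1 = office LAN
# 192.168.1.0/24, eth2 = kids' LAN 192.168.2.0/24. Assumed to run on top of a
# base ruleset that masquerades on eth0 and leaves the FORWARD policy at DROP.
WAN=${WAN:-eth0}

# DRY_RUN=1 prints the iptables commands instead of executing them.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Map a LAN name to its interface and subnet (edit to match your cards).
lan_if()  { case "$1" in office) echo eth1 ;; kids) echo eth2 ;; *) return 1 ;; esac; }
lan_net() { case "$1" in office) echo 192.168.1.0/24 ;; kids) echo 192.168.2.0/24 ;; *) return 1 ;; esac; }

# setup LAN: create the LAN's chain and jump to it from FORWARD. Done once at
# startup; open/close only ever rewrite the contents of the chain, never the hook.
setup_chain() {
    lan=$1; chain="${lan}_out"
    ifc=$(lan_if "$lan") || { echo "unknown LAN: $lan" >&2; return 1; }
    run iptables -N "$chain"
    run iptables -A FORWARD -i "$ifc" -s "$(lan_net "$lan")" -o "$WAN" -j "$chain"
}

# open LAN [tcp ports...]: allow the listed destination ports, or everything
# when no ports are given. DNS is always allowed while open, or nothing resolves.
open_lan() {
    lan=$1; chain="${lan}_out"; shift
    run iptables -F "$chain"
    run iptables -A "$chain" -p udp --dport 53 -j ACCEPT
    if [ $# -eq 0 ]; then
        run iptables -A "$chain" -j ACCEPT
    else
        for port in "$@"; do
            run iptables -A "$chain" -p tcp --dport "$port" -j ACCEPT
        done
        run iptables -A "$chain" -j REJECT
    fi
}

# close LAN: log (rate-limited, so a chatty host cannot fill the log) and
# reject new outbound connections from that LAN.
close_lan() {
    lan=$1; chain="${lan}_out"
    run iptables -F "$chain"
    run iptables -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "${chain} blocked: "
    run iptables -A "$chain" -j REJECT
}

# Assumed schedule, in root's crontab (script installed as /usr/local/sbin/lan-access):
#   0 7  * * *  /usr/local/sbin/lan-access open  kids 80 443
#   0 21 * * *  /usr/local/sbin/lan-access close kids
if [ $# -gt 0 ]; then
    case "$1" in
        setup) setup_chain "${2:?LAN name required}" ;;
        open)  lan=${2:?LAN name required}; shift 2; open_lan "$lan" "$@" ;;
        close) close_lan "${2:?LAN name required}" ;;
        *) echo "usage: $0 setup|open|close LAN [tcp ports...]" >&2; exit 2 ;;
    esac
fi
```

Two caveats a practitioner should know. First, `close` only stops new connections: a download that was already running keeps matching the base ruleset's ESTABLISHED rule, which sits before the jump into the chain. If the schedule must also cut running sessions, place the per-LAN jump before that ESTABLISHED rule, or clear the connection tracking table at close time (the conntrack(8) utility does that on kernels that support it). Second, on kernels with the iptables `time` match you can express the schedule directly in a rule (`-m time --timestart 07:00 --timestop 21:00`) and drop the cron job; the cron approach above is what works with a plain 2.4 iptables.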
We have a fully functional router and firewall between three networks (the internet, the home office network and the kids' network), and we no longer depend on the (limited? non-existent?) firewall functionality of the broadband router. We can even start thinking about intrusion detection systems, logging and monitoring of internet access and activity, load balancing, policy-based routing, etc.
Downside: it's a bit more complex to maintain. But maybe that's also more fun.