F-Secure Internet Gatekeeper for Linux/Administrator’s Guide
• Required Software:
[OS] Linux 2.4.21 (or later) (The Linux Kernel Archives: http://www.kernel.org/)
[eb br-netfilter (kernel patch)] ebtables-brnf_vs_2.4.21.diff.gz (or later) (ebtables: http://ebtables.sourceforge.net/)
• Kernel settings:
[Code maturity level options]=[Prompt for development and/or incomplete code/drivers]: ON
[Network Options]=[Network packet filtering (replaces ipchains)]: ON
[Network Options]=[IP: Netfilter Configurations]: Set all ON
[Network Options]=[802.1d Ethernet Bridging]: ON
3 To set the bridge, change the IP address, netmask, default route, and interface name in /opt/f-secure/fsigk/misc/rc.bridge and launch the bridge as a startup script.
You need the brctl command to set the bridge. If it is not available, install a package which includes the brctl command (for example, the “bridge-utils” package).
If a subnet exists under the network structure, apply routing settings as needed.
# cp /opt/f-secure/fsigk/misc/rc.bridge /etc/rc.d/init.d/bridge
# /etc/rc.d/init.d/bridge start
# chkconfig --add bridge
Check that communication works between interfaces (eth0, eth1) on both sides.
4 Change the access destination of the client to FSIGK:9110. Do it on the server at the access destination by changing iptables on Internet Gatekeeper.
Next, run the following commands to redirect the server access to each service (http(80), smtp(25), pop(110), ftp(21)) to 9080, 9025, 9110, 9021 of FSIGK.
FSIGK# iptables -t nat -A PREROUTING \
-p tcp --dport 80 -j REDIRECT --to-port 9080
FSIGK# iptables -t nat -A PREROUTING \
-p tcp --dport 25 -j REDIRECT --to-port 9025
FSIGK# iptables -t nat -A PREROUTING \
-p tcp --dport 110 -j REDIRECT --to-port 9110
FSIGK# iptables -t nat -A PREROUTING \
-p tcp --dport 21 -j REDIRECT --to-port 9021
Save the settings by running the following command:
FSIGK# /etc/rc.d/init.d/iptables save
You can also change the iptables settings by running the following command:
/opt/f-secure/fsigk/misc/rc.transparent
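A missing redirect means that protocol crosses the bridge without being scanned, so it is worth confirming all four rules after saving. The following check is an added example, not part of the guide or of the product's scripts; the function name missing_redirects and the sample listing are constructed for illustration, and the port pairs are the ones given in step 4.

```shell
#!/bin/sh
# Added example: report which of the guide's four REDIRECT mappings are
# absent from a nat PREROUTING rule listing read on stdin.
# Live use (as root):  iptables -t nat -S PREROUTING | missing_redirects

# service-port:FSIGK-port pairs from step 4 of the guide
EXPECTED="80:9080 25:9025 110:9110 21:9021"

missing_redirects() {
    rules=$(cat)
    missing=""
    for pair in $EXPECTED; do
        dport=${pair%%:*}
        toport=${pair##*:}
        # "iptables -S" prints "--to-ports"; the guide's commands use
        # "--to-port", so accept both. The space after the dport and the
        # ( |$) after the target port stop 80 from matching 8080, etc.
        if ! printf '%s\n' "$rules" | grep -E -- \
            "^-A PREROUTING .*-p tcp .*--dport $dport .*-j REDIRECT --to-ports? $toport( |\$)" \
            >/dev/null; then
            missing="$missing $pair"
        fi
    done
    # Print the missing pairs (empty line if none); non-zero status if any.
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample listing in "iptables -S" format: the pop(110) rule
# is absent, so POP traffic would bypass FSIGK.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9080
-A PREROUTING -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 9025
-A PREROUTING -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 9021'

printf '%s\n' "$SAMPLE_RULES" | missing_redirects \
    || echo "redirect rules missing (service:FSIGK port pairs listed above)"
```

Run it again after a reboot to confirm that the saved rules were restored.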