[KLUG Members] Re: I have some Proxy question

Bryan J. Smith members@kalamazoolinux.org
Thu, 10 Jan 2002 09:32:03 -0500


Scott Van Singel wrote:
> I have 3 Public IP's

Are they all "usable" or are they network/NAT/broadcast (i.e. only one
usable)?  It really doesn't matter either way (since 1 is all you need),
just curious.

> that come in my network and we use the 10.X IP scheme.

That's fine.  I know a couple of large ISPs that also use the 10.X IP
scheme, which can be a routing issue if you route through them.  FYI to
everyone, always consider the "lesser known" 172.16. - 172.31. Class B
reserved networks (yes, they're in the same RFC as the 10. and 192.168.0.
- 192.168.255. ones).

> Here's what I would like to do. I want to put the web and Exchange
> behind a firewall (i.e. possibly Squid or NetFilter). I need a system
> of software that I can configure IP routes into my network to a
> system.  I.e. if 208.x.x.65 is my public IP, I need to have the firewall
> take all requests for that IP and translate it to 10.1.1.26 for mail.
> The same goes for an IP of 208.x.x.63 that I need to route to 10.1.1.25.

2.4/Netfilter is best for this (and most secure) thanx to its advanced
"Destination NAT".  Netfilter can also use (and round-robin) through
your 3 public IPs too.  It can also "load balance" incoming services
between multiple private IPs, but look like the same, public IP from the
outside.

> Can we use Netfilter for this or Proxy.

2.4/Netfilter can do it all.  As far as "Proxy" -- just use that for Web
caching, authorization, etc... via Squid (relevant plus add-ons, like
"SquidGuard" filtering since you're a school).

> One thing to keep in mind: we have about 800 PCs with web access,
> so whatever we do to change the network settings should be easy to
> change on the users' connections.

Linux 2.4's Netfilter, which is right in the kernel, will do a _heck_ of
a lot better than most firewalls (let alone "add-on" software like MS'
ISA, he he he).  You shouldn't need "too much" to handle a T-1.  Any
Pentium Pro or greater with 64MB (128-256MB would be "safe" as the
Netfilter code does use user-space memory for all the connection
tracking).

The Squid server will be a different story.  I recommend dual-CPU,
RAID-0 (possibly RAID-0+1).  Go dual-Athlon ($200 mainboard, $100/CPU),
512MB-1GB RAM ($100-200), 3Ware Escalade 6400 ($179) with 4 drives
($90/60GB 5400rpms will do, 7200rpm if you want them) in a RAID-0+1 (aka
RAID-10) configuration (120GB usable with 4x60GB).  Should only run you
about $1K if you "play it right" -- don't skimp on the case (get extra
fans) and power supply (go for the Enermax 465 or 651 or a Power PC &
Cooling one if you can afford it).

-- Bryan

-- 
Bryan J. Smith, Engineer          mailto:b.j.smith@ieee.org
AbsoluteValue Systems, Inc.       http://www.linux-wlan.org
SmithConcepts, Inc.            http://www.SmithConcepts.com
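The Destination NAT setup Bryan describes (public address rewritten to a private host, with a range of private hosts for load balancing), written out as an added example; this is not code from the original post. It assumes the public-facing interface is eth0 and uses constructed placeholder addresses from the 203.0.113.0/24 documentation range in place of the poster's 208.x.x.x addresses. Port numbers (25 for mail, 80/443 for web) are assumptions as well. By default the script only prints the iptables commands so they can be reviewed; set APPLY=1 to run them.

```shell
#!/bin/sh
# Added example: publish internal mail/web servers behind a Netfilter
# firewall with DNAT, and forward only the traffic that was published.
# Addresses are constructed placeholders (203.0.113.0/24), not real ones.

WAN_IF="${WAN_IF:-eth0}"   # assumption: interface holding the public IPs
APPLY="${APPLY:-0}"        # 0 = print commands (review mode), 1 = execute

run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# Default-deny forwarding, allow replies to existing connections, and let
# the 10.x LAN reach the Internet through the firewall's public address.
firewall_baseline() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s 10.0.0.0/8 -j MASQUERADE
}

# publish_tcp PUBLIC_IP PORT TARGET
# TARGET is one private address (10.1.1.26) or a range (10.1.1.25-10.1.1.27);
# with a range Netfilter spreads new connections across the hosts, which is
# the "load balance behind one public IP" behaviour mentioned in the reply.
publish_tcp() {
    pub="$1"; port="$2"; target="$3"
    # Rewrite the destination before routing so the packet reaches the private host.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target"
    # FORWARD sees the rewritten (private) destination: accept only the
    # published port to the published host(s), nothing else from outside.
    first="${target%%-*}"; last="${target##*-}"
    run iptables -A FORWARD -i "$WAN_IF" -p tcp --dport "$port" \
        -m iprange --dst-range "$first-$last" -m state --state NEW -j ACCEPT
}

firewall_baseline
publish_tcp 203.0.113.65 25  10.1.1.26              # mail server
publish_tcp 203.0.113.63 80  10.1.1.25              # web server
publish_tcp 203.0.113.63 443 10.1.1.25-10.1.1.27    # pool of three web hosts
```

Run it once without APPLY to read the generated rules, then with APPLY=1 as root. Because the FORWARD policy is DROP and only published port/host pairs are accepted, a stray service on the mail host is not reachable from outside even though its address is the DNAT target.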