[KLUG Members] IPTABLES and VPN support

Adam Tauno Williams adam at morrison-ind.com
Wed Apr 12 15:20:10 EDT 2006


> > > So I would need a firewall between my
> > > VPN server and my boxes that provide the stream. 
> > Yep.
> Can you explain that one? It sounds like you are saying you need two
> firewalls on your LAN.  One between your network and the internet, the
> other between your VPN server and your network.
> Internet - FW - LAN - FW - VPN server
> or maybe
>                    LAN
>                /
> Internet - FW                    routed VPN traffic to LAN
>                \              / 
>                    VPN server 

Something like that. If you don't trust the traffic from the VPN then
you need to protect yourself from that too.

>Internet<---FW-->DMZ<--->FW<--->LAN<

I assume the VPN server would be a box on the DMZ network, like a web
server.  The external firewall protects the DMZ from the Internet,
letting traffic through that you expect (port 80 to your web server for
instance), and the internal firewall protects your LAN from the DMZ, only
allowing traffic from the DMZ hosts that you expect.  DMZ hosts usually
are boxes with public IP addresses while the LAN has private IP numbers.
In business environments the external FW is also often a router as well
(in the traditional sense, T1 WICs, etc.).

For instance, my home network is set up this way:

Internet--->router/fw<---Switch--->floppyfw<--->Switch 

So there is an ethernet segment with multiple public IP addresses in
between the Internet and the LAN.  Hosts in the DMZ know that the
privately numbered network is 'over yonder fence',  while (of course)
the Internet knows nothing about the privately numbered hosts.
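
Added example, not part of the original message or the poster's own configuration: a shell generator for an `iptables-restore` ruleset on the internal (DMZ-to-LAN) firewall, dropping forwarded traffic by default and admitting only listed flows from DMZ hosts. The interface names, the addresses (VPN server 192.0.2.10, stream box 192.168.1.20), port 8000 and the routed, non-NAT layout are assumptions.

```shell
#!/bin/sh
# Ruleset generator for the INTERNAL firewall (between DMZ and LAN).
# Every interface name, address and port here is a constructed placeholder.
DMZ_IF="${DMZ_IF:-eth0}"              # side facing the DMZ segment
LAN_IF="${LAN_IF:-eth1}"              # side facing the private LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Expected DMZ->LAN flows, one per line: source dest proto port
ALLOWED_FLOWS="${ALLOWED_FLOWS:-192.0.2.10 192.168.1.20 tcp 8000}"

# Emit one ACCEPT rule per allowed flow; fail on any malformed entry.
flow_rules() {
    while read -r src dst proto port; do
        [ -n "$src" ] || continue
        case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        echo "-A FORWARD -i $DMZ_IF -o $LAN_IF -s $src -d $dst -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done <<EOF
$ALLOWED_FLOWS
EOF
}

gen_internal_fw_rules() {
    rules=$(flow_rules) || return 1   # no partial ruleset on a bad entry
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
$rules
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "dmz-to-lan-drop: "
COMMIT
EOF
}
```

The INPUT policy here accepts no new connections to the firewall itself, so add a management rule before loading it remotely, and check the output with `gen_internal_fw_rules | iptables-restore --test` first.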

