From: Holger K. <hol...@gm...> - 2008-07-10 23:48:06
David Kaufman wrote:
> Hi Holger,
>
> "Holger Krull" <hol...@gm...>
>> I dare to disagree. You can do that [force all traffic to go through
>> coLinux] if you bridge the network card with a tap device and remove
>> any protocol from the bridge.
>>
>> All communication would go through colinux and get filtered and back
>> to windows through a second tap device.
>
> Could you provide detailed steps on how to do this?
>
> I've always been interested in setting up Colinux to be my windows
> firewall, too.

Assuming you have colinux up and running on xp with a bridged tap device and an external router for your internet connection and windows and colinux have different ip addresses, you need:

1. Install a second tap device.
   Open shell, cd to your colinux directory\netdriver, do

       tapcontrol.exe install OemWin2k.inf TAP0801co

   Answer yes to questions.

2. Check in network configuration that an additional Network device showed up. Open its configuration and unbind everything except tcp/ip. Assign static address (192.168.15.1/255.255.255.0 for example). Don't use a subnet you already have, don't assign a public/routed address. (Windows probably needs to reboot)

3. Change your colinux conf to assign the second network interface, like:

       eth0=tuntap,"LAN-Verbindung 3",02:00:00:00:00:02
       eth1=tuntap,"LAN-Verbindung 4",02:00:00:00:00:03

   You have to change the names of the "Lan-Verbindung X" according to the names in your network config. Make sure you don't change the mac address of your previously existing connection. You need DIFFERENT mac addresses on both tap interfaces.

4. Boot colinux, check if both interfaces exist (ifconfig).

5. Assign a static address to eth1 (the new interface) from the same subnet as your windows tap device (192.168.15.2/255.255.255.0) (restart networking if necessary)

6. Ping the eth1 address from windows, and vice versa. If that doesn't work check network configuration/reboot.

7. Check if internet connection from colinux works (ping a server)

8. Enable routing in colinux

       echo 1 > /proc/sys/net/ipv4/ip_forward

   Write that in a local startup file. Maybe boot.local depending on your distro. (Don't know what debian uses these days)

9. Unbind any protocol/service from the tap/ethernet card bridge in windows.

10. Set the colinux address as default router on the tap interface in windows. (you probably need to reboot windows)

11. Ping an internet server from Windows.

12. Set up iptables. (Depending on your rules disable routing)

I recommend installing bind9 on colinux and adding colinux as a nameserver on the windows tap interface.

If you don't have an external router doing the internet connection, you need to configure colinux to do that and probably set up nat in colinux.
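
Step 12 leaves the iptables rules open. The following is an added example, not part of Holger's message, of a default-deny ruleset generator for the coLinux guest. It assumes eth0 is the bridged side, eth1 the Windows-facing tap side, and the 192.168.15.0/24 subnet from step 2; the function name `gen_rules` and its `nat` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): emit an iptables-restore
# ruleset for the coLinux guest acting as the Windows firewall.
# Assumptions: $1 = bridged/LAN interface, $2 = Windows tap interface,
# $3 = tap subnet from step 2, $4 = yes|no (masquerade when the upstream
# router has no route back to the tap subnet, or when there is no router).
gen_rules() {
    lan_if=$1; win_if=$2; win_net=$3; nat=$4
    # The two tap interfaces must be distinct, as in step 3.
    [ "$lan_if" != "$win_if" ] || { echo "interfaces must differ" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $win_if -s $win_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $win_if -s $win_net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $win_if -s $win_net -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $win_if -o $lan_if -s $win_net -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
    if [ "$nat" = yes ]; then
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $win_net -o $lan_if -j MASQUERADE
COMMIT
EOF
    fi
}

# Apply only when asked, so sourcing this file changes nothing:
#   sh fw.sh apply        (as root inside coLinux)
if [ "${1:-}" = apply ]; then
    gen_rules eth0 eth1 192.168.15.0/24 no | iptables-restore
fi
```

Nothing unsolicited from the LAN side reaches Windows, because only connections initiated from the tap subnet are forwarded; the port 53 rules cover the bind9 nameserver recommended above.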