Building a Linux Router

Posted on 2006-03-23
Last Modified: 2010-03-17
I need to build a Linux Router at my office.  We currently have a PIX firewall so the Linux route does not need do NAT and be a router.  After going through all the different pre assembled options out there I think I will build it my self either using Fedora Core 4 or RHEL4 update 2.  One of the most compelling reasons for my doing it on my own is that I can setup some really nice monitoring tools on the machine and incorporate them into our corporate monitoring.

Anyway, my questions are this:
     1. Should I enable the firewall but leave NAT turned off?  Will this slow down the router?
     2. Should I enable SELINUX?
     3. I have found a few TCP Tuning options on the net but what options do I really need to tune?
     4. Are there and good tools out there that I can run to show me if I need to change/tweek any of the TCP Tuning options?

Question by:louisbohm
    LVL 3

    Accepted Solution

    Premature optimization is the root of all evil.
    If you have a firewall upstream, do you trust the people between you and the firewall?
    If you turn on the firewall, there will be a cost (the incoming packets have to be matched against
    the rules).  Is this noticable?  depends on a lot of things (the size of the rule set, the speed of the hardware).  
    2) Its hard to answer your questions -- do you have a reason to enable SELINUX (I never have.... I work for
    a Fortune 500 company).  
    3)Maybe none...please see first line....I'd have to look at how to tune...
    4) good questions, I suppose there are test suites -- you'd want  to look at
    latency and bandwidth....

    LVL 1

    Author Comment

    I have to trust the people behind the firewall at least to some extent.  My only thought for running the firewall and/or selinux is to protect the router itself.  So allow packets to be routed between the networks but use the firewall to prevent/limit access to the local machine.  Control which IP's can access the localhost and setup rules for DoS and Sync attacts.  Though I have no idea how to set up thouse rules.

    On the machine I would be running NTOP and maybe a couple of other things to collect performance data and try to send it to my monitoring station.

    The machine I have is a Dual Pentium 3 700 Mhz with 1 gig of ram and about a 20 gig HD.  I have not seen a huge amount of traffic going over the internet link but since I have T3 internet access (got to love wireless access) the users definitly could create a lot of traffic.  If I do run the firewall and I find that it gets in the way I could always shut it down.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
    Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now