From: Bill Tangren <bjt@aa.usno.navy.mil>
Cc: netfilter@lists.netfilter.org
Subject: Re: DMZ problems
Date: Thu, 25 Jan 2007 17:22:09 -0500
Message-ID: <45B92D91.8070500@aa.usno.navy.mil>
In-Reply-To: <45B61EAB.1040706@pason.com>
Michael Gale wrote:
> Hey,
>
> Why can you not use DNAT ?
>
We are not allowed to "hide" servers in a private network behind a firewall. All
servers have to have public IP numbers.
                   eth0:199.202.112.127/28 | eth1:199.202.112.127/29        199.202.112.132
                 ------------                                                ----------
{Internet}------>| Firewall |----------------------------------------------->| server |
                 ------------                                                ----------
Let's say I've been allocated 199.202.112.127/28 (these are made up addresses)
by my ISP, and I'm told to netmask as 255.255.255.0. Let's say I assign my
firewall the IP address of 199.202.112.130 with a netmask of 255.255.255.0 as
required. My /etc/sysconfig/network-scripts/ifcfg-eth0 will look something like
this:
DEVICE=eth0
BOOTPROTO=static
BROADCAST=199.202.112.255
HWADDR=00:10:20:30:40:50
IPADDR=199.202.112.130
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=199.202.112.1
I can then subnet eth1 as, let's say, 199.202.112.127/29, but I cannot create a
private network, so /etc/sysconfig/network-scripts/ifcfg-eth1 would have to look
something like this:
DEVICE=eth1
BOOTPROTO=static
BROADCAST=199.202.112.134
HWADDR=00:10:20:30:40:50
IPADDR=199.202.112.127
NETMASK=255.255.255.248
ONBOOT=yes
TYPE=Ethernet
The problem I'm having is the netmask for the outside NIC (eth0) overlaps the
netmask for the DMZ side NIC (eth1). If I try to ping a server connected via hub
to eth1 on the firewall FROM the firewall:
# ping 199.202.112.132
Destination host unreachable
but
# ping -I eth1 199.202.112.132
works. I need to have all of the servers on the DMZ pingable from the Internet,
but still protected by a firewall.
I believe I have iptables set up to adequately protect the DMZ, but I have not
been able to solve the problem outlined above.
> If you can not NAT the traffic then it needs to function as a router or
> a bridge. A lot of companies use an "Interconnect": the ISP will provide
> a small public subnet which is available behind a public IP.
>
> So our ISP provides us with a /27 subnet of public IPs available behind
> a public IP:
>
> ISP -> route (X.X.X.X/27) -> external IP (Cisco router) Internal
> IP[X.X.X.X/27]
>
> So on the "internal" side of our Cisco router is a small /27 public
> routeable network. We then assign the public IPs to our firewall and
> other systems if needed.
>
> You could do the same, if you were provided a small subnet. You could
> also create bridge.
>
> Michael
>
>
Sorry Michael about the off list post.
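Editor's note: the script below is an added example and is not part of Bill's message or anything else in this thread. It parses the two ifcfg blocks posted above (HWADDR lines trimmed), derives the connected routes the kernel would build from them, and applies longest-prefix match to the DMZ server address 199.202.112.132 to show which NIC the firewall picks without "-I eth1". It also runs two sanity checks on each block (host address equal to the network or broadcast address, BROADCAST not matching NETMASK). The IFCFG_ETH1_FIXED block is a constructed alternative, not anything from the thread, chosen so that its /29 actually contains .132; all addresses are the made-up ones from the message.

```python
"""Added example (not from the netfilter thread): connected-route and
longest-prefix-match check for the ifcfg blocks posted in the message."""
import ipaddress

# Constructed input: the two ifcfg blocks as posted, HWADDR lines trimmed.
IFCFG_ETH0 = """\
DEVICE=eth0
BOOTPROTO=static
BROADCAST=199.202.112.255
IPADDR=199.202.112.130
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=199.202.112.1
"""

IFCFG_ETH1 = """\
DEVICE=eth1
BOOTPROTO=static
BROADCAST=199.202.112.134
IPADDR=199.202.112.127
NETMASK=255.255.255.248
ONBOOT=yes
TYPE=Ethernet
"""

# Constructed alternative (an assumption, not from the thread): a /29 that
# contains the server address 199.202.112.132 and a matching BROADCAST.
IFCFG_ETH1_FIXED = """\
DEVICE=eth1
BOOTPROTO=static
BROADCAST=199.202.112.135
IPADDR=199.202.112.129
NETMASK=255.255.255.248
ONBOOT=yes
TYPE=Ethernet
"""


def parse_ifcfg(text):
    """Parse a sysconfig ifcfg-ethX file into a dict of KEY -> value."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        kv[key.strip()] = value.strip().strip('"')
    return kv


def interface(kv):
    """IPADDR/NETMASK as an IPv4Interface (ipaddress accepts a dotted mask)."""
    return ipaddress.IPv4Interface(f"{kv['IPADDR']}/{kv['NETMASK']}")


def connected_routes(*texts):
    """The connected routes the kernel derives from each interface address:
    a list of (network, device)."""
    routes = []
    for kv in map(parse_ifcfg, texts):
        routes.append((interface(kv).network, kv["DEVICE"]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins.
    Returns the device name, or None if no connected route matches."""
    dst = ipaddress.IPv4Address(dst)
    matches = [(net, dev) for net, dev in routes if dst in net]
    if not matches:
        return None
    _, dev = max(matches, key=lambda m: m[0].prefixlen)
    return dev


def config_problems(text):
    """Sanity checks on one ifcfg block: the host address must not be the
    network or broadcast address, and BROADCAST must match the mask."""
    kv = parse_ifcfg(text)
    iface = interface(kv)
    net = iface.network
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"IPADDR {iface.ip} is the network or broadcast address of {net}")
    if "BROADCAST" in kv and ipaddress.IPv4Address(kv["BROADCAST"]) != net.broadcast_address:
        problems.append(f"BROADCAST {kv['BROADCAST']} should be {net.broadcast_address} for {net}")
    return problems


if __name__ == "__main__":
    routes = connected_routes(IFCFG_ETH0, IFCFG_ETH1)
    for net, dev in routes:
        print(f"{dev}: connected route {net}")
    print("199.202.112.132 as posted ->", lookup(routes, "199.202.112.132"))
    for p in config_problems(IFCFG_ETH1):
        print("eth1 as posted:", p)
    fixed = connected_routes(IFCFG_ETH0, IFCFG_ETH1_FIXED)
    print("199.202.112.132 with eth1 on 199.202.112.129/29 ->", lookup(fixed, "199.202.112.132"))
```

With the blocks as posted, eth1's address 199.202.112.127/29 puts it on 199.202.112.120/29, which does not contain .132, so the only matching connected route is eth0's /24 and the firewall ARPs for the server on the wrong segment; forcing "-I eth1" bypasses the route lookup, which matches the symptom in the message. Once the DMZ NIC sits in a /29 that contains the servers, longest-prefix match picks eth1 over the /24 by itself, so the overlap is not in itself the problem. The remaining piece is the upstream side: a router that believes the whole /24 is on-link will still ARP for .132 on eth0's segment, so either enable proxy ARP on the uplink (net.ipv4.conf.eth0.proxy_arp=1) so the firewall answers for the DMZ block, or have the ISP route the /29 to the firewall's eth0 address as Michael describes.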
Thread overview: 4+ messages
2007-01-19 20:51 DMZ problems Bill Tangren
2007-01-23 14:41 ` Michael Gale
2007-01-25 22:22 ` Bill Tangren [this message]
2007-01-26 11:13 ` Ted Phelps