* DMZ howto
From: P theodorou @ 2005-09-22 12:50 UTC (permalink / raw)
To: netfilter
Hello
I want to achieve the firewall script in the official iptables tutorial
1.20 version practices here
http://iptables-tutorial.frozentux....MZ.firewall.txt
Typically a well known set up is
to receive traffic from the ISP via DHCP, which assigns an IP to eth0,
and eth0 forwards traffic to eth1 (NAT), which is the default gateway for a
laptop.
Now the machine has eth0, eth1 and eth2; so far we have spoken
about eth1. eth2 I wanted to be a DMZ for servers that need passive
connections, FTP etc...
The concept of a DMZ confuses me, can you suggest any resources
for the topic?
Really appreciated
* RE: DMZ howto
From: Derick Anderson @ 2005-09-22 17:21 UTC (permalink / raw)
To: netfilter
Technically a DMZ is a subnet with unfiltered access to the internet.
However, common usage of the term is a subnet with servers running
services available to the outside world. I can't think of any reason why
an internal network shouldn't be protected by a firewall (not that
firewalls are the answer to security...).
The point of having a separate network for your servers (DMZ) is to
isolate them from the outside world _and_ from your inside users. You
then use your FORWARDing rules to dictate what can travel between the
networks, just like you do for a WAN/LAN setup, but instead of two
possible vectors (WAN->LAN, LAN->WAN) you've got six: WAN->LAN,
WAN->DMZ, DMZ->WAN, DMZ->LAN, LAN->WAN, LAN->DMZ. Makes it easy to
inadvertently block traffic.
Derick Anderson
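Derick's six vectors written out as an explicit FORWARD policy, added here as an example that is neither Derick's, the tutorial's nor the list's own script. It keeps the thread's eth0/eth1/eth2 roles; the LAN and DMZ networks and the web server address 192.168.1.2 are assumptions, and the rules are printed rather than loaded so they can be reviewed first (run with `apply` to load them).

```shell
#!/bin/sh
# Added example: explicit FORWARD policy for a three-interface DMZ firewall.
# Interface roles follow the thread; the address values are assumptions.
INET_IFACE="eth0"            # ISP side, address assigned by DHCP
LAN_IFACE="eth1"             # inside users
DMZ_IFACE="eth2"             # published servers
LAN_NET="192.168.0.0/24"     # assumed
DMZ_NET="192.168.1.0/24"     # assumed
DMZ_HTTP="192.168.1.2"       # web server in the DMZ (assumed)

# Print the rule set instead of running it, so it can be reviewed or diffed
# first; pipe the output to sh to load it. Each of the six vectors is named
# explicitly; anything not listed falls through to the DROP policy.
dmz_policy() {
    ipt="${IPTABLES:-iptables}"
    cat <<EOF
$ipt -P FORWARD DROP
# replies to already accepted flows, whichever direction they go
$ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN -> WAN: inside users may browse
$ipt -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_NET -j ACCEPT
# LAN -> DMZ: only the published service, never the admin ports of a DMZ box
$ipt -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -s $LAN_NET -d $DMZ_HTTP -p tcp --dport 80 -j ACCEPT
# WAN -> DMZ: only the DNATed web port; matched on the interface, not on the dynamic address
$ipt -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# DMZ -> WAN: DNS and HTTP(S) for updates only, so a compromised DMZ host is a poor launchpad
$ipt -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -s $DMZ_NET -p udp --dport 53 -j ACCEPT
$ipt -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -s $DMZ_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
# DMZ -> LAN: no new connections at all; log the attempts, they are an early compromise indicator
$ipt -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j LOG --log-prefix "DMZ->LAN blocked: "
$ipt -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j DROP
# WAN -> LAN: nothing new
$ipt -A FORWARD -i $INET_IFACE -o $LAN_IFACE -j DROP
# NAT: publish the web server and hide both inside networks behind whatever address eth0 has
$ipt -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 -j DNAT --to-destination $DMZ_HTTP:80
$ipt -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
EOF
}

# Number of FORWARD rules that open a new path; a policy review should be
# able to account for every one of them.
accept_rule_count() {
    dmz_policy | grep -c -- '-A FORWARD .* -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then dmz_policy | sh -e; fi
```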
* Re: DMZ howto
From: Michael Gale @ 2005-09-22 20:11 UTC (permalink / raw)
To: P theodorou, netfilter
Hello,
A DMZ / SSN (Separate secure network) is where you would put servers
that require access from internally and externally.
So, for example, you set up a firewall with 3 interfaces:
External
DMZ
Internal
Now on the DMZ you may place your company mail server for example. All
mail from the Internet would come in and be forwarded to the server in
the DMZ. This way if the mail server is compromised the intruder will
not have gained access to your internal corporate network. A company web
server would be another example, but not an intranet web server.
The firewall rules between EXT <=> DMZ should be as secure as possible,
same with DMZ <=> INT.
I hope this helps clear some things up a little.
Michael
* Re: DMZ howto
From: Michael Gale @ 2005-09-22 20:16 UTC (permalink / raw)
To: netfilter
Hey,
I should clarify that the mail server in the DMZ would not be your
IMAP / POP server. It would handle the AV and SPAM and then forward good
mail to your internal corporate mail server.
Michael
* DMZ howto
From: P theodorou @ 2005-09-22 22:35 UTC (permalink / raw)
To: netfilter
>From: "XouS - Jose R Negreira" <xous@xouslab.com.ar>
>Reply-To: xous@xouslab.com.ar
>To: "P theodorou" <props666999@hotmail.com>
>Subject: Re: DMZ howto
>Date: Thu, 22 Sep 2005 11:20:50 -0300 (ART)
>
>Hi,
>
>the reason for having a DMZ is (put in the most simple terms):
>
>to publish services to the Internet or another insecure network, reducing
>the impact in case someone breaks through any of these published services.
>
>You want to have your hosts separated: on ONE network, the DMZ, the "internet"
>machines, possibly insecure, or if you want... call them the "dirty"
>machines, in a kind of physical isolation from ANOTHER network, your
>internal network, with your clean, nice, and secure hosts.
>
>
>Regards
>
>_____________________________________________
>Jose R. "Xous" Negreira.
>PortalJAVA.com.ar - http://www.portalJAVA.com.ar <-- ** new!!! ** :P
>XousLAB - http://www.xouslab.com
>iptableslinux - http://www.iptableslinux.com
>RDP - http://www.relacionesdepareja.com.ar
* DMZ howto
@ 2005-09-22 23:09 P theodorou
2005-09-23 2:47 ` "José R. \"Xous\" Negreira"
0 siblings, 1 reply; 15+ messages in thread
From: P theodorou @ 2005-09-22 23:09 UTC (permalink / raw)
To: netfilter
Thank you all for the replies,
I have now a good understanding of
the subject, but before proceeding to build the DMZ subnet I need
to ask something:
My ISP assigns me a dynamic IP; therefore, is that a limitation
that would not allow me to develop the DMZ subnet?
Is that correct or inaccurate? Visitors shall need to type my IP to
access my webpage, but what I'm interested in is the development
of the firewall itself in terms of securing a network. It will never be
used for real cases; it is just for me to understand.
The script that I have suggested uses static IPs:
# 1.1 Internet Configuration.
#
INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
So,
can I develop a DMZ subnet without a static IP and have the DMZ'ed services
accessible on the Internet?
Regards
* Re: DMZ howto
From: "José R. \"Xous\" Negreira" @ 2005-09-23 2:47 UTC (permalink / raw)
To: netfilter
Hi,
First of all, technically and strictly speaking... a DMZ is not (always)
a subnet. A DMZ is an independent network with completely different IP
ranges.
You can have an internal network of 192.168.1.0/24, and a DMZ of
10.1.1.0/24, just to give an example....
Possible question: But... may it be a subnet?? Yes! Of course... but it's
not a must!
Your question:
My ISP assigns me a dynamic ip , therefore, is that a limitation
that could not allow me to develop the dmz subnet ?
short answer:
No, there's no limitation, AFAIK
long answer:
So now you have some doubts about the IP assignments, huh? Well... first
of all, put the DMZ concept aside. Just to clarify concepts... I tell you
more, it shouldn't bother you too much!
You want to publish a web server, and the problem is how people outside
reach to your web server.
If you have a static IP, there's no problem. People will reach you by
typing http://xx.xx.xx.xx in the browser, being the xx.xx.. your IP
address. But...that means that you have a web server INSTALLED on the
firewall.... too bad. You want to have it on another machine, right?
You will have a public IP, it doesn't matter if it's static or dynamic.
In both cases, you'll want to use FORWARDING, and NAT (Network Address
Translation), and that's now actually your real problem. What you do is
simply 'touching' each packet header that traverses on the firewall, and
redirecting wherever *you* want.
Suppose that you have not one machine, but 3 webservers, but... Oh My
god, you have only one IP!! Well, using NAT, you can (for example) let
people access to each webserver by typing:
http://xx.xx.xx.xx:80 (redirect to serverA, port 80)
http://xx.xx.xx.xx:81 (redirect to serverB, port 80)
http://xx.xx.xx.xx:82 (redirect to serverC, port 80)
How to do NAT? The answer is on the question: (Recommended reading - NAT
HOWTO)
So, as you can see, your network(s) on the outside, is reduced to only
one host (the firewall), behind it, it doesn't matter if it is just the
firewall itself, a small network, one small network, one big network,
or..... two or more *networks* (yes, you can return DMZ concept
here!)!!. From the outside, it's transparent!!
Well, re-reading this answer, it seemed to me like a big "concept
salad", but... I tried a shot, hope it helped a bit! :)
And good luck!
Regards
--
_____________________________________________
Jose R. "Xous" Negreira.
PortalJAVA.com.ar - http://www.portalJAVA.com.ar <-- ** new!!! ** :P
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com
RDP - http://www.relacionesdepareja.com.ar
* DMZ howto
From: P theodorou @ 2005-09-23 15:17 UTC (permalink / raw)
To: netfilter
I had a look at the NAT HOWTO; unfortunately it explains the concept only in brief,
therefore I'm thinking some things need to be done:
1) the Apache will be hosted on 192.168.1.2 (eth2)
and my dynamic IP is something like 22.22.22.22 (eth0)
somehow I declare
iptables -t nat -A PREROUTING -p tcp --d 22.22.22.22 --dport 8080 -j DNAT
--to 192.168.1.2
- the above line may not be correct - so I redirect whatever touches
22.22.22.22 to the
internal 192.168.1.2; therefore conclusion 2: I need a static IP
or I should never reboot the computer! Right?
Please clarify
PS: I phoned up my ISP; they ask 5 pounds per month for a static IP
* Re: DMZ howto
From: Jörg Harmuth @ 2005-09-23 16:00 UTC (permalink / raw)
To: netfilter
P theodorou wrote:
> I had a look on the NAT Howto , unfortunately explains the concept in brief
> therefore im thinking some things to be done
> 1) the Apache will be hosted on 192.168.1.2 (eth2)
> and my dynamic ip is something 22.22.22.22 (eth0)
>
> somehow i declare
> iptables -t nat -A PREROUTING -p tcp --d 22.22.22.22 --dport 8080 -j
> DNAT --to 192.168.1.2
>
> -the above line my not beeing correct- so i redirect whatever touches
> 22.22.22.22 to the
> internal 192.168.1.2 threfore conclusion 2 i need a static ip
> or a should never reboot the computer ! right ?
Not necessarily. There are some options.
1.) Instead of DNATing everything that is destined for
22.22.22.22 to the other box - which (if I understand
correctly) means every port -, you could DNAT everything
that is destined to port 8080 to the other box. This means
omitting -d 22.22.22.22. And at the very minimum, you
must SNAT everything that leaves the box towards the internet.
You can add the incoming interface, like -i ppp0.
2.) Register with DynDNS or the like. Then write your rule like this:
... -p tcp --dport 8080 -d dyndns.name.tld ...
Do an iptables-save and every time your IP changes do
an iptables-restore. You may like to write a script.
3.) Other things that may come to mind :)
HTH,
Joerg
--
-----------------------------------------------------------------------
mnemon
Jörg Harmuth
Niederkastenholzerstr. 24a
53881 Euskirchen
Tel.: (+49) 22 55 9 48 78 22
mail: harmuth@mnemon.de
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------
Due to massive SPAM, all mails our content filter classifies as SPAM
are discarded silently. If your mail was classified as SPAM by mistake,
please send an email with "No-Spam:" within the subject.
This mail was checked for viruses and other malicious software before
sending. No malicious software was detected.
-----------------------------------------------------------------------
* Re: DMZ howto
From: /dev/rob0 @ 2005-09-23 16:02 UTC (permalink / raw)
To: netfilter
On Friday 23 September 2005 10:17, P theodorou wrote:
> 1) the Apache will be hosted on 192.168.1.2 (eth2)
Is 192.168.1.2 the eth2 IP on this machine? Or are you saying, it's a
different machine which is reached through the subnet on eth2? In the
latter case ...
> and my dynamic ip is something 22.22.22.22 (eth0)
>
> somehow i declare
> iptables -t nat -A PREROUTING -p tcp --d 22.22.22.22 --dport 8080
> -j DNAT --to 192.168.1.2
... this is correct, *if* you want http://22.22.22.22:8080/ to pass
through to 192.168.1.2:8080. Apache listens on 80 by default, so unless
you have changed that, prepare to be disappointed. Also note that all
browsers default to connecting to 80.
> -the above line my not beeing correct- so i redirect whatever
> touches 22.22.22.22 to the
> internal 192.168.1.2 threfore conclusion 2 i need a static ip
> or a should never reboot the computer ! right ?
You need to update your DNAT rules whenever your IP address changes.
Perhaps your IP is relatively static, as mine is at home: dynamic in
name only. For all practical purposes I can be confident I'll have this
IP as long as I'm using this MAC address for DHCP with the ISP.
DHCP clients and pppd all offer ways of running scripts when the IP
address changes. Generally the new IP address would be passed to that
script as an argument, so it should be a simple exercise to delete your
previous DNAT rules and replace them with the new IP.
> ps i phoned up my ISP they ask 5 pounds per month for static ip
In some cases a static IP is a good idea. It all depends on what you
need to do. If you're running authoritative DNS and/or MTA, you do need
a static IP. In your case you're more likely to be running afoul of
your ISP's TOS. Many do not allow "servers" in dynamic IP space.
Another issue with residential Internet accounts might be bandwidth:
many of them do not provide much upload bandwidth. Home users tend not
to notice, but users connecting to your server from the outside might
think it seems slow. Likewise when you have outside users taking all
your upstream bandwidth, you will have trouble getting your own
requests out.
[superfluous and hard-to-follow top-posted quotes removed]
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
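The hook /dev/rob0 describes, added here as an example that is not from the thread: pppd's ip-up or a dhclient exit hook passes it the new address, and it deletes the NAT rules bound to the previous address before adding them for the new one. eth0 and the DMZ web server 192.168.1.2 follow the thread; the DNS server 192.168.1.3, the state-file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: hook that rewrites the address-bound NAT rules when the public
# address changes. Call it from pppd's ip-up (new address is $4) or from a
# dhclient-script exit hook ($new_ip_address). Names below are assumptions.
INET_IFACE="eth0"
HTTP_INTERNAL="192.168.1.2"            # web server in the DMZ (from the thread)
DNS_INTERNAL="192.168.1.3"             # DNS server in the DMZ (assumed)
STATE="${STATE:-/path/to/state/file}"  # placeholder: remembers the address the rules use

# Hook arguments arrive from the network, not from you: accept only a plain
# dotted quad before it is spliced into an iptables command line.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# The rules that mention a public address. Printing them from one place
# guarantees that -D later removes exactly what -A added.
addr_rules() {   # $1 = -A or -D, $2 = public address
    ipt="${IPTABLES:-iptables}"
    cat <<EOF
$ipt -t nat $1 PREROUTING -i $INET_IFACE -d $2 -p tcp --dport 80 -j DNAT --to-destination $HTTP_INTERNAL:80
$ipt -t nat $1 PREROUTING -i $INET_IFACE -d $2 -p udp --dport 53 -j DNAT --to-destination $DNS_INTERNAL:53
$ipt -t nat $1 POSTROUTING -o $INET_IFACE -j SNAT --to-source $2
EOF
}

# Print the commands that move the rule set from the old address ($1, empty
# on the first run) to the new one ($2). Nothing is executed here.
rule_changes() {
    old=$1; new=$2
    valid_ipv4 "$new" || { echo "refusing to install rules for '$new'" >&2; return 1; }
    if [ "$old" = "$new" ]; then return 0; fi    # lease renewed with the same address
    if [ -n "$old" ]; then addr_rules -D "$old"; fi
    addr_rules -A "$new"
}

# Entry point for the hook: apply the changes, then remember the address in use.
update_public_ip() {
    new=$1
    old=""
    if [ -r "$STATE" ]; then old=$(cat "$STATE"); fi
    changes=$(rule_changes "$old" "$new") || return 1
    printf '%s\n' "$changes" | sh -e || return 1
    printf '%s\n' "$new" > "$STATE"
}

if [ -n "${1:-}" ]; then update_public_ip "$1"; fi
```

Jörg's first option (matching on the incoming interface instead of the address) avoids the update entirely; this hook is for rules that must name the address, as the tutorial's INET_IP/HTTP_IP/DNS_IP variables do.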
* DMZ howto
@ 2005-09-23 16:03 P theodorou
2005-09-23 16:14 ` Ruben Cardenal
0 siblings, 1 reply; 15+ messages in thread
From: P theodorou @ 2005-09-23 16:03 UTC (permalink / raw)
To: netfilter
Joerg
Excellent, I didn't know iptables is capable of doing that.
I'm registered with one of those sites to publish my webpage.
Thank you very much
* Re: DMZ howto
From: XouS - Jose R Negreira @ 2005-09-23 16:08 UTC (permalink / raw)
To: netfilter
Well, IMHO you don't need to specify your public IP in the rule.
Erase the --d 22.22.22.22 match, because all your internet packets
coming in here will hit that rule anyway. Just try with this:
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.1.2
So, from now on...whatever goes to 8080, it'll forward to your web server.
(of course, you need another -A FORWARD rule, allowing forwarding!)
on the other hand,
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0 -j MASQUERADE
no matter what your current public IP is, it'll masquerade as 22.22.22.22, and
when your ISP assigns 33.33.33.33, it'll rewrite the source to
33.33.33.33, and so on ;)
regards & Good Luck
PS: my mails aren't going to the list???
_____________________________________________
Jose R. "Xous" Negreira.
PortalJAVA.com.ar - http://www.portalJAVA.com.ar <-- ** new!!! ** :P
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com
RDP - http://www.relacionesdepareja.com.ar
> I had a look on the NAT Howto , unfortunately explains the concept in
> brief
> therefore im thinking some things to be done
> 1) the Apache will be hosted on 192.168.1.2 (eth2)
> and my dynamic ip is something 22.22.22.22 (eth0)
>
> somehow i declare
> iptables -t nat -A PREROUTING -p tcp --d 22.22.22.22 --dport 8080 -j DNAT
> --to 192.168.1.2
>
> -the above line my not beeing correct- so i redirect whatever touches
> 22.22.22.22 to the
> internal 192.168.1.2 threfore conclusion 2 i need a static ip
> or a should never reboot the computer ! right ?
>
> Please clarify
>
> ps i phoned up my ISP they ask 5 pounds per month for static ip
>
>
>>From: "José R. \"Xous\" Negreira"<xous@xouslab.com.ar>
>>To: netfilter@lists.netfilter.org
>>Subject: Re: DMZ howto
>>Date: Thu, 22 Sep 2005 23:47:36 -0300
>>
>>Hi,
>>
>>First of all, technically and strictly speaking...a DMZ is not (always) a
>>subnet. A DMZ is a independent network with a completely different IP
>>ranges.
>>you can have an internal network of 192.168.1.0/24 network, and a DMZ
>>10.1.1.0/24, just to say some example....
>>Possible question: But...may it be a subnet?? Yes! of course...but it's
>> not
>>a must!
>>
>>
>>Your question:
>>My ISP assigns me a dynamic ip , therefore, is that a limitation
>>that could not allow me to develop the dmz subnet ?
>>
>>short answer:
>>No, there's no limitation, AFAIK
>>
>>long answer:
>>So now you have some doubts about the IP assigments huh?. Well...first of
>>all, put the DMZ concept aside. Just to clarify concepts...I tell you
>> more,
>>it shouldn't bother too much this!
>>
>>You want to publish a web server, and the problem is how people outside
>>reach to your web server.
>>If you have a static IP, there's no problem. People will reach you by
>>typing http://xx.xx.xx.xx in the browser, being the xx.xx.. your IP
>>address. But...that means that you have a web server INSTALLED on the
>>firewall.... too bad. You want to have it on another machine, right?
>>
>>You will have a public IP, it doesn't matter if it's static or dynamic.
>> In
>>both cases, you'll want to use FORWARDING, and NAT (Network Address
>>Translation), and that's now actually your real problem. What you do is
>>simply 'touching' each packet header that traverses on the firewall, and
>>redirecting wherever *you* want.
>>
>>Suppose that you have not one machine, but 3 webservers, but... Oh My
>> god,
>>you have only one IP!! Well, using NAT, you can (for example) let people
>>access to each webserver by typing:
>>http://xx.xx.xx.xx:80 (redirect to serverA, port 80)
>>http://xx.xx.xx.xx:81 (redirect to serverB, port 80)
>>http://xx.xx.xx.xx:82 (redirect to serverC, port 80)
>>
>>How to do NAT? The answer is on the question: (Recommended reading - NAT
>>HOWTO)
>>
>>So, as you can see, your network(s) on the outside, is reduced to only
>> one
>>host (the firewall), behind it, it doesn't matter if it is just the
>>firewall itself, a small network, one small network, one big network,
>>or..... two or more *networks* (yes, you can return DMZ concept here!)!!.
>>From the outside, it's transparent!!
>>
>>Well, re-reading this answer, it seemed to me like a big "concept salad",
>>but... tryied a shot, hope it helped a bit! :)
>>And good luck!
>>
>>Regards
>>
>>--
>>_____________________________________________
>>Jose R. "Xous" Negreira.
>>PortalJAVA.com.ar - http://www.portalJAVA.com.ar <-- ** new!!! ** :P
>>XousLAB - http://www.xouslab.com
>>iptableslinux - http://www.iptableslinux.com
>>RDP - http://www.relacionesdepareja.com.ar
>>
>>
>>
>>P theodorou wrote:
>>
>>>Thank all of you for the replies,
>>>
>>>I now have a good understanding of
>>>the subject, but before proceeding to build the DMZ subnet I need
>>>to ask something:
>>>
>>>My ISP assigns me a dynamic IP; therefore, is that a limitation
>>>that would not allow me to develop the DMZ subnet?
>>>
>>>Is that correct or inaccurate? Visitors will need to type my IP to
>>>access my webpage, but what I'm interested in is the development
>>>of the firewall itself in terms of securing a network. It will never be
>>>used for real cases; it is just for me to understand.
>>>The script that I have suggested uses a static IP:
>>>
>>># 1.1 Internet Configuration.
>>>#
>>>INET_IP="194.236.50.152"
>>>HTTP_IP="194.236.50.153"
>>>DNS_IP="194.236.50.154"
>>>INET_IFACE="eth0"
>>>So,
>>>can I develop a DMZ subnet without a static IP, with the DMZ'ed services
>>>accessible on the Internet?
>>>
>>>Regards
* RE: DMZ howto
2005-09-23 16:03 P theodorou
@ 2005-09-23 16:14 ` Ruben Cardenal
0 siblings, 0 replies; 15+ messages in thread
From: Ruben Cardenal @ 2005-09-23 16:14 UTC (permalink / raw)
To: netfilter
Hi,
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of P theodorou
> Sent: Friday, 23 September 2005 18:04
> To: netfilter@lists.netfilter.org
> Subject: DMZ howto
>
> Joerg
>
> excellent i didn't know iptables are capable of doing it
>
> im registered with one of those sites to publish my webpage
>
Please:
a) Don't top post
b) Keep the portion of text you are answering to, untouched, so the rest
can know what you're talking about
c) Please -again- KEEP the original subject, with the "RE" part, to make
the thread readable.
Regards,
- Ruben
* RE: DMZ howto
[not found] <MC4-F31k4xAG7GDYX8Q002d325b@mc4-f31.hotmail.com>
@ 2005-09-23 16:19 ` P theodorou
0 siblings, 0 replies; 15+ messages in thread
From: P theodorou @ 2005-09-23 16:19 UTC (permalink / raw)
To: netfilter
Apologies for the mess
>From: "Ruben Cardenal" <ruben@ruben.cn>
>To: <netfilter@lists.netfilter.org>
>Subject: RE: DMZ howto
>Date: Fri, 23 Sep 2005 18:14:41 +0200
>
>Hi,
>
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> > bounces@lists.netfilter.org] On Behalf Of P theodorou
> > Sent: Friday, 23 September 2005 18:04
> > To: netfilter@lists.netfilter.org
> > Subject: DMZ howto
> >
> > Joerg
> >
> > excellent i didn't know iptables are capable of doing it
> >
> > im registered with one of those sites to publish my webpage
> >
>
> Please:
>
> a) Don't top post
> b) Keep the portion of text you are answering to, untouched, so the rest
>can know what you're talking about
> c) Please -again- KEEP the original subject, with the "RE" part, to make
>the thread readable.
>
> Regards,
>
>- Ruben
>
>
>
* Re: DMZ howto
2005-09-23 16:00 ` Jörg Harmuth
@ 2005-09-23 16:24 ` Cedric Blancher
0 siblings, 0 replies; 15+ messages in thread
From: Cedric Blancher @ 2005-09-23 16:24 UTC (permalink / raw)
To: Jörg Harmuth; +Cc: netfilter
On Friday, 23 September 2005 at 18:00 +0200, Jörg Harmuth wrote:
> 3.) Other things that may come to mind :)
pppd has scripts triggered on up and down, with useful parameters such
as the IP address. Thus, you can add stuff to push filtering and NAT rules
that fit the current configuration, whatever the configured IP may be.
More detailed info is in the pppd man page.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
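As an added example (not code from the thread or from the frozentux tutorial script), the following POSIX shell script turns Jose's three-web-server port-forwarding scheme into an iptables ruleset and, in the spirit of Cedric's pppd ip-up remark, keys every rule on the interface rather than on the public address, so it can be re-applied unchanged after every reconnect. The interface names eth0/eth1/eth2 follow the thread; the 10.0.2.x DMZ hosts are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the frozentux tutorial.
# Emits iptables-restore input for the setup discussed above: a dynamic
# public address on eth0, the LAN on eth1, the DMZ on eth2, and three web
# servers published on public ports 80/81/82. The 10.0.2.x DMZ addresses
# are constructed assumptions.
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"
# public_port:dmz_host pairs; every DMZ web server listens on port 80.
FORWARDS="80:10.0.2.10 81:10.0.2.11 82:10.0.2.12"

gen_rules() {
  # nat table: match on the inbound interface rather than the public IP,
  # so the rules stay valid when DHCP or pppd hands out a new address.
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  for f in $FORWARDS; do
    port=${f%%:*}; host=${f#*:}
    printf '%s\n' "-A PREROUTING -i $INET_IFACE -p tcp --dport $port -j DNAT --to-destination $host:80"
  done
  # MASQUERADE uses whatever address eth0 holds when the packet leaves.
  printf '%s\n' "-A POSTROUTING -o $INET_IFACE -j MASQUERADE" 'COMMIT'

  # filter table: forwarding is default-deny. INPUT/OUTPUT (the firewall's
  # own traffic) are out of scope here; a full ruleset locks them down too.
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for f in $FORWARDS; do
    host=${f#*:}
    # DNAT already happened in PREROUTING, so FORWARD sees host:80.
    printf '%s\n' "-A FORWARD -i $INET_IFACE -o $DMZ_IFACE -d $host -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
  done
  # LAN may reach the Internet and the DMZ; the DMZ may never open a
  # connection into the LAN (explicit, although the policy drops it too).
  printf '%s\n' "-A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT"
  printf '%s\n' "-A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT"
  printf '%s\n' "-A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j DROP" 'COMMIT'
}

# Number of DNAT rules emitted; a quick self-check before applying.
count_dnat() { gen_rules | grep -c -e '-j DNAT'; }

# Load the whole ruleset atomically. Nothing above hard-codes the public
# IP, so this can run once at boot or from /etc/ppp/ip-up after a reconnect.
apply_rules() { gen_rules | iptables-restore; }
```

Run `gen_rules` on its own to review the generated rules before calling `apply_rules` as root.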