From: Bill Tangren <bjt@aa.usno.navy.mil>
Cc: netfilter@lists.netfilter.org
Subject: Re: DMZ problems
Date: Thu, 25 Jan 2007 17:22:09 -0500
Message-ID: <45B92D91.8070500@aa.usno.navy.mil>
In-Reply-To: <45B61EAB.1040706@pason.com>
Michael Gale wrote:
> Hey,
>
> Why can you not use DNAT ?
>
We are not allowed to "hide" servers in a private network behind a firewall. All
servers have to have public IP numbers.
    eth0:199.202.112.127/28 | eth1:199.202.112.127/29             199.202.112.132
             ------------                                         ----------
{Internet}-->| Firewall |---------------------------------------->| server |
             ------------                                         ----------
Let's say I've been allocated 199.202.112.127/28 (these are made up addresses)
by my ISP, and I'm told to netmask as 255.255.255.0. Let's say I assign my
firewall the IP address of 199.202.112.130 with a netmask of 255.255.255.0 as
required. My /etc/sysconfig/network-scripts/ifcfg-eth0 will look something like
this:
# ifcfg-eth0: outside interface, 255.255.255.0 as required by the ISP
DEVICE=eth0
BOOTPROTO=static
BROADCAST=199.202.112.255
HWADDR=00:10:20:30:40:50
IPADDR=199.202.112.130
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=199.202.112.1
I can then subnet eth1 as, let's say 199.202.112.127/29, but I cannot create a
private network, so /etc/sysconfig/network-scripts/ifcfg-eth1 would have to look
something like this:
# ifcfg-eth1: DMZ side, public /29, no GATEWAY (the default route is on eth0)
DEVICE=eth1
BOOTPROTO=static
BROADCAST=199.202.112.134
# must be eth1's own MAC; the value shown is the same as eth0's above
HWADDR=00:10:20:30:40:50
IPADDR=199.202.112.127
NETMASK=255.255.255.248
ONBOOT=yes
TYPE=Ethernet
The problem I'm having is the netmask for the outside NIC (eth0) overlaps the
netmask for the DMZ side NIC (eth1). If I try to ping a server connected via hub
to eth1 on the firewall FROM the firewall:
# ping 199.202.112.132
Destination host unreachable
but
# ping -I eth1 199.202.112.132
works. I need to have all of the servers on the DMZ pingable from the Internet,
but still protected by a firewall.
I believe I have iptables set up to adequately protect the DMZ, but I have not
been able to solve the problem outlined above.
> If you can not NAT the traffic then it needs to function as a router or
> a bridge. A lot of companies use an "Interconnect": the ISP will provide
> a small public subnet which is available behind a public IP.
>
> So our ISP provides us with a /27 subnet of public IPs available behind
> a public IP:
>
> ISP -> route (X.X.X.X/27) -> external IP (Cisco router) Internal
> IP[X.X.X.X/27]
>
> So on the "internal" side of our Cisco router is a small /27 public
> routable network. We then assign the public IPs to our firewall and
> other systems if needed.
>
> You could do the same, if you were provided a small subnet. You could
> also create a bridge.
>
> Michael
>
>
Sorry Michael about the off list post.
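As an added example that is not part of this thread: the Python below models the firewall's own outbound routing decision for the addressing discussed above, using the post's made-up addresses. It implements longest-prefix match over the connected routes the two ifcfg files produce, which is how Linux picks the egress interface. Note that "199.202.112.127/29" as written resolves to the network 199.202.112.120/29, which does not contain the server at .132. The second table, with the DMZ on an aligned 199.202.112.128/29, is an assumption introduced here (not something proposed in the thread) to show that the /24 on eth0 overlapping the /29 on eth1 is harmless as long as the DMZ prefix actually contains the servers.

```python
"""Longest-prefix-match lookup over a firewall's connected routes.

Addresses are the made-up ones from the post.  The aligned DMZ block
199.202.112.128/29 in the second table is an assumption added for this
example, not a configuration anyone in the thread proposed.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable, Optional

Route = tuple[ipaddress.IPv4Network, str]


def build_routes(ifaces: Iterable[tuple[str, str]]) -> list[Route]:
    """Turn (ifname, 'addr/prefixlen') pairs into the connected routes that
    IPADDR/NETMASK in ifcfg-* produce.  strict=False lets a host address
    stand in for its network, e.g. 199.202.112.130/24 -> 199.202.112.0/24."""
    routes: list[Route] = []
    for ifname, cidr in ifaces:
        routes.append((ipaddress.ip_network(cidr, strict=False), ifname))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[str]:
    """Interface a packet to dst leaves on: among matching connected routes
    the longest prefix wins, as in the Linux FIB.  None means no route
    (a real box would then fall back to its default route on eth0)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, ifname in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def overlapping_interfaces(routes: list[Route]) -> list[tuple[str, str]]:
    """Pairs of interfaces whose connected prefixes overlap.  Overlap alone
    is not fatal: hosts inside the narrower prefix still go out its
    interface; only hosts covered by the wider prefix alone go out the
    wider interface, which on this firewall means out to the ISP."""
    pairs = []
    for i, (n1, if1) in enumerate(routes):
        for n2, if2 in routes[i + 1:]:
            if n1.overlaps(n2):
                pairs.append((if1, if2))
    return pairs


# The configuration as posted: the /24 the ISP demanded on eth0, and
# "199.202.112.127/29" on eth1, which is really 199.202.112.120/29
# (.120-.127), so the server at .132 is NOT inside it.
AS_POSTED = build_routes([("eth0", "199.202.112.130/24"),
                          ("eth1", "199.202.112.127/29")])

# Hypothetical repair: give the DMZ an aligned /29 that contains .132
# (199.202.112.128-.135).  Still public, still no NAT, still overlapped by
# the /24 on eth0, but longest-prefix match now sends .132 out eth1.
ALIGNED = build_routes([("eth0", "199.202.112.130/24"),
                        ("eth1", "199.202.112.129/29")])

if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED), ("aligned DMZ", ALIGNED)):
        print(f"{name}: routes={[(str(n), i) for n, i in table]}")
        print(f"  overlapping interfaces: {overlapping_interfaces(table)}")
        print(f"  199.202.112.132 -> {lookup(table, '199.202.112.132')}")
```

With the table as posted, a ping to 199.202.112.132 from the firewall is routed out eth0, where no such host answers ARP, which is the "Destination host unreachable" seen above; forcing eth1 with `-I` bypasses the lookup. With an aligned DMZ prefix nested inside the ISP's /24 the same destination goes out eth1 despite the overlap. If the DMZ addresses cannot be rearranged into such a nested prefix, the remaining no-NAT options are the bridge Michael mentions or proxy ARP on the firewall (`net.ipv4.conf.eth0.proxy_arp=1` via sysctl, with /32 host routes for the DMZ servers on eth1); in every variant the filtering lives in the iptables FORWARD chain, not in NAT.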
Thread overview: 4+ messages
2007-01-19 20:51 DMZ problems Bill Tangren
2007-01-23 14:41 ` Michael Gale
2007-01-25 22:22 ` Bill Tangren [this message]
2007-01-26 11:13 ` Ted Phelps