[PLUG] iptables, dmz, public addys

Derek Loree drl at drloree.com
Thu Mar 16 09:14:04 UTC 2006


On Wed, 2006-03-15 at 08:57 -0800, Carla Schroder wrote:
> On Wednesday 15 March 2006 00:25, Derek Loree wrote:
> > On Mon, 2006-03-13 at 14:02 -0800, Carla Schroder wrote:
> 
> > >
> > > My three network segments are
> > >
> > > wan 1.2.3.4
> > > lan 192.168.1.1
> > > dmz 192.168.2.1
> > >
> > > On the dmz are a few public servers, the usual web, mail, ftp, wotever.
> > > These have public routable IPs. To correctly route incoming traffic to
> > > them, do I need only FORWARD rules? Like this:
> > >
> > > $ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 192.168.2.1 --dport 80 -j ACCEPT
> > >
> > > I don't want any DNAT or SNAT on the server IPs, I want to use their real
> > > IPs. The idea is to forward only traffic that belongs to the servers, and
> > > drop all the other junk at the gateway. (all them charming ssh attacks
> > > and ms sql worms etc. ad nauseam, thank you very much microtwits)
> >
> > Do you mean that you have more than one dmz server and that you would
> > like to be able to access each of these using a different wan IP
> > address?  Or are you using several dmz servers and you would like to
> > access them by a single wan IP address?
> >
> > Both can be done.
> 
> The first. Assume a single shared Internet connection for both public services 
> and private LAN. The dmz NIC connects to a switch with a nice little batch of 
> servers, each one with its own gen-u-wine public IP.  So I want to have each 
> one Internet-accessible via its own address. I don't want to use DNAT/SNAT 
> because that's just dumb when you have real routable public IPs. Performance 
> hit, too complex, etc blah. I don't know if this is something that is better 
> handled with iproute, or something that iptables is good for. If I had an 
> actual pool of public IPs to play with I could figure it out, but alas, out 
> there are many cows and few IPs.

You don't even want the dmz, in that case.  All you need to do is use
the router supplied by your ISP (usually called a modem by the ISP),
plug that into your switch with your firewall as one of the bunch of
nice servers.  The exception to this is if your ISP assigned a subnet to
you, then you need to set up the router as a gateway for that subnet.  In
this case, no iptables rules are needed, though they can be applied.

Good Luck,

-- 
Derek Loree <drl at drloree.com>
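As an added example (not code from the thread or from either poster) for the "though they can be applied" case above: a small POSIX shell script that generates a FORWARD policy for a routed DMZ where the ISP has assigned a public subnet and no DNAT/SNAT is used, so only traffic that belongs to the listed servers is forwarded and everything else is dropped at the gateway. The interface names, the 203.0.113.0/29 subnet (an RFC 5737 documentation range), the host list and the function names are all assumptions for illustration; by default it only prints the rules, and setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not from the original thread: generate a minimal iptables
# FORWARD rule set for a routed (non-NAT) DMZ with a public subnet.
# Interface names, subnet and hosts below are assumed for illustration.
WAN_IFACE="${WAN_IFACE:-eth0}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"
DMZ_NET="${DMZ_NET:-203.0.113.0/29}"   # RFC 5737 documentation range (assumed)
IPT="${IPT:-echo iptables}"            # dry run by default; IPT=iptables applies

# dmz_forward_rules host:proto:port ...
# Each argument names one public DMZ host and the protocol/port the Internet
# may reach it on. Emits (or applies) the rule set in order.
dmz_forward_rules() {
    $IPT -P FORWARD DROP
    # Replies and established flows in either direction
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A packet arriving on the WAN with a DMZ source address is spoofed
    $IPT -A FORWARD -i "$WAN_IFACE" -s "$DMZ_NET" -j DROP
    for entry in "$@"; do
        host=${entry%%:*}; rest=${entry#*:}
        proto=${rest%%:*}; port=${rest#*:}
        # New inbound connections only to the advertised service
        $IPT -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p "$proto" \
            -d "$host" --dport "$port" -m state --state NEW -j ACCEPT
    done
    # DMZ hosts may initiate outbound connections (updates, DNS, mail relay)
    $IPT -A FORWARD -i "$DMZ_IFACE" -o "$WAN_IFACE" -s "$DMZ_NET" -j ACCEPT
    # Everything else (scans, worms hitting closed ports) hits the DROP
    # policy; log a rate-limited sample so the noise is visible but bounded
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Count the ACCEPT rules a service list produces (sanity check for the dry run)
count_accept_rules() {
    dmz_forward_rules "$@" | grep -c -- '-j ACCEPT'
}

# Example service list: web server on .2, mail server on .3 (constructed)
dmz_forward_rules 203.0.113.2:tcp:80 203.0.113.2:tcp:443 203.0.113.3:tcp:25
```

Run it as-is to review the generated rules; the two DMZ-bound ACCEPT rules per host are the only way new inbound connections reach the segment, so adding a service means adding one entry rather than touching the rest of the policy.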