Hmm, interesting question with a myriad of answers, some more complex than others. One point of contention though is that I have never seen a router that would forward the traffic on internally to a system on the LAN with the external globally routable IP of the router. All the routers that have the concept of a DMZ host in them redirect the traffic to a system on the internal LAN with an IP on the internal subnet. This latter approach is the direction that I will go; if you do want the former let me know and I'll chew on it for a while.

I would initially attempt to use a standard basic NATing firewall (no frills or sanity checks here).

# eth0 will be the internet connection
# eth1 will be the LAN connection.
# Placeholder: set this to the LAN address of the DMZ host before running.
IP_of_DMZ_server=192.168.1.2

# The router will not forward anything at all unless this is on.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default policies: drop unsolicited input and forwarding, allow the router's own output.
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Start from empty chains.
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING

# Replies to connections the LAN opened may come back in; the LAN may go out freely.
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Connections that PREROUTING DNATs to the DMZ host (below) arrive here in state NEW, so the
# ESTABLISHED,RELATED rule above does not match them and the DROP policy would discard them.
# They have to be accepted explicitly (the same applies to any other port-forwarded host).
iptables -t filter -A FORWARD -i eth0 -o eth1 -d $IP_of_DMZ_server -j ACCEPT

#
# If you have any services that you want to be port forwarded to systems other than the DMZ server
# you will need to list them here (before the DMZ catch-all, with a matching FORWARD accept).
#
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination $IP_of_other_system
#
# This is the line that I'm not sure about and would have to test as I'm not sure it will do what I think.
#
iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -j DNAT --to-destination $IP_of_DMZ_server

# Everything leaving on eth0 is rewritten to the router's public address.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This is completely untested code so test it at your own risk. This is what I would try out of the gate though.

Grant. . . .
John Wigley wrote:
> Hi,
>
> I've asked this elsewhere and received hints but no one seems to have a concrete explanation :-
>
> What I am looking to do is to be able to configure a Linux based router to be able to share THE SAME SINGLE Public IP address between the linux router and a single computer on the lan acting as the DMZ host (NOT normal NAT IP sharing !).
>
> So basically you have a linux router with two network ports, WAN and LAN. The router takes the single ISP assigned public IP address for its WAN interface and then uses a non routable subnet for the LAN port. There are a number of machines on the LAN segment and the linux router is performing NAT for them so that they have internet connectivity - so far this is a standard normal setup.
>
> Now what I want to do is to simultaneously assign that SAME PUBLIC IP address onto one of the LAN computers so that it for all intents and purposes is a DMZ host.
>
> Before anyone says that this is mad and that it can't be done, it can be done perfectly well and all WESTELL ADSL / Ethernet routers have this functionality along with some no name Far Eastern origin broadband routers based on a Conexant OEM reference design.
>
> Having thought long and hard about how to do this but not knowing NetFilter at all, I realised that the way this must be done is for the router to perform a standard NAT function with the added functions of tracking all outgoing connections from the DMZ host and entering those into the NAT table as well, so that it doesn't try to do a Port Address Translation on top of an existing outgoing connection from the DMZ host. For incoming connections, if the incoming packet has a reference in the NAT table then it is directed to the originating LAN machine and if not is passed through unmodified to the DMZ host.
>
> I have spent much time googling and reading list postings but cannot find any reference on how to do this under linux, my guess is that Proxy ARP needs to be enabled on the LAN interface and then a 1:1 POST NAT mapping set to remap all the packets for the DMZ host back to the original public IP address but after that I'm stuck.
>
> This is an incredibly useful feature which I've used on the Westell routers for some time, but now want to move to a Linux based router to be able to do QOS, as it allows all the benefits of NAT for sharing a single IP address but also the benefits of a routed connection for NAT unaware applications like IPSEC AH, and some VOIP implementations.
>
> Any advice on setting this up would be much appreciated,
>
> Thanks,
>
> John Wigley

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
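Added example, not part of the thread: a small Python model of the decision that Grant's rule set (conntrack plus MASQUERADE in POSTROUTING, DNAT in PREROUTING) makes for each packet, which is also the behaviour John describes for the Westell routers. All addresses, ports and the port-forward entry are constructed sample values, and the port-allocation strategy is a simplification of what the kernel does.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    # Toy model of the nat PREROUTING DNAT / POSTROUTING MASQUERADE path with one WAN IP (assumption).
    def __init__(self, public_ip, dmz_host, port_forwards):
        self.public_ip = public_ip
        self.dmz_host = dmz_host              # $IP_of_DMZ_server in the rule set
        self.port_forwards = port_forwards    # (proto, port) -> LAN host: the explicit DNAT lines
        # conntrack entries keyed by reply tuple: (proto, public_port, peer_ip, peer_port)
        self.conntrack = {}
        self.next_free_port = 1024

    def outbound(self, pkt):
        """LAN -> WAN: MASQUERADE. Returns the packet as it leaves eth0."""
        sport = pkt.sport
        owner = (pkt.src, pkt.sport)
        # keep the LAN host's own port unless another LAN host already uses it towards this peer
        while self.conntrack.get((pkt.proto, sport, pkt.dst, pkt.dport), owner) != owner:
            sport, self.next_free_port = self.next_free_port, self.next_free_port + 1
        self.conntrack[(pkt.proto, sport, pkt.dst, pkt.dport)] = owner
        return Packet(pkt.proto, self.public_ip, sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: conntrack lookup first, then the nat PREROUTING rules in order."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:                       # reply to a tracked connection
            return self.conntrack[key]
        target = self.port_forwards.get((pkt.proto, pkt.dport))
        if target:                                      # explicit port forward rule
            return (target, pkt.dport)
        return (self.dmz_host, pkt.dport)               # catch-all DNAT to the DMZ host

def demo():
    r = NatRouter("203.0.113.5", "192.168.1.2", {("tcp", 22): "192.168.1.3"})   # constructed
    a = r.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 80))
    b = r.outbound(Packet("tcp", "192.168.1.2", 40000, "198.51.100.7", 80))     # DMZ host, same port
    replies = [r.inbound(Packet("tcp", "198.51.100.7", 80, r.public_ip, p.sport)) for p in (a, b)]
    unsolicited = r.inbound(Packet("tcp", "192.0.2.99", 51000, r.public_ip, 443))
    ssh = r.inbound(Packet("tcp", "192.0.2.99", 51001, r.public_ip, 22))
    return a.sport, b.sport, replies, unsolicited, ssh
```

The DMZ host's own outbound connection is masqueraded like any other LAN host's (here onto port 1024 because 40000 was already taken towards that peer), its reply is routed back by the conntrack entry rather than the catch-all, and only unmatched new connections land on the DMZ host.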