On Mon 27/01/2003 at 12:31, Jet wrote:
> I just got a strange setup on a client site.
> It is a standard network setup, from Internet -> router -> firewall -> DMZ
> The firewall is doing NAT for the servers at DMZ.
>
> The strange part is they always do an IP alias at the firewall external
> interface when creating a NAT rule (either preroute or post-route).
> If I remove the IP alias, then the connection will never work.
>
> My question is, is this the right setup?

Yes it is.

> To my understanding, it should be just doing NAT with pre-route or
> post-route, and then creating the policy using FORWARD chain.
> Using IP alias never seems to make sense to me here (what if there are 1000
> servers in DMZ).

To get packets NATed as you want them to, they have to reach the PREROUTING
chain on the firewall. That means when the access router wants to forward
these packets, it must get an ARP reply for their destination IP. If NATed
IPs were not aliased on the firewall, then nobody would answer the access
router's ARP requests, and connections would not get established.

When you create such a configuration, you have two ways of making it work.

    (eth0)Router(eth1) ---- (eth0)Firewall(eth1) ---- DMZ
                    interco

The access router is supposed to be a Linux box.

1. You set the access router as usual and use aliases on the firewall:

   on router:
       route add -net $interco_net dev eth1

   on firewall:
       ip address add $nated_ip dev eth0
       NAT and filtering stuff

   With this configuration, the firewall answers ARP requests for NATed IPs.

2. You explicitly configure your access router to route NATed IPs to the
   firewall:

   on router:
       route add -host $firewall dev eth1
       route add -host $nated_ip gw $firewall

   on firewall:
       NAT and filtering stuff

   With this configuration, the router only ARPs for the firewall IP.

In both cases, this is quite painful configuration stuff, but you can handle
it quite easily with a shell script that will automate aliasing, NATing and
filtering stuff for all IPs you want to NAT.

You can also provide some kind of Perl frontend that can help you add new
IPs. The only thing you have to keep in mind is that packets you want to NAT
have to reach the firewall. As they're not destined to it, you have to force
them a bit ;)

-- 
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
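Added example, not part of the mail above: a POSIX shell script of the kind the reply suggests, which automates option 1 (alias the NATed IP on the firewall's external interface, add the PREROUTING DNAT, the FORWARD accept and the POSTROUTING SNAT) for every mapping in a list. Interface names, the mapping format ("public_ip dmz_ip port") and the addresses used in the usage call are assumptions; it prints the commands by default (DRY_RUN=1) so the rule set can be reviewed before it is applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: automate alias + NAT + filter rules for a list of DMZ servers.
# Assumed: external interface is eth0 (override with EXT_IF=...), iptables/ip
# are the tools in use. DRY_RUN=1 (the default) only prints the commands.

EXT_IF="${EXT_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_rules PUBLIC_IP DMZ_IP PORT
# 1. alias the public IP on the external interface so the firewall answers
#    the access router's ARP request for it (the point of the reply above),
# 2. DNAT inbound traffic for that IP/port to the DMZ server,
# 3. accept only that traffic in FORWARD (the policy the firewall enforces),
# 4. SNAT the server's outbound traffic back to its public IP.
nat_rules() {
    pub="$1"; dmz="$2"; port="$3"
    run ip address add "$pub/32" dev "$EXT_IF"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dmz:$port"
    run iptables -A FORWARD -i "$EXT_IF" -d "$dmz" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$dmz" -o "$EXT_IF" -j SNAT --to-source "$pub"
}

# apply_map: read "public_ip dmz_ip port" lines from stdin (blank lines and
# '#' comments are skipped) and emit/execute the rules for each mapping.
apply_map() {
    while read -r pub dmz port; do
        case "$pub" in ''|'#'*) continue ;; esac
        nat_rules "$pub" "$dmz" "$port"
    done
}

# count_rules: number of command lines a mapping list on stdin produces
# (4 per mapping); handy for sanity-checking a mapping file in dry-run mode.
count_rules() {
    apply_map | wc -l | tr -d ' '
}

# Usage with a constructed mapping list (documentation-range addresses):
#   printf '203.0.113.10 10.0.0.10 80\n203.0.113.11 10.0.0.11 443\n' | ./nat.sh
#   DRY_RUN=0 ./nat.sh < mappings.txt     # apply for real, as root
if [ "${1:-}" = "--stdin" ] || [ ! -t 0 ]; then
    apply_map
fi
```

The FORWARD rule is deliberately restricted to the DNATed destination and port, so aliasing an extra public IP never opens more of the DMZ than the one mapped service; option 2 from the reply needs the same script minus the `ip address add` line, plus the two `route add` commands on the router.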