Re: quick questions

On Thu 27/11/2003 at 14:02, Knight, Steve wrote:
> 1) can iptables use eth0:0 as a valid interface distinct from eth0 ?

No, because eth0:0 is _not_ an interface, it is an alias (afaik, usage
of eth0:0 aliases is deprecated for this very reason). It's just
another IP to which your interface (eth0) answers.

>  So I can use eth0 as LAN internal i/f and eth0:0 as DMZ internal i/f.

This is to me a _very_ bad idea.

The point of creating a DMZ is having public services hosted on a
different ethernet segment from the one used for the LAN. As hosts with
public services are the most likely to get compromised, a DMZ creates a
compartment so a cracker who would root one of them won't get full
access to LAN stations. If your public services are on the same ethernet
segment as the LAN is, the intruder will have full access to its
resources... Setting up a different IP addressing scheme on the same
ethernet segment is no security at all.

If you want more info on what one can do once root on an ethernet
segment:

	http://www.arp-sk.org/

> 2) Back when I did my checkpoint certs we covered "static NAT" - simple
> one-to-one address translation, rather than "hide NAT" - aka iptables SNAT /
> MASQUERADE....
> ...the question I have is - 
> is the example given in Ziegler starting on p280 and table 7.1 "Host
> Forwarding to Servers in a Privately Addressed DMZ" an example of "static
> NAT"?

If my memories of Ziegler are OK, yes.

To map an IP, it should be something like 

	iptables -t nat -A PREROUTING -d $PubIP -j DNAT --to $PrivIP

If you want to map one service only (aka port forwarding):

	iptables -t nat -A PREROUTING -p tcp -d $PubIP --dport 80 \
		-j DNAT --to $PrivIP:80

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 
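The rules quoted in the reply above only cover the inbound half of a one-to-one "static NAT" mapping. The script below, added here as an example and not taken from the original mail, shows the full set a DMZ host needs: DNAT for inbound packets, SNAT for connections the host opens itself, and the matching FORWARD rules; the addresses, interface names, and the helper function names (`nat_rule`, `static_nat`, `rule_count`) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail: full static NAT for a DMZ host.
# Prints the iptables commands by default; set APPLY=1 to run them as root.
# 203.0.113.x / 10.0.1.x / eth0 / eth1 are constructed placeholder values.

nat_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# static_nat PUB_IP PRIV_IP WAN_IF DMZ_IF PORTS
# PORTS: space-separated TCP ports to expose; empty string = whole host.
static_nat() {
    pub=$1; priv=$2; wan=$3; dmz=$4; ports=$5
    if [ -z "$ports" ]; then
        # One-to-one mapping: every inbound packet for $pub is sent to $priv.
        nat_rule -t nat -A PREROUTING -i "$wan" -d "$pub" -j DNAT --to-destination "$priv"
        nat_rule -A FORWARD -i "$wan" -o "$dmz" -d "$priv" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    else
        # Port forwarding: --dport needs -p tcp, and only listed ports reach the host.
        for p in $ports; do
            nat_rule -t nat -A PREROUTING -i "$wan" -p tcp -d "$pub" --dport "$p" -j DNAT --to-destination "$priv:$p"
            nat_rule -A FORWARD -i "$wan" -o "$dmz" -p tcp -d "$priv" --dport "$p" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
        done
    fi
    # Outbound half: connections opened by the DMZ host leave with the public IP.
    # Replies to inbound DNAT'd connections are un-NATed by conntrack, not by this rule.
    nat_rule -t nat -A POSTROUTING -o "$wan" -s "$priv" -j SNAT --to-source "$pub"
    nat_rule -A FORWARD -i "$dmz" -o "$wan" -s "$priv" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # No rule above lets the DMZ host reach the LAN interface at all.
}

# Number of rules a mapping produces (used for a quick self-check).
rule_count() {
    static_nat "$@" | wc -l | tr -d ' '
}

static_nat 203.0.113.10 10.0.1.10 eth0 eth1 ""
static_nat 203.0.113.11 10.0.1.11 eth0 eth1 "80 443"
```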


