Many many thanks to Ray, Anthony and Cedric - that's answered them absolutely. I'll shut up now and get back to lurking on the list learning from you clever sorts...

Steve

-----Original Message-----
From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
Sent: 27 November 2003 13.27
To: Knight, Steve
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: quick questions

On Thu 27/11/2003 at 14:02, Knight, Steve wrote:
> 1) can iptables use eth0:0 as a valid interface distinct from eth0 ?

No, because eth0:0 is _not_ an interface, it is an alias (afaik, usage of eth0:0 aliases is deprecated for this very reason). It's just another IP to which your interface (eth0) answers.

> So I can use eth0 as LAN internal i/f and eth0:0 as DMZ internal i/f.

This is to me a _very_ bad idea. The point of creating a DMZ is having public services hosted on a different ethernet segment from the one used for the LAN. As hosts with public services are the most likely to get compromised, the DMZ creates a compartment so a cracker who would root one of them won't get full access to LAN stations. If your public services are on the same ethernet segment as the LAN is, the intruder will have full access to its resources... Setting up a different IP addressing scheme on the same ethernet segment is no security at all.

If you want more info on what one can do once root on an ethernet segment:
http://www.arp-sk.org/

> 2) Back when I did my checkpoint certs we covered "static NAT" - simple
> one-to-one address translation, rather than "hide NAT" - aka iptables SNAT /
> MASQUERADE....
> ...the question I have is -
> is the example given in Ziegler starting on p280 and table 7.1 "Host
> Forwarding to Servers in a Privately Addressed DMZ" an example of "static
> NAT"?

If my memories of Ziegler are OK, yes.
To map an IP, it should be something like

    iptables -t nat -A PREROUTING -d $PubIP -j DNAT --to $PrivIP

If you want to map one service only (aka port forwarding):

    iptables -t nat -A PREROUTING -p tcp -d $PubIP --dport 80 \
        -j DNAT --to $PrivIP:80

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
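The thread distinguishes static (one-to-one) NAT from hide NAT, and shows only the inbound DNAT half. The script below is an added example, not code from either poster or from the netfilter project: it generates a complete one-to-one mapping as an iptables-restore fragment, pairing the PREROUTING DNAT with the POSTROUTING SNAT that makes the DMZ host's own outbound traffic leave under the public address (which is what makes it static rather than hide NAT), and adds the FORWARD filtering that NAT by itself does not provide. The public address 203.0.113.10, the DMZ address 192.168.10.20 and the interfaces eth0/eth1 are constructed placeholders; the DMZ interface is a real second NIC, not an eth0:0 alias, for the segment-separation reason given above.

```shell
#!/bin/sh
# Static one-to-one NAT for a privately addressed DMZ host.
# Constructed example: all addresses and interface names are placeholders.
# Nothing here touches the live ruleset; the functions only emit rule text.

PUB_IP="${PUB_IP:-203.0.113.10}"     # assumed public address (RFC 5737 range)
PRIV_IP="${PRIV_IP:-192.168.10.20}"  # assumed DMZ host address
WAN_IF="${WAN_IF:-eth0}"             # assumed external interface
DMZ_IF="${DMZ_IF:-eth1}"             # assumed DMZ interface: a separate NIC, not an alias
SVC_PORT="${SVC_PORT:-80}"           # assumed published service

# Cheap sanity check so a typo in an address does not produce a rule that
# iptables-restore rejects halfway through loading.
valid_ipv4() {
    ip="$1"
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# nat table: DNAT rewrites inbound destinations to the DMZ host, and the
# matching SNAT rewrites the DMZ host's outbound source to the public IP.
# Without the SNAT line the host would leave via whatever MASQUERADE/SNAT
# rule covers the LAN, i.e. hide NAT, not a static mapping.
static_nat_rules() {
    pub="$1"; priv="$2"; wan="$3"
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A PREROUTING -i $wan -d $pub -j DNAT --to-destination $priv" \
        "-A POSTROUTING -o $wan -s $priv -j SNAT --to-source $pub" \
        'COMMIT'
}

# Port-forwarding variant from the thread: only one service is mapped, so
# the public address keeps answering for everything else itself.
port_forward_rule() {
    pub="$1"; priv="$2"; port="$3"; wan="$4"
    printf '%s\n' \
        "-A PREROUTING -i $wan -p tcp -d $pub --dport $port -j DNAT --to-destination $priv:$port"
}

# filter table: NAT only rewrites addresses; the FORWARD chain decides what
# is actually allowed to cross between segments once rewritten.
forward_rules() {
    priv="$1"; port="$2"; wan="$3"; dmz="$4"
    printf '%s\n' \
        '*filter' \
        ':FORWARD DROP [0:0]' \
        "-A FORWARD -i $wan -o $dmz -p tcp -d $priv --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
        "-A FORWARD -i $dmz -o $wan -s $priv -m conntrack --ctstate ESTABLISHED -j ACCEPT" \
        'COMMIT'
}

# Assemble the full fragment; returns non-zero on a bad address.
build_ruleset() {
    valid_ipv4 "$PUB_IP" && valid_ipv4 "$PRIV_IP" || return 1
    static_nat_rules "$PUB_IP" "$PRIV_IP" "$WAN_IF"
    forward_rules "$PRIV_IP" "$SVC_PORT" "$WAN_IF" "$DMZ_IF"
}
```

Usage: run `build_ruleset` to review the generated text, then feed it to `iptables-restore -n` (the `-n` flag keeps the other tables' existing rules) once it looks right. The FORWARD policy of DROP means the DMZ host is reachable only on the published port and can only answer established connections; that filtering, not the address rewrite, is what limits an intruder who roots the DMZ host.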