DMZ howto


 



I had a look at the NAT HOWTO; unfortunately it explains the concept only briefly,
therefore I'm thinking some things need to be done:
1) the Apache will be hosted on 192.168.1.2 (eth2)
and my dynamic IP is something like 22.22.22.22 (eth0)

somehow I declare
# DNAT: packets arriving for 22.22.22.22 on TCP port 8080 get their destination rewritten to 192.168.1.2 (port unchanged)
iptables -t nat -A PREROUTING -p tcp -d 22.22.22.22 --dport 8080 -j DNAT --to-destination 192.168.1.2

(the above line may not be correct) so I redirect whatever touches 22.22.22.22 to the
internal 192.168.1.2, therefore conclusion 2: I need a static IP,
or I should never reboot the computer! Right?

Please clarify

PS: I phoned up my ISP; they ask 5 pounds per month for a static IP.


From: "José R. \"Xous\" Negreira"<xous@xxxxxxxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DMZ howto
Date: Thu, 22 Sep 2005 23:47:36 -0300

Hi,

First of all, technically and strictly speaking... a DMZ is not (always) a subnet. A DMZ is an independent network with a completely different IP range. You can have an internal network of 192.168.1.0/24, and a DMZ of 10.1.1.0/24, just to give an example... Possible question: But... may it be a subnet? Yes! Of course... but it's not a must!


Your question:
My ISP assigns me a dynamic IP; therefore, is that a limitation
that would not allow me to develop the DMZ subnet?

short answer:
No, there's no limitation, AFAIK

long answer:
So now you have some doubts about the IP assignments, huh? Well... first of all, put the DMZ concept aside, just to clarify concepts... I'll tell you more: this shouldn't bother you too much!

You want to publish a web server, and the problem is how people outside reach your web server. If you have a static IP, there's no problem. People will reach you by typing http://xx.xx.xx.xx in the browser, xx.xx.xx.xx being your IP address. But... that means that you have a web server INSTALLED on the firewall... too bad. You want to have it on another machine, right?

You will have a public IP; it doesn't matter if it's static or dynamic. In both cases, you'll want to use FORWARDING and NAT (Network Address Translation), and that's actually your real problem now. What you do is simply 'touch' each packet header that traverses the firewall, redirecting it wherever *you* want.

Suppose that you have not one machine, but 3 web servers, but... Oh my god, you have only one IP! Well, using NAT, you can (for example) let people access each web server by typing:
http://xx.xx.xx.xx:80 (redirect to serverA, port 80)
http://xx.xx.xx.xx:81 (redirect to serverB, port 80)
http://xx.xx.xx.xx:82 (redirect to serverC, port 80)

How to do NAT? The answer is in the question: (Recommended reading - NAT HOWTO)

So, as you can see, your network(s), seen from the outside, are reduced to only one host (the firewall); behind it, it doesn't matter if it is just the firewall itself, a small network, one big network, or... two or more *networks* (yes, you can return to the DMZ concept here!). From the outside, it's transparent!

Well, re-reading this answer, it seems to me like a big "concept salad", but... I tried a shot; hope it helped a bit! :)
And good luck!

Regards

--
_____________________________________________
Jose R. "Xous" Negreira.
PortalJAVA.com.ar - http://www.portalJAVA.com.ar <--  ** new!!! ** :P
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com
RDP - http://www.relacionesdepareja.com.ar



P theodorou wrote:




Thank you all for the replies,

I now have a good understanding of
the subject, but before proceeding to build the DMZ subnet I need
to ask something:

My ISP assigns me a dynamic IP; therefore, is that a limitation
that would not allow me to develop the DMZ subnet?

Is that correct or inaccurate? Visitors will need to type my IP to
access my webpage, but what I'm interested in is the development
of the firewall itself in terms of securing a network. It will never be
used for real cases; it is just for me to understand.
The script that I have suggested uses static IPs:

# 1.1 Internet Configuration.
#
INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
So,
can I develop a DMZ subnet without a static IP, and have the DMZ'd services
be accessed on the Internet?

Regards
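Pulling the thread together, here is an added example (mine, not code from either poster or from the NAT HOWTO) of what the rule set looks like when the public address is dynamic. It keeps the address-keyed DNAT from the top post only as the contrast, matches on the inbound interface instead, and lays out Xous's three-servers-on-:80/:81/:82 mapping. The interfaces (eth0 Internet, eth2 DMZ) and 192.168.1.2 come from the thread; the extra DMZ hosts 192.168.1.3 and 192.168.1.4, the DRY_RUN switch and the DMZ egress allowances are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): publish DMZ web servers behind a
# dynamic public IP with iptables DNAT, keyed on the inbound interface
# rather than on the address the ISP happens to have leased right now.
#
# Assumed topology (constructed for this example):
#   eth0 = Internet (dynamic address), eth2 = DMZ, DMZ hosts 192.168.1.2-4
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them,
# which needs root and a netfilter-capable kernel.

INET_IFACE="${INET_IFACE:-eth0}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it verbatim in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Fragile form: matches on the current public address. It stops matching
# the moment the ISP hands out a new lease (the worry raised in the thread).
dnat_by_address() {      # <public_ip> <public_port> <dmz_ip:port>
    run iptables -t nat -A PREROUTING -p tcp -d "$1" --dport "$2" \
        -j DNAT --to-destination "$3"
}

# Robust form: matches on the interface the packet arrived on. Whatever
# address eth0 holds at the moment, traffic from the Internet enters here.
dnat_by_interface() {    # <public_port> <dmz_ip:port>
    run iptables -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2"
}

# FORWARD sees the packet after DNAT, so the accept rule is written against
# the DMZ address and port, never against the public one.
forward_to_dmz() {       # <dmz_ip:port>
    run iptables -A FORWARD -i "$INET_IFACE" -o "$DMZ_IFACE" -p tcp \
        -d "${1%:*}" --dport "${1#*:}" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# One public port per published service: DNAT plus the matching FORWARD accept.
publish() {              # <public_port> <dmz_ip:port>
    dnat_by_interface "$1" "$2"
    forward_to_dmz "$2"
}

# The DMZ may open only the listed outbound connections (assumed policy:
# DNS and HTTPS for updates); everything else it initiates is dropped.
allow_dmz_egress() {     # <proto> <port>
    run iptables -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -p "$1" \
        --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Replies and related traffic of known connections flow in both directions.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The three-server layout from Xous's reply: public :80/:81/:82, each
    # landing on port 80 of a different DMZ host.
    publish 80 192.168.1.2:80
    publish 81 192.168.1.3:80
    publish 82 192.168.1.4:80
    allow_dmz_egress udp 53
    allow_dmz_egress tcp 443
    # Outbound DMZ traffic hides behind whatever address eth0 has at the
    # time; MASQUERADE (unlike SNAT) needs no fixed address and discards its
    # connection entries when the interface goes down.
    run iptables -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
}

apply_rules
```

Run it as `sh dmz-nat.sh` to review the rules, `DRY_RUN=0 sh dmz-nat.sh` (as root) to apply them. Nothing in the applied set names the public address, so a new DHCP lease or a reboot changes nothing on the firewall. What this cannot solve is how visitors learn the current address; that is what the static IP, or a DNS name updated whenever the lease changes, is for.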










