P theodorou wrote:
I had a look on the NAT Howto , unfortunately explains the concept in brief
therefore im thinking some things to be done
1) the Apache will be hosted on 192.168.1.2 (eth2)
and my dynamic ip is something 22.22.22.22 (eth0)
somehow i declare
iptables -t nat -A PREROUTING -p tcp --d 22.22.22.22 --dport 8080 -j
DNAT --to 192.168.1.2
-the above line my not beeing correct- so i redirect whatever touches
22.22.22.22 to the
internal 192.168.1.2 threfore conclusion 2 i need a static ip
or a should never reboot the computer ! right ?
Not necessarily. There are some options.
1.) Instead of DNATing everything that is destined for
22.22.22.22 to the other box - which (if i understand
correctly) means every port -, you could DNAT everything
that is destined to port 8080 to the other box. This means
omitting -d 22.22.22.22. And at the very minimum, you
must SNAT everything that leaves the box towards the internet.
You can add the incoming interface, like -i ppp0.
2.) Register with DynDNS or the like. Then write your rule like this:
... -p tcp --dport 8080 -d dyndns.name.tld ...
Do an iptables-save and every time your IP changes do
an iptables-restore. You may like to write a script.
3.) Other things that may come to mind :)
HTH,
Joerg
Please clarify
ps i phoned up my ISP they ask 5 pounds per month for static ip
From: "José R. \"Xous\" Negreira"<xous@xxxxxxxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DMZ howto
Date: Thu, 22 Sep 2005 23:47:36 -0300
Hi,
First of all, technically and strictly speaking...a DMZ is not
(always) a subnet. A DMZ is a independent network with a completely
different IP ranges.
you can have an internal network of 192.168.1.0/24 network, and a DMZ
10.1.1.0/24, just to say some example....
Possible question: But...may it be a subnet?? Yes! of course...but
it's not a must!
Your question:
My ISP assigns me a dynamic ip , therefore, is that a limitation
that could not allow me to develop the dmz subnet ?
short answer:
No, there's no limitation, AFAIK
long answer:
So now you have some doubts about the IP assigments huh?. Well...first
of all, put the DMZ concept aside. Just to clarify concepts...I tell
you more, it shouldn't bother too much this!
You want to publish a web server, and the problem is how people
outside reach to your web server.
If you have a static IP, there's no problem. People will reach you by
typing http://xx.xx.xx.xx in the browser, being the xx.xx.. your IP
address. But...that means that you have a web server INSTALLED on the
firewall.... too bad. You want to have it on another machine, right?
You will have a public IP, it doesn't matter if it's static or
dynamic. In both cases, you'll want to use FORWARDING, and NAT
(Network Address Translation), and that's now actually your real
problem. What you do is simply 'touching' each packet header that
traverses on the firewall, and redirecting wherever *you* want.
Suppose that you have not one machine, but 3 webservers, but... Oh My
god, you have only one IP!! Well, using NAT, you can (for example)
let people access to each webserver by typing:
http://xx.xx.xx.xx:80 (redirect to serverA, port 80)
http://xx.xx.xx.xx:81 (redirect to serverB, port 80)
http://xx.xx.xx.xx:82 (redirect to serverC, port 80)
How to do NAT? The answer is on the question: (Recommended reading -
NAT HOWTO)
So, as you can see, your network(s) on the outside, is reduced to only
one host (the firewall), behind it, it doesn't matter if it is just
the firewall itself, a small network, one small network, one big
network, or..... two or more *networks* (yes, you can return DMZ
concept here!)!!. From the outside, it's transparent!!
Well, re-reading this answer, it seemed to me like a big "concept
salad", but... tryied a shot, hope it helped a bit! :)
And good luck!
Regards
--
_____________________________________________
Jose R. "Xous" Negreira.
PortalJAVA.com.ar - http://www.portalJAVA.com.ar <-- ** new!!! ** :P
XousLAB - http://www.xouslab.com
iptableslinux - http://www.iptableslinux.com
RDP - http://www.relacionesdepareja.com.ar
P theodorou escribió:
Thank all of you for the replies,
i have now a good understanding of
the subject but before proceed into building the dmz subnet i need
to ask something :
My ISP assigns me a dynamic ip , therefore, is that a limitation
that could not allow me to develop the dmz subnet ?
Is that correct or inacurrate ? Visitors shall need to type my ip to
access my webpage, but what im interesting is the development
of the firewall itselfin terms of securing a network . It will never be
used for real casesit is just for me to understand.
the script that i have suggesetd uses static ip
# 1.1 Internet Configuration.
#
INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
So,
Can i develop dmz subnet without static ip and dmz'ed services
to be accessed on the Internet?
Regards
!DSPAM:43341f9e132561420745226!
--
-----------------------------------------------------------------------
mnemon
Jörg Harmuth
Niederkastenholzerstr. 24a
53881 Euskirchen
Tel.: (+49) 22 55 9 48 78 22
mail: harmuth@xxxxxxxxx
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
-----------------------------------------------------------------------
English version below.
Aufgrund massiven SPAM Aufkommens, werden Mails, die unser SPAM
Filter als SPAM einstuft, automatisch gelöscht. Falls Ihre Mail
fälschlicherweise als SPAM eingestuft wurde, senden Sie bitte eine
Email mit "No-Spam:" im Betreff.
Diese Mail wurde vor dem Versenden auf Viren und andere schädliche
Software untersucht. Es wurde keine maliziöse Software gefunden.
Due to massive SPAM, all mails our content filter classifies as SPAM,
are discarded silently. If you mail was classified as SPAM by mistake,
please send an email with "No-Spam:" within the subject.
This Mail was checked for virusses and other malicious software before
sending. No malicious software was detected.
-----------------------------------------------------------------------
