Re: DMZ problems

Michael Gale wrote:
Hey,

    Why can you not use DNAT?


We are not allowed to "hide" servers in a private network behind a firewall. All servers have to have public IP numbers.

  eth0:199.202.112.127/28  |  eth1:199.202.112.127/29      199.202.112.132
                      ------------                            ----------
{Internet}----------->| Firewall |--------------------------->| server |
                      ------------                            ----------

Let's say I've been allocated 199.202.112.127/28 (these are made up addresses) by my ISP, and I'm told to netmask as 255.255.255.0. Let's say I assign my firewall the IP address of 199.202.112.130 with a netmask of 255.255.255.0 as required. My /etc/sysconfig/network-scripts/ifcfg-eth0 will look something like this:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=199.202.112.255
HWADDR=00:10:20:30:40:50
IPADDR=199.202.112.130
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=199.202.112.1

I can then subnet eth1 as, let's say, 199.202.112.127/29, but I cannot create a private network, so /etc/sysconfig/network-scripts/ifcfg-eth1 would have to look something like this:

DEVICE=eth1
BOOTPROTO=static
BROADCAST=199.202.112.134
HWADDR=00:10:20:30:40:50
IPADDR=199.202.112.127
NETMASK=255.255.255.248
ONBOOT=yes
TYPE=Ethernet

The problem I'm having is that the netmask for the outside NIC (eth0) overlaps the netmask for the DMZ-side NIC (eth1). If I try to ping a server connected via hub to eth1 on the firewall FROM the firewall:

# ping 199.202.112.132
Destination host unreachable

but

# ping -I eth1 199.202.112.132

works. I need to have all of the servers on the DMZ pingable from the Internet, but still protected by a firewall.

I believe I have iptables set up to adequately protect the DMZ, but I have not been able to solve the problem outlined above.
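The two connected routes described above can be checked offline with the kernel's longest-prefix-match rule. This is an added example, not code from the thread: it takes IPADDR/NETMASK from the two ifcfg files (the thread's made-up addresses) and a hypothetical list of DMZ servers, and reports which interface the firewall would choose for each.

```python
import ipaddress

# Constructed from the two ifcfg files quoted in the thread (the thread's own
# made-up addresses): interface name -> (IPADDR, NETMASK).
IFACES = {
    "eth0": ("199.202.112.130", "255.255.255.0"),
    "eth1": ("199.202.112.127", "255.255.255.248"),
}

def connected_routes(ifaces):
    """The connected routes the kernel derives from each interface's
    address/netmask, as (network, ifname) pairs."""
    return [(ipaddress.ip_interface(f"{addr}/{mask}").network, name)
            for name, (addr, mask) in ifaces.items()]

def route_for(dst, routes):
    """Longest-prefix match over the connected routes, as the kernel does it:
    the matching route with the longest prefix wins. Returns the interface
    name, or None when no connected route covers dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, name) for net, name in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def overlapping_routes(routes):
    """Pairs of connected networks whose ranges overlap (one nested inside
    the other), which is the eth0/eth1 overlap the poster describes."""
    return [(str(a), str(b)) for i, (a, _) in enumerate(routes)
            for b, _ in routes[i + 1:] if a.overlaps(b)]

def dmz_check(servers, ifaces, dmz_if="eth1"):
    """For each DMZ server, report the interface the firewall would send to
    and whether that is the DMZ interface. A False entry is a server that a
    plain 'ping' (no -I) would not reach over the DMZ link."""
    routes = connected_routes(ifaces)
    result = {}
    for server in servers:
        via = route_for(server, routes)
        result[server] = (via, via == dmz_if)
    return result

if __name__ == "__main__":
    # Hypothetical DMZ hosts: the server from the diagram, plus one whose
    # address falls inside the eth1 /29.
    for server, (via, ok) in dmz_check(
            ["199.202.112.132", "199.202.112.122"], IFACES).items():
        print(f"{server}: via {via} {'ok' if ok else 'NOT on DMZ link'}")
    print("overlapping:", overlapping_routes(connected_routes(IFACES)))
```

A destination covered only by the /24 on eth0 is sent out eth0, which is why the plain ping gets no reply while ping -I eth1 forces the DMZ link; a server whose address lies inside the eth1 subnet wins the longer /29 match and is reached normally.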

If you cannot NAT the traffic, then it needs to function as a router or a bridge. A lot of companies use an "Interconnect": the ISP will provide a small public subnet which is available behind a public IP.

So our ISP provides us with a /27 subnet of public IPs available behind a public IP:

ISP -> route (X.X.X.X/27) -> external IP (Cisco router) Internal IP[X.X.X.X/27]

So on the "internal" side of our Cisco router is a small /27 public routable network. We then assign the public IPs to our firewall and other systems if needed.

You could do the same, if you were provided a small subnet. You could also create a bridge.

Michael



Sorry Michael about the off list post.


