On Tue, 27 Nov 2001, Benjamin Stocker wrote:

> Hi all,
>
> I maintain a small hosting center with 6 webservers, fax, pop3-mail,
> etc. I only have one C subnet! I would like to protect my servers with an
> iptables firewall. Unfortunately, it seems to be odd to put the fw AND
> the servers in the same subnet.
>
> It seems to be possible to install two NICs in the firewall and point
> one of them to the Net, the other to the webservers, but both configured
> for the same subnet. But that configuration seems to be rare and I
> cannot find documentation about it.
>
> What's your opinion?
> Many thanks, Benjamin

Hi Benjamin,

The problem with the configuration you want to install is that you cannot set up the firewall with two IPs (from the same C-Net) on two different NICs, because the computer has to send the packets to its NICs depending on their destination net. If the FW were configured like this:

  eth0: 210.1.1.2
  eth1: 210.1.1.129

and you send a packet from the internet to (let's say) 210.1.1.180, it has to go the following way:

  Internet --> Router (210.1.1.1) --> Firewall (eth0: 210.1.1.2) --> ...

.. and here comes the trick: the firewall receives a packet for 210.1.1.180 on eth0 and "should" send it to the destination IP (or better: destination net) through eth1. Because eth0 is already on the destination net, there is no need for the FW to route here, because routing is only possible between networks.

Another reason why this is impossible is the fact that the FW never knows on which NIC local packets (e.g. to 210.1.1.1) have to be sent, because both NICs are in the same local net, so local packets would be sent on both NICs, which generates lots of errors.
A possible solution for you could be an internal splitting of your C-Net:

  FW:    eth0: 210.1.1.2/25   (255.255.255.128)
         eth1: 210.1.1.129/25 (255.255.255.128)
  Hosts: Default GW: 210.1.1.129; IP > 210.1.1.128 (Netmask: 255.255.255.128)

This config fits your needs but has several disadvantages: you lose 127 IPs, and the configuration of the FW in this case is not too easy (you have to enable ARP-forwarding, etc.).

I would suggest you do 1:1 NAT (Network Address Translation) with your FW:

  FW:    eth0: 210.1.1.2, 210.1.1.3, ..., 210.1.1.254 (all public IPs on eth0)
         eth1: 192.168.0.1
  Hosts: Private IPs (e.g. 192.168.0.5)

This configuration is easy to set up, has (nearly) no disadvantages, and there is lots of documentation. The outer world (the internet) would not recognize that the hosts have private IPs.

Ulrich
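A worked version of the 1:1 NAT layout recommended above, added here as an example and not part of the original post or Ulrich's own configuration. It assumes the addresses from the thread (public 210.1.1.0/24 on eth0, private 192.168.0.0/24 on eth1, upstream router 210.1.1.1), a hypothetical server at 192.168.0.5 behind public 210.1.1.5, and that only the listed TCP ports should be reachable from outside. The script only prints the ip/iptables commands so they can be reviewed before being applied; the legacy `-m state` match is used because that is what iptables of that era shipped.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate 1:1 NAT rules
# for one public/private address pair. Interface names and addresses are
# assumptions taken from the thread; the commands are printed, not run.

WAN_IF=eth0          # public side, owns the whole public /24 (assumption)
LAN_IF=eth1          # private side, 192.168.0.0/24 (assumption)
ROUTER=210.1.1.1     # upstream router from the post

# base_rules: one-time settings that every mapping depends on.
base_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny on the forwarding path; mappings open only what they need.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "ip route add default via ${ROUTER} dev ${WAN_IF}"
}

# nat_rules PUBLIC_IP PRIVATE_IP "PORT PORT ...": rules mapping one public
# address onto one private host, exposing only the listed TCP ports.
nat_rules() {
    pub=$1; priv=$2; ports=$3
    # The firewall must hold the public address so the router ARPs for it.
    echo "ip addr add ${pub}/24 dev ${WAN_IF}"
    # Inbound: rewrite the destination before routing (DNAT).
    echo "iptables -t nat -A PREROUTING -i ${WAN_IF} -d ${pub} -j DNAT --to-destination ${priv}"
    # Outbound: rewrite the source after routing so traffic from the host
    # leaves with its public address (SNAT); the outside never sees 192.168.x.
    echo "iptables -t nat -A POSTROUTING -o ${WAN_IF} -s ${priv} -j SNAT --to-source ${pub}"
    # Least privilege: only new connections to the listed ports are forwarded.
    for p in $ports; do
        echo "iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -p tcp -d ${priv} --dport ${p} -m state --state NEW -j ACCEPT"
    done
    # Let the host open its own outbound connections (DNS, updates, mail relay).
    echo "iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${priv} -m state --state NEW -j ACCEPT"
}

# count_rules PUBLIC_IP PRIVATE_IP "PORTS": number of commands nat_rules emits
count_rules() {
    nat_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Usage: print the full rule set for a web server with a constructed mapping.
base_rules
nat_rules 210.1.1.5 192.168.0.5 "80 443"
```

Review the printed commands, then feed them to a root shell (e.g. `sh nat.sh | sudo sh`). Each additional server gets one more `nat_rules` call with its own public address; the FORWARD policy stays DROP, so a host that has no rule set is unreachable from outside even though it sits behind the same firewall.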