Old 11-27-2008, 02:54 PM   #1
hendrixx
Member
 
Registered: Aug 2003
Location: Netherlands
Distribution: SuSE 10 Pro
Posts: 43
How to set up an iptables firewall and DMZ with multiple public IPs?


Hi,

We have a new Business DSL line with 16 public addresses.
What we want is to set up a DMZ to run some services and internet access for the LAN. Here's a schematic of what we want:


Code:
      Backup Internet           Main Internet
        connection                connection
            |                         |
            |                         |      
        SDSL Modem                BDSL Modem
            |                         |
            |                         |
         Firewall                  Firewall
     (linux router pc)         (linux router pc)
            |                         |
   DMZ-1----|                         |----DMZ-2
            |_________________________|
                          |
                          |
                    Main Firewall
                  (linux router pc)
                          |
                         LAN
Our backup internet connection is working perfectly.
The backup connection has a modem in bridge mode, and our mail server, which is placed in DMZ-1 with 16 IPs, is working perfectly.
The Main Firewall PC is working as a router/firewall and has a default route to the main internet connection for internet traffic. Email is routed to the SDSL modem.
However, we have recently switched provider for our main internet connection, and the modem cannot work in bridge mode.
So it is now working in routing mode: one IP for the modem, the rest of the public IPs on the LAN side of the modem
(one for the firewall and the rest for DMZ-2).
I have managed to get the internet connection working to the LAN, but I cannot get the webserver working in DMZ-2.

Here's another schematic with IPs (I have used fake IPs):


Code:
  ^       Backup Internet                       Main Internet
  |              |                                   |
  I              |                                   |
  n              |                                   |
  t              |                                   |
  e      .--------------.                     .-------------.
  r      |  SDSL modem  |                     | BDSL modem  | 
  n      `--------------'                     `-------------'
  e              |  (bridged)                        |  12.34.56.113
  t              |                                   |
  |              | 11.22.36.81          12.34.56.114 |
  v        .-----------.                       .-----------.
 ~~~~~~~~~ |   pc01    | ~~Perimeter firewall~ |   pc09    | ~~~~~~~~
  ^        `-----------'                       `-----------'
  |               \ 11.33.116.206      12.34.56.126 /
  |                \                               /
  |            _____\___________       ___________/_____
  D           /      DMZ 1      \     /      DMZ 2      \
  M          ( 11.33.116.192/28  )   (  12.34.56.120/28  )
  Z           \_________________/     \_________________/
  |                          \           /
  |                           \         /
  |              11.33.116.193 \       / 12.34.56.121
  v                          .-----------.
 ~~~~~~"Main" firewall~~~~~  |   pc02    | ~~~~~~~~~~~~~~~~~~~~~~~~~~
  ^                          `-----------'
  |                                | 10.24.8.254
  L                                |
  A                         _______|_______
  N                        / Local network \
  |                       (    10.0.0.0/8   )
  v                        \_______________/

The webserver has the following settings:
IP: 12.34.56.125
subnet: 255.255.255.240
gateway: 12.34.56.126

What iptables rules do I need to set up to "see" all IPs in DMZ-2 from the internet?
 
Old 11-29-2008, 12:46 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Basically you are asking about what rules to run on pc09, right? If so, you could assign the public IPs as aliases to the WAN side of pc09 and forward them to the respective servers on the DMZ. This would be done with something like:
Code:
iptables -t nat -A PREROUTING -i $WAN_IFACE -d 123.123.123.1 \
-j DNAT --to-destination 234.234.234.1

iptables -t nat -A PREROUTING -i $WAN_IFACE -d 123.123.123.2 \
-j DNAT --to-destination 234.234.234.2

iptables -t nat -A PREROUTING -i $WAN_IFACE -d 123.123.123.3 \
-j DNAT --to-destination 234.234.234.3

etc... etc... etc...
So now any packets which hit, for example, 123.123.123.1 (on pc09's WAN side) will be forwarded to 234.234.234.1 on its LAN side, and so forth. Let me know if this isn't what you meant cuz I'm not sure I understood your setup properly.

Last edited by win32sux; 11-29-2008 at 12:49 PM.
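The DNAT layout described in the reply above, carried through to a complete rule set for pc09. This is an added example written by the editor, not code from the thread or from win32sux: it assumes pc09's WAN side is eth0, the DMZ side is eth1, the DMZ servers sit on a private 172.16.2.0/24, and the public addresses from the thread's fake 12.34.56.x block are held as aliases on eth0; the host/port mapping in DMZ_MAP is constructed. What it adds beyond the three PREROUTING lines: a DNAT rule only rewrites the destination, so under a default-DROP FORWARD policy each mapping also needs a matching FORWARD rule (matched on the rewritten private address), and connections the DMZ host opens itself need SNAT back to the public address.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread): pc09 as a DNAT firewall
# in front of DMZ-2, the layout win32sux describes. Assumed placeholders:
# WAN side eth0, DMZ side eth1, DMZ servers on the private 172.16.2.0/24,
# public addresses from the thread's fake 12.34.56.x block held as aliases on eth0.
# Usage:  sh dmz-dnat.sh apply          (as root on pc09)
#         RUN=echo sh dmz-dnat.sh apply (dry run: print the commands only)

RUN=${RUN:-}                 # set to "echo" to print instead of execute
WAN_IFACE=${WAN_IFACE:-eth0}
DMZ_IFACE=${DMZ_IFACE:-eth1}
DMZ_NET=${DMZ_NET:-172.16.2.0/24}

# Constructed mapping: public IP, internal DMZ IP, TCP ports reachable from
# the internet. Only the listed ports are rewritten and allowed through.
DMZ_MAP='12.34.56.125 172.16.2.25 80,443
12.34.56.124 172.16.2.24 25'

apply_dnat_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1

    # filter table: default deny, then allow reply traffic for tracked flows.
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Anti-spoofing: the private DMZ range can never legitimately arrive from the WAN.
    $RUN iptables -A FORWARD -i "$WAN_IFACE" -s "$DMZ_NET" -j DROP
    # Outbound from the DMZ side (this also carries pc02's LAN traffic to the internet).
    $RUN iptables -A FORWARD -i "$DMZ_IFACE" -o "$WAN_IFACE" -j ACCEPT

    printf '%s\n' "$DMZ_MAP" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        # pc09 must own the public address so it answers ARP for it on the WAN.
        $RUN ip addr add "$pub/28" dev "$WAN_IFACE" 2>/dev/null || true
        # nat table: rewrite the destination before the routing decision...
        $RUN iptables -t nat -A PREROUTING -i "$WAN_IFACE" -d "$pub" -p tcp \
            -m multiport --dports "$ports" -j DNAT --to-destination "$priv"
        # ...and open exactly those ports in FORWARD, which sees the rewritten address.
        # Without this line the DNAT rule forwards nothing under a DROP policy.
        $RUN iptables -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -d "$priv" -p tcp \
            -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
        # Connections the DMZ host opens itself leave with its public address.
        # (Replies to DNATed connections are reversed by conntrack automatically.)
        $RUN iptables -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$priv" \
            -j SNAT --to-source "$pub"
    done
    # Rate-limited log of what the default policy discards.
    $RUN iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "pc09 drop: "
}

case "${1:-}" in
    apply) apply_dnat_rules ;;
esac
```

Run it once with RUN=echo and read the printed rules before loading them; the dry run is also the quickest way to see that every public address produces a DNAT, a FORWARD and a SNAT line.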
 
Old 11-30-2008, 08:03 AM   #3
hendrixx
Member
 
Registered: Aug 2003
Location: Netherlands
Distribution: SuSE 10 Pro
Posts: 43

Original Poster
Quote:
Originally Posted by win32sux View Post
Basically you are asking about what rules to run on pc09, right?
Yes indeed.

Quote:
Let me know if this isn't what you meant cuz I'm not sure I understood your setup properly.
Well, almost right, but I do not want to use aliases.
I want to be able to use the real public addresses on the machines in the DMZ, so I can assign a public IP to, for example, a webserver in the DMZ and make it available to the WAN side of pc09.
So any packets which arrive on the WAN side for the IP(s) in the DMZ will travel through the firewall on pc09 and reach the webserver (or other servers) in the DMZ, and vice versa of course.

Hope this makes sense regarding what I want.

Last edited by hendrixx; 11-30-2008 at 08:04 AM.
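The routed variant asked for above, with the DMZ-2 servers keeping their real public addresses and no NAT on pc09. This is an added example by the editor, not code from the thread; eth0 (WAN) and eth1 (DMZ) and the host/port list are assumed placeholders, while the addresses are the thread's fake ones (modem 12.34.56.113, pc09 WAN 12.34.56.114, pc09 DMZ side 12.34.56.126, pc02 at 12.34.56.121, webserver 12.34.56.125/28 with gateway 12.34.56.126). One caveat those numbers force: the webserver, pc09's WAN address and the modem are all inside the single 12.34.56.112/28, which the modem in routing mode treats as directly attached on its LAN port. The modem therefore ARPs for 12.34.56.125 on the WAN segment, so pc09 has to answer that ARP (proxy ARP on eth0) and carry the packet across with a /32 host route; proxy ARP on eth1 likewise lets the DMZ hosts reach .113 and .114 through pc09 even though their /28 mask tells them those addresses are on the same wire. The thread does not say whether the modem can take a static route; if it could route a sub-block to .114, the proxy ARP lines would be unnecessary. The host routes also keep strict reverse-path filtering happy for pc02's traffic arriving on eth1.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread): pc09 as a routing firewall
# for DMZ-2 with the servers keeping their real public addresses, no NAT.
# Addresses are the thread's fake ones: modem 12.34.56.113, pc09 WAN 12.34.56.114,
# pc09 DMZ side 12.34.56.126, pc02 12.34.56.121, webserver 12.34.56.125/28 gw .126.
# Assumed placeholders: WAN side eth0, DMZ side eth1, the host/port list below.
# Usage:  sh dmz-routed.sh apply          (as root on pc09)
#         RUN=echo sh dmz-routed.sh apply (dry run: print the commands only)

RUN=${RUN:-}                 # set to "echo" to print instead of execute
WAN_IFACE=${WAN_IFACE:-eth0}
DMZ_IFACE=${DMZ_IFACE:-eth1}
PUBLIC_BLOCK=12.34.56.112/28
MODEM_ADDR=12.34.56.113
WAN_ADDR=12.34.56.114
DMZ_GW_ADDR=12.34.56.126

# Constructed list: host behind eth1, TCP ports reachable from the internet
# ("-" = nothing published; pc02 only needs to be routed and spoof-guarded).
DMZ_HOSTS='12.34.56.125 80,443
12.34.56.124 25
12.34.56.121 -'

setup_routing() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    # The modem treats the whole /28 as its LAN and ARPs for .125 on the WAN
    # wire; proxy ARP makes pc09 answer for addresses it routes to another
    # interface (Linux never proxies for targets routed back out the same one).
    $RUN sysctl -w "net.ipv4.conf.${WAN_IFACE}.proxy_arp=1"
    $RUN sysctl -w "net.ipv4.conf.${DMZ_IFACE}.proxy_arp=1"
    # WAN keeps the connected /28 toward the modem; the DMZ side gets a /32 so
    # the same /28 is not attached to two interfaces at once.
    $RUN ip addr add "$WAN_ADDR/28" dev "$WAN_IFACE" 2>/dev/null || true
    $RUN ip addr add "$DMZ_GW_ADDR/32" dev "$DMZ_IFACE" 2>/dev/null || true
    $RUN ip route replace default via "$MODEM_ADDR" dev "$WAN_IFACE"
    printf '%s\n' "$DMZ_HOSTS" | while read -r host ports; do
        [ -n "$host" ] || continue
        # A /32 beats the connected /28 on eth0, so the host is reached via eth1;
        # it also satisfies rp_filter for packets that host sends in on eth1.
        $RUN ip route replace "$host/32" dev "$DMZ_IFACE"
    done
}

apply_filter_rules() {
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    printf '%s\n' "$DMZ_HOSTS" | while read -r host ports; do
        [ -n "$host" ] || continue
        # Anti-spoofing: an address that lives behind eth1 must never come in on eth0.
        $RUN iptables -A FORWARD -i "$WAN_IFACE" -s "$host" -j DROP
        [ "$ports" != "-" ] || continue
        # Published services: new connections from the internet to listed ports only.
        $RUN iptables -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -d "$host" -p tcp \
            -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Outbound from the DMZ segment, which also carries pc02's LAN traffic if pc02
    # sends it from 12.34.56.121; unNATed 10.0.0.0/8 sources fall to the DROP policy.
    $RUN iptables -A FORWARD -i "$DMZ_IFACE" -o "$WAN_IFACE" -s "$PUBLIC_BLOCK" -j ACCEPT
    # Rate-limited log of what the default policy discards.
    $RUN iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "pc09 drop: "
}

case "${1:-}" in
    apply) setup_routing; apply_filter_rules ;;
esac
```

After loading, `ip neigh show dev eth0` on pc09 and `arp -a` on the modem (where available) should show the modem resolving 12.34.56.125 to pc09's eth0 MAC; if the modem still ARPs without answer, proxy ARP on eth0 is the first thing to check.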