LinuxQuestions.org


Sarcha 02-27-2003 12:12 PM

Static Ip's and Routing
 
I have just recently gotten into managing some Linux servers and have a question about one of the setups I've run into. Right now at one site they have a static DSL PPPoE connection which one of the servers is set up to connect to. However, they have a block of 4 static IPs, none of which are being used right now. I phoned the internet company to find out about the configuration and they said that those 4 static IPs have to be routed using a router through the static DSL connection. What I was wondering about was what is the benefit of having these static IPs, and what would I have to do to go about setting up a router to route the 4 IPs to the DSL IP?

baldy3105 02-27-2003 12:29 PM

A block of 4 addresses? That's an interesting concept. IP address blocks come in powers of two, i.e. 2, 4, 8, 16, 32, but you always lose two: the lowest address is always the generic network address and the highest is always the broadcast address. So if you have a block, the number of free addresses should be 2, 6, 14, etc.

If you have a 4 block, then you have 2 useable hosts; these blocks are normally assigned to statically addressed serial links.

You may have 4 free from a larger block; however, if they are in the same subnet as the link you will have problems using them with a router. What address range do you have, including subnet mask, and what are the assigned addresses of your PPP link?

That will tell you how free you are to play with the addresses you have.

If they are free and they are part of a real assigned internet subnet, then you can set the host that is handling the PPP connection to route to the subnet on another NIC.

Pete

Sarcha 02-27-2003 12:41 PM

The four IPs would be something like 210.240.231.x. The IP for the DSL PPP connection: inet 210.240.232.x p-t-p 10.10.1.10 subnet 255.255.255.255

What I want to eventually do is have at least two servers up with static IPs so that I can set up DNS and NIS.

baldy3105 02-28-2003 04:14 AM

OK,

as I'm sure you know, 10.x.x.x is reserved address space, so this is what you are using internally? A mask of 255.255.255.255 is a host-specific network mask which you would only see on an ISP-assigned WAN link; don't use it anywhere else. I'm guessing that the 213.240.231.x group is probably on a 255.255.255.240 or 248 subnet.

What you are probably looking for is something like this -

NAT
|
V
) --------------- |
ISP)-----DSL-------| FIREWALL |----------| Clean side 10.x.x.x net
) --------------- |
Dirty side |
| DMZ 172.16.1.x 255.255.255.0
____|_____
| |
---- ----
| S| | S |
---- ----

Running NAT on your firewall makes these servers appear to the outside world as members of your 213.240.231.x subnet.

You don't say how you are subnetting your 10. range, but it's not really relevant to the dirty side and DMZ. This is a pretty standard firewall setup; it should be running NAT to the outside using one of your 210.240.231.x addresses. Two others should be used to map from the Dirty side to the DMZ, so that the servers can be seen externally. I personally would drop the DMZ into another reserved range, probably a 172.168.x.x network, then NAT in from the Dirty side using the two real addresses. This is a good way of doing things, as it allows external access through the firewall but keeps the external traffic away from your internal network.

Another method (if servers are in short supply) would be this -

NAT
|
V ____ |
) -------- |--------|Svr2 |------|
ISP)-----DSL-------| Svr1 |--- ----| ------- |
) -------- |

Dirty DMZ Clean


I would still use NAT on the 1st server plus some IP rules to only allow in stuff to the two servers, and I would put even stricter IP rules on the second server to prevent any incoming access.

This should have a similar effect. These are really the very minimum forms of network security; how far you go really depends on how hard someone is going to try to get your data.

baldy3105 02-28-2003 04:17 AM

Sod it, why didn't that come out? All the spacings have been stripped out of my post. :(

baldy3105 02-28-2003 08:19 AM

Let's try that again -

Code:

                  NAT
                   |
                   V
   )               ------------          |
ISP)-----DSL-------| FIREWALL |----------| Clean side 10.x.x.x net
   )               ------------          |
     Dirty side          |
                         | DMZ 172.16.1.x 255.255.255.0
                     ____|____
                     |       |
                    ---     ---
                   | S |   | S |
                    ---     ---


Another method (if servers are in short supply) would be this -

                  NAT
                   |
                   V                        --------      |
   )               --------        |--------| Svr2 |------|
ISP)-----DSL-------| Svr1 |--- ----|        --------      |
   )               --------        |

      Dirty                      DMZ                  Clean

Is that any better?
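
The first layout above (one firewall with dirty, DMZ and clean legs), written out as an iptables ruleset. This is an added example, not part of the original posts. The interface names, the DMZ host addresses, the choice of DNS as the only exposed service, and the 203.0.113.x addresses (documentation placeholders standing in for the ISP-routed public block) are all assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for the three-leg layout.
# Every value here is an assumption; 203.0.113.x is a documentation
# placeholder for the public block the ISP routes over the DSL link.
WAN_IF=ppp0; DMZ_IF=eth1; LAN_IF=eth2
PUB_NAT=203.0.113.1                 # public address shared by the clean side
LAN_NET=10.0.0.0/8; DMZ_NET=172.16.1.0/24
# public-address:DMZ-address pairs for the two servers
SERVERS="203.0.113.2:172.16.1.10 203.0.113.3:172.16.1.11"

build_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for pair in $SERVERS; do
        pub=${pair%%:*}; dmz=${pair##*:}
        # 1:1 mapping: inbound to the public address goes to the DMZ host,
        # and that host's outbound traffic leaves with the same address
        echo "-A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $dmz"
        echo "-A POSTROUTING -o $WAN_IF -s $dmz -j SNAT --to-source $pub"
    done
    # everything from the clean side shares one public address
    echo "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUB_NAT"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for pair in $SERVERS; do
        dmz=${pair##*:}
        # only DNS reaches the DMZ servers from outside; after DNAT the
        # destination seen by FORWARD is already the DMZ address
        echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $dmz -p udp --dport 53 -j ACCEPT"
        echo "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $dmz -p tcp --dport 53 -m state --state NEW -j ACCEPT"
    done
    # the clean side may open connections anywhere, the DMZ only towards
    # the internet; no rule lets a new connection into the clean side
    echo "-A FORWARD -i $LAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    echo "-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -m state --state NEW -j ACCEPT"
    echo "COMMIT"
}

build_rules    # pipe into "iptables-restore --test" to syntax-check first
```

Because FORWARD defaults to DROP and no rule names the clean interface as an output, a compromised DMZ server cannot start a connection into the 10.x.x.x network.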


All times are GMT -5.