Here is what I am trying to accomplish conceptually. I have two ip addresses to correspond to two dns servers on my home office adsl like in the diagram below. I currently have one nic configured for these two ip addresses (eth0 and eth0:0). I can ping both of these public ip addresses from the internal network.

I have several questions. I would appreciate any references to how-to's.

1. Do I need a bridge?
2. Can my linux box act as a bridge and what would the firewall rules look like?

ADSL   ---------  Linux  ---------  DMZ segment
Modem             Server                 PUBLIC IPs (66.77.88.xx and 66.77.88.yy)
                                 |
                                +-------------  Internal net
                                                     private IPs

is something broke?
(nevermind just read that you said conceptually)

what would you need a firewal for in that kind of setup?

I think it would be more accurate to call the Linux box a router in this case, but yes, your Linux box can facilitate communication between all three networks.

You'll first need to make sure that ip forwarding is on on your system. You can do this by executing:

echo 1 > /proc/sys/net/ipv4/ip_forward

This should cause your kernel to start relaying packets that arrive on one interface and are destined for a network attached to another interface. The default is for this behavior to be off. Be warned that this change will not survive a reboot. To make the change persistent, you will have to either put the above command in rc.local or on most distributions you should have a /etc/sysctl.conf file. The preferred method would be to add

net.ipv4.ip_forward = 1

to that file.

After doing this your DMZ network should be able to communicate with the rest of the world. But your internal network has private, nonroutable IPs so you will have to do some NAT (network address translation). The iptables command you want would be something like:

iptables -t nat -A POSTROUTING -s <internal net/mask> -o <ADSL interface> -j MASQUERADE

This will cause all packets that are from your internal net and destined for the internet to have their source IPs swapped for the Linux box's public IP. Incoming replies to those packets then have their destination IPs swapped for the appropriate internal IP and are forwarded to the original sender.

Hope this helps!

--Brad

I had a bridge setup for a while and it works great.

I would probably use a bridge for the DMZ and masquerade the private LAN.

See the Bridge HOWTO or search the forums for some examples. I posted one quite a while back.

Dave: you have some great posts on this subject. I'm not sure how I missed them with the search "two public IP address eth0". The second URL has a great discussion of the interworkings of ARP and TCP/IP protocol.

Anyway, i've collected some of them here for future reference.

http://www.linuxquestions.org/questi...ghlight=bridge

http://www.linuxquestions.org/questi...ghlight=bridge

I do have a couple of questions referencing my network layout.

1. Could I simplify things by making the "linux server" one of my DNS servers, giving it one of the two public IP addresses? That way, my wife won't complain about me running yet another PC.

2. Does it matter if the private network is attached via a hub, switch, or a router. I'm currently using a wireless router with with a 4-Port Switch (that also handles my wife's need to have a wireless connection; i've had so many bad experiences with wireless that I was amazed that the netgear Netgear WGR614 works like a charm.) In one of your postings, you kept emphasizing that the questioner was using a hub and i'm not sure of the difference between a hub and a switch in this context.

3. Is there a good text book for issues like this?

The Linux server will handle all of the services without a problem. DNS is not going to cause any problem.


It should not matter how it is connected. However it may of course depend on the settings of the switch or router. I use a seperate interface for my wireless. Mainly due to the firewall setup. I am using openvpn over the wireless so only port 5000 is open.


I have not seen any books on this specific issue.

David: I am finally getting back to this long-delayed project. I have tried to make a script based on your posts that will allow a single network card to route two public IP addresses to two SOHO Apache/DNS/Mail Servers and masquerade PC's on a private SOHO network described above. I'm not a programmer so this probably needs extensive revision. Could you take a look at it?

#!/bin/sh
# A script called /etc/rc.d/rc.br0 to allow a single network card to route
# two public IP addresses to a pair of SOHO Apache/DNS/Mail servers
# based on a post by David Phillips at
# http://www.linuxquestions.org/questi...threadid=38890
#
# BEFORE RUNNING THIS SCRIPT, TAKE THE FOLLOWING FOUR STEPS
#
# STEP ONE: Back up network boot scripts and create replacements as follows:
# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0
.bak
#
# STEP TWO: Create new files for the interfaces and make the srcipt run at boot:
#
# echo DEVICE=eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0
# echo onBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-eth0
# echo DEVICE=eth0:0 > /etc/sysconfig/network-scripts/ifcfg-eth0:0
# echo onBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-eth0:0
# echo DEVICE=br0 > /etc/sysconfig/network-scripts/ifcfg-br0
# echo onBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-br0
# echo "/etc/rc.d/rc.br0" >> /etc/rc.d/rc.local
#
# STEP THREE: Make this script executable, chmod 755 /etc/rc.d/rc.br0
#
# STEP FOUR: Take down the interface before running the script, ifconfig eth0 down
#
# Now the script starts:

echo "#!/bin/sh" > /etc/rc.d/rc.br0
echo "brctl addbr br0" >> /etc/rc.d/rc.br0
echo "brctl addif br0 eth0" >> /etc/rc.d/rc.br0
echo "brctl addif br0 eth0:0" >> /etc/rc.d/rc.br0

echo "ip link set br0 up" >> /etc/rc.d/rc.br0
echo "ip link set eth0 up" >> /etc/rc.d/rc.br0
echo "ip link set eth0:0 up" >> /etc/rc.d/rc.br0

echo "Starting up Interface br0" >> /etc/rc.d/rc.br0
echo "This will take 60 seconds" >> /etc/rc.d/rc.br0

# Now you have THREE OPTIONS.
# OPTION #1:
# Use this if there is dhcp on the network.
#
# echo "dhcpcd br0" >> /etc/rc.d/rc.br0
#
# OPTION #2:
# Use this if the network uses manually assigned ip
# addresses and routing where xxx=the ip of choice and yyy=the
# default gateway. Note: you will need nameservers in /etc/resolv.conf
# for dns to work on this machine.
#
echo "ifconfig br0 xxx.xxx.xxx.xxx" >> /etc/rc.d/rc.br0
echo "route add default gw yyy.yyy.yyy.yyy" >> /etc/rc.d/rc.br0
#
# OPTION #3:
# Don't set an ip, the computer will not have an ip and will be invisible.
#
# Now we are ready to run the script to setup the bridge. You can just
# issue the command, /etc/rc.d/rc.br0 &

You can use iptables I have posted an example at the following thread

http://www.linuxquestions.org/questi...hreadid=215175

Is there a reference in your script to eth0:0? I don't understand how the script routes the second IP address. Can you explain that?

Change your script into something like this

NAT_DNS_IP_1="66.77.88.xx"
DMZ_DNS_IP_1="192.168.31.xx"
NAT_DNS_IP_2="66.77.88.yy"
DMZ_DNS_IP_2="192.168.31.yy"


$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_DNS_IP_1 --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP_1
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $NAT_DNS_IP_1 --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP_1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_DNS_IP_2 --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP_2
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $NAT_DNS_IP_2 --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP_2

Dont forget the following

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP_1 \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP _1\
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP _1\
-j icmp_packets
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP _2\
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP _2\
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP _2\
-j icmp_packets

I am currently reading the book "Firewalls and Internet Security: Repelling the Wily Hacker"
You might want to pick it up, or read the first edition online at http://www.wilyhacker.com/1e . I don't have it at hand, but as I remember the recommended configuration is for one DNS outside the gateway which knows nothing about the computers inside, and one DNS inside the gateway ( local ) which knows nothing about outside computers.

i got this set up to work using shorewall.net firewall using the install instructions for a firewall with more than one public IP address as modified by the IP aliasing how-to at that same site. Shorewall basically configures standard iptables using a text file interface. Until I learn how to edit iptables directly, i will stick with the product.

Unfortunately for me, the shorewall how-to assumed at least 3 public IP addresses (one to spare for the firewall) so that the DMZ can be handled through proxy arp. I only had two IP's and had to use a more crude approach, essentially using DNAT for all external inquires for my DMZ servers and SNAT for outgoing traffic with the local network's outgoing traffic sharing the IP of my secondary server.

A further complication arises where all of my external http / dns / mail services are available on the internet but not internally. For the local machines to access the web, it will require a DNS split view on the DMZ servers or adding a third DNS server for local network PC's on the firewall to handle traffic from the local pc's. Since that seems like a separate issue, I will post a separate thread.