LinuxQuestions.org
Forum: Linux - Security
#1  jod (LQ Newbie)  07-24-2003, 02:32 AM
Iptables firewall with 4 NICs and nat


Hi,

Well, after searching without any luck, here I am begging you to help me...

I have Debian running with 4 NICs and kernel 2.4.21 (all iptables stuff already compiled into the kernel).
Here are the networks that I have:

eth0 Internal - Private network: 172.16.0.0
eth1 Internal Wireless - Private network: 10.20.0.0
eth2 External - Public /30 network (gateway)
eth3 DMZ - Public /26 network

From the internal eth0 int, I can access eth2 and eth3; eth1 can access eth2 and eth3, and the DMZ (eth3) can only access eth2.

All the rules are already set up, but I have a minor problem with my NAT.
In the DMZ zone, where I have my mail, web, DNS, etc. servers, all these servers have a public IP, and it works fine. But when one of these servers accesses the internet via eth2, the server's own public IP is not shown.
The IP addy that is shown is the IP from eth2. This is not good when a DNS server connects to another DNS and wants to do an AXFR, and the AXFR security is set up on the servers' IPs.

So, how do I get the DMZ servers' IPs to be shown on the internet? Is there a NAT rule that needs to be inserted once or for each IP?

Hope you can help me here...

/ Johnny
 
Old 07-24-2003, 03:50 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
don't enable Masquerading (POSTROUTING) for the IPs on the DMZ.
 
#3  jod (original poster)  07-24-2003, 05:16 AM
Well, I must say:
Give the man a cigar.
It works - thanks man...

Now I just have one more thing.

The internal eth0 172.16.0.0 network connects to the internet via eth2 (gateway) and is shown on the internet with the IP addy of eth2.
Is there a way to make the internal network eth0 shown publicly by an IP from the DMZ (eth3) or the DMZ's (eth3's) IP addy, so it would not use the IP on eth2?

Possible or not?

/ JOD

 
#4  ppuru (Senior Member)  07-24-2003, 11:54 AM
Make one of the DMZ machines the gateway for the eth0 machines, and you will require forwarding, NATting...

With Linux everything is possible.
 
#5  jod (original poster)  07-25-2003, 03:38 PM
Hi,

But what if I want to be shown on the internet by the eth2 IP addy? Or should I add an alias IP to the eth2 interface and use this as the publicly shown IP?

/ JOD
 
#6  ppuru (Senior Member)  07-26-2003, 01:24 PM
Quote (originally posted by jod):
    Is there a way to make the internal network eth0 shown publicly by an IP from the DMZ (eth3) or the DMZ's (eth3's) IP addy, so it would not use the IP on eth2?
    / JOD

Didn't you want the eth3 "addy" to be shown?

 
#7  jod (original poster)  07-26-2003, 02:22 PM
Yep, I want the eth3 addy to be shown.

When I connect to the internet from my internal (eth0) network I currently use the IP of eth2. This IP is the WAN IP, and I don't want to use this.

I would rather use the IP on eth3's interface, which is the DMZ interface. This IP is the default gateway for servers on the DMZ network.

Can I use the eth3 (DMZ) IP addy to be shown on the internet whenever I use the net? If so, how do I do this with masq, POSTROUTING, etc.?

Or is it easier to use an alternative IP addy (not the IP on eth3) from the DMZ network to be shown on the internet whenever I come from the internal network (eth0)?

Hmm, I'm confused...

/ JODA
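The POSTROUTING rule set that ppuru's advice in #2 implies (exempt the DMZ from NAT), extended to the eth3-address question in #7, as an added example that is not code from the thread. The DMZ prefix 203.0.113.64/26 and the eth3 address 203.0.113.65 are constructed, and the two private networks are assumed to be /16s; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# nat-rules.sh: prints the nat-table POSTROUTING rules for the 4-NIC box.
# Review the output, then apply it with:  sh nat-rules.sh | sh
# Constructed values (assumptions, not from the thread): the DMZ /26 is
# 203.0.113.64/26 and eth3 holds 203.0.113.65; the private networks are
# taken as /16 because the thread only gives the network numbers.
INTERNAL_NET=172.16.0.0/16      # eth0
WIRELESS_NET=10.20.0.0/16       # eth1
DMZ_NET=203.0.113.64/26         # eth3, public addresses
DMZ_GW_IP=203.0.113.65          # eth3's own address
WAN_IF=eth2

nat_rules() {
    cat <<EOF
iptables -t nat -F POSTROUTING
# Post #2: DMZ hosts already have public addresses and must leave with
# them unchanged, so they are exempted before any SNAT/MASQUERADE rule.
# ACCEPT in the nat table means "stop here, do no NAT for this connection".
iptables -t nat -A POSTROUTING -s $DMZ_NET -o $WAN_IF -j ACCEPT
# Post #7: the eth0 LAN is shown on the Internet as eth3's address instead
# of the eth2 WAN address. This works only because the upstream routes the
# whole DMZ /26 to this box, so replies to $DMZ_GW_IP arrive on eth2.
# Any other unused address from the /26 could be given to --to-source.
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -o $WAN_IF -j SNAT --to-source $DMZ_GW_IP
# Wireless LAN keeps masquerading behind whatever address eth2 has.
iptables -t nat -A POSTROUTING -s $WIRELESS_NET -o $WAN_IF -j MASQUERADE
EOF
}

# has_rule FRAGMENT: true if the generated rule set contains FRAGMENT verbatim.
has_rule() { nat_rules | grep -Fq -- "$1"; }

# rule_line TARGET: line number of the first rule jumping to TARGET (0 if none).
rule_line() {
    n=$(nat_rules | grep -n -- "-j $1" | head -n1 | cut -d: -f1)
    echo "${n:-0}"
}

nat_rules
```

Rule order matters: the DMZ exemption has to sit above the SNAT and MASQUERADE rules, otherwise DMZ servers are rewritten to eth2's address again, which is exactly the AXFR failure described in #1.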
 
#8  garvald (LQ Newbie)  08-06-2003, 05:14 AM
iptables

I have a similar problem and would be glad if someone could help me. Sorry for posting this as a reply, but you two seem obvious choices for this subject, so here goes:

my box:

eth0: 1.2.3.4
eth1: 192.168.1.1

eth2: 2.3.4.5
eth3: 192.168.2.1

Masq'ing eth1 through eth0 works great; however, no traffic is masq'd from eth3 through eth2. I can ping eth3 boxes from eth2, however no eth3 box gets out. This may have something to do with the default gateway on my box, but I don't know. My Q is, how do I get eth3 + eth2 running the same as eth1 + eth0? Do I somehow need to route eth3 through eth0?
 
  

