Hello everybody,
Please tell me if my approach for the following situation is correct. I want to have everything clear in my mind before starting to configure my linux box.

I have a dual NIC linux box witch will perform the following functions :a)NAT b)firewall c)http, ftp, dns etc server
I want my servers to be accessible both from the inside and from the outside.

I'll configure the servers to listen on my private IP. For the hosts which want to access them from the outside I'll configure DNAT (ex: connections to 195.x.x.x:80 will be translated to 10.x.x.x:80).

Is this approach good? Is there any other solution?


Thanks,
ddaas

Looks Ok to me.

you don't wanna do DNAT for daemons running on the gateway machine itself...

just set your daemons to listen on both interfaces, and create appropriate rules in the INPUT chain...

Thanks a lot !
Could you tell me why is your solution better than the one I was thinking about?
Is it just the router does't have to do DNAT or is something else, too?

Thanks,
ddaas

DNAT: Destination Network Address Translation

you use this when you need to change the destination address on a packet...

for example, if you want all tcp packets that hit the router on port 80 to be forwarded to a web server on you LAN, you'd use DNAT to change the destination address on the packets to the address of the web server on your LAN...

if the web server is running on the router itself, then you don't need to do any translation at all, because the destination address on the packets will already be the right one...

I understood.
Thanks a lot.

ddaas

A better setup would be to run the daemons (http,ftp,etc) on a seperate machine, rather than on the firewall itself. Then just forward packets from the firewall system to the server either in the LAN or ideally in a DMZ. Running them on the firewall itself can be dangerous (ie an Apache exploit could potentially compromise your entire LAN).

I have 2 agree with Capt. Caveman.