I have 3 machines that have public IPs that I want to stick behind a firewall:

209.208.89.51
209.208.89.52
209.208.89.53

My firewall (RH 9 box) has 2 interfaces:

eth0 = 209.208.89.50
eth1 = ?

I've got the linux machine up and I'm able to surf the web. My question is how do I send the 3 above IPs through to their designated servers. I won't be doing any nat or masquerading because they will have real IPs. But I want to force their connections through the firewall (to filter).

What I've done is plugged the 3 machines (all with their designated IPs above) and eth1 into a switch.

1) What IP do I assign to eth1?


2) What IP tables command(s) will forward the connections through the firewall? I have already: echo 1 > /proc/sys/net/ipv4/ip_forward


3) What should my routing table look like?




Thanks for the help!

I would nat them. put them on the local network and have your firewall route the info you want to the specific computer. EX eth0 has several public IPs. if something comes in looking for 209.208.89.51 then nat it to 10.1.1.2. f something comes in looking for 209.208.89.52 then nat it to 10.1.1.3. And so on. You will have to do some configurations to all the PCs and use port forwarding on the firewall.
I know that's not what you wanted, but it is more secure in my opinion to do it that way. Plus you will only have one set of rules to handle.

if I were you I would do something like this

internet
|
rh firewall (eth 0 - 209.208.89.51 209.208.89.52 209.208.89.53) (eth1 - 10.1.1.1)
|
|
|
switch - goes to 3 servers or pcs or whatever
| | | (that's supposed to be 3 lines to 3 computers)
computer 1 - 10.1.1.2
computer 2 - 10.1.1.3
computer 3 - 10.1.1.4


And again, your rh firwall is reponsible for ipforwarding. You will have to write specific commands to forward the ports/IPs to the specific computers.

Thanks for the advice. NATing (like you said) was the alternative.

I still would like to know how the scenario I described would be done, regardless of whether I use it or NAT. It's bugging me that it didn't work!!

I'm confused on what I would set eth1's IP to.

Thanks again.

I don't really think it is possible with the 1st scenario. But then again it could be. I think you would have to assign a realworld IP address that you don't own to your eth1, and assign all 4 addresses to eth0 and forward everything that is appropriate but that is bad practice. We had some ass-clown create a network where I work w/ real IP addresses (we have a 10. network and also a 163.34.44. network) and now we have to set it up within our whole network to where we can never access those realworld IPs. It hasn't caused us anytrouble, yet. But if a business partner had those IPs we would have a hell of time communicating with them.

But like I said before. Using the RFC-compliant internal address and using NAT or something similar is the suggestion.

Also the way that I gave you the first time is much more flexible and scalable.

Holy..!..!!! what the?!!?!?

That is BAD. Never assign an IP you don't own to any of your devices. That is breaking a cardinal rule of the Internet. RFC1918 addresses exists specifically so that is never to happen.

What the original poster could do is bridge the two NICs so neither one has an IP, then put all your public IP boxes on a switch behind. Since the NICs are bridge, the traffic passes right through to the appropriate box on the inside. You can still put filtering rules on the firewall, but neither NIC has an IP.

So far as I know, the above is the only way to do it without NAT or advertising routes. If your ISP let you, you could configure the Linux box as a router and advertise your public IPs to your ISP letting them know they're reachable via your external firewall IP, then just put static routes for them on your firewall

Actually, come to think of it you can probably setup proxy-arp on your outside firewall interface to make your public IPs be announced on the outside interface when some host sends an ARP request for them. I'm not sure what IP you would give your internal interface, though. Read up on how to proxy arp.

Yeah, in my post I forgot to mention that using ips you don't own is very wrong. Sorry.
I wish we knew who did it to our network so we could ask them what the hell their problem was. And unfortunately it is too late to make any changes because it is a hospital and most of the equipment is specialized radiaology equipment and we can't just make changes ourselve. It would take the full collaboration of about 7 companies to help us change that problem in as little time as possible. I don't see it happening.

NAT, Routing, and IPtables is what you want. Here is a good how to:

http://eressea.pikus.net/~pikus/plug...all/page0.html