Howto setup iptables firewall and DMZ with multiple public IP's ?

hendrixx · 11-27-2008, 02:54 PM

Hi,

We have a new Bussiness DSL line with 16 public addresses.
What we want is to setup a DMZ to run some services and internet to the LAN. Here's a schematic of what we want:

Code:

      Backup Internet           Main Internet
        connection                connection
            |                         |
            |                         |      
        SDSL Modem                BDSL Modem
            |                         |
            |                         |
         Firewall                  Firewall
     (linux router pc)         (linux router pc)
            |                         |
   DMZ-1----|                         |----DMZ-2
            |_________________________|
                          |
                          |
                    Main Firewall
                  (linux router pc)
                          |
                         LAN

Our backup internet connection is working perfectly.
The backup connection has a modem in bridge mode and our mail server wich is placed in the DMZ-1 with 16 IP's and is working perfectly.
The Main Firewall pc is working as a router/firewall and has a default route to the main internet connection for internet traffic. Email is routed to the SDSL modem.
However we have recently switched from provider for our Main internet connection and the modem can not work in bridge mode.
So it is now working in routering mode. One IP for the modem, the rest of the public IP's on the LAN side of the modem.
(one for the firewall and the rest for DMZ-2).
I have managed to get the internet connection working to the LAN. But i can not get the webserver working in the DMZ-2.

Here's another schematic with IP's (i have used fake ip's):

Code:

  ^       Backup Internet                       Main Internet
  |              |                                   |
  I              |                                   |
  n              |                                   |
  t              |                                   |
  e      .--------------.                     .-------------.
  r      |  SDSL modem  |                     | BDSL modem  | 
  n      `--------------'                     `-------------'
  e              |  (bridged)                        |  12.34.56.113
  t              |                                   |
  |              | 11.22.36.81          12.34.56.114 |
  v        .-----------.                       .-----------.
 ~~~~~~~~~ |   pc01    | ~~Perimter firewall~~ |   pc09    | ~~~~~~~~
  ^        `-----------'                       `-----------'
  |               \ 11.33.116.206      12.34.56.126 /
  |                \                               /
  |            _____\___________       ___________/_____
  D           /      DMZ 1      \     /      DMZ 2      \
  M          ( 11.33.116.192/28  )   (  12.34.56.120/28  )
  Z           \_________________/     \_________________/
  |                          \           /
  |                           \         /
  |              11.33.116.193 \       / 12.34.56.121
  v                          .-----------.
 ~~~~~~"Main" firewall~~~~~  |   pc02    | ~~~~~~~~~~~~~~~~~~~~~~~~~~
  ^                          `-----------'
  |                                | 10.24.8.254
  L                                |
  A                         _______|_______
  N                        / Local network \
  |                       (    10.0.0.0/8   )
  v                        \_______________/

The webserver has the following settings:
IP: 12.34.56.125
subnet: 255.255.255.240
gateway: 12.34.56.126

What IPTABLES rules do i need to setup to "see" all IP's in the DMZ-2 from the internet?

win32sux · 11-29-2008, 12:46 PM

Basically you are asking about what rules to run on pc09, right? If so, you could assign the public IPs as aliases to the WAN side of pc09 and forward them to the respective servers on the DMZ. This would be done with something like:

Code:

iptables -t nat -A PREROUTING -i $WAN_IFACE -d 123.123.123.1 \
-j DNAT --to-destination 234.234.234.1

iptables -t nat -A PREROUTING -i $WAN_IFACE -d 123.123.123.2 \
-j DNAT --to-destination 234.234.234.2

iptables -t nat -A PREROUTING -i $WAN_IFACE -d 123.123.123.3 \
-j DNAT --to-destination 234.234.234.3

etc... etc... etc...

So now any packets which hit, for example, 123.123.123.1 (on pc09's WAN side) will be forwarded to 234.234.234.1 on its LAN side, and so forth. Let me know if this isn't what you meant cuz I'm not sure I understood your setup properly.

hendrixx · 11-30-2008, 08:03 AM

Quote:

Originally Posted by win32sux

Basically you are asking about what rules to run on pc09, right?

Yes indeed.

Quote:

Let me know if this isn't what you meant cuz I'm not sure I understood your setup properly.

Well almost right, but i do not want to use aliases.
I want to be able to use the real public addresses on the machines in the DMZ. So i can assign a public IP to for example a webserver in the DMZ and make it available to the WAN side of the pc09.
So that any packets wich arrive on the WAN side for the IP(s) in the DMZ will travel through the firewall on the pc09 and will reach the webserver (or other servers) in the DMZ and vice versa of course.

Hope this make any sense to what i want.