Thanks very much for your help Charles. It doesn't really make any difference to me if I use port forwarding or a virtual DMZ... I just want it to work! :-) Obviously I'd like the most secure and best performance option available (in that order).
I haven't been able to find a whole lot of documentation on the implementation of the NAT 'virtual interface'. Is this the correct way to set this up?

############################################################################
# NAT 'virtual' interface (optional: required only for static-NAT DMZ systems)
############################################################################
# Configured as an interface to allow flexible handling of bringing the
# routing rules up/down in conjunction with the physical interfaces
# interface spec is an indexed list of IP address pairs and a base priority
# number for ip rule creation
nat0_BASE_PRI=100    # Unique base value for ip rules
# Indexed list: <public IP> <private DMZ IP>
nat0_PAIR0="206.127.77.50 192.168.10.50"
nat0_PAIR1="206.127.77.51 192.168.10.70"
nat0_PAIR2="206.127.77.52 192.168.10.52"
nat0_PAIR3="206.127.77.53 192.168.10.53"
nat0_PAIR4="206.127.77.54 192.168.10.101"
nat0_PAIR5="206.127.77.55 192.168.10.55"
nat0_PAIR6="206.127.77.56 192.168.10.71"

If I do it this way, do I then set up the DMZ below in the script? Even though it's called a virtual interface, I still have to use a real ethernet adapter, right?

One other thought that I had: Install another NIC with the secondary IP's, set my DMZ_SWITCH=YES and configure my internal interfaces to use BOTH 192.168.10.x AND 206.127.77.x. Or should I set the switch to NAT and do port forwarding?

I've read the "Instructions for configuring network.conf" that you wrote (thanks for that). Is there anywhere else I can find additional documentation on the DMZ stuff?

Thanks,
Ken

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charles Steinkuehler
> Sent: Thursday, March 13, 2003 10:46 AM
> To: Ken Marshall
> Cc: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Adding Extra Static IP's on External Interface
>
> <snip old message>
>
> OK, so you want port-forwarding on the router, rather than any sort of
> DMZ setup.
>
> You can probably get this to work, but the configuration details may
> require some experimentation.
>
> I know Dachstein can run with multiple networks on the same interface,
> as I have done that several times. I don't think you actually have two
> networks on your upstream link, but instead have one network with a
> block of IP's routed to you. This has the potential to confuse the
> equipment upstream if you assign the extra IP's directly to the external
> interface.
>
> The "normal" way to do this would be to assign public IP's to the
> desired desktop systems, but this is not necessarily ideal from either a
> network topology (I'm assuming you have additional machines you do *NOT*
> wish to connect to, and limited IP space), or a security standpoint.
>
> You're probably going to have to dig around some with tcpdump to make
> sure whatever you configure is working properly, but the "cleanest"
> quick solution I can think of is to create a "virtual" DMZ. If you
> assign your extra public IP's to a third interface, the upstream
> equipment will not be confused, your internal boxes will not have public
> IP's, and you should be able to set up port-forwarding from the public
> IP's to your internal systems.
>
> You could probably also get everything to work with the IP's assigned to
> the external interface, but you'll likely have to do some sniffing to
> figure out how to configure everything, and make sure nothing strange is
> happening behind the scenes (like ICMP redirect messages being sent to
> the upstream host).
>
> As previously mentioned, there are some tricks the 2.4 series kernels
> can play with iptables that are not possible with the 2.2 series. I
> think you can probably make this go with 2.2 if you want, but there
> might be an easier solution with 2.4/iptables (bering).
> I don't know enough about the changes for 2.4 to say for sure, however,
> and it probably depends a lot on exactly how the current traffic is
> showing up at your router, and why simply adding extra IP addresses
> didn't work.
>
> Grab a tcpdump package (typically requires libpcap as well), and take a
> look at your traffic...
>
> --
> Charles Steinkuehler
> [EMAIL PROTECTED]
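Added example, not part of this thread and not Dachstein's or Bering's own scripts: a small POSIX shell script that expands an indexed nat0_PAIRn list in the same format as the network.conf snippet above into the iptables commands a 2.4/iptables router would need for 1:1 static NAT to DMZ hosts on a third interface (the "virtual DMZ" Charles describes). The interface names eth0/eth2, the iptables translation itself and the sample pair list are assumptions; the script prints the commands rather than executing them, so they can be reviewed against a tcpdump of the real traffic first.

```shell
#!/bin/sh
# Added example (not Dachstein's own code): expand an indexed nat0_PAIRn list
# into the 1:1 static-NAT commands a 2.4/iptables router would need.
# Assumptions: the extra public IPs are routed to the router and arrive on
# EXT_IF; the DMZ hosts sit on a third interface DMZ_IF. Both names are made
# up. Commands are printed, not executed, so they can be reviewed first.

EXT_IF=eth0   # assumed external interface
DMZ_IF=eth2   # assumed "virtual DMZ" interface

# Constructed sample list, same format as the network.conf snippet in the thread.
# nat0_BASE_PRI is the ip rule base priority the original format carries; this
# pure-iptables translation does not need it.
nat0_BASE_PRI=100
nat0_PAIR0="206.127.77.50 192.168.10.50"
nat0_PAIR1="206.127.77.51 192.168.10.70"
nat0_PAIR2="206.127.77.52 192.168.10.52"

# Print the "<public> <private>" pair for index $1 (empty when undefined)
nat_pair() {
    eval "printf '%s\n' \"\$nat0_PAIR$1\""
}

# Reject anything that is not exactly two dotted quads
valid_pair() {
    set -- $1
    [ $# -eq 2 ] || return 1
    for ip in "$1" "$2"; do
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    done
}

# Emit the rules for one pair: $1=public IP, $2=private DMZ IP
nat_rules_for_pair() {
    pub=$1; priv=$2
    # Inbound: rewrite the public address to the DMZ host before routing
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: the DMZ host leaves with its own public address, not the router's
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
    # Forwarding: replies only from outside; add explicit per-service ACCEPT
    # rules (--dport) for whatever must actually be reachable on each host
    echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $priv -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $priv -j ACCEPT"
}

# Walk the list from index 0 until the first undefined entry; fail on a
# malformed entry instead of silently skipping it
gen_static_nat_rules() {
    i=0
    while :; do
        pair=$(nat_pair "$i")
        [ -n "$pair" ] || break
        valid_pair "$pair" || { echo "nat0_PAIR$i is malformed: '$pair'" >&2; return 1; }
        nat_rules_for_pair $pair
        i=$((i + 1))
    done
}

# Usage: sh static_nat.sh --print   (or source the file and call gen_static_nat_rules)
if [ "${1:-}" = "--print" ]; then
    gen_static_nat_rules
fi
```

The FORWARD rules deliberately admit only return traffic from the outside; each service that a DMZ host really must expose gets its own explicit ACCEPT, which keeps the public IP from becoming a wide-open mapping to the internal box.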
