/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
|Of Ben Mitchell
|Sent: Friday, June 30, 2000 1:03 PM
|To: [EMAIL PROTECTED]
|Subject: [Masq] MASQ alias support?
|
|
|
|
|Hi folks,
|
|I'm something of a novice to this whole network administration bit, and I'm
|trying to set up a reasonably complicated (for me anyway) network at home.
|
|Here's what I (think I) want to do. (Suggestions for totally divergent
|strategies now being accepted).
|
|I've got a linux machine (RH 6.1 w/ appropriate security patches) with 3
|NICs in it.
|ETH0 is the outside world
|ETH1 is my internal network of PCs, linux machines, and Macs
|ETH2 is my DMZ, where I'm putting an SMTP/HTTP/POP/FTP/SSH/telnet server
|that's going to host 2 domains.
|
|The idea is that ETH1 will be 10.10.10.1, ETH2 will be 10.10.20.1, and the
|do-it-all server in the DMZ will be 10.10.20.2. Traffic destined for the
|server in the DMZ will reach it via port forwarding of packets apparently
|destined for the external interface ETH0.
A little weird: you are not really gaining anything by putting the server on
the third subnet...
|The problem I envision I'll run into with this strategy is that if I just
|forward inbound packets to ETH0 on (say) port 80 to the 10.10.20.2 server,
|then all return packets for HTTP connections from machines on the
|10.10.10.0 network will get redirected off to the wrong location
|(10.10.20.2). (Please clarify if I've misconceived this problem - like I
|said, I'm still really new at this.)
|
Eh, you don't need port forwarding or masq for your two subnets.
You can merely route packets between the two subnets.
Remember that OUTBOUND and INBOUND packets get masq'd from the linux box,
but routed packets do not have to be. You port forward packets to the
server, but you do NOT masq its packets.
Then you turn on routing (which must be "on" for Masq anyway) and set up a
path between the two subnets.
Packets going between the two never appear on the internet.
Furthermore, the thing you do sorta gain is that the server is accessible
from all of your internal machines directly. However, you could merely place
the server on the same subnet as your other machines and just port forward
to it anyway...
|So what I think I need to do is alias ETH0.
|ETH0:0 would be the normal firewall address
|ETH0:1 would be the virtual address for the server in the DMZ
|
Why? You just said you were going to port forward requests?
|Then, all inbound traffic apparently to ETH0:1 (on an accepted list of
|ports) would be forwarded to the same port on 10.10.20.2, but all traffic
|apparently to ETH0:0 would be deMASQed back to the correct machine on the
|10.10.10.0 network.
|
I think you have port forwarding and masq'ing confused. They are not the
same thing.
Inbound packets to your protected lan do not have to be forwarded. Rather
they get masq'd.
The only packets which might have to be forwarded would be those to the
server...
... assuming the server will use private IPs as you indicated.
|The question I have is how to set up MASQing so that traffic from the
|10.10.10.0 network appears to come from ETH0:0, and traffic from the
|10.10.20.0 network appears to come from ETH0:1?
|
You mean traffic from eth1 appears to come from eth0. This is a standard
Masq setup.
Traffic "into" eth2 gets port forwarded via Masq.
Traffic into and out from eth1 to eth2 gets routed, not masq'd.
Since both subnets use reserved IPs and you turn off routing of those IPs
(a MUST) to the internet... nothing from those two subnets "leaks" out to the
world.
|But like I said, if there's a better, and more accepted way of doing this,
|by all means let me know.
|
-JMS
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
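The layout JMS describes (LAN and DMZ routed to each other, only eth0 traffic masqueraded, a single port forward to the server, private ranges blocked on eth0), written out as an ipchains/ipmasqadm rule set of the kind a 2.2-kernel box such as RH 6.1 would use. This is an added example, not from the thread or the HOWTO; EXT_IP is a placeholder for the real public address, and the interface names and subnets are the ones from the original post.

```shell
#!/bin/sh
# Rule set for the three-NIC masq box from the thread (ipchains era).
# EXT_IP is a placeholder; the subnets and interfaces are from the post.
EXT_IP="${EXT_IP:-192.0.2.1}"   # placeholder for the real public IP on eth0
LAN=10.10.10.0/24                # eth1, internal PCs/linux/Macs
DMZ=10.10.20.0/24                # eth2, the DMZ
SERVER=10.10.20.2                # the do-it-all server in the DMZ

# Emit the rules as shell commands, one per line, so they can be reviewed
# before being applied.
masq_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -F forward
ipchains -P forward DENY
# LAN <-> DMZ is plain routing. These ACCEPTs sit before any MASQ rule, so
# a LAN box's HTTP connection to the server never enters the masq table and
# its replies cannot be confused with forwarded ones.
ipchains -A forward -s $LAN -d $DMZ -j ACCEPT
ipchains -A forward -s $DMZ -d $LAN -j ACCEPT
# Only packets leaving through eth0 are masqueraded. Their replies are
# de-masqueraded from the masq table, not from the port-forward entry.
ipchains -A forward -s $LAN -i eth0 -j MASQ
ipchains -A forward -s $DMZ -i eth0 -j MASQ
# Private addresses must never arrive on or leave eth0 (the "MUST" above).
ipchains -A input -i eth0 -s 10.0.0.0/8 -j DENY -l
ipchains -A output -i eth0 -d 10.0.0.0/8 -j DENY -l
# Inbound port 80 on the public address is forwarded to the server.
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $EXT_IP 80 -R $SERVER 80
EOF
}

# Default is a dry run that prints the commands. APPLY=1 pipes them into sh,
# which needs root and a kernel built with ipchains masquerading.
if [ "${APPLY:-0}" = 1 ]; then masq_rules | sh; else masq_rules; fi
```

Run it once without APPLY to read the rules, then with APPLY=1 on the masq box; `ipchains -L -n` and `ipmasqadm portfw -l` show what was loaded.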