Assign IP's to Internal network with Linux firewall.

Post by Kevin Truon » Sat, 27 Jan 2001 09:25:21



Can this be done?  I have 3 public static IP addresses. Here's the setup.
I am running a Linux firewall which uses one of the IP addresses to provide
internet access to machines on the internal network.  I am also running a
web server and mail server, which will take up the remaining 2 IP
addresses.  The web and mail machines are inside the firewall and one of
them is also the PDC for the NT network.  So, both of the machines have
private IP addresses (192.168.100.99 & 192.168.100.100).  How would I
assign the remaining 2 IP addresses to these two server machines?  I still
want them to be protected by the firewall.  Meaning any traffic going to
these machines has to pass through the firewall but the firewall shouldn't
perform any masquerade on it.  Is this possible?  If so, how?  Any helpful
hints or links to helpful sites are very appreciated.  Thanks..

-kevin

 
 
 

Post by Bill Hudso » Sat, 27 Jan 2001 10:30:42



> Can this be done?  I have 3 public static IP addresses. Here's the setup.
> I am running a Linux firewall which uses one of the IP addresses to provide
> internet access to machines on the internal network.  I am also running a
> web server and mail server, which will take up the remaining 2 IP
> addresses.  The web and mail machines are inside the firewall and one of
> them is also the PDC for the NT network.  So, both of the machines have
> private IP addresses (192.168.100.99 & 192.168.100.100).  How would I
> assign the remaining 2 IP addresses to these two server machines?  I still
> want them to be protected by the firewall.  Meaning any traffic going to
> these machines has to pass through the firewall but the firewall shouldn't
> perform any masquerade on it.  Is this possible?  If so, how?  Any helpful
> hints or links to helpful sites are very appreciated.  Thanks..

> -kevin

Yes.  Masquerading (which you're already doing) plus port forwarding via
the 'ipmasqadm portfw' utility.  You may have to install ipmasqadm.

--
Bill Hudson

 
 
 

Post by Eugen » Sat, 27 Jan 2001 14:35:13


Of course it's possible. Just assign the real IP addresses to the other two
machines and configure the firewall to protect them. For info on how to do
that read the ipchains HOWTO.

You might not need to give them real IP addresses. You may want to try port
forwarding. Suppose the firewall's public IP is 1.2.3.4. You can configure
it to forward port 80 to the web server and port 25 to the mail server. So
that any connection from the outside to 1.2.3.4:80 would be forwarded to
192.168.100.99:80 (or whatever), and 1.2.3.4:25 -> 192.168.100.100:25. You
don't even have to use the same ports. That way you run mail and web server
*and* you still have 2 spare IP addresses. Obviously this will not work if
e.g. you want to run 2 web servers or something.

Eugene


> Can this be done?  I have 3 public static IP addresses. Here's the setup.
> I am running a Linux firewall which uses one of the IP addresses to provide
> internet access to machines on the internal network.  I am also running a
> web server and mail server, which will take up the remaining 2 IP
> addresses.  The web and mail machines are inside the firewall and one of
> them is also the PDC for the NT network.  So, both of the machines have
> private IP addresses (192.168.100.99 & 192.168.100.100).  How would I
> assign the remaining 2 IP addresses to these two server machines?  I still
> want them to be protected by the firewall.  Meaning any traffic going to
> these machines has to pass through the firewall but the firewall shouldn't
> perform any masquerade on it.  Is this possible?  If so, how?  Any helpful
> hints or links to helpful sites are very appreciated.  Thanks..

> -kevin
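
The forwarding Eugene describes, using the `ipmasqadm portfw` utility Bill names, written out as an added example that is not part of any post in this thread: a shell function that validates a forwarding table and prints the `ipchains` accept rule and `ipmasqadm portfw` rule for each entry without running them. The table reuses the illustrative addresses from the post; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: print (do not run) the firewall commands for a forward table.
# One entry per line: proto public_ip public_port private_ip private_port
# Constructed from the illustrative addresses used in the post above.
FORWARDS='tcp 1.2.3.4 80 192.168.100.99 80
tcp 1.2.3.4 25 192.168.100.100 25'

valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # Only digits and dots, no empty octets, exactly four octets of 0-255.
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

emit_forwards() {
    # Reads the table on stdin; stops with status 1 at the first bad entry.
    while read -r proto pub pport priv rport; do
        [ -n "$proto" ] || continue
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol: $proto" >&2; return 1 ;;
        esac
        if ! valid_ipv4 "$pub" || ! valid_ipv4 "$priv"; then
            echo "bad address in: $pub -> $priv" >&2; return 1
        fi
        if ! valid_port "$pport" || ! valid_port "$rport"; then
            echo "bad port in: $pport -> $rport" >&2; return 1
        fi
        # Accept traffic addressed to the firewall's public IP on this port only.
        echo "ipchains -A input -p $proto -d $pub $pport -j ACCEPT"
        # Hand it to the internal server (ipmasqadm portfw, 2.2 kernels).
        echo "ipmasqadm portfw -a -P $proto -L $pub $pport -R $priv $rport"
    done
}

printf '%s\n' "$FORWARDS" | emit_forwards
```
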

 
 
 

Post by Kevin Truon » Sun, 28 Jan 2001 01:17:54


Eugene,

Thanks for the reply.  I was just making sure that I am not drunk or
anything when I read the Linux docs.  All docs say it's possible, and I
tried configuring it like you said.  Doesn't seem to work for me for some
odd reason.  Yes, I am aware of the port forwarding.. that's how it is
currently set up.  But there's a good reason for these two machines to have
real IP addresses.  Our current setup is only temporary until I find a
way to get these two machines on real IP's.  Any ideas why these machines
aren't being assigned their IP's?  Does the fact that both of these
machines have 2 NIC's in load balancing mode have anything to do with this
problem?  Thanks.

-kevin


> Of course it's possible. Just assign the real IP addresses to the other two
> machines and configure the firewall to protect them. For info on how to do
> that read the ipchains HOWTO.

> You might not need to give them real IP addresses. You may want to try port
> forwarding. Suppose the firewall's public IP is 1.2.3.4. You can configure
> it to forward port 80 to the web server and port 25 to the mail server. So
> that any connection from the outside to 1.2.3.4:80 would be forwarded to
> 192.168.100.99:80 (or whatever), and 1.2.3.4:25 -> 192.168.100.100:25. You
> don't even have to use the same ports. That way you run mail and web server
> *and* you still have 2 spare IP addresses. Obviously this will not work if
> e.g. you want to run 2 web servers or something.

> Eugene


> > Can this be done?  I have 3 public static IP addresses. Here's the setup.
> > I am running a Linux firewall which uses one of the IP addresses to provide
> > internet access to machines on the internal network.  I am also running a
> > web server and mail server, which will take up the remaining 2 IP
> > addresses.  The web and mail machines are inside the firewall and one of
> > them is also the PDC for the NT network.  So, both of the machines have
> > private IP addresses (192.168.100.99 & 192.168.100.100).  How would I
> > assign the remaining 2 IP addresses to these two server machines?  I still
> > want them to be protected by the firewall.  Meaning any traffic going to
> > these machines has to pass through the firewall but the firewall shouldn't
> > perform any masquerade on it.  Is this possible?  If so, how?  Any helpful
> > hints or links to helpful sites are very appreciated.  Thanks..

> > -kevin

 
 
 

Post by Kevin Truon » Sun, 28 Jan 2001 01:41:58


Hi Bill,

Sorry to bother you.  But at this point, I am desperate as I am out of
ideas.  This is what I last came up with to add to the firewall script..

$mail_ip is the external IP address
$ntserver_ip is the internal NT server IP address
$vpn1_ip is a static internet IP address
---------------------------------------------------------------
ipchains -A input  -p tcp -y -s 0.0.0.0/0 -d $mail_ip 25   -m 1
ipchains -A input  -p udp    -s 0.0.0.0/0 -d $mail_ip 110  -m 1
ipchains -A input  -p tcp -y -s 0.0.0.0/0 -d $mail_ip 110  -m 1
ipchains -A input  -p udp    -s $vpn1_ip  -d $mail_ip 500  -m 1
ipchains -A output -p udp    -d $vpn1_ip  -s $mail_ip 500  -m 1
ipchains -A input  -p 50     -s $vpn1_ip  -d $mail_ip      -m 1
ipchains -A output -p 50     -d $vpn1_ip  -s $mail_ip      -m 1
ipchains -A input  -p 47     -s $vpn1_ip  -d $mail_ip      -m 1
ipchains -A output -p 47     -d $vpn1_ip  -s $mail_ip      -m 1
ipchains -A input  -p tcp -y -s $vpn1_ip  -d $mail_ip 1723 -m 1
ipchains -A output -p tcp -y -d $vpn1_ip  -s $mail_ip 1723 -m 1

ipmasqadm mfw -A -m 1 -r $ntserver_ip
---------------------------------------------------------------

Does this make sense?  In my script, I use 'mfw' instead of 'portfw', can
this be the problem?  Thanks for the reply.

-kevin


> Yes.  Masquerading (which you're already doing) plus port forwarding via
> the 'ipmasqadm portfw' utility.  You may have to install ipmasqadm.

> --
> Bill Hudson