dmz, bridging question in linux

Post by James K » Thu, 08 May 2003 00:46:13

Please help!!!
I want to bridge a DMZ using public IPs and also an internal network
for masquerading.  So there will be 3 network cards installed.  One
for DMZ and one for private network.  I know how to bridge 2 ethernet
cards, but what about a 3rd using private IPs?  What would the general
setup be like, is this possible to bridge and route the private
network at the same time?  Anybody have an example of this
configuration?  I don't want to do static NAT because that means I have
to run dual DNS servers in the DMZ zone.

----->isp router---->bridge/firewall-----------------> eth2 dmz
 68.143.178.xxx/27   eth0 65.143.178.xxx/27           65.143.178.xxx/27
                              |
                              |
                           eth1 192.168.1.xxx
                            internal network
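The layout in the diagram above, written out as a setup script (an added example for this thread, not code from the original post or any reply): eth0 and eth2 become ports of one bridge that carries the firewall's public /27 address, while eth1 stays an ordinary routed interface whose private network is masqueraded behind that address. The interface names are the ones from the diagram; the bridge name br0, the 203.0.113.0/27 documentation-range addresses, and the DRY_RUN/RUN_SETUP switches are assumptions. brctl was the bridging tool of the period; the `ip link ... type bridge` form used here is the modern equivalent.

```shell
#!/bin/sh
# Added example (not from the original post): a three-NIC "bridge the DMZ,
# route the LAN" layout.  eth0 (ISP side) and eth2 (DMZ) become ports of
# bridge br0, which owns the firewall's public address; eth1 stays a routed
# private network that is masqueraded behind that address.
# All addresses below are constructed placeholders; DRY_RUN=1 only prints.
set -e

: "${DRY_RUN:=1}"
BR=br0                      # assumed bridge name
WAN_IF=eth0                 # port towards the ISP router
DMZ_IF=eth2                 # port towards the DMZ hosts (same public /27)
LAN_IF=eth1                 # routed private network
PUBLIC_IP=203.0.113.10/27   # constructed placeholder: firewall's public /27 address
ISP_GW=203.0.113.1          # constructed placeholder: ISP router in that /27
LAN_IP=192.168.1.1/24
LAN_NET=192.168.1.0/24

# Print the command in dry-run mode, execute it otherwise (needs root).
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bridge ports carry no IP address of their own; the bridge device does.
build_bridge() {
  run ip link add name "$BR" type bridge
  run ip addr flush dev "$WAN_IF"
  run ip addr flush dev "$DMZ_IF"
  run ip link set "$WAN_IF" master "$BR"
  run ip link set "$DMZ_IF" master "$BR"
  run ip link set "$WAN_IF" up
  run ip link set "$DMZ_IF" up
  run ip link set "$BR" up
  run ip addr add "$PUBLIC_IP" dev "$BR"
  run ip route add default via "$ISP_GW" dev "$BR"
}

# The private side is an ordinary routed interface with forwarding enabled.
setup_lan() {
  run ip addr add "$LAN_IP" dev "$LAN_IF"
  run ip link set "$LAN_IF" up
  run sysctl -w net.ipv4.ip_forward=1
}

# Masquerade the LAN behind the bridge's public address; the DMZ keeps its
# public addresses and needs no NAT, so no second DNS view is required.
firewall() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$BR" -s "$LAN_NET" -j ACCEPT
  # Frames bridged between eth0 and eth2 only reach this chain when
  # br_netfilter is active; this rule lets them pass, narrow it with -m physdev.
  run iptables -A FORWARD -i "$BR" -o "$BR" -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$BR" -j MASQUERADE
}

main() { build_bridge; setup_lan; firewall; }

# Run with RUN_SETUP=1 (and DRY_RUN=0, as root) to apply; otherwise only define.
if [ "${RUN_SETUP:-0}" = 1 ]; then main; fi
```

With DRY_RUN=1 (the default) the functions only print the commands, so the plan can be reviewed before it is applied as root with DRY_RUN=0 RUN_SETUP=1. Note that frames bridged between eth0 and eth2 are only seen by the iptables FORWARD chain when br_netfilter is loaded; without it the bridge passes DMZ traffic uninspected and the `-i br0 -o br0` rule never matches anything.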


1. Linux Firewall/Router w/DMZ setup questions

Hello all,

    Been searching archives for some time now, and figured I should just ask
the question(s) and take my RTFM lumps (but please tell me which M ;)

    I have setup several IPChains Masq Firewalls in the past, but this is my
first with 3 NICs.  Quick and dirty: eth0 is internal masq (10.0.0.1/24),
eth1 is the world (1.2.3.130), and eth2 is the dmz (1.2.3.131/27).  RH 6.2,
with 2.2.16 kernel (custom compile - not an rpm update).  I am pretty
confident in the ipchains rules I have, but have problems with routing.  A
route -n shows (not quite thrilled with the ip route show version's output):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
1.2.3.129       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.130       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.128       0.0.0.0         255.255.255.224 U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
1.2.3.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.129       0.0.0.0         UG    0      0        0 eth1

    I manually added the 1.2.3.129 route, so that it can find the default
gateway on eth1 - because it's in the eth2's network.  Problem is, once this
is running, I cannot ping anything (although using ping I can see that it is
trying to go out over the correct interface).  I cannot even ping the IPs
assigned to the cards, i.e. 1.2.3.130 - but I can ping the box from other
machines in the masq zone or dmz.  I have disabled the IPchains rules to
rule out any problems coming from there.  Taking down eth2, all is well
(and even masq'd correctly).

    On a side note, I would like to know if it is possible (and if so where
to get more info) to have this box be a "transparent gateway" - I would like
to have the DMZ boxes keep a GW of 1.2.3.129 if possible, so that should the
firewall fail, a quick changing of cables can have all the DMZ boxes online
without the need to reconfigure them.  Of course, the masq boxes would be
down...

Thanks,
Mike
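To see what the kernel does with the table Mike posted, here is a small longest-prefix-match walk over it (an added example for this thread, not part of Mike's post): each destination is matched against every route and the matching route with the numerically largest genmask wins, which is why the manually added host route for 1.2.3.129 sends the gateway out eth1 even though 1.2.3.129 also lies inside 1.2.3.128/27 on eth2. The table is transcribed from the post; the probe destinations and the documentation-range address 198.51.100.7 are constructed.

```shell
#!/bin/sh
# Added example (not from Mike's post): resolve destinations against the
# `route -n` table he posted the way the kernel does, i.e. the matching
# route with the longest genmask wins and the default route is the last resort.

# Dotted quad -> 32-bit integer (positional parameters are local to the function).
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Destination Gateway Genmask Iface, transcribed from the posted table.
ROUTES='10.0.0.1 0.0.0.0 255.255.255.255 eth0
1.2.3.129 0.0.0.0 255.255.255.255 eth1
1.2.3.130 0.0.0.0 255.255.255.255 eth1
1.2.3.128 0.0.0.0 255.255.255.224 eth2
10.0.0.0 0.0.0.0 255.255.255.0 eth0
1.2.3.0 0.0.0.0 255.255.255.0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 lo
0.0.0.0 1.2.3.129 0.0.0.0 eth1'

# The same table without the manually added host route for the gateway.
ROUTES_NO_HOST=$(printf '%s\n' "$ROUTES" | grep -v '^1\.2\.3\.129 ')

# lookup DEST TABLE -> "IFACE via GATEWAY" for the longest matching prefix.
# A contiguous netmask's integer value grows with its prefix length, so the
# numerically largest matching mask is the most specific route.
lookup() {
  dst=$(ip2int "$1")
  best_mask=-1
  best=""
  while read -r net gw mask iface; do
    [ -n "$net" ] || continue
    m=$(ip2int "$mask")
    if [ $(( dst & m )) -eq "$(ip2int "$net")" ] && [ "$m" -gt "$best_mask" ]; then
      best_mask=$m
      best="$iface via $gw"
    fi
  done <<EOF
$2
EOF
  echo "$best"
}

# Walk a few constructed destinations.  The gateway 1.2.3.129 leaves via eth1
# only because of its host route: without it, 1.2.3.128/27 on eth2 is the
# most specific match and the default route's next hop would be sent out eth2.
for d in 1.2.3.129 1.2.3.131 1.2.3.5 10.0.0.7 198.51.100.7; do
  echo "$d -> $(lookup "$d" "$ROUTES")"
done
echo "1.2.3.129 without host route -> $(lookup 1.2.3.129 "$ROUTES_NO_HOST")"
```

The overlap is visible in the table itself: eth1 carries a 1.2.3.0/24 route while eth2 carries the more specific 1.2.3.128/27, so any address in the upper /27 (the gateway 1.2.3.129 included) prefers eth2 unless a host route pins it to eth1.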
