* Re: Problem behind my DMZ
@ 2004-01-08 15:53 Martin Leduc
  2004-01-08 16:16 ` Antony Stone
  0 siblings, 1 reply; 20+ messages in thread
From: Martin Leduc @ 2004-01-08 15:53 UTC (permalink / raw)
  To: cbrenton; +Cc: netfilter

Thanks for the help, Mr. Brenton,

But I don't understand something.  You tell me to use my public addresses for 
each server on my DMZ.  How can I use public IPs on my servers which are behind 
my firewall?  I want the servers to stay behind the firewall.

I have one /28 IP range, and I don't think my ISP will give me another IP 
range.  20.0.0.1 is my gateway.  How can I assign 20.0.0.4 to my mail 
server behind my firewall and proceed with filtering?

Do I need proxy_arp?  Do you have an example?

Do you want to see my iptables script?

Thanks in advance

Martin


>From: Chris Brenton <cbrenton@chrisbrenton.org>
>To: Martin Leduc <marled3@hotmail.com>
>CC: netfilter@lists.netfilter.org
>Subject: Re: Problem behind my DMZ
>Date: Wed, 07 Jan 2004 21:27:42 -0500
>
>Greetings!
>
>On Wed, 2004-01-07 at 19:19, Martin Leduc wrote:
> >
> > One of my servers is DNS.  My trouble is that if I try to send email FROM
> > one of these third servers, my DNS returns to the sending server the public
> > IP and my email is sent to my firewall, not my internal server.
>
>Common problem. You have two potential solutions:
>
>1) Use public IPs on your DMZ/service network. This will also give you a
>performance boost as you will drop the NAT overhead. You don't mention
>how many legal IPs you have, but if you have enough address space to
>carve off a /29 or /28 for your DMZ, this would be your best bet.
>
>2) Use split DNS. Set up another name server that is accessible only from
>internal systems and populate it with your private addresses.
>
>HTH,
>C
>
>


* Re: Problem behind my DMZ
  2004-01-08 15:53 Problem behind my DMZ Martin Leduc
@ 2004-01-08 16:16 ` Antony Stone
  2004-01-08 18:10   ` Ramin Dousti
  0 siblings, 1 reply; 20+ messages in thread
From: Antony Stone @ 2004-01-08 16:16 UTC (permalink / raw)
  To: netfilter

On Thursday 08 January 2004 3:53 pm, Martin Leduc wrote:

> Thanks for the help, Mr. Brenton,
>
> But I don't understand something.  You tell me to use my public addresses for
> each server on my DMZ.  How can I use public IPs on my servers which are behind
> my firewall?  I want the servers to stay behind the firewall.
>
> I have one /28 IP range, and I don't think my ISP will give me another IP
> range.

The suggestion was that if you have a large enough public IP block, you subnet 
it so that part is used for your DMZ and part is used for everything else.   
You can then route the DMZ subnet to machines on the DMZ which genuinely have 
the public addresses assigned to them without using NAT.

All that is involved is to assign one of the /28 addresses to the DMZ 
interface on your firewall, choosing the addresses for the 'external' and the 
'DMZ' interfaces (as well as the netmasks) so that the DMZ is a clearly 
identified subnet of its own, with a sensible routing table entry (which gets 
set up automatically by Linux as soon as you assign the address and the 
netmask to the interface).

All you need to remember is that Linux consults its routing table from most 
specific to least specific, therefore a /29 subset of a /28 will take 
precedence over the more general /28 entry.

Since you have a /28 subnet (=16 addresses) it's certainly possible to do this 
in your case, and clearly a /29 subnet for the DMZ would be the simplest 
arrangement (although not the only one by any means).

Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennet

                                                     Please reply to the list;
                                                           please don't CC me.


* Re: Problem behind my DMZ
  2004-01-08 18:10   ` Ramin Dousti
@ 2004-01-08 17:17     ` Antony Stone
  2004-01-08 19:18       ` Ramin Dousti
  0 siblings, 1 reply; 20+ messages in thread
From: Antony Stone @ 2004-01-08 17:17 UTC (permalink / raw)
  To: netfilter

On Thursday 08 January 2004 6:10 pm, Ramin Dousti wrote:

> Dividing the /28 to 2x /29's is a waste.

I agree (and it wasn't what I meant to suggest - sorry if it seemed that I 
had).

I proposed one /29 for the DMZ, which therefore has its own network address 
and broadcast address, but leaving the existing /28 on the external 
interface, so that only one additional network address is used (both 
broadcast addresses will be the same, if the /29 is the upper half of the 
existing /28).

> - Set up the IP on the FW nics:
>         ip addr add 192.168.1.2/28 dev eth0   # external
>         ip addr add 192.168.1.2/28 dev eth1   # DMZ
>         ip addr add a.b.c.d/x      dev eth2   # internal
>
> - Enable proxy-arp on these interfaces:
>         echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>         echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
>
> - Remove the local route on eth0:
>         ip ro del 192.168.1.0/28 dev eth0
>
> - Add a /32 route for the router:
>         ip ro add 192.168.1.1/32 dev eth0

This solution is better than mine by one IP address (which is well worth 
having if you only have a /28 to begin with), but forces all except the two 
public IPs involved in the point-to-point /32 link between the firewall and 
the external router to be on the DMZ.   If that is what is required, then it 
is a good solution.

Antony.

-- 
Christmas is an opportunity to upgrade to kernel 2.6 while no-one's around to 
notice the downtime.

                                                     Please reply to the list;
                                                           please don't CC me.


* Re: Problem behind my DMZ
  2004-01-08 16:16 ` Antony Stone
@ 2004-01-08 18:10   ` Ramin Dousti
  2004-01-08 17:17     ` Antony Stone
  0 siblings, 1 reply; 20+ messages in thread
From: Ramin Dousti @ 2004-01-08 18:10 UTC (permalink / raw)
  To: netfilter

On Thu, Jan 08, 2004 at 04:16:08PM +0000, Antony Stone wrote:

> The suggestion was that if you have a large enough public IP block, you subnet 
> it so that part is used for your DMZ and part is used for everything else.   
> You can then route the DMZ subnet to machines on the DMZ which genuinely have 
> the public addresses assigned to them without using NAT.
> 
> All that is involved is to assign one of the /28 addresses to the DMZ 
> interface on your firewall, choosing the addresses for the 'external' and the 
> 'DMZ' interfaces (as well as the netmasks) so that the DMZ is a clearly 
> identified subnet of its own, with a sensible routing table entry (which gets 
> set up automatically by Linux as soon as you assign the address and the 
> netmask to the interface).
> 
> All you need to remember is that Linux consults its routing table from most 
> specific to least specific, therefore a /29 subset of a /28 will take 
> precedence over the more general /28 entry.

Dividing the /28 into 2x /29s is a waste. You can have the /28 on both the
external interface and the DMZ interface with some adjustments to the
routing table.


Let's say you have been given 192.168.1.0/28:


                            External       DMZ
ROUTER                        [eth0] FW [eth1]             SERVERS
192.168.1.1/28         192.168.1.2/28  192.168.1.2/28    192.168.1.3-14/28
                                   [eth2]
                             Internal a.b.c.d/x


Steps to take:

- Set up the IP on the FW NICs:
        ip addr add 192.168.1.2/28 dev eth0   # external
        ip addr add 192.168.1.2/28 dev eth1   # DMZ
        ip addr add a.b.c.d/x      dev eth2   # internal

- Enable proxy-arp on these interfaces:
        echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
        echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

- Remove the local route on eth0:
        ip ro del 192.168.1.0/28 dev eth0

- Add a /32 route for the router:
        ip ro add 192.168.1.1/32 dev eth0


This should work.

Ramin



> 
> Since you have a /28 subnet (=16 addresses) it's certainly possible to do this 
> in your case, and clearly a /29 subnet for the DMZ would be the simplest 
> arrangement (although not the only one by any means).
> 
> Antony.
> 
> -- 
> It is also possible that putting the birds in a laboratory setting 
> inadvertently renders them relatively incompetent.
> 
>  - Daniel C Dennet
> 
>                                                      Please reply to the list;
>                                                            please don't CC me.
> 


* Re: Problem behind my DMZ
  2004-01-08 17:17     ` Antony Stone
@ 2004-01-08 19:18       ` Ramin Dousti
  0 siblings, 0 replies; 20+ messages in thread
From: Ramin Dousti @ 2004-01-08 19:18 UTC (permalink / raw)
  To: netfilter

On Thu, Jan 08, 2004 at 05:17:52PM +0000, Antony Stone wrote:

> On Thursday 08 January 2004 6:10 pm, Ramin Dousti wrote:
> 
> > Dividing the /28 to 2x /29's is a waste.
> 
> I agree (and it wasn't what I meant to suggest - sorry if it seemed that I 
> had).

No worries. The above statement about wasting IPs is a general
statement and wasn't directed at you; sorry if it seemed that
it was :-)

Ramin


* Re: Problem behind my DMZ
@ 2004-01-12 12:08 Martin Leduc
  0 siblings, 0 replies; 20+ messages in thread
From: Martin Leduc @ 2004-01-12 12:08 UTC (permalink / raw)
  To: ramin, Antony; +Cc: netfilter


Good morning folks,
 
I am resending you my last message using the corrected design.  Hope this time
it will be OK!
 
How can I build that using route and ip?
 
            LAN1            ----------
192.168.1.1---- 192.168.1.2 |  BOX 1 |  192.168.1.3
                            ----------             
                                           |
                                           |  LAN 2
                                           |
                                      192.168.1.4
 
 
I know I can use Ramin's solution, but can we?  Is it possible?
 
Is it possible to create this topology using a Linux box?  I have already
done it using a Cisco router with the IGRP protocol.  I know I can use RIP too.
 
           LAN            ----------
192.168.1.X---192.168.1.1 |  BOX 1 |----10.0.0.1 |
                          ----------             |   
                                                 |
                                                 |
                                            NET  |

                                                 |
           LAN            ----------             |          
192.168.2.X---192.168.2.1 |  BOX 2 |----10.0.0.2 |
                          ----------             |
                                                 |
                                                 |
                                             10.0.0.3
                                           -----------
                                           | BOX  3  |
                                           -----------
                                                 |
                                                 |
                                             INTERNET 
                                             PUBLIC IP
 
192.168.1.X PING 192.168.2.X PING INTERNET PUBLIC IP
192.168.2.X PING 192.168.1.X PING INTERNET PUBLIC IP
 
I guess I need the routed daemon to do that, no?  Is RIP supported by routed?
 
Thanks in advance
 
Martin


* Re: Problem behind my DMZ
@ 2004-01-10 13:26 Martin Leduc
  0 siblings, 0 replies; 20+ messages in thread
From: Martin Leduc @ 2004-01-10 13:26 UTC (permalink / raw)
  To: Antony; +Cc: netfilter

On Friday 09 January 2004 9:54 am, Martin Leduc wrote:

>The /32 and /28 netmasks operate quite simply:
>On one interface you use a /32 netmask, which means there is only one 
>accessible IP on that network - that of the router leading to the Internet.

>On the other interface you use a /28 netmask, which means there are 16 IP 
>addresses (14 usable) accessible on that network.

>Linux uses its routing table entries from most specific to least specific, 
>so if a packet for the one IP address on the /32 network needs to be 
>routed, it will go in the direction of the Internet.   If a packet for any 
>other address in your public IP range needs to be routed, it won't match 
>the /32 but it will match the /28, so it will go to the internal network.

OK, so if I understand correctly, my home Internet ISP, who provides me the 
route:

67.68.181.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
0.0.0.0         67.68.181.1     0.0.0.0         UG    0      0        0 ppp0

has its 67.68.181.1 on its Internet network and we are all connected into a 
master switch behind this router; I'm able to ping 67.68.181.2, .3, .4, .5, 
etc...

Is it possible to do something like

            LAN1            ----------
192.168.1.1---- 192.168.1.2 |  BOX 1 |  192.168.1.3
                            ----------
                                           |
                                           |  LAN 2
                                           |
                                      192.168.1.4

I know I can use Ramin's solution, but can we?  Is it possible?

Is it possible to create this topology using a Linux box?  I have already done 
it using a Cisco router with the IGRP protocol.  I know I can use RIP too.

           LAN            ----------
192.168.1.X---192.168.1.1 |  BOX 1 |----10.0.0.1 |
                          ----------             |
                                                 |
                                                 |
                                            NET  |
                                                 |
           LAN            ----------             |
192.168.2.X---192.168.2.1 |  BOX 2 |----10.0.0.2 |
                          ----------             |
                                                 |
                                                 |
                                             10.0.0.3
                                           -----------
                                           | BOX  3  |
                                           -----------
                                                 |
                                                 |
                                             INTERNET
                                             PUBLIC IP

192.168.1.X PING 192.168.2.X PING INTERNET PUBLIC IP

I guess I need the routed daemon to do that, no?  RIP is supported by routed.

>The fact that the two network ranges overlap does not matter (despite what 
>you may read in introductory networking books - this is beyond introductory 
>networking).

>Regards,

Best regards, and thanks for your time and help, I appreciate it.

>Antony.

Martin


* Re: Problem behind my DMZ
@ 2004-01-10 12:55 Martin Leduc
  0 siblings, 0 replies; 20+ messages in thread
From: Martin Leduc @ 2004-01-10 12:55 UTC (permalink / raw)
  To: ramin; +Cc: netfilter

> > >Is your IP forwarding turned on?
> >
> > Yes, it is.
>
>OK. Then is proxy_arp turned on?

Yes it is.  I guess the answer was provided by Antony.  The /32 address on 
my eth0 will force all packets to the destination address.  That's why I can't 
ping, from behind my router, the other computers before my firewall, and that's 
why nobody can ping my router other than the specified address.

>
> > Can you explain to me why /32 against /28 netmask, or tell me
> > where I can get the documentation?
>
>Take a look at lartc.org.

Thanks

>
> > >Please use the "ip" utility instead of ifconfig/route/arp/... It's much
> > >easier
> > >and more powerful...
> >
> > OK, I will try, but it is not installed by default with Slackware.  I will
> > search where I can get it.
>
>You might be required to recompile the kernel with the Advanced Routing
>features.

OK.  I found the iproute2 package on lartc.org.  My kernel is already able 
to take care of the advanced routing; I built it in at the last upgrade.

>
>Ramin
>

Ramin, thank you very much for your help.  I really appreciate it; your 
solutions work fine.


* Re: Problem behind my DMZ
  2004-01-09  9:54 Martin Leduc
  2004-01-09 10:57 ` Antony Stone
@ 2004-01-09 15:26 ` Ramin Dousti
  1 sibling, 0 replies; 20+ messages in thread
From: Ramin Dousti @ 2004-01-09 15:26 UTC (permalink / raw)
  To: Martin Leduc; +Cc: netfilter

On Fri, Jan 09, 2004 at 09:54:42AM +0000, Martin Leduc wrote:

> >Is your IP forwarding turned on?
> 
> Yes, it is.

OK. Then is proxy_arp turned on?

> Can you explain to me why /32 against /28 netmask, or tell me 
> where I can get the documentation?

Take a look at lartc.org.

> >Please use the "ip" utility instead of ifconfig/route/arp/... It's much 
> >easier
> >and more powerful...
> 
> OK, I will try, but it is not installed by default with Slackware.  I will 
> search where I can get it.

You might be required to recompile the kernel with the Advanced Routing
features.

Ramin


* Re: Problem behind my DMZ
  2004-01-09  9:54 Martin Leduc
@ 2004-01-09 10:57 ` Antony Stone
  2004-01-09 15:26 ` Ramin Dousti
  1 sibling, 0 replies; 20+ messages in thread
From: Antony Stone @ 2004-01-09 10:57 UTC (permalink / raw)
  To: netfilter

On Friday 09 January 2004 9:54 am, Martin Leduc wrote:

> > Is your IP forwarding turned on?
>
> Yes, it is.  Can you explain to me why a /32 instead of a /28 netmask, or tell me
> where I can get the documentation?

The /32 and /28 netmasks operate quite simply:

On one interface you use a /32 netmask, which means there is only one 
accessible IP on that network - that of the router leading to the Internet.

On the other interface you use a /28 netmask, which means there are 16 IP 
addresses (14 usable) accessible on that network.

Linux uses its routing table entries from most specific to least specific, so 
if a packet for the one IP address on the /32 network needs to be routed, it 
will go in the direction of the Internet.   If a packet for any other address 
in your public IP range needs to be routed, it won't match the /32 but it 
will match the /28, so it will go to the internal network.

The fact that the two network ranges overlap does not matter (despite what you 
may read in introductory networking books - this is beyond introductory 
networking).

Regards,

Antony.

-- 
Documentation is like sex.
When it's good, it's very very good.
When it's bad, it's still better than nothing.

                                                     Please reply to the list;
                                                           please don't CC me.

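The routing behaviour Antony explains above, and the table that Ramin's four steps produce (a /32 to the router on eth0, the /28 left on the DMZ interface, proxy_arp on both), modelled as an added example; this is not code from the thread. It is a small longest-prefix-match model in Python using the thread's addresses (192.168.1.0/28, router .1, DMZ host .4, a server .2 on the outside as in Martin's ping test) plus a constructed 172.16.0.0/24 standing in for the internal "a.b.c.d/x". It also applies the simplified kernel proxy_arp rule, which shows why every public address except the router's has to sit on the DMZ side of the firewall.

```python
# Added example (not from the thread): longest-prefix-match model of the
# firewall routing table after Ramin's steps, plus the kernel's proxy_arp
# decision, to show why the /32 wins over the /28 and which ARP requests
# the firewall answers.  Addresses are the constructed ones from the thread.
import ipaddress
from typing import NamedTuple, Optional, Sequence

IPv4 = ipaddress.IPv4Address


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str                    # egress interface
    via: Optional[IPv4] = None  # next-hop gateway; None means directly connected


class Hop(NamedTuple):
    dev: str         # interface the packet leaves on
    neighbour: IPv4  # link-layer neighbour ARPed for (gateway or the host itself)


def lookup(table: Sequence[Route], dst: IPv4) -> Optional[Route]:
    """Linux semantics: among the matching prefixes the longest (most specific) wins."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def next_hop(table: Sequence[Route], dst: IPv4) -> Optional[Hop]:
    """Where a packet to dst is sent, following one level of gateway indirection."""
    route = lookup(table, dst)
    if route is None:
        return None
    if route.via is None:
        return Hop(route.dev, dst)
    # A gateway must itself be reachable through a connected route; that is why
    # Ramin adds the /32 for the router before the default route is usable.
    gw_route = lookup(table, route.via)
    if gw_route is None or gw_route.via is not None:
        return None
    return Hop(gw_route.dev, route.via)


def answers_proxy_arp(table: Sequence[Route], proxy_arp_on: set,
                      asked_on: str, target: IPv4) -> bool:
    """Simplified kernel rule: with proxy_arp on the ingress interface, reply for
    any target whose route leaves through a *different* interface."""
    if asked_on not in proxy_arp_on:
        return False
    route = lookup(table, target)
    return route is not None and route.dev != asked_on


# Firewall table after Ramin's steps, using Martin's numbering (firewall = .3).
# The internal prefix is a constructed stand-in for the thread's "a.b.c.d/x".
FIREWALL_TABLE = [
    Route(ipaddress.IPv4Network("192.168.1.1/32"), "eth0"),   # /32 to the router only
    Route(ipaddress.IPv4Network("192.168.1.0/28"), "eth1"),   # the /28 stays on the DMZ side
    Route(ipaddress.IPv4Network("172.16.0.0/24"), "eth2"),    # internal LAN (constructed)
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth0", IPv4("192.168.1.1")),  # default via router
]
PROXY_ARP_ON = {"eth0", "eth1"}


def walk_through() -> dict:
    """The forwarding and ARP decisions the thread discusses, keyed by description."""
    ip = IPv4
    return {
        # /32 beats /28: the router is reached directly on eth0
        "to router .1": next_hop(FIREWALL_TABLE, ip("192.168.1.1")),
        # any other /28 address matches only the DMZ route
        "to DMZ host .4": next_hop(FIREWALL_TABLE, ip("192.168.1.4")),
        # Martin's failing case: a server in front of the firewall is still sent to eth1
        "to outside .2": next_hop(FIREWALL_TABLE, ip("192.168.1.2")),
        # default route resolves its gateway through the /32
        "to Internet": next_hop(FIREWALL_TABLE, ip("198.51.100.7")),
        # the router ARPs for the DMZ host; the firewall answers on eth0
        "proxy .4 on eth0": answers_proxy_arp(FIREWALL_TABLE, PROXY_ARP_ON, "eth0", ip("192.168.1.4")),
        # ...and it would equally claim .2, so nothing but the router may live outside
        "proxy .2 on eth0": answers_proxy_arp(FIREWALL_TABLE, PROXY_ARP_ON, "eth0", ip("192.168.1.2")),
        # the DMZ host ARPs for its gateway .1; the firewall answers on eth1
        "proxy .1 on eth1": answers_proxy_arp(FIREWALL_TABLE, PROXY_ARP_ON, "eth1", ip("192.168.1.1")),
    }


if __name__ == "__main__":
    for what, result in walk_through().items():
        print(f"{what:18} -> {result}")
```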

* Re: Problem behind my DMZ
@ 2004-01-09  9:54 Martin Leduc
  2004-01-09 10:57 ` Antony Stone
  2004-01-09 15:26 ` Ramin Dousti
  0 siblings, 2 replies; 20+ messages in thread
From: Martin Leduc @ 2004-01-09  9:54 UTC (permalink / raw)
  To: ramin; +Cc: netfilter

> > Good evening folks,
> >
> > Sorry to answer you so late, and thank you for your information.  I'm so
> > excited; I have made a test and, basically, it's working.  Tomorrow is the
> > official test.  I will keep you informed.
> >
> > The only thing I can't figure out is the /32 netmask address for an
> > address having a /28.  Why not put the /28?
> >
> > Of course I tried it, but the route program rejected these entries.  Can
> > you explain to me?
> >
> > Another thing.  Is it possible that I can't reach other machines placed
> > before the firewall box having IP addresses in the same range as my
> > firewall box after having put the /32 host in my route table?
> >
> > Example:
> > 192.168.1.1  ISP Gateway
> > 192.168.1.2  Server (any kind)
> > 192.168.1.3  Firewall BOX (eth0)
> > 192.168.1.3  Firewall BOX (eth1)
> > 192.168.1.4  Server behind Firewall BOX
> >
> > Ping test result
> > ---------------------------
> > 192.168.1.4 can reach 192.168.1.3
> > 192.168.1.4 can reach 192.168.1.1
> > 192.168.1.4 can't reach 192.168.1.2
> >
> > In the same test
> >
> > 192.168.1.2 can reach 192.168.1.1
> > But not 1.3 and 1.4
> >
> > I ask that because if I check my DSL route table, I see the same
> > configuration, like
> >
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 67.68.140.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> > 192.168.1.1   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> > 0.0.0.0         67.68.140.1     0.0.0.0         UG    0      0        0 ppp0
> >
> > I can ping 67.68.140.1, .2, .3, .4, .5, etc....
> >
> > Can you explain?
>
>Is your IP forwarding turned on?

Yes, it is.  Can you explain to me why a /32 instead of a /28 netmask, or tell me 
where I can get the documentation?

>
> >
> >
> > Now the configuration :D
>
>Please use the "ip" utility instead of ifconfig/route/arp/... It's much 
>easier
>and more powerful...

OK, I will try, but it is not installed by default with Slackware.  I will 
search where I can get it.

>
>Ramin

Regards and thanks in advance

Martin


* Re: Problem behind my DMZ
  2004-01-09  2:19 Martin Leduc
@ 2004-01-09  4:14 ` Ramin Dousti
  0 siblings, 0 replies; 20+ messages in thread
From: Ramin Dousti @ 2004-01-09  4:14 UTC (permalink / raw)
  To: Martin Leduc; +Cc: netfilter

On Fri, Jan 09, 2004 at 02:19:54AM +0000, Martin Leduc wrote:

> Good evening folks,
> 
> Sorry to answer you so late, and thank you for your information.  I'm so 
> excited; I have made a test and, basically, it's working.  Tomorrow is the 
> official test.  I will keep you informed.
> 
> The only thing I can't figure out is the /32 netmask address for an address 
> having a /28.  Why not put the /28?
> 
> Of course I tried it, but the route program rejected these entries.  Can you 
> explain to me?
> 
> Another thing.  Is it possible that I can't reach other machines placed before 
> the firewall box having IP addresses in the same range as my firewall box 
> after having put the /32 host in my route table?
> 
> Example:
> 192.168.1.1  ISP Gateway
> 192.168.1.2  Server (any kind)
> 192.168.1.3  Firewall BOX (eth0)
> 192.168.1.3  Firewall BOX (eth1)
> 192.168.1.4  Server behind Firewall BOX
> 
> Ping test result
> ---------------------------
> 192.168.1.4 can reach 192.168.1.3
> 192.168.1.4 can reach 192.168.1.1
> 192.168.1.4 can't reach 192.168.1.2
> 
> In the same test
> 
> 192.168.1.2 can reach 192.168.1.1
> But not 1.3 and 1.4
> 
> I ask that because if I check my DSL route table, I see the same 
> configuration, like
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 67.68.140.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.1.1   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         67.68.140.1     0.0.0.0         UG    0      0        0 ppp0
> 
> I can ping 67.68.140.1, .2, .3, .4, .5, etc....
> 
> Can you explain?

Is your IP forwarding turned on?

> 
> 
> Now the configuration :D

Please use the "ip" utility instead of ifconfig/route/arp/... It's much easier
and more powerful...

Ramin


* Re: Problem behind my DMZ
@ 2004-01-09  2:19 Martin Leduc
  2004-01-09  4:14 ` Ramin Dousti
  0 siblings, 1 reply; 20+ messages in thread
From: Martin Leduc @ 2004-01-09  2:19 UTC (permalink / raw)
  To: ramin, Antony; +Cc: netfilter

Good evening folks,

Sorry to answer you so late, and thank you for your information.  I'm so 
excited; I have made a test and, basically, it's working.  Tomorrow is the 
official test.  I will keep you informed.

The only thing I can't figure out is the /32 netmask address for an address 
having a /28.  Why not put the /28?

Of course I tried it, but the route program rejected these entries.  Can you 
explain to me?

Another thing.  Is it possible that I can't reach other machines placed before 
the firewall box having IP addresses in the same range as my firewall box 
after having put the /32 host in my route table?

Example:
192.168.1.1  ISP Gateway
192.168.1.2  Server (any kind)
192.168.1.3  Firewall BOX (eth0)
192.168.1.3  Firewall BOX (eth1)
192.168.1.4  Server behind Firewall BOX

Ping test result
---------------------------
192.168.1.4 can reach 192.168.1.3
192.168.1.4 can reach 192.168.1.1
192.168.1.4 can't reach 192.168.1.2

In the same test

192.168.1.2 can reach 192.168.1.1
But not 1.3 and 1.4

I ask that because if I check my DSL route table, I see the same 
configuration, like

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.68.140.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.1   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         67.68.140.1     0.0.0.0         UG    0      0        0 ppp0

I can ping 67.68.140.1, .2, .3, .4, .5, etc....

Can you explain?


Now the configuration :D

These are the commands I have run and will run, for others who use Slackware 
(and for me it is a test to see if I understand correctly ;) ):

We assume my ISP router is 20.0.0.14/28

On the Firewall BOX

1- Connect your ISP gateway RJ-45 cable to your eth0 NIC
2- Connect your server switch to your eth1 NIC

On the firewall shell

#Clean your interfaces and the route table
ifconfig eth0 down
ifconfig eth1 down

#Configure both NICs using the public address you chose
ifconfig eth0 20.0.0.1 netmask 255.255.255.240 broadcast 20.0.0.15
ifconfig eth1 20.0.0.1 netmask 255.255.255.240 broadcast 20.0.0.15

#Change your route settings: drop the connected /28 on eth0, keep only the router
route del -net 20.0.0.0/28 eth0
route add -host 20.0.0.14/32 eth0

#Set your ISP default gateway on your firewall
route add default gw 20.0.0.14

#Test
ping 20.0.0.14

(Should work)

#On your server shell

#Clean your interface and the route table
ifconfig eth0 down

#Configure with your other public IP address
ifconfig eth0 20.0.0.2 netmask 255.255.255.240 broadcast 20.0.0.15

#Configure the default route (the firewall's shared address)
route add default gw 20.0.0.1

#Test
ping 20.0.0.14

(Should work)

I'll tell you tomorrow if it works!  It works on public addresses 
(192.168.0.1).  I don't think that will not work.

All the rest is done by the FORWARD filter rules; use the state rules to 
allow on each machine only what you want.

Martin


* Re: Problem behind my DMZ
  2004-01-08 17:46 Martin Leduc
@ 2004-01-08 17:53 ` Antony Stone
  0 siblings, 0 replies; 20+ messages in thread
From: Antony Stone @ 2004-01-08 17:53 UTC (permalink / raw)
  To: netfilter

On Thursday 08 January 2004 5:46 pm, Martin Leduc wrote:

> >So where are the local client machines?
>
> None; it's my dedicated server network.  My servers are in a metal box with
> one RJ-45 cable from my ISP.  That's it!

> Example:
>
> My server 1 (192.168.0.2) tries to send email to abcd.com.  abcd.com is
> resolved by my internal DNS server.  The MX of the domain abcd.com is
> 20.0.0.4, but this address is, from server 1's point of view, my firewall.
> So I lose the email.

Okay, so what I was calling your "client machines" are actually just the other 
servers on your network.

In this case if you want to continue using NAT then I cannot see an 
alternative solution to split DNS, so that machines within your network 
receive DNS replies containing the private addresses, and machines outside 
your network receive the public addresses.

If on the other hand you use the suggestion of putting genuine public IPs onto 
your servers (and Ramin Dousti's detailed answer is definitely the best 
solution given your network topology - mine assumed you might want other 
public IPs for some other purpose, but with only one internal network this is 
obviously not the case) then everyone (internal and external) will use public 
IPs and the problem goes away.

Regards,

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.


* Re: Problem behind my DMZ
@ 2004-01-08 17:46 Martin Leduc
  2004-01-08 17:53 ` Antony Stone
  0 siblings, 1 reply; 20+ messages in thread
From: Martin Leduc @ 2004-01-08 17:46 UTC (permalink / raw)
  To: Antony; +Cc: netfilter

I have cleaned up a bit of the text.


>So where are the local client machines?

None; it's my dedicated server network.  My servers are in a metal box with 
one RJ-45 cable from my ISP.  That's it!

My corporate LAN is provided by another ISP using another iptables box.

>>So I have rules
>># one rule per protocol (tcp and udp); match the public destination address
>>iptables -t nat -A PREROUTING -p tcp --dport X -d 20.0.0.2 \
>>-j DNAT --to-destination 192.168.0.2:X
>>
>>And my postrouting
>>
>>iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to-source
>>20.0.0.2

>I still don't understand where the local client machines are on your 
>network.   What you have described above should work fine for clients which 
>are out on the Internet.

See previous

>>My FORWARD rules are WideOpen

>UGH!

I know, but I will DROP all after the tests are done.

>>Splitting my DNS is not an option.

>Why not?

Currently, my DNS is already behind my firewall, but answers with my public 
addresses.  Currently, I have more than 600 domain names in my DNS.  So to 
add/remove a domain to my network, I have to register it in my DNS master, 
DNS slave and my split DNS?  All of my servers are behind the firewall and 
send email to my mail server, which is behind my firewall too.

Example:

My server 1 (192.168.0.2) tries to send email to abcd.com.  abcd.com is 
resolved by my internal DNS server.  The MX of the domain abcd.com is 
20.0.0.4, but this address is, from server 1's point of view, my firewall.  
So I lose the email.

>Regards,

Regards and thanks for the help

>Antony.

Martin





* Re: Problem behind my DMZ
  2004-01-08 17:12 Martin Leduc
@ 2004-01-08 17:22 ` Antony Stone
  0 siblings, 0 replies; 20+ messages in thread
From: Antony Stone @ 2004-01-08 17:22 UTC (permalink / raw)
  To: netfilter

On Thursday 08 January 2004 5:12 pm, Martin Leduc wrote:

> Good morning Mr Stone,
>
> I'm sorry, I guess I didn't explain correctly.
>
> I have a public IP range of about a /28.  I have 2 NICs in my Linux box, one
> for the Internet and the other for my server switch.

Oh.   If you do not have a DMZ network then the suggestion made earlier to 
subnet your /28 will not work.   We thought you had a genuinely separate DMZ 
with the publicly-accessible servers on it.

> My Topology:
>
> 192.168.0.2 (WEB) <---|
> 192.168.0.3 (DNS) <---|
> 192.168.0.4 (MAIL)<---|
>                     eth1
>                 192.168.0.1 (GW)
>                    -------
>                    | BOX |
>                    -------
>                       ^
>         eth0   : 20.0.0.1
>         eth0:0 : 20.0.0.2  (DNAT 192.168.0.2)
>         eth0:1 : 20.0.0.3  (DNAT 192.168.0.3)
>         eth0:2 : 20.0.0.4  (DNAT 192.168.0.4)
>                       ^
>                    INTERNET

So where are the local client machines?

> So I have rules
> iptables -t nat -A PREROUTING -p tcp/udp --port X -s 20.0.0.2 \
> -j DNAT --to-destination 192.168.0.2:X
>
> And my postrouting
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to-source
> 20.0.0.2

I still don't understand where the local client machines are on your network.   
What you have described above should work fine for clients which are out on 
the Internet.

> My FORWARD rules are WideOpen

UGH!

> Spliting my DNS is not an option.

Why not?

Regards,

Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".




* Re: Problem behind my DMZ
@ 2004-01-08 17:12 Martin Leduc
  2004-01-08 17:22 ` Antony Stone
  0 siblings, 1 reply; 20+ messages in thread
From: Martin Leduc @ 2004-01-08 17:12 UTC (permalink / raw)
  To: Antony; +Cc: netfilter

Good morning Mr Stone,

I'm sorry, I guess I didn't explain correctly.

I have a public IP range of about a /28.  I have 2 NICs in my Linux box, one 
for the Internet and the other for my server switch.

I only have my servers on this network, nothing else, but I need to have a 
firewall to monitor, run Snort, LOG and analyse everything that is happening on my 
network.  I have several OSes behind my firewall, not only Linux.  That's why I 
need a firewall.

Actually, I PREROUTING-DNAT all my traffic from my public IP addresses to my 
private segment, and if I understand correctly, it's possible to have public 
IPs on my servers, filtered by my Linux firewall box?

I know that NAT loses performance, but actually it's the only way I know how to 
do that.

My Topology:

192.168.0.2 (WEB) <---|
192.168.0.3 (DNS) <---|
192.168.0.4 (MAIL)<---|
                      |
                      |
                      |
                    eth1
                192.168.0.1 (GW)
                   -------
                   | BOX |
                   -------
                      ^
                      |
        eth0   : 20.0.0.1
        eth0:0 : 20.0.0.2  (DNAT 192.168.0.2)
        eth0:1 : 20.0.0.3  (DNAT 192.168.0.3)
        eth0:2 : 20.0.0.4  (DNAT 192.168.0.4)
                      ^
                      |
                      |
                   INTERNET


So I have rules
iptables -t nat -A PREROUTING -p tcp/udp --port X -s 20.0.0.2 \
-j DNAT --to-destination 192.168.0.2:X

And my postrouting

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to-source 
20.0.0.2

My FORWARD rules are WideOpen

Splitting my DNS is not an option.

Thanks in advance, and sorry for the mistakes in my explanation.

Martin


>Thanks for the help Mr. Brenton,
>
>But I don't understand something.  You tell me to use my public addresses for
>each server on my DMZ.  How can I use public IPs on my servers which are behind
>my firewall?  I want the servers to stay behind the Firewall.
>
>I have one IP range /28, and I don't think my ISP will give me another IP
>range.

The suggestion was that if you have a large enough public IP block, you subnet
it so that part is used for your DMZ and part is used for everything else.
You can then route the DMZ subnet to machines on the DMZ which genuinely have
the public addresses assigned to them without using NAT.

All that is involved is to assign one of the /28 addresses to the DMZ
interface on your firewall, choosing the addresses for the 'external' and the
'DMZ' interfaces (as well as the netmasks) so that the DMZ is a clearly
identified subnet of its own, with a sensible routing table entry (which gets
set up automatically by Linux as soon as you assign the address and the
netmask to the interface).

All you need to remember is that Linux consults its routing table from most
specific to least specific, therefore a /29 subset of a /28 will take
precedence over the more general /28 entry.

Since you have a /28 subnet (=16 addresses) it's certainly possible to do this
in your case, and clearly a /29 subnet for the DMZ would be the simplest
arrangement (although not the only one by any means).

Antony.

--
It is also possible that putting the birds in a laboratory setting
inadvertently renders them relatively incompetent.

- Daniel C. Dennett

                                                     Please reply to the list;
                                                           please don't CC me.
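As an added illustration of the subnetting Antony describes (not code from the thread), the following Python carves a /29 out of the /28 with the standard ipaddress module and performs the longest-prefix lookup Linux does, so the /29 route wins over the overlapping /28 entry. The block 20.0.0.0/28 and the choice of the upper /29 as the DMZ are assumptions.

```python
import ipaddress

# Assumed public block (the thread's addresses are obfuscated as 20.0.0.x).
PUBLIC_BLOCK = ipaddress.ip_network("20.0.0.0/28")


def split_for_dmz(block, dmz_prefix=29):
    """Carve the block into an 'everything else' part and a DMZ part.
    The lower half keeps the external/firewall addresses, the upper half
    becomes the DMZ (an arbitrary choice; either half would do)."""
    outside, dmz = block.subnets(new_prefix=dmz_prefix)
    return outside, dmz


def usable_hosts(net):
    """Addresses that can be assigned to machines: each subnet spends one
    network and one broadcast address, which is the price of a /29."""
    return [str(h) for h in net.hosts()]


def route_lookup(table, dst):
    """Longest-prefix match: the most specific entry containing dst wins,
    so a /29 entry takes precedence over an overlapping /28 or the default."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def firewall_routes(block):
    """Routing table the firewall ends up with once eth0 carries the /28
    (towards the ISP) and eth1 carries the DMZ /29; default route via eth0."""
    _outside, dmz = split_for_dmz(block)
    return [(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
            (block, "eth0"),
            (dmz, "eth1")]
```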





* Re: Problem behind my DMZ
  2004-01-08  2:27 ` Chris Brenton
@ 2004-01-08 16:31   ` Michael Gale
  0 siblings, 0 replies; 20+ messages in thread
From: Michael Gale @ 2004-01-08 16:31 UTC (permalink / raw)
  To: netfilter

Hello,

	I suggest you use the split DNS :) or route mail for your domain via IP.

Example ... I have a Postfix box on my DMZ which has its own network address. Any mail sent to my domain to my Postfix box is delivered via SMTP to my Exchange server via IP.

Michael.

On Wed, 07 Jan 2004 21:27:42 -0500
Chris Brenton <cbrenton@chrisbrenton.org> wrote:

> Greetings!
> 
> On Wed, 2004-01-07 at 19:19, Martin Leduc wrote:
> >
> > One of my servers is DNS.  My trouble is that if I try to send Email FROM
> > one of these three servers, my DNS returns the public IP to the sending server
> > and my Email is sent to my firewall, not my internal server.
> 
> Common problem. You have two potential solutions:
> 
> 1) Use public IPs on your DMZ/service network. This will also give you a
> performance boost as you will drop the NAT overhead. You don't mention
> how many legal IPs you have, but if you have enough address space to
> carve off a /29 or /28 for your DMZ, this would be your best bet.
> 
> 2) Use split DNS. Set up another name server that is accessible only from
> internal systems and populate it with your private addresses.
> 
> HTH,
> C
> 
> 
> 


-- 
Michael Gale
Network Administrator
Utilitran Corporation



* Re: Problem behind my DMZ
  2004-01-08  0:19 Martin Leduc
@ 2004-01-08  2:27 ` Chris Brenton
  2004-01-08 16:31   ` Michael Gale
  0 siblings, 1 reply; 20+ messages in thread
From: Chris Brenton @ 2004-01-08  2:27 UTC (permalink / raw)
  To: Martin Leduc; +Cc: netfilter

Greetings!

On Wed, 2004-01-07 at 19:19, Martin Leduc wrote:
>
> One of my servers is DNS.  My trouble is that if I try to send Email FROM
> one of these three servers, my DNS returns the public IP to the sending server
> and my Email is sent to my firewall, not my internal server.

Common problem. You have two potential solutions:

1) Use public IPs on your DMZ/service network. This will also give you a
performance boost as you will drop the NAT overhead. You don't mention
how many legal IPs you have, but if you have enough address space to
carve off a /29 or /28 for your DMZ, this would be your best bet.

2) Use split DNS. Set up another name server that is accessible only from
internal systems and populate it with your private addresses.

HTH,
C





* Problem behind my DMZ
@ 2004-01-08  0:19 Martin Leduc
  2004-01-08  2:27 ` Chris Brenton
  0 siblings, 1 reply; 20+ messages in thread
From: Martin Leduc @ 2004-01-08  0:19 UTC (permalink / raw)
  To: netfilter; +Cc: marled3

Good afternoon,

To summarise my situation: I have 3 servers behind my NetFilter BOX
(iptables 1.2.9, Nov 02, 2003), each PREROUTING-DNATed using a public IP.
Each of my public IPs is held by my firewall: eth0: public gateway,
eth0:0: first server, eth0:1: second server, eth0:2: third server, and my
second NIC is the DMZ.

One of my servers is DNS.  My trouble is that if I try to send Email FROM
one of these three servers, my DNS returns the public IP to the sending server
and my Email is sent to my firewall, not my internal server.

Let me explain:

This is my network config.  I have changed the IP addresses; you will understand why ;)



192.168.0.2 (WEB)  -------->|                    -------
192.168.0.3 (DNS)  -------->|------ 192.168.0.1  | BOX | ------> eth0   : 20.0.0.1
192.168.0.4 (MAIL) -------->|                    -------         eth0:0 : 20.0.0.2  (DNAT 192.168.0.2)
                                                                 eth0:1 : 20.0.0.3  (DNAT 192.168.0.3)
                                                                 eth0:2 : 20.0.0.4  (DNAT 192.168.0.4)

           DMZ                                                        INTERNET


All requests FROM the Internet work fine, no problem with that.  The trouble
is from my DMZ.

Example:  When 192.168.0.2 tries to send Email, my DNS (192.168.0.3) says
that the mail server is 20.0.0.4.  I have put a LOG target and I SEE my
packets pass the PREROUTING chain, and that's it!

I made a test: I opened an HTTP server on my BOX, and if I try to reach
20.0.0.2 from my internal DMZ I reach the BOX, not 192.168.0.2.

I have tried to put this PREROUTING rule:

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d 20.0.0.2 -j DNAT \
--to-destination 192.168.0.2

When I run iptables -t nat -nvL PREROUTING I see the packet count, but
nothing else.

Before putting this rule in, nmap reported 80 open (BOX).  After this, nmap
reports filtered.

Can someone help me, please.

Martin
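As an added illustration (not code from the thread), a small Python model of what happens to a packet from 192.168.0.2 to 20.0.0.4 once a PREROUTING DNAT like the one above matches it: the reply from 192.168.0.4 goes straight back across the server switch without passing the BOX, so the client sees an answer from 192.168.0.4 instead of 20.0.0.4 and the handshake never completes, which is consistent with a rising packet count and nmap reporting "filtered". The snat_hairpin flag stands for an extra POSTROUTING SNAT to the BOX's eth1 address on that LAN-to-LAN path (my suggestion, not from the thread); conntrack is simplified to a dictionary.

```python
# Model of a "hairpin" DNAT through the BOX: a client on the internal
# segment talks to a public address that is DNATed to a server on the same
# segment. Addresses are those of the thread's topology; the NAT behaviour
# is a simplification (assumption) of conntrack's address rewriting.

BOX_LAN = "192.168.0.1"                 # eth1 address of the BOX
DNAT_MAP = {"20.0.0.2": "192.168.0.2",  # eth0:0 -> WEB
            "20.0.0.3": "192.168.0.3",  # eth0:1 -> DNS
            "20.0.0.4": "192.168.0.4"}  # eth0:2 -> MAIL


def box_forward(pkt, conntrack, snat_hairpin):
    """PREROUTING DNAT, then (optionally) POSTROUTING SNAT, for a packet the
    BOX forwards out of eth1. Returns the translated (src, dst) and records
    the reverse mapping so a returning reply can be de-NATed."""
    src, dst = pkt
    if dst not in DNAT_MAP:
        return pkt                                  # not a NATed public address
    new_dst = DNAT_MAP[dst]
    new_src = BOX_LAN if snat_hairpin else src      # hairpin SNAT to the BOX
    # conntrack: the reply tuple (server -> new_src) maps back to (dst -> src)
    conntrack[(new_dst, new_src)] = (dst, src)
    return (new_src, new_dst)


def box_reply(pkt, conntrack):
    """Reverse the translation for a reply that actually reached the BOX."""
    return conntrack.get(pkt, pkt)


def exchange(client, public_dst, snat_hairpin):
    """One request/reply. Returns the (src, dst) of the reply as the client
    sees it and whether the reply passed through the BOX at all."""
    conntrack = {}
    # 1. the client sends to the public address; its gateway is the BOX
    out = box_forward((client, public_dst), conntrack, snat_hairpin)
    # 2. the server answers whatever source address it saw
    reply = (out[1], out[0])
    # 3. the switch delivers the reply to the owner of reply[1]; only when
    #    that owner is the BOX does the packet get de-NATed on the way back
    via_box = reply[1] == BOX_LAN
    if via_box:
        reply = box_reply(reply, conntrack)
    return reply, via_box


def handshake_ok(client, public_dst, snat_hairpin):
    """A client only accepts a reply whose source is the address it sent to;
    a SYN-ACK from 192.168.0.4 for a SYN sent to 20.0.0.4 is discarded."""
    reply, _ = exchange(client, public_dst, snat_hairpin)
    return reply == (public_dst, client)
```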


