First, all networks must have a router at their edge. On the other side of the public IP are all the private IPs. It is unreasonable to have all IPs on the network public IPs. Since this means that there will be two networks, the public and the private, coming together, then by definition there must be a router. This is because a router bridges two networks. Since a router works on this level, layer 3 of the OSI model, it makes it a good place to implement a firewall as well as routing. This gives an added level of security protection. I have also heard this router referred to as an “edge router”. This too makes since because the router is at the edge of the private network. This is a common configuration with every network that I have every worked on. The word Bastion comes from the French work Bastille which means to fortify. The actual context means to have two lines coming from the main foreclosure in the front and two lines at each of the flanks. It is a term that has been used for defense and security. Since this term has been traditionally been used for two levels of defense it is well replicated in networks by having two levels defense. This is where the second router/firewall comes in. Putting a router/firewall behind the edge router now gives a second level of security. It also creates a true DMZ in that the systems in the DMZ are all truly not part of the internal, or external, network. The following is a picture that shows the setup: +--------+ Public IP +------+ DMZ +--------+ Private Network |Internet|---------->|Router|----->|Firewall|----------------> +--------+ +------+ +--------+ This design also gets us an extra level of security, which is always good when protecting a network. What makes this a very interesting situation is if the outside world needs to talk to a system on the private network. What this means is that the edge router needs to forward the request to the router/firewall, then the router/firewall needs to covert this request to the proper server IP on the internal network and pass it to the right server. All of this should be rather straight forward. But I have ran into a small problem I am not sure how to implement. I have the edge router configured to pass the request to the router/firewall. This was not hard to do. The router takes any request on a certain port and forwards that request to a DMZ network address. In this case that is 10.0.0.253. The route/firewall is a Sparc 5 running Debian 2.2 on it. The goal is to get the route/firewall to change this request from the DMZ address to the proper IP of the server on the internal network. My thought was that I would need to do some masquerading or forwarding. The only way I could think of doing this was to create an IP alias for the 10.0.0.253 on the NIC that services the DMZ. This works in that the request are passed from the router to the router/firewall. The problem this that the request is not coverted and passed to internal network. My reading shows that forwarding only works to the IP of the interface assigned to the NIC. This creates a problem since the internal router rules will send this request right back to the NIC on the router/firewall. I have tried everything to get this system to work, but I have been unable to get the requested coverted and passed to the internal network IP. Since I am trying to do nothing more than forward information to a different IP I only need to know how to covert one IP to a different one with ipchains. This should be a simle NAT but I have been unalbe to implement it. I am also locked into ipchains because, what the Debian SPARC list has said, is that the only stable kernel for the Sparc 5 is the 2.2 kernel right now. Since this is a production box I can not run the risk of not having something stable. I hope this gives a more complete picture of what I am doing so someone might be able to at least put me on the right track. Thank You, David -----Original Message----- From: plug-discuss-admin@lists.plug.phoenix.az.us [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Craig White Sent: Friday, January 23, 2004 11:39 PM To: plug-discuss@lists.plug.phoenix.az.us Subject: Re: Question on ipchains On Fri, 2004-01-23 at 19:19, David Demland wrote: > I have an internal box being used as a router. I need to route an IP to a > different IP and I am not sure how to do this with ipchains. Here is what I > am trying to do: > > 10.0.0.253 +--------+ 192.168.0.200 > ------------->| Router |-----------------> > +--------+ > > The firewall converts the packets into an internal IP which is part of a > DMZ. The router handles the traffic from the DMZ to the internal network. I > need to get a path from the firewall to a server on the internal network. I > have the firewall converting packets into an address that is on the same > network as the DMZ, but the address does not exist. I want to have the > router convert this non-existing address into an address of an existing > server on the internal network. The route is a debian box running ipchains. > > How do I set the ipchains rules to convert the IP from one to another? --- Too little info - too little clear in the question. Generally, when I ask a question like this, in order to get a clear correct answer, I must demonstrate that I have made a significant effort to understand the issue enough to be able to ask questions clearly. It does seem that you are wanting to do either forwarding or masquerading. I can't tell and a router that is handing traffic from the DMZ to the internal network is such a confused concept - given my definition of a DMZ anyway - that it's simply not possible to figure out where you are going with this. ipchains requires ipmasqadm for 'forwarding' packets which you may already have compiled in if the router already does forwarding as it would appear to do with your description. That being said, the 2.4 kernel is now phasing out so using the 2.2 kernel on the router doesn't make much sense. Considering the performance and security enhancements of the 2.4 kernel / iptables, it definitely is easier to use it which makes it the obvious upgrade. David Ranch's IPMASQ html pages Craig --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change you mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss