First, all networks must have a router at their edge. On the other side of
the public IP are all the private IPs. It is unreasonable to have all IPs on
the network public IPs. Since this means that there will be two networks,
the public and the private, coming together, then by definition there must
be a router. This is because a router bridges two networks. Since a router
works on this level, layer 3 of the OSI model, it makes it a good place to
implement a firewall as well as routing. This gives an added level of
security protection. I have also heard this router referred to as an edge
router. This too makes since because the router is at the edge of the
private network. This is a common configuration with every network that I
have every worked on.
The word Bastion comes from the French work Bastille which means to fortify.
The actual context means to have two lines coming from the main foreclosure
in the front and two lines at each of the flanks. It is a term that has been
used for defense and security. Since this term has been traditionally been
used for two levels of defense it is well replicated in networks by having
two levels defense. This is where the second router/firewall comes in.
Putting a router/firewall behind the edge router now gives a second level of
security. It also creates a true DMZ in that the systems in the DMZ are all
truly not part of the internal, or external, network. The following is a
picture that shows the setup:
+--------+ Public IP +------+ DMZ +--------+ Private Network
|Internet|---------->|Router|----->|Firewall|---------------->
+--------+ +------+ +--------+
This design also gets us an extra level of security, which is always good
when protecting a network.
What makes this a very interesting situation is if the outside world needs
to talk to a system on the private network. What this means is that the edge
router needs to forward the request to the router/firewall, then the
router/firewall needs to covert this request to the proper server IP on the
internal network and pass it to the right server. All of this should be
rather straight forward. But I have ran into a small problem I am not sure
how to implement.
I have the edge router configured to pass the request to the
router/firewall. This was not hard to do. The router takes any request on a
certain port and forwards that request to a DMZ network address. In this
case that is 10.0.0.253. The route/firewall is a Sparc 5 running Debian 2.2
on it. The goal is to get the route/firewall to change this request from the
DMZ address to the proper IP of the server on the internal network. My
thought was that I would need to do some masquerading or forwarding. The
only way I could think of doing this was to create an IP alias for the
10.0.0.253 on the NIC that services the DMZ. This works in that the request
are passed from the router to the router/firewall. The problem this that the
request is not coverted and passed to internal network. My reading shows
that forwarding only works to the IP of the interface assigned to the NIC.
This creates a problem since the internal router rules will send this
request right back to the NIC on the router/firewall.
I have tried everything to get this system to work, but I have been unable
to get the requested coverted and passed to the internal network IP. Since I
am trying to do nothing more than forward information to a different IP I
only need to know how to covert one IP to a different one with ipchains.
This should be a simle NAT but I have been unalbe to implement it.
I am also locked into ipchains because, what the Debian SPARC list has said,
is that the only stable kernel for the Sparc 5 is the 2.2 kernel right now.
Since this is a production box I can not run the risk of not having
something stable.
I hope this gives a more complete picture of what I am doing so someone
might be able to at least put me on the right track.
Thank You,
David
-----Original Message-----
From:
plug-discuss-admin@lists.plug.phoenix.az.us
[
mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Craig
White
Sent: Friday, January 23, 2004 11:39 PM
To:
plug-discuss@lists.plug.phoenix.az.us
Subject: Re: Question on ipchains
On Fri, 2004-01-23 at 19:19, David Demland wrote:
> I have an internal box being used as a router. I need to route an IP to a
> different IP and I am not sure how to do this with ipchains. Here is what
I
> am trying to do:
>
> 10.0.0.253 +--------+ 192.168.0.200
> ------------->| Router |----------------->
> +--------+
>
> The firewall converts the packets into an internal IP which is part of a
> DMZ. The router handles the traffic from the DMZ to the internal network.
I
> need to get a path from the firewall to a server on the internal network.
I
> have the firewall converting packets into an address that is on the same
> network as the DMZ, but the address does not exist. I want to have the
> router convert this non-existing address into an address of an existing
> server on the internal network. The route is a debian box running
ipchains.
>
> How do I set the ipchains rules to convert the IP from one to another?
---
Too little info - too little clear in the question. Generally, when I
ask a question like this, in order to get a clear correct answer, I must
demonstrate that I have made a significant effort to understand the
issue enough to be able to ask questions clearly.
It does seem that you are wanting to do either forwarding or
masquerading. I can't tell and a router that is handing traffic from the
DMZ to the internal network is such a confused concept - given my
definition of a DMZ anyway - that it's simply not possible to figure out
where you are going with this.
ipchains requires ipmasqadm for 'forwarding' packets which you may
already have compiled in if the router already does forwarding as it
would appear to do with your description.
That being said, the 2.4 kernel is now phasing out so using the 2.2
kernel on the router doesn't make much sense. Considering the
performance and security enhancements of the 2.4 kernel / iptables, it
definitely is easier to use it which makes it the obvious upgrade.
<
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/index.html>
David Ranch's IPMASQ html pages
Craig
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)