Re: Liunx and DSL routing

From: Abdullah Ramazanoglu (ar018_at_yahoo.cöm)
Date: 07/08/04


Date: Thu, 08 Jul 2004 01:15:35 +0300

Will Hall wrote:

[snip]

>> > For server A:
>> > Public IPs are aaa.aaa.aaa.156-159 (I assume 156 is the network
>> > address, 157/158 are standard routeable addresses and 159 is
>> > the broadcast?)
>>
>> All of them are routable public addresses.
>>
>> > The modem is a Zyxel prestige 650R-31 with NAT/DHCP off and, as
>> > instructed by the ISP, has been configured to have a LAN
>> > address of aaa.aaa.aaa.158, subnet mask 255.255.255.252.
>> >
>> > The Linux box (Slackware 9.1) is then configured to have:
>> > IPADDR[0]="192.168.1.100"
>> > NETMASK[0]="255.255.255.0"
>> >
>> > IPADDR[1]="aaa.aaa.aaa.157"
>> > NETMASK[1]="255.255.255.252"
>> >
>> > GATEWAY="aaa.aaa.aaa.158"
>> >
>> > Which gives the routing table as:
>> >
>> > Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>> > aaa.aaa.aaa.156 0.0.0.0         255.255.255.252 U     0      0   0   eth1
>> > 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
>> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
>> > 0.0.0.0         aaa.aaa.aaa.158 0.0.0.0         UG    1      0   0   eth1
>> >
>>
>> Waste of IP addresses though it works.
>
> From what I know, the basics are this: As I'm running a public
> mail server (amongst others) I need the public IP address aaa.157
> assigned to eth1 on the server. The modem/router is assigned
> aaa.158 so the 255.255.255.252 netmask will happily sit between
> the two. Where I am confused is the difference between the modem
> WAN and LAN addresses.

Each interface needs an IP address for addressability, so it is
normal that your modem has 2 addresses (one for the WAN interface,
the other for the Ethernet interface), just like the Linux box with
its 2 Ethernet cards.
ISPs usually choose the easiest, "one size fits all" approach and
recommend a separate public address for each interface (at least
here in Turkey). But this is almost always an unneeded waste of
public addresses, and it also adds to the complexity of the customer
site. In your case, you currently have something like this:

     ISP
[aaa.aaa.aaa.isp] (belongs to ISP)
      |
[aaa.aaa.aaa.wan] (assigned by ISP)
    MODEM (def route: aaa.aaa.aaa.isp, maybe dynamically gotten)
[aaa.aaa.aaa.158]
      |
[aaa.aaa.aaa.157]
    LINUX (default route: aaa.aaa.aaa.158)
[192.168.1.100]
     /|\
    / | \
  PC PC PC (default route: 192.168.1.100)

The modem is accessible from within the LAN as aaa.aaa.aaa.158, and
from the internet as aaa.aaa.aaa.wan (which may or may not be static).

In my previous post I was incorrect about the usability of the
4-address IP block: as long as you use 255.255.255.252 as the
netmask, 156 and 159 become reserved addresses (network and
broadcast), so you are left with 2 addresses to use. If you use
netmask 255.255.255.0 then all 4 addresses would be usable.

Considering your priorities, what I would suggest is one of the
following. Either (with netmask 255.255.255.0 all over the place):

      ISP
[aaa.aaa.aaa.isp]
       |
[aaa.aaa.aaa.156] (static, can also be 157, 158 or 159)
     MODEM (default route: aaa.aaa.aaa.isp)
[192.168.1.1]
       |
------------------------ LAN
 | | | | | | | |
                |
         [192.168.1.100]
              LINUX (just eth0)

Every box on the LAN (including the server) has 192.168.1.1 as its
default route. On the modem, certain ports are forwarded to
192.168.1.100 (the server). All clients access the internet through
NAT on the modem, and they are not addressable from outside. This
achieves a good level of security even if you use no firewall at all
on the modem. Most router/modems also provide built-in firewall
rules for common DoS attacks. If you enable them you would have a
fairly tight ship in terms of the clients' security. As for the
server, it is only addressable on the forwarded ports, so you would
have two layers of protection (one at the modem, the other at the
server firewall). The more layers, the better. But of course neither
your current setup, nor the ones I am describing above and below,
are recommended for security: my preferred motto is "Never deliver
any service to the internet from within the LAN". This is where a
DMZ comes into play. But since you are not interested in that, I
skip it.

Or, (again netmask 255.255.255.0 all over the place) :

      ISP
[aaa.aaa.aaa.isp]
       |
[aaa.aaa.aaa.156] (fixed addr)
     MODEM (default route: aaa.aaa.aaa.isp)
[192.168.1.1]
       |
[192.168.1.2]
     LINUX (default route: 192.168.1.1, routing enabled)
[192.168.1.100]
       |
------------------------ LAN
 | | | | | | | |
(All clients' default route: 192.168.1.100)

Server security is weakened, as it now solely depends on your
firewall settings on the server. Any oversight, forgetfulness or
self-confidence (I learned to be a humble paranoid when it comes to
security ;-), and you may be exposing yourself for months without
even being aware of it, until... boom!
Also, reliability / availability / serviceability are weakened,
because you can't take the server offline easily (planned or not),
both from the LAN-to-internet access point of view and from the
server-switching (switch load to a backup server and take the main
server down) point of view. But of course these are all
site-specific details and may or may not be worthwhile for your
needs.

>> >
>> > Server B:
>> > Public IPs are bbb.bbb.bbb.76-79
>> > Modem is a DLink DSL-300G+ with NAT and DHCP turned off. The
>> > configuration is less flexible with this modem/router and fires
>> > up with the following information (which I cannot change!)
>> >
>> > IP Address bbb.bbb.bbb.77
>> > Gateway bbb.bbb.bbb.78
>> > Connection Type PPPoA
>> > Encapsulation VC Mux
>> >
>> > So in order to route to the modem I manually add the
>> > 192.168.0.1 route (see below)
>> >
>> > The Linux box (Slackware 9.1) is then configured as:
>> > IPADDR[0]="192.168.2.100"
>> > NETMASK[0]="255.255.255.0"
>> >
>> > IPADDR[1]="bbb.bbb.bbb.77"
>> > NETMASK[1]="255.255.255.252"
>> >
>> > GATEWAY="bbb.bbb.bbb.78"
>> >
>> > Which gives the routing table as:
>> > Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>> > 192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0   0   eth1
>> > bbb.bbb.bbb.76  0.0.0.0         255.255.255.252 U     0      0   0   eth1
>> > 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
>> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
>> > 0.0.0.0         bbb.bbb.bbb.78  0.0.0.0         UG    1      0   0   eth1
>> >

I would suggest the same setup on both sides, whatever that setup
might be.

[snip]

> I don't see any need for a DMZ. eth1 is "public" and eth0 is
> "private" with iptables doing the firewalling, port forwarding,
> syslogs etc. I'm happy that security is tight as only the required
> ports are visible to the outside world.

Please don't be happy with security. I'm no expert, but what they
say is: it never was, never is, and never will be "good enough".

HTH

-- 
Abdullah        | aramazan@ |
Ramazanoglu     | myrealbox |
________________| D O T cöm |
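The two-NIC layout quoted above (eth1 public, eth0 private, the Linux box doing NAT and firewalling so that only the required ports are visible from outside) is easy to describe and easy to get subtly wrong. The script below is an added example, not code from either poster: it generates an iptables-restore ruleset for that layout with default-deny policies on INPUT and FORWARD, a single inbound service port on the public side (SMTP, since the post mentions a public mail server), an administrative port reachable only from the LAN, anti-spoofing drops for LAN-sourced packets arriving on the public interface, masquerading for the clients, and logging of everything that is dropped. The interface names follow the routing tables in the post; the LAN prefix, port lists and log prefixes are constructed placeholders to be adjusted per site.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset for a Linux router with eth1 public and eth0 private.
# All values below are constructed placeholders; adjust them per site.

WAN_IF="eth1"              # public side (aaa.aaa.aaa.157/30 in the post)
LAN_IF="eth0"              # private side
LAN_NET="192.168.1.0/24"   # LAN behind the Linux box
SERVER_PORTS="25"          # services that must be reachable from the internet
ADMIN_PORTS="22"           # services reachable from the LAN only

# filter table: default-deny on INPUT and FORWARD, explicit allows only
gen_filter() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
EOF
    # only the published services are reachable on the public interface
    for p in $SERVER_PORTS; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # administrative services are reachable from the LAN only
    for p in $ADMIN_PORTS; do
        echo "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-input-drop: " --log-level 4
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-forward-drop: " --log-level 4
COMMIT
EOF
}

# nat table: clients leave through the public address and are never
# addressable from outside
gen_nat() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# complete ruleset in iptables-restore format
gen_ruleset() {
    gen_filter
    gen_nat
}

# Without arguments the script only prints the ruleset for review;
# with --apply (as root) it enables forwarding and loads the rules.
if [ "${1:-}" = "--apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    gen_ruleset | iptables-restore
else
    gen_ruleset
fi
```

Run it without arguments first and read the output; only then run `sh fw.sh --apply` on the router. The dropped-packet LOG lines give the syslog trail mentioned in the thread, and because the policies are DROP, forgetting to add a rule fails closed rather than open.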

