Re: How to establish connections to the servers inside a DMZ?
From: Michael W Cocke (cocke_at_catherders.com)
Date: 01/29/05
- Next message: Eric Haase: "Wireless internet concerns"
- Previous message: Michael W Cocke: "Re: I have 6 PC's with Linux installed and Cable modem with LAN connection, How can I hookup all these PC's to Internet??"
- In reply to: buck: "How to establish connections to the servers inside a DMZ?"
- Next in thread: buck: "Re: How to establish connections to the servers inside a DMZ?"
- Reply: buck: "Re: How to establish connections to the servers inside a DMZ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 29 Jan 2005 17:58:32 -0500
On Sat, 29 Jan 2005 10:20:49 -0800, buck <buck@private.mil> wrote:
>We have a block of IPs and there is a mixture of operating systems
>connected to them. Each server is assigned one of those IPs.
>
>We want to create a [ firewall / DMZ / whatever you wanna call it ]
>Linux machine that passes the allowable packets to and from those
>computers in such a way that the external IP determines which host
>(inside the DMZ) is accessed.
>
>We hope that the DMZ machine can allocate bandwidth to the internal
>computers in such a way that no single internal machine hogs the
>whole connection. It must be the firewall.
>
>The problem we are attempting to address right now is how to get the
>DMZ machine to listen to all the external IPs and to pass the packets
>on to the correct internal server. One of the internal computers
>presently serves as a transparent proxy for all our internet access.
>The rest are specialized, eg: an NNTP server, an internet demo machine
>and an HTTP server.
>
>How do we allow internet connections to each server?
>
>What keywords should I use in a google search?
>
>How many NICs does the DMZ computer need? Is there anything special
>about assigning IPs to them?
>
>What we have tried:
>ifconfig eth1:0 IP1
>ifconfig eth1:1 IP2
>Etc.
>SNAT these with the FORWARD chain set to ACCEPT.
>
>But although the DMZ can "talk" to the internet and to the internal
>computers, the internal computers cannot talk to the internet. They
>can talk to the DMZ but no packets get forwarded.
>
>DIAGRAM as currently (MIS)configured (I hope this displays correctly):
>
>           ETHERNET DSL
>                |
>               dmz
>                |
>          ETHERNET SWITCH
>         |     |     |     |
>      proxy  nntp  demo  http
>
>Any help, examples and ideas will be sincerely appreciated.
Looking thru your plan, I don't see why you need a real DMZ. Load
balancing is relatively straightforward - see wondershaper. You can
route web requests thru a firewall/proxy without using a dedicated
DMZ. Ditto mail and so on, but I admit I just skimmed your plan - I'm
supposed to be writing a rebuild plan of my own for one of my clients
right now. 8-)>
Take a look thru here - it's written for the mid-level geek. This
guide is fairly specific to shorewall, but it should give you the idea.
http://www.shorewall.net/three-interface.htm
Alternatively, try :
http://lartc.org/
http://linux-ip.net/html/routing-intro.html
Mike-
--
Mornings: Evolution in action. Only the grumpy will survive.
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments.
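One way to wire up the per-public-IP forwarding that buck asks about, as an added example that is not code from either poster, from shorewall or from wondershaper: a POSIX sh script that emits an iptables rule set for static 1:1 NAT between a block of public addresses on the DSL-facing NIC and servers on a private subnet behind the switch. It assumes two NICs on the Linux box (eth0 public, eth1 inside), that the servers use the box's eth1 address as their default gateway, and it uses a constructed mapping of four public addresses in 203.0.113.0/24 to four hosts in 10.0.0.0/24; every interface name and address is a placeholder, not the poster's real values. The script only prints the commands, so the rule set can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not from the thread: generate a static 1:1 NAT rule set
# for a Linux box that holds several public IPs on its WAN NIC and fronts
# servers on an RFC 1918 subnet. Run as:  sh nat-rules.sh | sudo sh
# All interface names and addresses below are assumed placeholders.

WAN_IF=eth0           # assumption: DSL-facing NIC carrying the public block
LAN_IF=eth1           # assumption: NIC on the switch with the servers
LAN_NET=10.0.0.0/24   # assumption: private subnet the servers live on

# Constructed sample mapping, one "public-ip internal-ip" pair per line.
NAT_MAP='
203.0.113.10 10.0.0.10
203.0.113.11 10.0.0.11
203.0.113.12 10.0.0.12
203.0.113.13 10.0.0.13
'

# Emit the two NAT rules for one pair: inbound DNAT in PREROUTING so
# traffic to the public IP reaches the server, outbound SNAT in
# POSTROUTING so the server's own traffic leaves under that same IP.
emit_nat_pair() {
    pub=$1; priv=$2
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$WAN_IF" "$pub" "$priv"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$WAN_IF" "$priv" "$pub"
}

# Emit the FORWARD rules for one server. DNAT happens before FORWARD, so
# the inbound rule matches on the private address, not the public one.
emit_forward_pair() {
    priv=$1
    printf 'iptables -A FORWARD -i %s -o %s -d %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$priv"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$LAN_IF" "$WAN_IF" "$priv"
}

# Print the complete rule set to stdout.
gen_rules() {
    # Aliasing eth0:N gives the box the addresses; it does not make it
    # forward packets. Forwarding must be switched on in the kernel.
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -t nat -F'
    echo 'iptables -F FORWARD'
    # Default-deny forwarding, then open only what the mapping needs.
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "$NAT_MAP" | while read -r pub priv; do
        [ -n "$pub" ] || continue        # skip the blank lines around the map
        emit_nat_pair "$pub" "$priv"
        emit_forward_pair "$priv"
    done
}

# Number of iptables commands in the generated set (sysctl excluded).
count_rules() {
    gen_rules | grep -c '^iptables'
}

gen_rules
```

Each server keeps one private address and is reachable from the internet only on the public address mapped to it; the default DROP on FORWARD plus the ESTABLISHED,RELATED rule means nothing else behind the switch is exposed or allowed out until a pair is added to the map. Rate-limiting per server is a separate tc/HTB job, which is what the wondershaper and lartc.org pointers above cover.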