Is this a wise configuration?



First, I apologize if this is slightly OT for this NG, but I was unable to find a more general "networking" NG on my nntp server. If it's any consolation, all of my computers run GNU/Linux...

Here is my situation:
I have a single DSL connection to the internet at my house. This connection goes through a router, supplied by the ISP. Behind this router is my LAN. I enjoy setting up various different servers (web, news, irc, bbs, etc.), and would like to be able to access them from the internet. With this many "test" servers running, however, there are many potential security threats. I would like to create a separate "zone" on my network, autonomous from the private LAN, to place these servers in, in order to minimize the security risk to the rest of the LAN. (If one of the servers becomes compromised, the damage is isolated to the "server zone", thereby preventing further attacks on the private LAN.) I would like the private LAN to be invisible to the "server zone", but still have access to the internet through the DSL router.

Here is my plan:
Configure the DSL router to forward the ports needed for the various servers to a single computer. This computer acts as a firewall between the two network zones. The firewall examines the destination port on incoming packets and, based on that, DNATs the address to the appropriate physical server. (For example, redirect all packets destined for port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3.)

Also, in order to facilitate the "zone separation", this firewall will drop all packets coming from the "server zone", destined to the private LAN, and vice versa.

I will also configure the firewall to SNAT all packets coming from the "server zone", destined to the internet, with the private LAN IP address of the firewall.

Hopefully, this will behave as expected.

As a "networking neophyte", I would like to ask if this is a smart way to do this. Is there an easier, or more efficient alternative? Any other comments?

Thanks!
-None
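The plan in the post (port-based DNAT into the server zone, a hard drop between the server zone and the private LAN, and SNAT of server-zone traffic to the firewall's LAN address) expressed as an iptables script. This is an added illustration, not code from the original post; the interface names, the two subnets, the firewall's LAN address and the port-to-server map are all assumptions.

```shell
#!/bin/sh
# Added example: iptables rules for a firewall with one leg on the private LAN
# (where the DSL router lives) and one leg in the "server zone".
# Every name and address below is an assumption for illustration.

LAN_IF=eth0              # interface toward the DSL router / private LAN (assumed)
DMZ_IF=eth1              # interface toward the "server zone" (assumed)
FW_LAN_IP=192.168.1.2    # firewall's own address on the private LAN (assumed)
LAN_NET=192.168.1.0/24   # private LAN (assumed)
DMZ_NET=10.0.0.0/24      # server zone; the post uses 10.0.0.x hosts

# "proto:port:server" entries; the router forwards these ports to FW_LAN_IP.
SERVICES="tcp:80:10.0.0.2 tcp:21:10.0.0.3"

# Emit the rule set. Set IPT="echo iptables" to preview the commands
# without root; by default they are applied with iptables.
generate_rules() {
    ipt="${IPT:-iptables}"

    # Clean slate and a default-deny forwarding policy.
    $ipt -t nat -F
    $ipt -F FORWARD
    $ipt -P FORWARD DROP

    # 1. Zone separation first: nothing crosses between server zone and LAN
    #    in either direction, whatever the port.
    $ipt -A FORWARD -i "$DMZ_IF" -d "$LAN_NET" -j DROP
    $ipt -A FORWARD -s "$LAN_NET" -o "$DMZ_IF" -j DROP

    # 2. Reply packets for connections that were already allowed.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Port-forwarded packets from the router: DNAT by destination port and
    #    allow only that port to reach its server.
    for svc in $SERVICES; do
        proto=${svc%%:*}
        rest=${svc#*:}
        port=${rest%%:*}
        host=${rest#*:}
        $ipt -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport "$port" \
             -j DNAT --to-destination "$host"
        $ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$host" \
             -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # 4. Server zone -> internet, leaving as the firewall's LAN address so the
    #    router sees a single LAN host. Destinations inside LAN_NET were
    #    already dropped in step 1.
    $ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$DMZ_NET" \
         -m conntrack --ctstate NEW -j ACCEPT
    $ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$DMZ_NET" \
         -j SNAT --to-source "$FW_LAN_IP"
}

# Apply for real (needs root): enable forwarding, then load the rules.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    generate_rules
}

# Run "sh thisfile.sh apply" to load; anything else only previews.
if [ "$1" = "apply" ]; then
    apply_rules
elif [ "$1" = "preview" ]; then
    IPT="echo iptables" generate_rules
fi
```

Two things the script relies on but cannot set for you: the router's port forwards must point at `FW_LAN_IP`, and every host in the server zone must use the firewall's server-zone address as its default gateway, otherwise replies to DNATed connections never pass back through the firewall. Note also that the LAN-to-server-zone drop in step 1 is placed before the service accepts, so LAN machines cannot reach the servers even on the forwarded ports; that matches the post's stated goal, and loosening it is a one-rule change if LAN access is wanted.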