Re: Is this a wise configuration?



None <none@xxxxxxxxxxx> writes:

First, I apologize if this is slightly OT for this NG, but I was unable
to find a more general "networking" NG on my nntp server. If it's any
consolation, all of my computers run GNU/Linux...

Here is my situation:
A have a single DSL connection to the internet at my house. This
connection goes through a router, supplied by the ISP. Behind this
router is my LAN. I enjoy setting up various different servers (web,
news, irc, bbs, etc.), and would like to be able to access them from the
internet. With this many "test" servers running, however, there are many
potential security threats. I would like to create a separate "zone" on
my network, autonomous from the private LAN, to place these servers in,
in order to minimize the security risk to the rest of the LAN. (If one
of the servers becomes compromised, the damage is isolated to the
"server zone", thereby preventing further attacks to the private LAN). I
would like the private LAN to be invisible to the "server zone", but
still have access to the internet through the DSL router.

It would depend on your router.
However, you have the router forward all 10.0.x.x addresses to the net, put
your server subnet in 10.0.1.x and your other machines, with firewalls
excluding all 10.0.1.x machines from everything on 10.0.0.x


Here is my plan:
Configure the DSL router to forward the ports needed for the various
servers to a single computer. This computer acts as a firewall between
the two network zones. The firewall examines the destination port on

It would need two network cards. It would also be a single point of
failure. I.e., if they break it, they break everything.


incoming packets, and based on that, DNAT's the address to the
appropriate physical server. (For example, redirect all packets destined
to port 80 to 10.0.0.2, and all packets destined for port 21 to 10.0.0.3).

Also, in order to facilitate the "zone separation", this firewall will
drop all packets coming from the "server zone", destined to the private
LAN, and vice versa.

I will also configure the firewall to SNAT all packets coming from the
"server zone", destined to the internet, with the private LAN IP address
of the firewall.

What kind of address does your ISP deliver? Is it a routable or a
non-routable address (OK, public or private)? You do not want to be doing
double NAT -- once at your end and once at your ISP.



Hopefully, this will behave as expected.

As a "networking neophyte", I would like to ask if this is a smart way
to do this. Is there an easier, or more efficient alternative? Any other
comments?

Thanks!
-None
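The plan quoted above (DNAT by destination port, zone-to-zone DROP, SNAT of the server zone's outbound traffic), written out as an iptables script. This is an added illustration, not code from either poster; the interface names, addresses and port map are assumptions, with the server zone placed in 10.0.1.x as the reply suggests.

```shell
#!/bin/sh
# Added example: iptables rules for the two-zone firewall described in the post.
# Everything below is assumed for illustration; adjust to the real interfaces.
LAN_IF=eth0            # NIC towards the private LAN and the DSL router
DMZ_IF=eth1            # NIC towards the "server zone"
FW_LAN_IP=10.0.0.10    # firewall's LAN address; the DSL router forwards ports here
LAN_NET=10.0.0.0/24    # private LAN
DMZ_NET=10.0.1.0/24    # server zone, a separate subnet as the reply suggests
# "port server" pairs: destination port -> server in the zone (constructed)
PORT_MAP="80 10.0.1.2
21 10.0.1.3"

# Print the rule set one command per line instead of applying it, so it can be
# reviewed (or tested) before being run; apply_rules pipes it through sh.
dmz_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -F"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"          # default deny between the zones
    # Replies to connections already accepted, in either direction.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$PORT_MAP" | while read -r port server; do
        # DNAT by destination port to the matching server, as the post describes.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport $port -j DNAT --to-destination $server:$port"
        # Let only that port through to that server. This rule sits before the
        # zone DROPs, so it still works if the DSL router rewrites the source
        # address of forwarded packets to its own LAN address.
        echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -d $server -p tcp --dport $port -j ACCEPT"
    done
    # Zone separation: no new connections from the server zone to the LAN,
    # and none from the LAN into the server zone.
    echo "iptables -A FORWARD -s $DMZ_NET -d $LAN_NET -j DROP"
    echo "iptables -A FORWARD -s $LAN_NET -d $DMZ_NET -j DROP"
    # Server zone -> internet via the DSL router, masked as the firewall's LAN
    # address (note: this is a second NAT layer in front of the router's own).
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $DMZ_NET -j SNAT --to-source $FW_LAN_IP"
}

rule_count() { dmz_rules | wc -l | tr -d ' '; }   # 13 for the map above
apply_rules() { dmz_rules | sh; }                  # run as root on the firewall

case "${1:-print}" in
    apply) apply_rules ;;   # ./dmz-fw.sh apply
    *)     dmz_rules ;;     # default: print the rules for review
esac
```

The established-state rule is what lets the DNAT'ed connections and the server zone's own outbound sessions get their replies back despite the two DROP lines; LAN hosts can still reach the published ports, since the DSL router that forwards them sits on the LAN.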