using public ip addresses in DMZ: how to route in small subnet?



There have been several questions posted in debian-firewall and
debian-user on this but no clear solutions. Can't find anything on
slashdot or via google either.

I've got five public ip addresses from my ISP (recently upgraded to
PacBell's "enhanced" dsl account). I'm trying to set up a firewall
topology like the "serious example" in the HOW-TO
(http://www.ibiblio.org/mdw/HOWTO/IPCHAINS-HOWTO-7.html). (The main
difference is that my "external" interface is not ppp0.)

It certainly appears like my small subnet from PacBell (x.y.z.24/29)
should work exactly like the example. Compared to the HOW-TO:

   External Network (BAD)
                |
                |
            ppp0|
         ---------------
         | 192.84.219.1|             Server Network (DMZ)
         |             |eth0
         |             |----------------------------------------------
         |             |192.84.219.250 |             |              |
         |             |               |             |              |
         |192.168.1.250|               |             |              |
         ---------------          --------       -------        -------
                | eth1            | SMTP |       | DNS |        | WWW |
                |                 --------       -------        -------
                |              192.84.219.128  192.84.219.129  192.84.218.130
                |
        Internal Network (GOOD)

I've got:

   External Network (BAD) [gateway to ISP is x.y.z.25]
                |
                |
            eth0|
         ---------------
         |   x.y.z.26  |             Server Network (DMZ)
         |             |eth1
         |             |----------------------------------------------
         |             |x.y.z.27       |             |              |
         |             |               |             |              |
         |192.168.1.250|               |             |              |
         ---------------          --------       -------        -------
                | eth2            | SMTP |       | WWW |        | other |
                |                 --------       -------        -------
                |                 x.y.z.28      x.y.z.29        x.y.z.30
                |
        Internal Network (GOOD) (ipmasqued)

The Internal Network connects to the net fine, and I can ping between
the DMZ and the Internal Network.

However, just as others who have posted here, I can't get the DMZ
outside. I can track a ping through the ipchains rules (from the Serious
Example) out the dmz-bad chain, but I don't see anything coming back.

I gather that the problem is not the ipchains rules but rather
configuring the routing correctly given that the ip address of the "bad"
interface is within the same subnet as the DMZ. Do I need to subnet my
subnet? If so, how? 

Charles Steinkuehler
(http://lists.debian.org/debian-user-0008/msg03919.html) makes it sound
as if this isn't readily done. Do I need to ipmasq the DMZ instead of
using the public IP addresses I have? Has anyone else figured out a
solution for this?

Many thanks in advance for any help!!

Cheers, Stan
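
The question above is whether the /29 has to be "subnetted again". The Python example below is added here as an illustration; it is not code from the list post or from any reply to it. It works through the address arithmetic for the two options, using the RFC 5737 documentation block 192.0.2.24/29 as a constructed stand-in for x.y.z.24/29: splitting the /29 into two routed /30s (which costs a network and broadcast address per half plus an address for the firewall's DMZ interface), and the proxy-ARP alternative of leaving the whole /29 on the external side and adding /32 host routes toward the DMZ, with the firewall answering ARP for those addresses on eth0. The interface names, the proxy-ARP approach and the generated commands are assumptions for illustration, not something stated in the post.

```python
"""Address arithmetic for routing a small public block across a firewall.

Added example, not from the list post. 192.0.2.24/29 (RFC 5737 TEST-NET-1)
is a constructed stand-in for the poster's x.y.z.24/29; .25 plays the ISP
gateway and .26 the firewall's external (eth0) address, as in the post.
"""
import ipaddress

ISP_BLOCK = ipaddress.ip_network("192.0.2.24/29")   # stand-in for x.y.z.24/29
ISP_GATEWAY = ipaddress.ip_address("192.0.2.25")    # stand-in for x.y.z.25
FIREWALL_EXT = ipaddress.ip_address("192.0.2.26")   # stand-in for x.y.z.26


def usable_hosts(net):
    """Every address in `net` except its network and broadcast addresses."""
    return list(net.hosts())


def split_block(net):
    """Option 1, 'subnet the subnet': cut the block into two halves.

    Each half becomes a routed network of its own and therefore loses
    its first (network) and last (broadcast) address.
    """
    return list(net.subnets(prefixlen_diff=1))


def dmz_hosts_after_split(net, gateway, fw_ext):
    """Addresses left for DMZ servers after the split.

    The outer half must contain the ISP gateway and the firewall's external
    address; the inner half gives one address to the firewall's DMZ
    interface (eth1, assumed) and the rest to servers.
    """
    outer, inner = split_block(net)
    if gateway not in outer or fw_ext not in outer:
        raise ValueError("gateway and external address must share the outer half")
    inner_hosts = usable_hosts(inner)
    return inner_hosts[1:]   # inner_hosts[0] is taken by the firewall's eth1


def proxy_arp_host_routes(net, gateway, fw_ext, ext_if="eth0", dmz_if="eth1"):
    """Option 2, proxy ARP (assumed approach): keep the whole block on the
    external side, route each DMZ address as a /32 out the DMZ interface,
    and let the firewall answer ARP for those addresses on the external
    interface (and for the ISP gateway on the DMZ side).

    Returns (dmz_addresses, commands). The commands are iproute2/sysctl
    lines built for illustration; they are not executed here.
    """
    dmz = [a for a in usable_hosts(net) if a not in (gateway, fw_ext)]
    cmds = [f"ip route add {a}/32 dev {dmz_if}" for a in dmz]
    cmds.append(f"sysctl -w net.ipv4.conf.{ext_if}.proxy_arp=1")
    cmds.append(f"sysctl -w net.ipv4.conf.{dmz_if}.proxy_arp=1")
    return dmz, cmds


if __name__ == "__main__":
    print("usable in /29:", usable_hosts(ISP_BLOCK))
    print("split into:", split_block(ISP_BLOCK))
    print("DMZ hosts after split:",
          dmz_hosts_after_split(ISP_BLOCK, ISP_GATEWAY, FIREWALL_EXT))
    addrs, cmds = proxy_arp_host_routes(ISP_BLOCK, ISP_GATEWAY, FIREWALL_EXT)
    print("DMZ hosts with proxy ARP:", addrs)
    print("\n".join(cmds))
```

Running it shows the trade-off behind the "subnet my subnet" question: the /29 has six usable addresses, but splitting it into two /30s leaves exactly one address for a DMZ server once the gateway, the firewall's external address and the firewall's DMZ address are taken, whereas the /32 host-route approach keeps all four of .27 through .30 for DMZ machines.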