Re: using public ip addresses in DMZ: how to route in small subnet?
On Tue, May 15, 2001 at 10:22:44PM -0700, Stan Kaufman wrote:
[snip]
> I've got five public ip addresses from my ISP (recently
> upgraded to PacBell's "enhanced" dsl account). I'm trying to
> set up a firewall topology like the "serious example" in the
> HOW-TO
> (http://www.ibiblio.org/mdw/HOWTO/IPCHAINS-HOWTO-7.html). (The
> main difference is that my "external" interface is not ppp0.)
>
> It certainly appears like my small subnet from PacBell
> (x.y.z.24/29) should work exactly like the example. Compared
> to the HOW-TO:
[snip]
>
> I've got:
>
> External Network (BAD)  [gateway to ISP is x.y.z.25]
>              |
>              |
>          eth0|
>      ---------------
>      |   x.y.z.26  |              Server Network (DMZ)
>      |             |eth1
>      |             |----------------------------------------------
>      |             |x.y.z.27      |             |             |
>      |             |              |             |             |
>      |192.168.1.250|              |             |             |
>      ---------------           --------      -------       -------
>          | eth2                 | SMTP |      | WWW |       | other
>          |                      |      |      |     |       |
>          |                      --------      -------       -------
>          |                      x.y.z.28      x.y.z.29      x.y.z.30
>          |
>   Internal Network (GOOD) (ipmasqued)
>
> The Internal Network connects to the net fine, and I can ping
> between the DMZ and the Internal Network.
>
> However, just as others who have posted here, I can't get the
> DMZ outside. I can track a ping through the ipchains rules
> (from the Serious Example) out the dmz-bad chain, but I don't
> see anything coming back.
>
> I gather that the problem is not the ipchains rules but rather
> configuring the routing correctly given that the ip address of
> the "bad" interface is within the same subnet as the DMZ. Do I
> need to subnet my subnet? If so, how?
[snip]
If you subnet, you'll "lose" some IP addresses. You could use
proxy arp instead.
--
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
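What the proxy-ARP alternative looks like on the firewall in the diagram above, as an added example (not part of the thread, and not code from either poster). Subnetting the /29 into two /30s would burn two more addresses on network and broadcast and would also need the ISP to route the second /30 to the firewall; with proxy ARP the ISP keeps seeing one flat /29 on the wire while the firewall answers ARP for the DMZ hosts on eth0 and for the ISP gateway on eth1. The script assumes 2.2/2.4-era Linux tools (ifconfig, route, /proc/sys/net/ipv4) and uses 192.0.2.x (a documentation prefix) in place of the poster's x.y.z; the interface names and host numbers come from the diagram. The firewall's eth1 address gets a /32 mask so that no second /29 route competes with the one on eth0, and per-host routes steer .28 to .30 out eth1.

```shell
#!/bin/sh
# Added example: proxy-ARP setup for a /29 shared between the external
# interface and the DMZ, instead of subnetting it. Addresses are assumed
# (192.0.2.x stands in for the poster's x.y.z); interface names and host
# numbers follow the diagram in the post.

PREFIX=${PREFIX:-192.0.2}
EXT_IF=${EXT_IF:-eth0}              # x.y.z.26, towards the ISP gateway .25
DMZ_IF=${DMZ_IF:-eth1}              # x.y.z.27, towards the DMZ hosts
DMZ_HOSTS=${DMZ_HOSTS:-"28 29 30"}  # SMTP, WWW, other
DRY_RUN=${DRY_RUN:-0}               # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 (lets you review the
# exact routing changes before touching a remote firewall).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

proxy_arp_setup() {
    # 1. eth0 keeps the whole /29 and the default route via the ISP
    #    gateway; from the ISP's side nothing changes.
    run ifconfig "$EXT_IF" "$PREFIX.26" netmask 255.255.255.248 up
    run route add default gw "$PREFIX.25" dev "$EXT_IF"

    # 2. eth1 gets its own address with a host mask, so the kernel does
    #    not install a second /29 route that would shadow the one on eth0.
    run ifconfig "$DMZ_IF" "$PREFIX.27" netmask 255.255.255.255 up

    # 3. Host routes: traffic for each DMZ machine leaves via eth1, not via
    #    the /29 on eth0 where the longest-prefix match would otherwise send it.
    for h in $DMZ_HOSTS; do
        run route add -host "$PREFIX.$h" dev "$DMZ_IF"
    done

    # 4. Proxy ARP on both sides. Linux answers an ARP request on an
    #    interface when it holds a route to the target via a different
    #    interface: eth0 answers the ISP gateway's requests for .28-.30
    #    (routed via eth1), eth1 answers the DMZ hosts' requests for the
    #    gateway .25 (routed via eth0). Forwarding must be on as well.
    run sh -c "echo 1 > /proc/sys/net/ipv4/conf/$EXT_IF/proxy_arp"
    run sh -c "echo 1 > /proc/sys/net/ipv4/conf/$DMZ_IF/proxy_arp"
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Only apply when invoked explicitly, e.g.  sh proxy-arp.sh --apply
if [ "${1:-}" = "--apply" ]; then
    proxy_arp_setup
fi
```

Run `DRY_RUN=1 sh proxy-arp.sh --apply` first to see the ifconfig/route commands it would issue, then `--apply` as root. The DMZ hosts keep their normal configuration (x.y.z.28/29 with default gateway x.y.z.25); once proxy ARP is on, `arp -an` on a DMZ host shows the firewall's eth1 MAC for .25, and the return path that was missing from the dmz-bad chain appears because the ISP gateway now resolves .28-.30 to the firewall's eth0 MAC. The ipchains rules from the HOWTO stay as they are; only the routing and ARP behaviour change.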