Re: using public ip addresses in DMZ: how to route in small subnet?
On Wed, May 16, 2001 at 09:17:42AM -0400, Jeremy T. Bouse wrote:
> I appear to be in the same situation as you as I have PacBell's
> Enhanced DSL package with the 5 IPs as well... What I am doing currently
> is having all 5 IPs aliased to eth0 on my firewall and then using iptables
> SNAT and DNAT to make it appear as my machines inside have static addresses
> when in fact they are static private (192.168.0/24) IPs.
> If you would like I'd be happy to share some of my setup specifics
> with you off-list if they help.
Static NAT is definitely a good solution. But you might also consider
bridging and doing packet filtering on the bridging box.
Another alternative is tunneling; that is, use private IP addresses on
the "DMZ" interfaces and tunnel the public addresses to the servers. Of
course, the firewall box has to do ARP for the public addresses.
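
The static NAT arrangement from the quoted message, as an added example that is not part of the original thread: a script that prints (does not apply) the iptables rules for a 1:1 public-to-private mapping with default-deny forwarding. The 203.0.113.x addresses, the port lists and the names `NAT_MAP`, `valid_ipv4` and `emit_static_nat` are constructed for illustration; it assumes the public addresses are already aliased on eth0.

```shell
#!/bin/sh
# Added example: prints (does not apply) 1:1 static NAT rules.
# Constructed values: 203.0.113.x is a documentation range standing in for the
# ISP-assigned block; 192.168.0.x is the private range named in the thread.
# Assumption: the public addresses are already aliased on the outside interface.

WAN_IF="eth0"
# public_ip:private_ip:allowed inbound TCP ports (constructed sample map)
NAT_MAP="203.0.113.2:192.168.0.2:25
203.0.113.3:192.168.0.3:80,443"

# Succeeds only for a dotted quad with four octets in 0..255.
valid_ipv4() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# $1 = outside interface; stdin = map lines. Writes iptables commands to stdout.
emit_static_nat() (
    wan=$1
    # Default-deny forwarding: NAT rewrites addresses, it does not filter.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    while IFS=: read -r pub priv ports; do
        [ -n "$pub" ] || continue
        valid_ipv4 "$pub" && valid_ipv4 "$priv" || { echo "bad address: $pub/$priv" >&2; exit 1; }
        # Port list must be non-empty and contain digits and commas only.
        case "$ports" in ''|*[!0-9,]*) echo "bad ports for $pub" >&2; exit 1 ;; esac
        # Inbound: public address -> private host; outbound: private host -> public address.
        echo "iptables -t nat -A PREROUTING -i $wan -d $pub -j DNAT --to-destination $priv"
        echo "iptables -t nat -A POSTROUTING -o $wan -s $priv -j SNAT --to-source $pub"
        # DNAT happens before FORWARD, so the filter matches the private address.
        echo "iptables -A FORWARD -i $wan -d $priv -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
        echo "iptables -A FORWARD -o $wan -s $priv -m state --state NEW -j ACCEPT"
    done
)

printf '%s\n' "$NAT_MAP" | emit_static_nat "$WAN_IF"
```

Review the printed commands before piping them to a shell; a malformed map line aborts generation with a non-zero status.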