
Firewall/Masq/DMZ question



I'm putting together a firewall system based on the Linux Router 
Project (using the EigerStein version of Materhorn, i.e., version 2.2 
kernel and network tools), but replacing the ipchains rules with a 
configuration based on that found in the IPCHAINS-HOWTO.  The system 
has 3 NICs: one to the outside world, one to a private network, and one 
to a DMZ network.

I have the basic stuff working between the private network and the 
outside, and have several applications port-forwarded to a server on the 
private network.  I'm now trying to fine-tune things and have a couple 
of questions.  I'd appreciate any help.

First, and most important -- I'm having trouble getting routing to work 
for the DMZ.  My ISP has delegated a /27 subnet to me, and I connect to 
him via an ISDN router at my end which has IP address x.x.x.193.  The 
external interface on the firewall box is x.x.x.194, and I'd like to be 
able to route the rest of my subnet out eth2 to the DMZ network 
(x.x.x.192/27, broadcast x.x.x.223).

This is what I'd like things to look like:

ISP<--ISDN-->Router<---->eth0-Firewall-eth2<---->x.x.x.192/27
             x.x.x.193   x.x.x.194     x.x.x.195  

I can't figure out the right settings for the netmask and broadcast on 
the firewall external interface to have eth0, gateway x.x.x.193, be the 
default route, while routing the rest of network x.x.x.192/27 out eth2. 
I *thought* this was possible, but I can't get the right magic working.

If I can't do this, I need to use a private network on the DMZ, and 
masq it.  That's no problem, but I'm not sure what I need to do to 
allow unlimited connectivity between masq'd net 192.168.1.0 on the 
private interface, and masq'd net 192.168.2.0 on the DMZ interface.  
What is required to allow two masq'd networks to talk to each other?

Thanks for any pointers...

John Ackermann
jra@febo.com

-- 
John Ackermann   N8UR
Dayton, Ohio, USA
jra@febo.com --  http://www.febo.com

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3a

mQBtAzgI9hgAAAEDAMiMQDZTVVuVIS0AscJ0Wy63oK4+Q5xvtxbX/ZoG1qCOuYDI
Fph4/RqL9vVEItWBy6ISk+zbkATzPgy84nrI7+GBtld4F9DoHWARQXjC1I8cFZjY
TSe16ffqO/ba1ukLnQAFEbQlSm9obiBSLiBBY2tlcm1hbm4gTjhVUiA8anJhQGZl
Ym8uY29tPokAdQMFEDgI9hjqO/ba1ukLnQEBtYIC/AxJ2RqT0/9TqY8JGEkPx2sw
+W5Z6Tu4UI654t9diGdCcIEPjOG1qUvwH2Xop0Yj9QGoM4NnHIw6qUSN5VH7hHKA
bGnpuTxinuW/gKaI3bt2MC8QZZq0gy2de26907lE2A==
=UHWl
-----END PGP PUBLIC KEY BLOCK-----
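
The two questions in the post both come down to what the firewall's forwarding table looks like, so here is an added example (not part of the original message or of the LRP/ipchains tooling) that simulates the kernel's longest-prefix-match route lookup over three candidate tables. The addresses are constructed stand-ins: the documentation block 192.0.2.192/27 plays the role of the delegated x.x.x.192/27, so .193 is the ISDN router, .194 is eth0 and .195 is eth2; 198.51.100.7 is an arbitrary outside host. The first table is the "both interfaces get the /27" layout, the second is the standard proxy-ARP layout (eth0 carries only a host route to the ISDN router and the whole /27 lives on eth2, with proxy ARP enabled on eth0 so the firewall answers ARP for DMZ hosts on the ISP side), and the third is the fallback with two RFC 1918 networks. The function names, the `Route` tuple and the private-network list are this example's own assumptions.

```python
# Added example: longest-prefix-match simulation of the firewall's routing table.
# Addresses are constructed stand-ins: 192.0.2.192/27 replaces x.x.x.192/27.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str                       # output interface
    via: Optional[str] = None      # next-hop gateway; None = directly connected


def route(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), dev, via)


def lookup(table: List[Route], dst: str) -> Route:
    """Most specific matching prefix wins; on an exact tie the entry
    installed first (earlier in the list) is kept, as the kernel does."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best


def egress(table: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    r = lookup(table, dst)
    return (r.dev, r.via)


# Layout 1: eth0 and eth2 both configured with netmask /27. Two routes for the
# same prefix; eth0 (brought up first) wins, so DMZ hosts are unreachable via eth2.
FLAT = [
    route("192.0.2.192/27", "eth0"),
    route("192.0.2.192/27", "eth2"),
    route("0.0.0.0/0", "eth0", via="192.0.2.193"),
]

# Layout 2: no connected /27 on eth0, only a host route to the ISDN router,
# and the /27 on eth2. The firewall must proxy-ARP for the DMZ on eth0
# (echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp on a 2.2 kernel) because
# the ISDN router still believes the whole /27 is on its own LAN segment.
PROXY_ARP = [
    route("192.0.2.193/32", "eth0"),
    route("192.0.2.192/27", "eth2"),
    route("0.0.0.0/0", "eth0", via="192.0.2.193"),
]

# Layout 3: the fallback from the post, two masqueraded RFC 1918 networks.
FALLBACK = [
    route("192.168.1.0/24", "eth1"),
    route("192.168.2.0/24", "eth2"),
    route("0.0.0.0/0", "eth0", via="192.0.2.193"),
]

PRIVATE = [ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("192.168.2.0/24")]
EXTERNAL_DEV = "eth0"


def forward_decision(table: List[Route], src: str, dst: str) -> Tuple[str, str]:
    """Decide how the forward chain should treat a packet from src to dst.
    Only packets that actually leave on the external interface need MASQ;
    traffic between the two private networks is plain forwarding, so the
    ipchains MASQ rule must be restricted to '-i eth0' (in the forward chain
    -i names the *output* interface) and an ACCEPT rule must precede it."""
    dev, _ = egress(table, dst)
    src_ip = ipaddress.ip_address(src)
    if dev == EXTERNAL_DEV and any(src_ip in n for n in PRIVATE):
        return ("masq", dev)
    return ("forward", dev)
```

With the flat layout a packet for a DMZ host is sent out eth0 toward the ISP and never reaches eth2, which is the symptom described in the post; with the proxy-ARP layout the DMZ prefix is more specific than anything on eth0, so it leaves eth2, and the ISDN router is still reached through the /32 host route. Note that DMZ hosts configured with a /27 netmask will ARP for .193 directly, so in practice proxy ARP is also enabled on eth2 (or the DMZ hosts are given the firewall's .195 as their gateway with a host route to it).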
