Firewall/Masq/DMZ question
I'm putting together a firewall system based on the Linux Router
Project (using the EigerStein version of Materhorn, i.e., version 2.2
kernel and network tools), but replacing the ipchains rules with a
configuration based on that found in the IPCHAINS-HOWTO. The system
has 3 NICs: one to the outside world, one to a private network, and one
to a DMZ network.
I have the basic stuff working between the private network and the
outside, and have several applications port-forwarded to a server on the
private network. I'm now trying to fine-tune things and have a couple
of questions. I'd appreciate any help.
First, and most important -- I'm having trouble getting routing to work
for the DMZ. My ISP has delegated a /27 subnet to me, and I connect to
him via an ISDN router at my end which has IP address x.x.x.193. The
external interface on the firewall box is x.x.x.194, and I'd like to be
able to route the rest of my subnet out eth2 to the DMZ network
(x.x.x.192/27, broadcast x.x.x.223).
This is what I'd like things to look like:
ISP<--ISDN-->Router<---->eth0-Firewall-eth2<---->x.x.x.192/27
             x.x.x.193   x.x.x.194     x.x.x.195
I can't figure out the right settings for the netmask and broadcast on
the firewall external interface to have eth0, gateway x.x.x.193 be the
default route, while routing the rest of network x.x.x.192/27 out eth2.
I *thought* this was possible, but I can't get the right magic working.
If I can't do this, I need to use a private network on the DMZ, and
masq it. That's no problem, but I'm not sure what I need to do to
allow unlimited connectivity between masq'd net 192.168.1.0 on the
private interface, and masq'd net 192.168.2.0 on the DMZ interface.
What is required to allow two masq'd networks to talk to each other?
Thanks for any pointers...
John Ackermann
jra@febo.com
--
John Ackermann N8UR
Dayton, Ohio, USA
jra@febo.com -- http://www.febo.com
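
The layout asked about in the post comes down to longest-prefix-match route selection. The model below is an added example, not part of the original post: it uses 203.0.113.192/27 as a constructed stand-in for x.x.x.192/27, and assumes eth1 and a /24 mask for the private network. It covers only the firewall's own forwarding decision, not how the upstream router learns to reach the DMZ hosts.

```python
import ipaddress

# Constructed stand-ins for the poster's addresses (documentation range).
SUBNET = ipaddress.ip_network("203.0.113.192/27")   # x.x.x.192/27
ROUTER = ipaddress.ip_address("203.0.113.193")      # ISDN router, x.x.x.193

# Hypothetical table: eth0 carries only a host route to the router,
# so the rest of the /27 can be routed out eth2.
ROUTES = [
    (ipaddress.ip_network("203.0.113.193/32"), "eth0", None),  # router, on-link
    (SUBNET, "eth2", None),                                    # DMZ
    (ipaddress.ip_network("192.168.1.0/24"), "eth1", None),    # private LAN (assumed eth1, /24)
    (ipaddress.ip_network("0.0.0.0/0"), "eth0", ROUTER),       # default route
]

# What happens if eth0 is given the full /27 netmask: both interfaces claim
# the same prefix, so prefix length no longer separates router from DMZ.
AMBIGUOUS = [
    (SUBNET, "eth0", None),
    (SUBNET, "eth2", None),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0", ROUTER),
]


def lookup(dst, routes=ROUTES):
    """Return (interface, gateway) for dst using longest-prefix match.

    On a tie in prefix length the first entry wins (a property of this
    model, standing in for the ambiguity of the overlapping configuration).
    """
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _net, iface, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gateway


if __name__ == "__main__":
    for addr in ("203.0.113.193", "203.0.113.200", "192.168.1.10", "198.51.100.7"):
        print(addr, "->", lookup(addr))
    print("203.0.113.200 with /27 on eth0 ->", lookup("203.0.113.200", AMBIGUOUS))
```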