Network with Tri-homed firewall

October 17th, 2011 - 08:58 am ET by H Steenkamp
Hi there!

I'm trying to understand how one would set up a small business network
using a tri-homed firewall using iptables. This is not for a real
network, but for my learning. I am still a Linux newbie, so please be
kind to me :-)

Let's say I have some Cisco router that connects to my ISP (who
provided me with one IP number).
I also have a computer with three network interface cards:

eth0 with 202.54.1.1 public IP address - WAN connected to router
eth1 with 192.168.1.1 private IP address - Internal LAN with
workstations
eth2 with 192.168.2.1 private IP address - DMZ connected to Mail, Web,
DNS and perhaps an FTP server


Here is where I need help with understanding.
1. Do I need two public IP addresses to make this work (one for the
router and one for eth0) or is there another way to configure this?
2. I obviously want NAT for the Internal and DMZ network to work. How
would the iptables command look to forward incoming mail to the mail
server? Do I use something like this:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.x
3. What IP address goes into the DNS server for the Mail, Web, etc.
servers in the DMZ? Do you specify the IP address of eth0 for each
server and then rely on NAT to point it to the correct server
depending on the destination port number? How does this work?
4. I have seen a few diagrams on the internet where a DNS caching
server is installed on the internal network. I assume the internal DNS
only has the entries of the servers on the internal network, and
lookups are forwarded to the DNS in the DMZ if it needs an IP address
for any other Internet servers. Is this the preferred reasonable
approach?
5. Some sites suggest a mail relay in the DMZ. I assume the actual
mail server then goes on the internal network. Does the mail relay
server still allow pop/imap access from outside? This obviously also
requires a forwarding rule for port 25 to the internal server. Is this how
it works?

Sorry, it's quite a handful of questions. Any help will be
appreciated!

Thx in advance.

Hein

Replies

#1 ibuprofin
October 17th, 2011 - 03:59 pm ET
On Mon, 17 Oct 2011, in the Usenet newsgroup comp.os.linux.networking, in
article ,
H Steenkamp wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

> I'm trying to understand how one would set up a small business network
> using a tri-homed firewall using iptables. This is not for a real
> network, but for my learning. I am still a Linux newbie, so please be
> kind to me :-)

http://www.netfilter.org/documentation/HOWTO/

[TXT] NAT-HOWTO.txt 18-Dec-2010 13:56 25K
[TXT] netfilter-double-nat-HOWTO.txt 18-Dec-2010 13:56 9.3K
[TXT] netfilter-extensions-HOWTO.txt 18-Dec-2010 13:56 80K
[TXT] networking-concepts-HOWTO.txt 18-Dec-2010 13:56 28K
[TXT] packet-filtering-HOWTO.txt 18-Dec-2010 13:56 51K

http://tldp.org/guides.html

* The Linux Network Administrator's Guide, Second Edition
version: 1.1
authors: Olaf Kirch and Terry Dawson
last update: March 2000
ISBN: 1-56592-400-2
available formats:
1. HTML (read online)
2. HTML (tarred and gzipped package, 690k)
3. PDF (1.5MB)

> Here is where I need help with understanding.
> 1. Do I need two public IP addresses to make this work (one for the
> router and one for eth0) or is there another way to configure this?

Depends on your ISP. Both sides of the cable modem/router may have
an RFC1918 (unroutable) address (real addresses are valuable, why
waste one on something no one outside will connect to), and do packet
forwarding only. Thus, you'd only have one "public" address - the box
that is directly connected to the router. There is nothing on the
router (and _should_ be nothing on the firewall) that the public can
connect to - all public connections go to NATed boxes inside or in the
DMZ. That's both a security and complexity issue.

> 2. I obviously want NAT for the Internal and DMZ network to work. How
> would the iptables command look to forward incoming mail to the mail
> server?

See the howtos above. Note that, unless you have a commercial or
business grade service from the ISP, that ISP may be blocking all
mail (and maybe other services) to residential addresses to prevent
spam and net abuse. Discuss that with your ISP.

> 3. What IP address goes into the DNS server for the Mail, Web, etc.
> servers in the DMZ?

Your DNS server - addresses are those of the DMZ hosts. If you have
a real public domain "out there", the A and MX records on the public
DNS server for the DMZ services point to the single public IP address
on the NAT box. The world can't find your 192.168.2.x addresses. As
far as the world can see, _everything_ you make reachable is on that
single "public" IP address.

> 4. I have seen a few diagrams on the internet where a DNS caching
> server is installed on the internal network. I assume the internal DNS
> only has the entries of the servers on the internal network, and
> lookups are forwarded to the DNS in the DMZ if it needs an IP address
> for any other Internet servers. Is this the preferred reasonable
> approach?

It's old, but

-rw-rw-r-- 1 gferg ldp 91563 Dec 23 2001 DNS-HOWTO

Note that this is your _internal_ server - quite different from the
public DNS servers probably operated by your registrar and/or ISP.

> 5. Some sites suggest a mail relay in the DMZ. I assume the actual
> mail server then goes on the internal network.

What is your threat model? What will your ISP allow?

> Does the mail relay server still allow pop/imap access from outside?

How did you want to configure it.

> This obviously also requires a forwarding rule for port 25 to the internal
> server. Is this how it works?

POP/IMAP are not on 25 - see /etc/services and the documentation on
the servers. If you are referring to mail being delivered to the
public facing mail server in the DMZ, which then forwards the mail to
a server on the inside, no - this is an MTA (Mail Transport Agent)
configuration - the application like 'exim/postfix/sendmail'. But
again, note that your ISP may block access to these ports.

> Sorry, it's quite a handful of questions. Any help will be
> appreciated!

Start reading the guides at the LDP (second URL above), and at least
look at the HOWTO-INDEX (http://ibiblio.org/pub/linux/docs/HOWTO/ or
http://en.tldp.org/HOWTO/HOWTO-INDEX/howtos.html). There are 46
guides that are essentially full sized books, and over 450 HOWTOs on
many subjects. People have been there before, and written down a lot
of valuable information.

Old guy
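The topology from the question and the design points from the reply above (hide both private networks behind the one public address, publish DMZ services on that address by port with DNAT, let only the relay reach the internal mail server, and expose nothing on the firewall itself) written out as one iptables ruleset. This is an added example, not code from either poster. The interface names and 202.54.1.1 are from the question; every host address (192.168.2.10 for the relay, 192.168.1.10 for the internal mail server, and so on) is a hypothetical placeholder, and the `show` dry-run mode, the conntrack matches and the logged DMZ-to-LAN drop are my additions.

```shell
#!/bin/sh
# Tri-homed iptables firewall for the thread's topology (added example).
#   eth0  202.54.1.1      WAN, the only public address (from the question)
#   eth1  192.168.1.0/24  LAN with workstations       (from the question)
#   eth2  192.168.2.0/24  DMZ with mail/web/DNS        (from the question)
# Host addresses below are hypothetical placeholders.
#   sh fw.sh show   -> print the rules (IPT=echo), no root needed
#   sh fw.sh apply  -> load them into the kernel (root)
set -eu

IPT="${IPT:-iptables}"

WAN_IF=eth0;  WAN_IP=202.54.1.1
LAN_IF=eth1;  LAN_NET=192.168.1.0/24
DMZ_IF=eth2;  DMZ_NET=192.168.2.0/24
MAIL_RELAY=192.168.2.10   # hypothetical: SMTP relay in the DMZ
WEB_SRV=192.168.2.20      # hypothetical: web server in the DMZ
DMZ_DNS=192.168.2.53      # hypothetical: public-facing DNS in the DMZ
MAIL_INT=192.168.1.10     # hypothetical: real mailbox server on the LAN

firewall_rules() {
    # Clean slate, default deny for traffic to and through the box.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # Private source addresses never legitimately arrive on the WAN side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT   -i $WAN_IF -s $net -j DROP
        $IPT -A FORWARD -i $WAN_IF -s $net -j DROP
    done

    # The firewall itself offers nothing to the public: loopback, replies,
    # and SSH from the LAN only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT

    # Return traffic for every forwarded connection.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Question 2: both private networks leave as the single public address.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP

    # Question 2/3: a public service is "the public IP plus a port"; DNAT
    # rewrites the destination and FORWARD must then accept the rewritten
    # packet. The helper only ever targets the DMZ, never a LAN host.
    publish() { # publish <proto> <port> <dmz host>
        $IPT -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p "$1" --dport "$2" \
            -j DNAT --to-destination "$3"
        $IPT -A FORWARD -i $WAN_IF -o $DMZ_IF -d "$3" -p "$1" --dport "$2" \
            -m conntrack --ctstate NEW -j ACCEPT
    }
    publish tcp 25  $MAIL_RELAY
    publish tcp 80  $WEB_SRV
    publish tcp 443 $WEB_SRV
    publish udp 53  $DMZ_DNS
    publish tcp 53  $DMZ_DNS

    # LAN may reach the Internet and the DMZ (internal caching DNS forwards
    # to the DMZ resolver over this path).
    $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
    $IPT -A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -j ACCEPT

    # DMZ hosts may reach the Internet (updates, the relay's outbound mail).
    $IPT -A FORWARD -i $DMZ_IF -s $DMZ_NET -o $WAN_IF -j ACCEPT

    # Question 5: the relay's MTA config delivers inbound mail to the
    # internal server; the firewall allows exactly that one DMZ->LAN flow.
    $IPT -A FORWARD -i $DMZ_IF -s $MAIL_RELAY -o $LAN_IF -d $MAIL_INT \
        -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT

    # Anything else from the DMZ toward the workstations is logged and
    # dropped, so a compromised DMZ host cannot pivot inward.
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -m limit --limit 5/min \
        -j LOG --log-prefix "DMZ->LAN "
    $IPT -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
}

case "${1:-}" in
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null && firewall_rules ;;
    show)  IPT=echo firewall_rules ;;
esac
```

Rule order matters: the single relay-to-internal ACCEPT sits above the DMZ-to-LAN DROP, and `show` lets you confirm that before loading anything. Because the LAN reaches the DMZ directly, the internal caching DNS from question 4 can hand workstations the 192.168.2.x addresses, so they never need to loop through the public address. POP/IMAP are deliberately not published; a `publish` for those ports would expose a mailbox server straight to the Internet, which is what the relay design avoids.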
