There have been several questions posted in debian-firewall and debian-user on this but no clear solutions. Can't find anything on slashdot or via google either.
I've got five public ip addresses from my ISP (recently upgraded to PacBell's "enhanced" dsl account). I'm trying to set up a firewall topology like the "serious example" in the HOW-TO (http://www.ibiblio.org/mdw/HOWTO/IPCHAINS-HOWTO-7.html). (The main difference is that my "external" interface is not ppp0.) It certainly appears like my small subnet from PacBell (x.y.z.24/29) should work exactly like the example.

Compared to the HOW-TO:

                             External Network (BAD)
                                      |
                                      |
                                  ppp0|
                       ---------------
                       | 192.84.219.1|  Server Network (DMZ)
                       |             |eth0
                       |             |----------------------------------------------
                       |             |192.84.219.250       |            |           |
                       |             |                     |            |           |
                       |192.168.1.250|                     |            |           |
                       ---------------               --------       -------    -------
                             | eth1                  | SMTP |       | DNS |    | WWW |
                             |                       --------       -------    -------
                             |                   192.84.219.128  192.84.219.129  192.84.218.130
                             |
                      Internal Network (GOOD)

I've got:

                             External Network (BAD)
                          [gateway to ISP is x.y.z.25]
                                      |
                                      |
                                  eth0|
                       ---------------
                       | x.y.z.26    |  Server Network (DMZ)
                       |             |eth1
                       |             |----------------------------------------------
                       |             |x.y.z.27             |            |           |
                       |             |                     |            |           |
                       |192.168.1.250|                     |            |           |
                       ---------------               --------       -------    ---------
                             | eth2                  | SMTP |       | WWW |    | other |
                             |                       --------       -------    ---------
                             |                   x.y.z.28        x.y.z.29       x.y.z.30
                             |
                      Internal Network (GOOD)
                            (ipmasqued)

The Internal Network connects to the net fine, and I can ping between the DMZ and the Internal Network. However, just as others who have posted here, I can't get the DMZ outside. I can track a ping through the ipchains rules (from the Serious Example) out the dmz-bad chain, but I don't see anything coming back.

I gather that the problem is not the ipchains rules but rather configuring the routing correctly given that the ip address of the "bad" interface is within the same subnet as the DMZ. Do I need to subnet my subnet? If so, how? Charles Steinkuehler (http://lists.debian.org/debian-user-0008/msg03919.html) makes it sound as if this isn't readily done. Do I need to ipmasq the DMZ instead of using the public IP addresses I have?
Has anyone else figured out a solution for this? Many thanks in advance for any help!!

Cheers,
Stan
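The routing problem the post describes, as an added illustration that is not part of the original message: a small model of the kernel's longest-prefix route lookup shows why replies for the DMZ hosts leave the wrong interface when eth0 and eth1 both carry the whole /29, and what a /30 split of that /29 costs in usable addresses. The public block is a constructed placeholder (203.0.113.24/29 standing in for x.y.z.24/29); the interface names and host assignments follow the post's diagram.

```python
# Added example (not from the original post). Placeholder addresses:
# 203.0.113.24/29 stands in for the post's x.y.z.24/29.
from ipaddress import ip_address, ip_network

PUBLIC = ip_network("203.0.113.24/29")          # .25 gw, .26 eth0, .27 eth1, .28-.30 DMZ
DEFAULT = ip_network("0.0.0.0/0")


def route_lookup(routes, dst):
    """Longest-prefix match over (network, interface) pairs, first match
    wins on a tie, which is how a flat kernel route table behaves."""
    dst = ip_address(dst)
    best = None
    for net, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def flat_routes():
    """Both firewall interfaces configured with the same /29: two connected
    routes of equal length, so DMZ traffic is sent toward the ISP side."""
    return [(PUBLIC, "eth0"), (PUBLIC, "eth1"), (DEFAULT, "eth0")]


def split_routes():
    """'Subnetting the subnet': /29 cut into two /30s, one per interface."""
    outside, dmz = PUBLIC.subnets(prefixlen_diff=1)
    return [(outside, "eth0"), (dmz, "eth1"), (DEFAULT, "eth0")]


def usable_hosts(net):
    """Host addresses left once network and broadcast are taken."""
    return [str(h) for h in net.hosts()]


if __name__ == "__main__":
    smtp = "203.0.113.28"  # the post's x.y.z.28
    print("flat  /29 -> reply to SMTP leaves via", route_lookup(flat_routes(), smtp))
    print("split /30 -> reply to SMTP leaves via", route_lookup(split_routes(), smtp))
    for net in PUBLIC.subnets(prefixlen_diff=1):
        print(net, "usable:", usable_hosts(net))
```

The split fixes the lookup but the SMTP host's .28 becomes a network address and .27 a broadcast, which is why a /30 split of five addresses is a poor fit for this layout.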

