On Wed, Jun 05, 2002 at 05:09:44PM -0400, Gabriel Floyd wrote:
> 
> I have the following setup: 
> 
>                |Internet    
>                |ww.xx.yy.zz     
>                |                                   
>                |                   Production            Production  
>          |-----|----|                 WEB                    DB   
>          |  eth0    |             |----------|            |-------|
>          |          | 192.168.3.x |          |192.168.4.x |       |
>    |-----|eth1  eth2|-------------|eth0  eth1|------------|eth0   |
>    |  .1 |__________|.1        .2 |__________| .1      .2 |_______|
>    |                                 
>    |                                     
>    |                                           
>    |              Development             Development 
>    |                  WEB                     DB     
>    |              |----------|            |--------|
>    | 192.168.1.x  |          |192.168.2.x |        | 
>    |--------------|eth0  eth1|------------|eth0    | 
>                .2 |__________| .1      .2 |________|

> I'm not sure what I need to do to route packets from 'Dev Web' through the 
> firewall to the other webserver (Prod Web), and not the internet.  How 
> should the routing table look for this?

        provided your subnet, broadcast and network IPs are set properly for
each interface in the firewall, and "prodweb" and "devweb" both have
default gateways of eth2's and eth1's IPs on the firewall, respectively,

on the firewall/gateway, make sure port forwarding is on:

# cat /proc/sys/net/ipv4/ip_forward

it should return "0" or "1", indicating whether or not forwarding is
enabled.  you can change this by echoing a new value into the file:

# echo "1" > /proc/sys/net/ipv4/ip_forward

also, check your forward ruleset in iptables:

# iptables -nL FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination         

if the default policy is set to DROP, you need to add a rule to the
iptables FORWARD chain to allow packets to be routed through the linux
box.

provided all these things are set correctly, your linux router should
understand which routes to 192.168.x.y are on which interfaces.

hope this helps.

> Secondly, how do I forward port 80 requests from the firewall to the 
> Production Web box (192.168.3.2)?  Do I need httpd running on the firewall 
> to receive the port 80 requests?  Right now it is closed.

        no, you don't need httpd.   add a rule to the NAT table:

# iptables -t nat -A PREROUTING -p tcp -d [firewall ext. ip] \
--destination-port 80 -j DNAT --to-destination 192.168.3.2


i think that should do it..

have fun.

-- 
[ rich henning      ]                                             /"\
[ [EMAIL PROTECTED] ]                                             \ /
                                                                   X
support the ascii ribbon campaign against html e-mail             / \

pgp: http://diss0nance.lawngnome.org/pgp_public.txt
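An added worked example (not part of Rich's reply or of the original thread) that turns the advice above into a reviewable ruleset for the quoted topology. It assumes the addresses from Gabriel's diagram (firewall eth1 = 192.168.1.1 on the dev side, eth2 = 192.168.3.1 on the prod side, prod web = 192.168.3.2) and uses `ww.xx.yy.zz` as a placeholder for the firewall's external address; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original mail. Addresses are taken from the
# quoted diagram; EXT_IP is a placeholder for the firewall's public address.
EXT_IP="${EXT_IP:-ww.xx.yy.zz}"
DEV_NET=192.168.1.0/24
PROD_NET=192.168.3.0/24
PROD_WEB=192.168.3.2

# Print the commands instead of running them, so the ruleset can be read
# (or diffed against the live one) first and then applied with:
#   firewall_rules | sh
firewall_rules() {
    cat <<EOF
# 1. the kernel must be willing to route between interfaces at all
echo 1 > /proc/sys/net/ipv4/ip_forward
# 2. FORWARD policy is DROP, so allow dev web -> prod web explicitly;
#    only the dev side may open new connections, prod only answers
iptables -A FORWARD -i eth1 -o eth2 -s $DEV_NET -d $PROD_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -s $PROD_NET -d $DEV_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. DNAT inbound port 80; --dport needs -p tcp or iptables rejects the rule
iptables -t nat -A PREROUTING -i eth0 -p tcp -d $EXT_IP --dport 80 -j DNAT --to-destination $PROD_WEB:80
# 4. DNAT only rewrites the address; the packet must still pass FORWARD
iptables -A FORWARD -i eth0 -o eth2 -p tcp -d $PROD_WEB --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p tcp -s $PROD_WEB --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity-check the generated rules for the mistakes that bite most often:
# forwarding left off, no DNAT, or a port match without a protocol.
check_rules() {
    rules=$(firewall_rules)
    echo "$rules" | grep -q 'ip_forward' || return 1
    echo "$rules" | grep -q -- '-j DNAT' || return 1
    # any --dport/--sport line lacking "-p tcp" would fail to load
    echo "$rules" | grep -- '--[ds]port' | grep -vq -- '-p tcp' && return 1
    return 0
}
```

Run `firewall_rules` first and read the output; only pipe it to `sh` as root once the interface names and addresses match your boxes.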
