| View previous topic :: View next topic |
| Author |
Message |
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway
|
 Posted: Wed Feb 20, 2013 7:10 am Post subject: iptables DMZ dual firewall howto? |
 |
|
I have a topology like this
| Code: |
eth1 eth0 eth1 eth0
WAN <----> FW1 <---- DMZ ---> FW2 <--- LAN --->
172.31.31.xxx 172.30.30.xxx
|
FW2 is also DHCP and DNS server for the two networks. The WAN will typically be some xDSL modem getting some dynamic IP, or it could be another router.
First step is to get the NAT running from the LAN and out to the WAN and the DNS server access the WAN so it can serve the LAN and the DMZ.
Are there any good tutorials and examples on how to set up iptables for such a topology? I would assume it's not that uncommon. |
|
| Back to top |
|
 |
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway
|
| Posted: Wed Feb 20, 2013 7:36 am Post subject: |
|
|
| I'm looking for information mostly on the NAT part, i.e. where do I NAT, one FW1 only (and forward using FW2), or do I NAT on both FW1 and FW2. |
|
| Back to top |
|
|
syn0ptik
Apprentice
Joined: 09 Jan 2013
Posts: 267
|
| Posted: Wed Feb 20, 2013 8:15 am Post subject: |
|
|
There looks like double PC? You can do with one PC and play with vlan's.
provide dmz in one vlan
and provide another net in the second vlan |
|
| Back to top |
|
|
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway
|
| Posted: Wed Feb 20, 2013 8:44 am Post subject: |
|
|
| Yes. I have two physically PC's. Each with two NIC's and running Gentoo with netfilter. |
|
| Back to top |
|
|
chiefbag
Guru
Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom
|
| Posted: Wed Feb 20, 2013 9:03 am Post subject: |
|
|
Is there a reason why you need to use 2 physical machines?
As mentioned above this can easily be accomplished with one box.
You could use 3 NICs so as to have a physical hardware running your DMZ. |
|
| Back to top |
|
|
papahuhn
l33t
Joined: 06 Sep 2004
Posts: 626
|
| Posted: Wed Feb 20, 2013 9:13 am Post subject: |
|
|
In enterprise environments it is a common design to have separate hardware firewalls (and even separate vendors) for DMZ(s) and the internal network. Sometimes even VLANs are discouraged. pgu, you don't need NAT on FW2, as your DMZ and LAN have different networks.
_________________
Death by snoo-snoo! |
|
| Back to top |
|
|
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway
|
| Posted: Wed Feb 20, 2013 9:15 am Post subject: |
|
|
I already have two PC's with integrated dual NIC's.
It seems like http://www.aboutdebian.com/firewall.htm describes my setup and it states "The outside firewall is set up to do the proxy/NAT stuff for your internal network" so that answer my most important question. |
|
| Back to top |
|
|
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway
|
| Posted: Wed Feb 20, 2013 9:18 am Post subject: |
|
|
| papahuhn wrote: | | pgu, you don't need NAT on FW2, as your DMZ and LAN have different networks. |
That's what I learned from the above link. I just have to make sure that packets are forwarded to the DMZ and translated there. |
|
| Back to top |
|
|
|
Networking & Security
