Hi all! Obscure ruleset problem...
(YES I have RTFM on iptables, and assorted firewalling, but I don't get it together anyways...)

Setup:

    Firewall (dhcp)
       |
       +------DMZ (192.168.2.0/24)
       |
    Internal (192.168.1.0/24)

IP numbers:
Firewall External (eth0) : dhcp
Firewall Internal (eth2) : 192.168.1.254
Firewall DMZ (eth1) : 192.168.2.1
Firewall running XNTP to the rest of the internal and DMZ network
Internal server : 192.168.1.2 (With WWW and ftp forwarded from the internet)
DMZ server : 192.168.2.80 (running web and ftp)

How do I (and can I) write rules so specific ftp accounts (authenticated internal users) end up on 192.168.1.2 and my external clients end up on the DMZ server?

I have personal webpages and home directories plus some NFS folders for the internal network on the internal server that I want to keep there, and I want the clients' webpages, along with their respective ftp logins, to end up on the DMZ. I know it's probably stupid to mix the webserver like this. But the users work both locally from the internal network using their home folders, and the homepages from outside with their ftp logon.

Any hints and suggestions would be of value.

And again: YES I have RTFM on iptables, and assorted firewalling, but I don't get it together anyways...

--
/Rikard
------------------------------------------------------------------------------------
Rikard Johnels email : rikjoh@norweb.se
Web : http://www.rikjoh.com
Mob : +46 735 05 51 01
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
On Tuesday 07 September 2004 16:00, Rikard Johnels wrote:
> How do I (and can I) write rules so specific ftp accounts (authenticated internal users) end up on 192.168.1.2 and my external clients end up on the DMZ server?
>
> I have personal webpages and home directories plus some NFS folders for the internal network on the internal server that I want to keep there, and I want the clients' webpages, along with their respective ftp logins, to end up on the DMZ. I know it's probably stupid to mix the webserver like this. But the users work both locally from the internal network using their home folders, and the homepages from outside with their ftp logon.
>
> Any hints and suggestions would be of value.
My suggestion: let all users go to the DMZ machine when connecting from the internet, and then for each directory that you want to have on the internal machine, run a mirror job (rsync, for example) periodically that pulls it over.

I don't think it's possible to do with iptables alone, but I hope I'll be corrected if I'm wrong.
Rikard wrote regarding '[SLE] Iptables rule?' on Tue, Sep 07 at 09:01:
> Hi all! Obscure ruleset problem...
> (YES I have RTFM on iptables, and assorted firewalling, but I don't get it together anyways...)
>
> Setup:
>
>     Firewall (dhcp)
>        |
>        +------DMZ (192.168.2.0/24)
>        |
>     Internal (192.168.1.0/24)
>
> [...]
>
> How do I (and can I) write rules so specific ftp accounts (authenticated internal users) end up on 192.168.1.2 and my external clients end up on the DMZ server [...]
You can't do that with iptables, since you want to do something at the application level. If you had an ftp proxy, you could forward stuff around after the login stage, but you'd probably still have to do some custom programming to connect them to the right machine.

Probably easier would be to pick a different port on the outside machine, and forward that one to the regular ftp port on your internal machine. Then just tell the internal users to connect to a non-standard port when they initiate.

--Danny
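Danny's non-standard-port suggestion written out as concrete iptables rules, added here as an example and not part of the thread. It takes the interface and host addresses from Rikard's post, picks 2121 as the outside port for the internal server (my choice, not from the thread), and uses the current nf_conntrack_ftp/nf_nat_ftp module names (the 2004-era kernel called them ip_conntrack_ftp/ip_nat_ftp); the `ports=` parameter is the part people usually forget, without it the data connections for the non-standard control port are not tracked and transfers stall.

```shell
#!/bin/sh
# Added example (not from the thread): split inbound FTP by outside port.
# Assumed from the original post: eth0 = internet side, 192.168.2.80 = DMZ
# ftp server, 192.168.1.2 = internal server. INT_PORT=2121 is my choice.
WAN_IF="${WAN_IF:-eth0}"
DMZ_FTP="${DMZ_FTP:-192.168.2.80}"
INT_FTP="${INT_FTP:-192.168.1.2}"
INT_PORT="${INT_PORT:-2121}"   # outside port that maps to internal ftp

# Emit the commands instead of running them, so they can be reviewed first
# (pipe the output through `sh` as root to apply). Assumes the FORWARD chain
# already has a default-deny policy; only the ACCEPTs are added here.
ftp_forward_rules() {
    # The kernel FTP helper must be told about the non-standard control port,
    # otherwise PASV/PORT data connections on that session are not RELATED.
    echo "modprobe nf_conntrack_ftp ports=21,${INT_PORT}"
    echo "modprobe nf_nat_ftp"
    # Internet clients on port 21 land on the DMZ server.
    echo "iptables -t nat -A PREROUTING -i ${WAN_IF} -p tcp --dport 21 -j DNAT --to-destination ${DMZ_FTP}:21"
    # Clients on the non-standard port are rewritten to the internal server, port 21.
    echo "iptables -t nat -A PREROUTING -i ${WAN_IF} -p tcp --dport ${INT_PORT} -j DNAT --to-destination ${INT_FTP}:21"
    # FORWARD sees the translated destination: allow only the two control
    # ports plus helper-tracked data connections, nothing else to those hosts.
    echo "iptables -A FORWARD -i ${WAN_IF} -p tcp -d ${DMZ_FTP} --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i ${WAN_IF} -p tcp -d ${INT_FTP} --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i ${WAN_IF} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Helper for checking the generated rules: which host:port does a given
# outside port get DNATed to?
dnat_target_for_port() {
    ftp_forward_rules | sed -n "s/.*--dport $1 -j DNAT --to-destination \([0-9.:]*\)/\1/p"
}

ftp_forward_rules
```

The non-standard port only separates the two user groups; it does not hide the internal server from the internet, so the ftp daemon on 192.168.1.2 still needs the same hardening as the DMZ one.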
participants (3)
- Anders Johansson
- Danny Sauer
- Rikard Johnels