how can i have public IPs in the DMZ with SuSEfirewall2
Subject: how can i have public IPs in the DMZ with SuSEfirewall2
(German text follows below)
----------------

Hello all,

I have been searching around quite a while and couldn't find a solution.

I have 8 public IP addresses from our internet service provider (netmask is 255.255.255.248). I have a SuSE 8 Linux box with 3 Ethernet network cards. eth0 is external, connected directly with a crossover cable to the router of the ISP. eth1 is the DMZ Ethernet card. eth2 is the internal network; it should be 192.168.200.x with netmask 255.255.255.0 ... something like that..

Now I have read in the SuSEfirewall2 config file in section 13 that SuSEfirewall2 supports public IPs in the DMZ zone.. even the EXAMPLE file talks about a scenario with a webserver with ports 80 and 443 running with public IP 200.200.200.200 in the DMZ... In my case I want to run a mailserver in the DMZ with a public IP, and it only needs port 25 to the internet, and it's getting mails only from specific hosts on the internet. So it's not included in an MX record anywhere but gets mails from a virus detection/mailscanning company's mailservers there...

Now my question is: how do I get traffic to that mailserver box in the DMZ... will my router forward the traffic for the IP of the mailserver? What should the IP for the DMZ Ethernet card be, and what netmask/gateways, and do I need any static routing on the box... or how will the SuSEfirewall2 script handle all this... This seems somehow weird to me and I don't find any explanation or discussions here in Usenet where people succeeded with this... but this scenario should be quite common, shouldn't it? I also heard about proxy ARP and other sorts, but since the SuSEfirewall2 script and examples explicitly talk about this scenario, can someone explain this to me and what the DMZ card settings and netmasks, gateways should be?

I also thought about adding the mailserver IP additionally to the external Ethernet card (eth0:1 for the mailserver IP then) and then do port forwarding to the DMZ card, and run another private IP network on the DMZ.. 192.168.300.x for the DMZ or something? What would be the best solution? But my actual question is, how do I make this work with the SuSEfirewall2 scripts and settings, since there is that scenario in the EXAMPLES with the webserver in the DMZ with a public IP address... Could anyone please give me some hints, howtos or a detailed explanation... I get confused because I don't know what to set for the DMZ card in this case...

Thanks already for any help and hints.

Best regards,
Andreas Bittner

------------------
German version (translated):

Hello people,

I have been searching around for a while but haven't found any real solution or explanation for my scenario. I got a block of 8 public IP addresses from an internet service provider (netmask 255.255.255.248). I have a SuSE Linux 8 box with 3 Ethernet network cards. eth0 external network, eth1 DMZ network, eth2 internal network. eth0 is connected directly by crossover cable to the ISP's router. eth2 is a network with private addresses, e.g. 192.168.200.x with the mask 255.255.255.0.

I have now read in the SuSEfirewall2 config file under point 13 that it supports public IPs in the DMZ. There is even a scenario in the EXAMPLE file with a webserver with ports 80 and 443 in the DMZ that has a public IP 200.200.200.200. In my case I only want a simple mailserver (port 25) with a public IP address running in the DMZ. The mailserver's IP is not recorded in any MX record, and the mailserver only gets mails delivered from an external mail virus scanning provider, so I want to restrict the traffic to exactly a few IPs on the internet, or rather I can say exactly where the mail traffic comes from...

My question now is: how do I manage, with just 8 public IP addresses and SuSEfirewall2, to route the data for the mailserver's IP to my DMZ Ethernet network card etc... What IP address must the DMZ network card have, which mask, gateway, etc.... I have a problem understanding this... I cannot subnet the 8 IPs I have any further.. Can the SuSEfirewall2 script configure the box so that the data for the mailserver with the public IP definitely arrives there at the DMZ network card and gets passed on to it? How is that done? What do I have to set for the DMZ card, etc... I have also already read about approaches with proxy ARP and with port forwarding, but I don't know what would be best, and if SuSEfirewall2 can already do it, then I just have a comprehension problem with it.. Maybe it simply works, but what do I set for the DMZ card?? Or should I additionally put the mailserver IP as eth0:1 on the external card and then direct it to the DMZ card with port forwarding and run private IPs there too? Does anyone have a few hints and exact steps on how I should best do this? Is it that simple with the SuSEfirewall2 script? And what do I have to set for the DMZ card etc....

Thanks in advance and regards,
Andreas Bittner
* Andreas Bittner;
> Subject: how can i have public IPs in the DMZ with SuSEfirewall2
> (German text follows below)
> ----------------
> Hello all,
> I have been searching around quite a while and couldn't find a solution.
> I have 8 public IP addresses from our internet service provider (netmask is 255.255.255.248). I have a SuSE 8 Linux box with 3 Ethernet network cards. eth0 is external, connected directly with a crossover cable to the router of the ISP. eth1 is the DMZ Ethernet card. eth2 is the internal network; it should be 192.168.200.x with netmask 255.255.255.0 ... something like that..
> Now I have read in the SuSEfirewall2 config file in section 13 that SuSEfirewall2 supports public IPs in the DMZ zone.. even the EXAMPLE file talks about a scenario with a webserver with ports 80 and 443 running with public IP 200.200.200.200 in the DMZ... In my case I want to run a mailserver in the DMZ with a public IP, and it only needs port 25 to the internet, and it's getting mails only from specific hosts on the internet. So it's not included in an MX record anywhere but gets mails from a virus detection/mailscanning company's mailservers there...
From the SuSEfirewall2 FAQ; it should give you a start:

Q: I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let people on the internet access my pages?

A: Same principle as above. Let's say your web server has got an official IP address of 1.1.1.1 which you received from your ISP. You would just configure FW_FORWARD_TCP like this:

FW_FORWARD="0/0,1.1.1.1,tcp,80"

HTH
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
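The FAQ entry above uses "0/0" as the source, which forwards port 80 from anywhere. The original poster only expects SMTP from a few known relays, so the source field is where that restriction goes. The following is an added example, not code from the thread or from SuSEfirewall2 itself: a small evaluator that parses entries in the four-field "source,destination,protocol,port" form the FAQ shows and answers whether a given connection would be forwarded. It models only that four-field form (how SuSEfirewall2 actually parses FW_FORWARD, including any extra fields or defaults, is not reproduced), and all addresses are constructed from the RFC 5737 documentation ranges rather than the poster's real block.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges, not the poster's real block):
# the /29 from the ISP, the mail server inside it, and the scanning provider's relays.
PUBLIC_BLOCK = "203.0.113.64/29"
MAIL_SERVER = "203.0.113.66"
SCANNING_MX = ["198.51.100.10", "198.51.100.11"]   # constructed: the mail-scanning provider's relays


def _net(text):
    """Accept the SuSEfirewall2 shorthand '0/0' as well as CIDR or a bare host address."""
    if text == "0/0":
        text = "0.0.0.0/0"          # ipaddress needs four octets
    return ipaddress.ip_network(text, strict=False)


def parse_fw_forward(value):
    """Parse a space-separated FW_FORWARD string.

    Each entry is 'source,destination,protocol,port' as in the FAQ example
    "0/0,1.1.1.1,tcp,80". Returns a list of (src_net, dst_net, proto, port) tuples.
    """
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) < 4:
            raise ValueError(f"malformed FW_FORWARD entry: {entry!r}")
        src, dst, proto, port = fields[:4]
        rules.append((_net(src), _net(dst), proto.lower(), int(port)))
    return rules


def forward_allowed(rules, src, dst, proto, port):
    """Return True if at least one rule forwards this (src, dst, proto, port) tuple."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in rs and d in rd and proto.lower() == rp and port == rport
               for rs, rd, rp, rport in rules)


# The FAQ-style rule opens port 25 on the mail server to the whole Internet ...
OPEN_RULE = f"0/0,{MAIL_SERVER},tcp,25"
# ... whereas the poster only expects mail from the scanning provider's relays,
# so one entry per relay keeps every other source out of the DMZ.
RESTRICTED_RULE = " ".join(f"{relay},{MAIL_SERVER},tcp,25" for relay in SCANNING_MX)


def compare(src):
    """Show how both rule sets treat an SMTP connection from `src` to the mail server."""
    open_rules = parse_fw_forward(OPEN_RULE)
    strict_rules = parse_fw_forward(RESTRICTED_RULE)
    return {
        "open": forward_allowed(open_rules, src, MAIL_SERVER, "tcp", 25),
        "restricted": forward_allowed(strict_rules, src, MAIL_SERVER, "tcp", 25),
    }


if __name__ == "__main__":
    for source in ("198.51.100.10", "192.0.2.99"):
        print(source, compare(source))
```

Whether the forward rule is open or restricted, it only matters once packets for the mail server's address actually reach the firewall box and are routed out of the DMZ interface; the rule does nothing for the routing question the poster is really asking.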
hello there,

I read the FAQ but you didn't answer my question... what IP/settings do I give the DMZ Ethernet card on my firewall box.. so eth0 is the IP x.x.x.67, my mailserver is currently x.x.x.66 ... and this .66 needs to connect to the DMZ Ethernet card eth1.... so my question still is what do you need to set to eth1 if you want to use section 13 with SuSEfirewall2 if you have public IP boxes on your DMZ Ethernet...

does iptables translate the addresses or does the SuSEfw2 reroute packets to the DMZ Ethernet no matter what I set? how is this all working.. this is my question.. I read the FAQs but they didn't explain what to set for the DMZ interface when using public IPs from the same subnet on the external eth0 and the DMZ eth1...

thanks again,
andy
----- Original Message -----
From: "Togan Muftuoglu"
> * Andreas Bittner; on 19 Aug, 2002 wrote:
> > Subject: how can i have public IPs in the DMZ with SuSEfirewall2
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
* Andreas Bittner;
> hello there,
> I read the FAQ but you didn't answer my question... what IP/settings do I give the DMZ Ethernet card on my firewall box.. so eth0 is the IP x.x.x.67, my mailserver is currently x.x.x.66 ... and this .66 needs to connect to the DMZ Ethernet card eth1.... so my question still is what do you need to set to eth1 if you want to use section 13 with SuSEfirewall2 if you have public IP boxes on your DMZ Ethernet...

well if you are just using one IP why don't you use x.x.x.66/32

> does iptables translate the addresses or does the SuSEfw2 reroute packets to the DMZ Ethernet no matter what I set? how is this all working.. this is my question.. I read the FAQs but they didn't explain what to set for the DMZ interface when using public IPs from the same subnet on the external eth0 and the DMZ eth1...

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
I am not very good at this DMZ/IP/routing and iptables stuff.. and I simply don't understand what I would have to set for my DMZ IP..

the mailserver is x.x.x.66; I agree I set/leave it like that.. I set x.x.x.67 for example on the external eth0 card that connects to the ISP router, which has x.x.x.65. eth0 has a mask of 255.255.255.248, right? and what does the DMZ eth1 have? x.x.x.65 for example with the same 255.255.255.248 mask? will SuSEfirewall2 give the packets for .66 to that eth1 card? will this all work?

can anyone help with how to set the DMZ Ethernet card IP/mask/gateway? isn't anyone using this scenario more frequently?

thanks again,
andy
----- Original Message -----
From: "Togan Muftuoglu"
> * Andreas Bittner; on 19 Aug, 2002 wrote:
> > hello there,
Firstly, I speak as a non-expert who has been wrestling with a similar
problem.
Let us say eth1 is *.*.*.68. It can't be *.*.*.65, because you have
already said that your router is *.65. Then your mailserver is *.66.
If the netmask is 255.255.255.248, then all this subnet (*.64 to *.71)
is routed to eth1. You then have the problem of getting any packets to
eth0, and the router. There is a way of getting unequal subnets, one
within the other, to route correctly but I don't understand it and I
think it needs kernel modification. In any case, the smallest subnet
you can usefully define is 4 IP addresses. I am NOT an expert, but I
don't think there is any way of separately routing just 2 IPs from
within your 8 IP subnet. There is no advantage in defining a 4 IP
subnet within your 8 IP subnet as you only have 4 left anyway. Perhaps
there is a slight advantage, as you would then have *68 available, but I
don't know how to do it!
I suggest you define two subnets, firstly *.64 to *.67, leaving *.65
and *.66 available for eth0 and your router, subnet mask
255.255.255.252. (64 is network address, 67 broadcast, these are not
available to you). Second subnet is *.68 to *.71, same subnet mask.
Then *.69 can be eth1 and *.70 your mailserver. *.68 and *.71 are now
network & broadcast address for this subnet. This should work, but uses
all your public IP addresses!!
The alternative is to forget eth1 altogether and have the mail server on
the same ethernet segment as eth0 and the router, the subnet mask being
255.255.255.248 as you originally suggested. This is less secure, and
the mail server would have to be protected from the Internet by its own
Iptables (firewall2) setup. But it would leave you with 3 spare IP
addresses on the subnet, for your future servers!
--
Roger Hayter
In message <1e8b01c247b3$21ad2a70$0100a8c0@stuwo.fhheilbronn.de>, Andreas Bittner
> I am not very good at this DMZ/IP/routing and iptables stuff.. and I simply don't understand what I would have to set for my DMZ IP..
> the mailserver is x.x.x.66; I agree I set/leave it like that.. I set x.x.x.67 for example on the external eth0 card that connects to the ISP router, which has x.x.x.65. eth0 has a mask of 255.255.255.248, right? and what does the DMZ eth1 have? x.x.x.65 for example with the same 255.255.255.248 mask? will SuSEfirewall2 give the packets for .66 to that eth1 card? will this all work?
> can anyone help with how to set the DMZ Ethernet card IP/mask/gateway? isn't anyone using this scenario more frequently?
> thanks again, andy
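Roger's reply turns on two facts: an interface address must not be the network or broadcast address of its subnet, and two interfaces on the same box must not carry overlapping subnets, or the kernel has no way to tell which link a packet for that range belongs on (his "all this subnet is routed to eth1"). The following is an added example, not code from the thread: a checker that validates an address plan for a multi-homed box against those rules, run once on the plan the original poster described (eth0 and eth1 both in the /29) and once on Roger's two-/30 split. Addresses are constructed from the RFC 5737 documentation range in place of the poster's x.x.x.64/29 block.

```python
import ipaddress

# Constructed /29 standing in for the poster's x.x.x.64/29 block (RFC 5737 range).
BLOCK = ipaddress.ip_network("203.0.113.64/29")


def check_plan(plan, block=BLOCK):
    """Validate an address plan for one multi-homed box.

    `plan` maps an interface name to (address/prefix, gateway-or-None).
    Returns a list of problems; an empty list means the plan is sound.
    """
    problems = []
    ifaces = {}
    for name, (cidr, gw) in plan.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
        if gw is not None and ipaddress.ip_address(gw) not in net:
            problems.append(f"{name}: gateway {gw} is not inside {net}")
        if net.version == block.version and not net.subnet_of(block):
            problems.append(f"{name}: {net} is not part of the ISP block {block}")
        ifaces[name] = net
    # Two interfaces on one box must not claim the same address range.
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].overlaps(ifaces[b]):
                problems.append(f"{a} ({ifaces[a]}) and {b} ({ifaces[b]}) overlap: "
                                "the kernel cannot tell which link a packet for that range belongs on")
    return problems


def split_block(block=BLOCK, prefixlen=30):
    """Return each sub-block with its usable host addresses (network/broadcast excluded)."""
    return {str(sub): [str(h) for h in sub.hosts()] for sub in block.subnets(new_prefix=prefixlen)}


# The plan from the thread that cannot work: eth0 and eth1 both carry the whole /29.
NAIVE_PLAN = {
    "eth0": ("203.0.113.67/29", "203.0.113.65"),
    "eth1": ("203.0.113.65/29", None),
}

# Roger's suggestion: two /30s, router + eth0 in the first, eth1 + mail server in the second.
SPLIT_PLAN = {
    "eth0": ("203.0.113.66/30", "203.0.113.65"),
    "eth1": ("203.0.113.69/30", None),
}

if __name__ == "__main__":
    print("usable hosts per /30:", split_block())
    print("naive plan:", check_plan(NAIVE_PLAN) or "ok")
    print("split plan:", check_plan(SPLIT_PLAN) or "ok")
```

The split plan passes, but as Roger notes it leaves exactly one usable address per /30 beside the router and beside eth1, so the mail server is the only host the DMZ can ever hold.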
> ----- Original Message -----
> From: "Togan Muftuoglu"
> To:
> Sent: Monday, August 19, 2002 8:25 PM
> Subject: Re: [suse-security] how can i have public IPs in the DMZ with SuSEfirewall2
> * Andreas Bittner; on 19 Aug, 2002 wrote:
how about host routes?

if you have control over the router yourself, or can talk someone at your ISP into reconfiguring it, my preferred config would be host routes.

if that fails, you can do ARP bridging on the firewall.

or use aliases on your firewall outside interface, and use private IPs in the DMZ.

HTH,
lge
In message <20020820194455.C642@johann>, Lars Ellenberg
> how about host routes?

I am interested in all your suggestions because I had a similar design problem to that of the OP. How can this work if the NIC that connects to the ISP has to have one of the IP addresses which are part of the whole subnet linked with another NIC on the same machine? (My ISP gave me a separate IP for this purpose.)

> if you have control over the router yourself, or can talk someone at your ISP into reconfiguring it, my preferred config would be host routes.

This is difficult if the ISP won't commit itself to a particular gateway at its end (mine has n routers, where n increases with time).

> if that fails, you can do ARP bridging on the firewall.

This sounds like a good idea; is it difficult if the firewall is also acting as a router for 2 different subnets and the ISP, though? (As in OP, and my setup!)

> or use aliases on your firewall outside interface, and use private IPs in the DMZ.

If you do this, are all packets transparently routed between the aliases, or do you have to use masquerading, with all the potential protocol problems, and port forwarding?

> HTH, lge

Many thanks; when I was setting this up I couldn't find anyone in public lists who knew more about it than me!
--
Roger Hayter
OK, now I am not doing this exactly every day, so I may be wrong, but iirc:

>> how about host routes?
> I am interested in all your suggestions because I had a similar design problem to that of the OP. How can this work if the NIC that connects to the ISP has to have one of the IP addresses which are part of the whole subnet linked with another NIC on the same machine? (My ISP gave me a separate IP for this purpose.)

this is ugly, but it should work. (If I am wrong, shout at me :)

  o.X: official, p.X: private

                                   :p.64---p.Y: private LAN
                                   /
  ISP----router o.1----o.2:firewall:p.1----o.3: DMZ host

  on router:
    default: ISP
    host o.2/32 via o.1
    host o.3/32 via o.2
    host o.4/32 via o.2
    etc.
    host o.Proxy for LAN via o.2
    ...
    last three lines could be replaced by a normal subnet route,
      net o.0/28 via o.1
    since host routes take precedence, so the subnet route is not active for o.2

  on firewall:
    [ LAN normal configuration ]
    default: o.1
    host o.1 via o.2
    host o.3 (DMZ) via p.1

  on DMZ:
    default: p.1
    host p.1 via o.3

>> if you have control over the router yourself, or can talk someone at your ISP into reconfiguring it, my preferred config would be host routes.
> This is difficult if the ISP won't commit itself to a particular gateway at its end (mine has n routers, where n increases with time).

maybe I did not understand this question. it is the router's job to cope with this, isn't it. regardless of the routing at your site, the ISP side is their problem.

>> if that fails, you can do ARP bridging on the firewall.
> This sounds like a good idea; is it difficult if the firewall is also acting as a router for 2 different subnets and the ISP, though? (As in OP, and my setup!)

you can turn this on/off by interface.

>> or use aliases on your firewall outside interface, and use private IPs in the DMZ.
> If you do this, are all packets transparently routed between the aliases, or do you have to use masquerading, with all the potential protocol problems, and port forwarding?

of course you have to NAT in this case. may or may not be easy...

cheers,
lge
Hi,

> If you do this, are all packets transparently routed between the aliases, or do you have to use masquerading, with all the potential protocol problems, and port forwarding?

I think iptables didn't work with interface aliases because an iptables command on an alias produces a warning like this:

~> iptables -A INPUT -j ACCEPT -i eth0:217
Warning: wierd character in interface `eth0:217' (No aliases, :, ! or *).

So I use DNAT for my servers in the DMZ. See also http://lists.suse.com/archive/suse-security/2002-May/0415.html

so long...
Kai
On Wednesday 21 August 2002 03:47 am, Kai-H. Weutzing wrote:
> Hi,
>> If you do this, are all packets transparently routed between the aliases, or do you have to use masquerading, with all the potential protocol problems, and port forwarding?
> I think iptables didn't work with interface aliases because an iptables command on an alias produces a warning like this:
> ~> iptables -A INPUT -j ACCEPT -i eth0:217
> Warning: wierd character in interface `eth0:217' (No aliases, :, ! or *).

Hmmm, Kai, I think you are wrong. Shorewall specifically supports proxyarp which allows you to alias your external NIC and handle multiple IPs thereon.
--
_________________________________________________
No I Don't Yahoo!
And I'm getting pretty sick of being asked if I do.
_________________________________________________
John Andersen / Juneau Alaska
* Andreas Bittner wrote on Mon, Aug 19, 2002 at 19:43 +0200:
> does iptables translate the addresses or does the SuSEfw2 reroute packets to the DMZ Ethernet no matter what I set? how is this all working.. this is my question.. I read the FAQs but they didn't explain what to set for the DMZ interface when using public IPs from the same subnet on the external eth0 and the DMZ eth1...

The firewall does not need to translate addresses here. Of course the routing must work. Can you access your server in the DMZ without firewalling? If not, your routing is configured wrong; for instance, the provider's router does not know your router (firewall) and tries ARP for it. Make sure routing works before setting up firewalling.

oki,
Steffen
--
This message was produced by machine; it therefore bears neither signature nor seal.
participants (7):
- Andreas Bittner
- John Andersen
- Kai-H. Weutzing
- Lars Ellenberg
- Roger Hayter
- Steffen Dettmer
- Togan Muftuoglu