Re: IP ranges with linux firewalls?

From: Ulrich Keil (ulrich@der-keiler.de)
Date: 02/13/02


Date: Wed, 13 Feb 2002 17:53:27 -0000
To: <security-discuss@linuxsecurity.com>
From: "Ulrich Keil" <ulrich@der-keiler.de>

Hi Jan!

On 11/27/01, Benjamin Stocker posted nearly the same question to this list (read these threads to get into the topic):

http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0082.html
http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0093.html

Question 1)
It is no problem to do NAT both for the DMZ and for your internal net. Configure your stuff like this:

   Provider
      | ext-IP-Range: 1.1.1.224-239 (NIC_0)
     NAT
 +----+-----+
 |          | dmz-IP: 192.168.1.1 (NIC_1)
 |    fw    +------- DMZ 192.168.1.2-x (Gateway: dmz-IP)
 |          |
 +----+-----+
      | int-IP: 192.168.0.1
   Intranet: 192.168.0.2-255 (Gateway: int-IP)

This is a very robust setup. You do not lose the advantage of a DMZ (an attacker who broke into a computer on the DMZ doesn't have easy access to the internal machines). If you need an extra level of security, you may also put a second firewall between fw1 and the Intranet.

Question 2)
You have to split the class C net into 2 networks with 128 IPs each and route the traffic.
See: http://www.der-keiler.de/Mailing-Lists/linuxsecurity/2001-11/0081.html

Ulrich
Searching for an archive of the most important Security Mailing-Lists?
http://www.der-keiler.de

On Wednesday 13 February 2002 04:00 pm, Jan Stifter wrote:

> hello,
> I have two questions regarding the configuration of network
> interfaces:
>
> Question 1)
> -----------
>
>    Provider
>       | ext-IP
>  +----+-----+
>  |          | dmz-IP
>  |    fw    +------- DMZ
>  |          |
>  +----+-----+
>       | int-IP
>    Intranet
>
> My Provider gives me an official address range 1.1.1.224-239.
> I would like to use for the intranet the 192.168.x.y range.
>
> So I thought, that I would give the dmz-IP the address 1.1.1.224, the
> int-IP 192.168.0.1.
>
> Can I use for the ext-IP also 1.1.1.224 and configure the firewall
> somehow as a bridge? If yes, where do I find more information
> regarding this issue (ifconfig, route commands, kernel configuration)?
> If no, what other options do I have?
>
> Question 2)
> -----------
> Assume that I would like to build a firewall inside of a larger
> network:
>
> 1.1.1.0-255 (excluding .224 - .239)
>
>  eth0| ext-IP
>  +----+-----+
>  |          | dmz-IP
>  |    fw    +------- DMZ: 1.1.1.224-239
>  |          |
>  |    |eth1 |
>  +----------+
>
> So, outside, towards ext-IP, I have all IPs 1.1.1.0-255 excluding .224
> - .239, in the DMZ, I have IPs 1.1.1.224-239
>
> From the point of network configuration, this should work, but I just
> don't know how to set up the ifconfig and route commands in order to
> be able to configure this correctly.
>
> Thanks for reading this!
> Any hints are greatly appreciated
>
> Jan
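As an added example (not code from either message in this thread) of the split Ulrich suggests for Question 2: the script below divides 1.1.1.0/24 into two 128-address halves, shows which half carries the 1.1.1.224-239 DMZ range, lists the other addresses that land on the DMZ side as well, and emits the ifconfig/route lines Jan asked about. The firewall's outside address 1.1.1.1, the interface names eth0/eth1 and the PROVIDER_GW placeholder are assumptions; 1.1.1.224 for dmz-IP is the address Jan proposed.

```python
import ipaddress

# Values taken from the thread: the provider's class C and the DMZ range.
SITE_NET = "1.1.1.0/24"
DMZ_FIRST, DMZ_LAST = "1.1.1.224", "1.1.1.239"

def split_site(network=SITE_NET, dmz_first=DMZ_FIRST, dmz_last=DMZ_LAST):
    """Split the class C into two 128-address halves and place the DMZ range.
    Also lists the DMZ-side hosts that are NOT in the DMZ range: they end up
    behind the firewall too, which is the catch of a plain /25 split."""
    net = ipaddress.ip_network(network)
    lo, hi = ipaddress.ip_address(dmz_first), ipaddress.ip_address(dmz_last)
    halves = list(net.subnets(prefixlen_diff=1))          # the two /25s
    dmz_side = next(h for h in halves if lo in h)
    if hi not in dmz_side:
        raise ValueError("DMZ range straddles both halves; a /25 split cannot route it")
    outside = next(h for h in halves if h != dmz_side)
    return {
        "outside": outside,
        "dmz_side": dmz_side,
        "dmz_blocks": list(ipaddress.summarize_address_range(lo, hi)),  # aligned CIDRs
        "stray_hosts": [a for a in dmz_side.hosts() if not (lo <= a <= hi)],
    }

def firewall_commands(plan, ext_if="eth0", dmz_if="eth1", ext_ip="1.1.1.1",
                      dmz_ip="1.1.1.224", provider_gw="PROVIDER_GW"):
    """Old-style ifconfig/route lines for the firewall box. Interface names,
    ext_ip and the provider gateway placeholder are assumptions; dmz_ip is the
    address Jan proposed for dmz-IP. Each address must sit in its own half."""
    ext, dmz = ipaddress.ip_address(ext_ip), ipaddress.ip_address(dmz_ip)
    if ext not in plan["outside"] or dmz not in plan["dmz_side"]:
        raise ValueError("firewall addresses must lie in their respective halves")
    mask = plan["dmz_side"].netmask                         # 255.255.255.128
    return [
        f"ifconfig {ext_if} {ext_ip} netmask {mask}",
        f"ifconfig {dmz_if} {dmz_ip} netmask {mask}",
        f"route add default gw {provider_gw} {ext_if}",
        # The provider's router must route the DMZ-side half to ext_ip (or the
        # firewall must proxy-ARP for it), otherwise return traffic never arrives.
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
    ]

if __name__ == "__main__":
    plan = split_site()
    print(plan["outside"], plan["dmz_side"], plan["dmz_blocks"])
    print(len(plan["stray_hosts"]), "non-DMZ addresses land on the DMZ side")
    print("\n".join(firewall_commands(plan)))
```

Note that 1.1.1.224-239 is exactly the aligned block 1.1.1.224/28, so a single /28 route would carry the DMZ alone; the /25 split places 110 further addresses on the DMZ side, which the hosts in 1.1.1.128-223 and .240-.254 have to be wired for.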
------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.