Astaro User Bulletin Board
#1
Old 02-11-2004, 10:24 AM
Senior Member
 
Join Date: Mar 2002
Posts: 108
Setting up DMZ

Hi,

I'm about to set up a DMZ for one of my servers (FTP).

I wonder if it will work, even though I only have one external IP from my ISP?

My thoughts:

eth0: 192.168.0.*** (LAN)
eth1: 217.***.***.*** (ISP)
eth2: 192.168.4.*** (DMZ)

Is the above possible? If I have one server, should I set the local IP for that server to the same as eth2 above?

What if I want 2 servers (FTP and WEB)? What IP would the second server use?

Thanks in advance

/ Martin
#2
Old 02-11-2004, 10:29 AM
Senior Member
 
Join Date: Sep 2002
Location: Sweden,Moheda
Posts: 237
Re: Setting up DMZ

Yes, you should set up static IPs for both servers you want in the DMZ, like 192.168.4.1 and 192.168.4.2 for example. And you must set up DNAT rules for your servers and some filters to get it to work. Hope you know more now.
#3
Old 02-11-2004, 10:43 AM
Senior Member
 
Join Date: Mar 2002
Posts: 108
Re: Setting up DMZ

Hi,

I get it. But if I use 192.168.4.1 and 192.168.4.2 for the servers in the DMZ, what IP and subnet should the interface for the DMZ have?

Thank you!
#4
Old 02-11-2004, 10:52 AM
Senior Member
 
Join Date: Sep 2002
Location: Sweden,Moheda
Posts: 237
Re: Setting up DMZ

The IP for the DMZ can be something like 192.168.4.100 with netmask 255.255.255.0, but you can use whatever IP for the DMZ you like, as long as it is not the same IP as your web or FTP servers in the same subnet.
#5
Old 02-11-2004, 11:15 AM
AJo
Senior Member
 
Join Date: Mar 2002
Location: sweden
Posts: 140
Re: Setting up DMZ

These documents might help you out:
A_NAT_Primer.pdf
Guidebook-US-ASL-V4_dnat_web-server.pdf

The step-by-step is described here:
portforwarding
#6
Old 02-11-2004, 01:43 PM
Senior Member
 
Join Date: Mar 2002
Posts: 108
Re: Setting up DMZ

Thank you both for your answers. I will try this when I come home and post back if I manage to get it to work.
#7
Old 02-11-2004, 07:29 PM
Senior Member
 
Join Date: Mar 2002
Posts: 108
Re: Setting up DMZ

So I followed the guide, and guess what: it worked!

Thanks a lot. But I have one question though. In the step-by-step guide you referred to, there's one thing I don't really understand:

1. Setting up masquerading for clients
a) There shouldn't be any need to define the internal network since it ought to be defined as static if the int NIC is configured and up.

b) Create a new masq rule under Network -> nat/masq
Rule type: masq
Network: int_network__
Interface: ext_interface__

What does this masq do? I can see no difference whether I delete this masq or not. And the last one, ext_interface, is this eth1 or dmz?

Thank you
#8
Old 02-11-2004, 10:32 PM
AJo
Senior Member
 
Join Date: Mar 2002
Location: sweden
Posts: 140
Re: Setting up DMZ

Regarding your ASL setup for an FTP server on the DMZ, you should only use the FTP part of the step-by-step. The MASQ for clients refers to how you allow workstations to access the outside (one way to allow workstations to access the outside).

Masquerading (MASQ) is a special form of SNAT that will make all hosts behind the internal NIC (i.e. all hosts defined for the MASQ rule, e.g. your workstations) look like they were the external NIC IP (i.e. look like the ASL external IP to the outside world). You can use either MASQ or SNAT to translate the source address.

ext_interface would be the ASL NIC connected to the outside (i.e. your public IP), assuming you named the external NIC ext in the interface definition/config.
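To make the difference between the two rules in this thread concrete (the DNAT rule that forwards the public FTP port to the DMZ server, and the MASQ rule from the step-by-step that post #7 asks about and post #8 explains), here is an added toy model of both; it is not code from Astaro or from anyone in the thread. The public address 217.0.2.1, the remote client 198.51.100.7 and the port numbers are constructed stand-ins for the masked values above.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins for the thread's masked addresses.
EXT_IP = "217.0.2.1"                                # eth1: the single public IP from the ISP
INT_NET = ipaddress.ip_network("192.168.0.0/24")    # eth0: LAN (int_network)
DMZ_NET = ipaddress.ip_network("192.168.4.0/24")    # eth2: DMZ
FTP_SERVER = "192.168.4.1"                          # static DMZ address suggested in post #2


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Nat:
    """Toy model of ASL's two NAT rule types as described in the thread:
    DNAT maps the public IP's FTP port onto the DMZ server; MASQ rewrites the
    source of LAN clients to the external NIC's IP (a special form of SNAT)."""

    def __init__(self, masq_enabled=True):
        self.masq_enabled = masq_enabled
        self.dnat = {(EXT_IP, 21): (FTP_SERVER, 21)}  # the DNAT rule for the FTP server
        self.conntrack = {}   # (EXT_IP, nat_port) -> (original src, original sport)
        self.next_port = 40000

    def inbound(self, pkt):
        """Packet arriving on ext_interface (eth1) from the Internet."""
        if (pkt.dst, pkt.dport) in self.dnat:          # new connection to the FTP server
            new_dst, new_port = self.dnat[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=new_dst, dport=new_port)
        if (pkt.dst, pkt.dport) in self.conntrack:     # reply to a masqueraded LAN client
            orig_src, orig_sport = self.conntrack[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=orig_src, dport=orig_sport)
        return None   # no rule and no tracked connection: the firewall drops it

    def outbound(self, pkt):
        """Packet from the LAN leaving via ext_interface."""
        if self.masq_enabled and ipaddress.ip_address(pkt.src) in INT_NET:
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.conntrack[(EXT_IP, nat_port)] = (pkt.src, pkt.sport)
            return replace(pkt, src=EXT_IP, sport=nat_port)
        return pkt    # without MASQ it leaves with a private source address


def routable(pkt):
    """True if the packet's source is a public address an ISP would route replies to."""
    return ipaddress.ip_address(pkt.src).is_global
```

With masquerading disabled, outbound LAN traffic is unchanged but carries a 192.168.0.x source that no Internet host can reply to, which is why the MASQ rule matters for workstations even though the DMZ FTP server (reached via DNAT) works without it.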
These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality do not constitute a commitment of Astaro to integrate this functionality into future releases.