[Novalug] multihomed linux router with public ip addresses

Bryan J. Smith b.j.smith at ieee.org
Tue Apr 27 08:38:46 EDT 2010


The DMZ servers, if all traffic goes through the security appliance,
will each only have one, private IP.  The security appliance belongs
to the same, private subnet, connected to those DMZ servers on
eth1.

Your statement about the security appliance's eth2, connected to
the Internet, is correct.  It has all public IPs.  It then decides how to
forward to DMZ servers.

1:1 NAT would be one public IP to one DMZ private IP.

DNAT would be any (or all) public IPs, on specific ports, to one (or
more, if load balanced) DMZ private IPs.

The Linux IP Masquerade HOWTO covers many things, and most of
the 2.4 info applies to 2.6.  They both have the NetFilter stack, use
of ip/iproute/iptables, etc...
  http://tldp.org/HOWTO/IP-Masquerade-HOWTO/  

BTW, I should have mentioned, one can also use public IPs in the DMZ,
and use the security appliance as a direct, public router, instead of a 1:1
NAT or DNAT.  But the DMZ can also be private IPs as well.

----- Original Message ----
From: Miguel González Castaños <miguel_3_gonzalez at yahoo.es>

So in a 1:1 NAT how would I configure my router interfaces?

eth1 would be a private network and then servers in the DMZ would have 
two IPs (public and private)?

If so, then eth2 should have also aliases for all the public IP 
addresses in the DMZ and forward to the proper servers?

Thanks for your clarifications, they have been very insightful and helpful
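The two mappings described in the reply above, 1:1 NAT (one public IP to one DMZ host on every port) and port-based DNAT (one public IP, or any public IP, on one port to one DMZ host), written out as netfilter rules. This is an added example, not code from the thread or from the IP Masquerade HOWTO; the interface names follow the thread (eth2 Internet side, eth1 DMZ side), while the 203.0.113.0/24 public block, the 10.0.0.0/24 DMZ subnet and the host addresses are assumed documentation-range values. With `RUN` left at its default of `echo` the script only prints the commands, so it can be dry-run on any machine; run it as root with `RUN=` to apply.

```shell
#!/bin/sh
# Added example (not from the thread): 1:1 NAT and port-based DNAT on a
# Linux netfilter router. Assumed layout: eth2 = Internet side holding the
# public IPs, eth1 = DMZ side on a private subnet. Addresses are RFC 5737
# documentation ranges and are assumptions, not the poster's real ones.
# RUN=echo (the default) prints every command for a dry run; run as root
# with RUN= (empty) to apply for real.
set -eu

RUN="${RUN-echo}"
WAN=eth2
DMZ=eth1
DMZ_NET=10.0.0.0/24

# The router must answer for each public IP on eth2: either it holds the
# address itself (this), or the ISP routes the block to the router's address.
add_public_alias() {            # $1 = public IP with prefix length
    $RUN ip addr add "$1" dev "$WAN"
}

# Turn on forwarding and start from a default-deny FORWARD chain; replies to
# connections allowed below come back through the ESTABLISHED,RELATED rule.
base_policy() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DMZ hosts may open connections outward
    $RUN iptables -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
}

# 1:1 NAT: one public IP <-> one DMZ private IP, every port.
nat_1to1() {                    # $1 = public IP, $2 = private IP
    # inbound: rewrite the destination before the routing decision
    $RUN iptables -t nat -A PREROUTING -i "$WAN" -d "$1" -j DNAT --to-destination "$2"
    # outbound: the host's own connections leave as its public IP
    $RUN iptables -t nat -A POSTROUTING -o "$WAN" -s "$2" -j SNAT --to-source "$1"
    # only new inbound connections to the mapped host are let through
    $RUN iptables -A FORWARD -i "$WAN" -o "$DMZ" -d "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# DNAT on a specific port: traffic for one public IP (or any public IP when
# $1 is "any") on one port goes to one DMZ host, possibly on another port.
dnat_port() {  # $1 = public IP|any, $2 = proto, $3 = public port, $4 = private IP, $5 = private port
    if [ "$1" = any ]; then dst=""; else dst="-d $1"; fi
    # $dst is intentionally unquoted so an empty value adds no argument
    $RUN iptables -t nat -A PREROUTING -i "$WAN" $dst -p "$2" --dport "$3" -j DNAT --to-destination "$4:$5"
    $RUN iptables -A FORWARD -i "$WAN" -o "$DMZ" -p "$2" -d "$4" --dport "$5" -m conntrack --ctstate NEW -j ACCEPT
}

# DMZ hosts without a 1:1 mapping share the router's own address outbound.
# Appended last so the per-host SNAT rules in POSTROUTING are matched first.
masquerade_rest() {
    $RUN iptables -t nat -A POSTROUTING -o "$WAN" -s "$DMZ_NET" -j MASQUERADE
}

main() {
    add_public_alias 203.0.113.10/24
    add_public_alias 203.0.113.11/24
    base_policy
    nat_1to1 203.0.113.10 10.0.0.10                 # whole host exposed
    dnat_port 203.0.113.11 tcp 443 10.0.0.20 8443   # one service only
    dnat_port any tcp 25 10.0.0.30 25               # mail on every public IP
    masquerade_rest
}

main
```

Rule order matters in the nat table: the first matching rule wins, so a 1:1 mapping appended before a port-based rule for the same public IP takes the whole host, and the MASQUERADE catch-all must come after the SNAT rules or the 1:1 hosts would leave as the router's address instead of their own public IP.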


