
Another IP forwarding Problem


prairieseahorse (IS-IT--Management), Jun 18, 2001
Hi all. Here's my situation.

I'm setting up a firewall with RedHat 7.1. I have 3 network cards installed and working.

eth0 address 64.1.1.1/27 points to internet
eth1 address 64.1.1.27/27 points to DMZ network
eth2 address 10.0.0.76/8 points to internal network

The route table says (my internet gateway is 64.1.1.30):

Destination   GW          Mask              Iface
64.1.1.30     *           255.255.255.255   eth0
64.1.1.0      *           255.255.255.224   eth1
10.0.0.0      *           255.0.0.0         eth2
127.0.0.0     *           255.0.0.0         lo
default       64.1.1.30   0.0.0.0           eth0

ipchains is set to masquerade anything from the 10. network and everything else is set to ACCEPT (for now).

What happens is:
Can ping each interface from inside the firewall and from 10. network and DMZ network, so I know the interfaces are alive.

Can see the internet from the 10. network, so I know IP forwarding is working.

BUT DMZ can't see outside the firewall. I suspect that I'm confusing it by splitting a subnet across the two interfaces, but was hoping I could get away with specifying specific hosts to the one interface and letting the others follow a lower level route.

Any comments or suggestions would be appreciated.
 
Hello,

I have the same problem, but with two cards and SuSE 7.1.

I think the problem is... finding a server that allows connecting to the TCP service with another user connected to the server.

If you have a solutions please send me to

casistel@cantv.net

 
This config is not workable.
You should use private IP addresses for your DMZ
machines, and if you need access to services in the DMZ,
use rinetd or a generic proxy of some kind.
Think about dynamic routing: routed or zebra
(use RIPv2 or OSPF).
Static routing with three interfaces can be messy
even without masquerading.

That's my two cents.
Good luck.
 
Thanks, Marsd.

You confirmed my suspicions about the attempt. Unfortunately rinetd won't work in my case. The DMZ contains multiple web and FTP servers. I think I'll probably break the external IP block into two subnets. I can put one subnet in the DMZ (providing some protection) and leave one subnet exposed.

Thanks again for your advice.
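The following is an added example, not code from anyone in this thread. It is a small longest-prefix-match route lookup, the same rule the Linux FIB applies, used to check two things the posts above raise: where the firewall's own table (copied exactly as posted in the first message) sends a packet for a DMZ host, and what the upstream gateway at 64.1.1.30 does with the reply. The gateway's table is not shown in the thread, so it is assumed here to hold the same 64.1.1.0/27 as a connected route, which is what makes the DMZ unreachable: the gateway ARPs for DMZ hosts on the outside wire and nothing there answers for them. The /28 split from the last post is modelled as an assumption too, with the gateway's half being the one that contains .30 (64.1.1.16/28), the DMZ becoming 64.1.1.0/28, the firewall's eth0 renumbered to 64.1.1.17, and 203.0.113.1 standing in for the ISP's next hop.

```python
"""Longest-prefix-match lookup to check where the firewall and the upstream
gateway send a packet in the three-NIC layout from this thread.

Added example, not from the thread. The firewall's routes are the ones the
poster listed; the ISP gateway's table, the address 203.0.113.1 and the
/28 renumbering are assumptions made here for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None: directly connected


def route(cidr: str, iface: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(cidr), iface,
                 ipaddress.ip_address(via) if via else None)


class RoutingTable:
    def __init__(self, routes: Iterable[Route]):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Most specific matching prefix wins, as in the kernel's FIB."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None
                                     or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def next_hop(self, dst: str) -> Optional[Tuple[str, str]]:
        """(iface, address the sender ARPs for). For a connected route that is
        the destination itself; for a gateway route it is the gateway."""
        r = self.lookup(dst)
        if r is None:
            return None
        return r.iface, str(r.gateway or ipaddress.ip_address(dst))


# Firewall table exactly as posted: the /27 on eth1 plus a /32 for the gateway on eth0.
FIREWALL = RoutingTable([
    route("64.1.1.30/32", "eth0"),
    route("64.1.1.0/27", "eth1"),
    route("10.0.0.0/8", "eth2"),
    route("127.0.0.0/8", "lo"),
    route("0.0.0.0/0", "eth0", via="64.1.1.30"),
])

# Assumed: the ISP gateway 64.1.1.30 holds the whole /27 as a connected route.
UPSTREAM = "203.0.113.1"  # placeholder for the ISP's next hop (assumed)
GATEWAY_AS_IS = RoutingTable([
    route("64.1.1.0/27", "lan"),
    route("0.0.0.0/0", "wan", via=UPSTREAM),
])

# The split the last post plans, with the gateway's half being the one that
# contains .30: 64.1.1.16/28 stays outside, 64.1.1.0/28 becomes the DMZ, and the
# firewall's eth0 is renumbered to 64.1.1.17 (all assumed).
FW_OUTSIDE = "64.1.1.17"
GATEWAY_SPLIT_NO_ROUTE = RoutingTable([
    route("64.1.1.16/28", "lan"),
    route("0.0.0.0/0", "wan", via=UPSTREAM),
])
GATEWAY_SPLIT_WITH_ROUTE = RoutingTable([
    route("64.1.1.16/28", "lan"),
    route("64.1.1.0/28", "lan", via=FW_OUTSIDE),  # static route the ISP must add
    route("0.0.0.0/0", "wan", via=UPSTREAM),
])


def gateway_hands_to_firewall(table: RoutingTable, dst: str,
                              fw_ip: str = FW_OUTSIDE) -> bool:
    """True only if the gateway's next hop for a DMZ host is the firewall's
    outside address, i.e. return traffic can actually reach eth1."""
    hop = table.next_hop(dst)
    return hop is not None and hop[0] == "lan" and hop[1] == fw_ip


if __name__ == "__main__":
    dmz_host = "64.1.1.5"
    print("firewall ->", dmz_host, FIREWALL.next_hop(dmz_host))
    print("firewall -> 8.8.8.8", FIREWALL.next_hop("8.8.8.8"))
    print("gateway as-is ->", dmz_host, GATEWAY_AS_IS.next_hop(dmz_host),
          "reaches DMZ:", gateway_hands_to_firewall(GATEWAY_AS_IS, dmz_host, "64.1.1.1"))
    for name, t in [("split, no route", GATEWAY_SPLIT_NO_ROUTE),
                    ("split, with route", GATEWAY_SPLIT_WITH_ROUTE)]:
        print(name, "->", dmz_host, t.next_hop(dmz_host),
              "reaches DMZ:", gateway_hands_to_firewall(t, dmz_host))
```

The firewall's side of the original table is actually fine: a DMZ destination matches the /27 on eth1 and the gateway matches its /32 on eth0, so the box itself forwards correctly in both directions. The break is on the gateway's side, where a connected /27 means it ARPs for 64.1.1.5 directly on the outside segment instead of handing the packet to 64.1.1.1. The lookup does not model ARP, so it does not show the one way to keep the shared /27 and still make it work, which is to have the firewall answer ARP for the DMZ hosts on eth0 (proxy ARP); nor does it model that the split only helps once the ISP's gateway carries a route for the DMZ half via the firewall, which is what the last two tables contrast.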
 