[Sussex] ipchains help please

Neil Ford neil at smudgypixels.net
Fri Feb 28 16:48:01 UTC 2003


On Fri, 28 Feb 2003 10:23:51 -0500, Steve Dobson wrote:
> Neil
> 
> On 28 February 2003 at 14:40 Neil Ford wrote:
>>  On Fri, 28 Feb 2003 04:12:14 -0500, Steve Dobson wrote:
>>>  1). Your ISP has assigned to you a single [dynamic] IP address
>>>      for your network. (The configuration for a home user).
>>>      If so you cannot have a DMZ; as only one machine on your network
>>>      is given an address that the rest of the internet can talk to.
>>>      The connection machine must masquerade for all your other
>>>      machines.  From other parts of your posting this is what
>>>      I will assume.
>>  
>>  Not strictly true.
>>  
>>  IPCop manages quite well to have a DMZ on only one assigned static IP. 
>>  Incoming requests come into the IPCop box and it forwards them onto the 
>>  appropriate machine. Works quite well too. By not allowing machines in 
>>  your DMZ to initiate connections to your private network you keep 
>>  things nice and neat.
>>  
>>  Of course to some, this isn't necessarily what would be classified as a 
>>  DMZ.
> 
> And I would be one of them.  In a "true" DMZ you could have two (or more)
> servers providing the same protocol (HTTP for example).  Both would be visible
> from the Internet at large.  With a single IP address how would IPCop (or any
> router) know which packets go to 10.0.0.1:80 and which go to 10.0.0.2:80?
> 
> My understanding is that IPCop can be used to set up a VPN.  This changes
> things because the other end of the VPN is "part" of your network.  The VPN
> acts as a private tied line between the two sites.  If you don't trust the
> other site then you may well install a DMZ between the VPN link and a
> firewall.  The DMZ would then be on a private network.
> 
> The original question talked about an ISP not a VPN - so I didn't even
> consider this.
> 
IPCop does indeed support VPNs, but you don't need that to do it.

The DMZ stuff does work, I have clients using it in exactly the 
situation we are discussing here, having a mail server sitting on the 
end of an ADSL link but not inside their private network.

One of their future plans is to include support for having multiple IPs 
on the external interface which will allow for forwarding to multiple 
servers on the DMZ. For now, if you want to run different servers on 
the same protocol, you have to have different ports forwarded, eg: 80 
and 8080.

>>  In answer to the original question, dump SuSE and install IPCop, it 
>>  will make life so much easier.
> 
> Why throw the baby out with the bathwater?  Only two bits of an otherwise
> working system have to be upgraded: the kernel and iptables.  I don't like a
> solution where, when one little problem is encountered, everything has to
> change.  What should he do if something that works now on the SuSE box can't
> be configured on the IPCop box?  Should he write his own, complete new
> solutions?

My suggestion was based on the fact that I know it can do what is being 
asked and comes with a superb user interface (IMO) which makes setting 
up this kind of arrangement really easy. Yes, you can roll your own 
(and as Jon said, if you're going to do that, use OpenBSD :-)) or you can 
use a solution that has already done most of the hard work.

Horses for courses really.
> 
> Steve
-- 
Neil Ford
neil at smudgypixels.net
http://www.smudgypixels.net
http://www.binky.ourshack.org/weblog
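
The arrangement discussed above (one external IP, two web servers in the DMZ reached through different forwarded ports, and the DMZ not allowed to open connections into the private network), written as an iptables rule set for a 2.4 kernel. This is an added example, not code from the thread or from IPCop; the interface names, the 192.168.1.0/24 private network and the 10.0.0.x server addresses are assumed.

```shell
#!/bin/sh
# Constructed example: three-interface firewall. Assumed names/addresses:
WAN=ppp0            # ADSL link, the single (dynamic) public IP
LAN=eth0            # private network
DMZ=eth1            # DMZ network holding the public servers
WEB1=10.0.0.1       # first web server, reached as <public-ip>:80
WEB2=10.0.0.2       # second web server, reached as <public-ip>:8080

# Print the rule set; with "apply" as first argument, feed it to the shell.
rules() {
cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB1:80
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 8080 -j DNAT --to-destination $WEB2:80
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $DMZ -p tcp -d $WEB1 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $WAN -o $DMZ -p tcp -d $WEB2 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -j DROP
iptables -A FORWARD -i $DMZ -o $WAN -j ACCEPT
EOF
}

# The FORWARD chain sees packets after DNAT, so both servers are matched on
# port 80 there; only the PREROUTING rules differ (80 vs 8080 on the outside).
# LAN hosts may reach anywhere; DMZ hosts may reach the Internet but never
# start a connection into the LAN, which is the point made about IPCop above.
if [ "$1" = apply ]; then
  rules | sh -e
else
  rules
fi
```

Run without arguments to review the generated rules; run with `apply` as root to load them.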