[oclug] Nat? ipchains vs. iptables

King, Brian brian.king at xwave.com
Mon Mar 4 15:24:33 EST 2002 

With regards to comments 3 and 5. Not neccesarily. Some people recommend
running a DMZ in the following configuration:


INTERNET ----- FW#1 ---- DMZ ---- FW#2 ----- Internal Network



As opposed to what you are commenting on:

INTERNET ---- FW ------ Internal Network
               |
               |
              DMZ

The second design comes largely from a cost savings perspective. Less
software licencing (when not running linux), less hardware to purchase, and
higher utilization (more traffic) on the single firewall.

The first design gives arguably better security since 2 firewalls have to be
compromised to gain internal access, and it also means you can get away with
smaller hardware on each firewall to maintain the same throughput.

Brian

-----Original Message-----
From: Strosberg, Bill [mailto:bill.strosberg at rcpsc.edu]
Sent: Monday, March 04, 2002 15:02
To: 'oclug at lists.oclug.on.ca'
Subject: RE: [oclug] Nat? ipchains vs. iptables


> From: Alex @ Avantel Systems [mailto:alex at avantel.ca]
> Sent: Monday, March 04, 2002 1:13 PM
> To: oclug at lists.oclug.on.ca
> Subject: Re: [oclug] Nat? ipchains vs. iptables
> 
> 
> On March  4, 2002 10:02 am, you wrote:
> > Greetings to All,
> >
> > I have some straight forward questions that I haven't been 
> able to find
> > definitive answers. Help Please!
> >
> > 1)Can ipchains be used to redirect packets from the 
> firewall to a mail
> > server within the DMZ?
> 
> Not byitself, it needs a helper app.  
> 
> http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO/forwarders.html
> 
> >
> > 2)Do I have to run ipchains in conjuction with port forwarding to
> > accomplish this?
> 
> yes.there are several types to choose from. see the url above
> 
> >
> > 3)If no to the above. Generally is it possible to set up a DMZ with
> > ipchains?
> 
> Yes to above; but it's a lot easier with iptables.
> 
> >
> > 4)If so, How?
> 
> in iptables use dnat.
> 
> >
> > 5)I read some security paper somewhere that running a DMZ 
> is a good idea
> > and on each firewall you should run a different packet filtering(PF)
> > software. If ipchains won't work then where do I find a second PF
> > software besides iptables?
> 
> why not run ipchains as the pf between DMZ and your internal 
> stuff and 
> iptables between the DMZ and the big bad internet.


In regards to the above reply:

1)	ipchains has nothing to do with port forwarding.
2)	see point 1 above.
3)	A DMZ is a function of triple-homing the machine/router i.e. three
network interfaces and distinct subnets on two internal interfaces.
Implementing the DMZ in Linux is a function of the forwarding rules in
either ipchains or iptables.  If you only have one public IP address,
ipchains works fine.  If you have more than one public IP address, it is
easier in iptables.
4)	Read up on masquerading if you are looking at ipchains, otherwise
Aex is right about DNAT 
5)	You CAN NOT run ipchains and iptables on the same machine under any
circumstances!

--
Bill Strosberg
_______________________________________________
oclug mailing list
oclug at lists.oclug.on.ca
http://www.oclug.on.ca/mailman/listinfo/oclug

----------------------------------------------------------------------------

This communication (including all attachments) is intended solely for the
use of the person or persons to whom it is addressed and should be treated
as a  confidential xwave communication.  If you are not the intended
recipient, any use, distribution, printing, or copying of this email is
strictly prohibited.  If you received this email in error, please
immediately delete it from your system and notify the originator.  Your
cooperation is appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tux.oclug.on.ca/pipermail/oclug/attachments/20020304/0aff47e0/attachment.htm

More information about the OCLUG mailing list