[oclug] Nat? ipchains vs. iptables
cireland at in-works.net
Tue Mar 5 22:38:43 EST 2002
Alex @ Avantel wrote:
> On March 4, 2002 02:01 pm, Strosberg, Bill wrote:
>>3) A DMZ is a function of triple-homing the machine/router i.e. three
>>network interfaces and distinct subnets on two internal interfaces.
>>Implementing the DMZ in Linux is a function of the forwarding rules in
>>either ipchains or iptables. If you only have one public IP address,
>>ipchains works fine. If you have more than one public IP address, it is
>>easier in iptables.
> As Brian King pointed out - that's only partially correct. The triple-homed
> router is often used by people trying to save a few pennies but it's not
> necessarily the safest or the easiest to set up.
> Also, perhaps you could clarify how you would use ipchains to forward traffic
> to a bastion host . .
I have been looking into this in depth lately and here's something I
noticed. It seems to be esier, cheaper and safer to have your internal
networked firewalled by a machine on the DMZ than it is to set up a
triple-homed firewall. If, by some chance, your firewall gets
compromised, the intruder will not only see your DMZ, but your internal
net as well. By using a DMZ machine as an internal firewall, you are
also looking at simpler firewall rules.
|Int. Firewall |
----------------| Internal Net
>>4) Read up on masquerading if you are looking at ipchains, otherwise
>>Aex is right about DNAT
>>5) You CAN NOT run ipchains and iptables on the same machine under any
> But you can certainly run iptables on the Internet firewall and ipchains on
> the internal firewall. That's what I do and it works fine.
> oclug mailing list
> oclug at lists.oclug.on.ca
More information about the OCLUG