[oclug] Nat? ipchains vs. iptables
Curtis Ireland
cireland at in-works.net
Tue Mar 5 22:38:43 EST 2002
Alex @ Avantel wrote:
> On March 4, 2002 02:01 pm, Strosberg, Bill wrote:
>>3) A DMZ is a function of triple-homing the machine/router i.e. three
>>network interfaces and distinct subnets on two internal interfaces.
>>Implementing the DMZ in Linux is a function of the forwarding rules in
>>either ipchains or iptables. If you only have one public IP address,
>>ipchains works fine. If you have more than one public IP address, it is
>>easier in iptables.
>
> As Brian King pointed out - that's only partially correct. The triple-homed
> router is often used by people trying to save a few pennies but it's not
> necessarily the safest or the easiest to set up.
>
> Also, perhaps you could clarify how you would use ipchains to forward traffic
> to a bastion host . .
>
I have been looking into this in depth lately and here's something I
noticed. It seems to be easier, cheaper and safer to have your internal
network firewalled by a machine on the DMZ than it is to set up a
triple-homed firewall. If, by some chance, your firewall gets
compromised, the intruder will not only see your DMZ, but your internal
net as well. By using a DMZ machine as an internal firewall, you are
also looking at simpler firewall rules.
Visual Aid:
                |
        -----------------
        |Firewall       |
        -----------------
                |
        +---------------| DMZ
        --------|--------
        |Int. Firewall  |
        -----------------
                |
        ----------------| Internal Net
>
>>4) Read up on masquerading if you are looking at ipchains, otherwise
>>Alex is right about DNAT
>>5) You CAN NOT run ipchains and iptables on the same machine under any
>>circumstances!
>>
>
> But you can certainly run iptables on the Internet firewall and ipchains on
> the internal firewall. That's what I do and it works fine.
>
> alex
>
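An added example (not part of the thread) of what the two rule sets in the layout sketched above look like in iptables: the external firewall DNATs the public address to a bastion host in the DMZ, and the internal firewall only needs to let the internal net out. All addresses, subnets and interface names are assumptions.

```shell
#!/bin/sh
# Added example: iptables rule sets for the two-firewall DMZ layout sketched
# above (external firewall in front of the DMZ, a second firewall between the
# DMZ and the internal net). Addresses and interface names are assumptions.
IPT="${IPT:-iptables}"             # set IPT="echo iptables" for a dry run

PUBLIC_IP=203.0.113.10             # assumed public address of the external firewall
DMZ_NET=192.0.2.0/24               # assumed DMZ subnet
BASTION=192.0.2.10                 # assumed bastion host (web server) in the DMZ
LAN_NET=10.0.0.0/24                # assumed internal network

# External firewall: eth0 faces the Internet, eth1 faces the DMZ.
# Only the bastion's web port is reachable from outside; DMZ hosts may
# initiate outbound connections, and nothing else is forwarded.
external_fw_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNAT the public address to the bastion host (the DNAT the thread refers to)
    $IPT -t nat -A PREROUTING -i eth0 -d $PUBLIC_IP -p tcp --dport 80 \
         -j DNAT --to-destination $BASTION:80
    $IPT -A FORWARD -i eth0 -o eth1 -d $BASTION -p tcp --dport 80 \
         -m state --state NEW -j ACCEPT
    # DMZ hosts going out leave with the public address
    $IPT -A FORWARD -i eth1 -o eth0 -s $DMZ_NET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -s $DMZ_NET -j SNAT --to-source $PUBLIC_IP
}

# Internal firewall: eth0 sits on the DMZ, eth1 on the internal net.
# The rules are simpler: the LAN may go out, nothing from the DMZ may come in,
# and a compromised DMZ host never sees internal addresses (masqueraded).
internal_fw_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i eth1 -o eth0 -s $LAN_NET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -s $LAN_NET -j MASQUERADE
    # log anything the DMZ tries to initiate toward the LAN; the DROP policy
    # then discards it
    $IPT -A FORWARD -i eth0 -o eth1 -m state --state NEW \
         -j LOG --log-prefix "DMZ->LAN attempt: "
}

case "${1:-}" in
    external) external_fw_rules ;;
    internal) internal_fw_rules ;;
esac
```

Run as `IPT="echo iptables" sh dmz.sh external` to print the external rule set without applying it; drop the IPT override on the respective box to load it.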