TCLUG Archive

Re: [TCLUG:10864] IP Masquerading



Scott (dieman) wrote:
> > I would suggest a different approach.  Have a box with three
> > interfaces, One to the outside world, one to your "internet
> > servers", and one to your "clients".  (add a fourth if you want to
> > firewall the "servers" away from the "clients" on top of the
> > "outside world" and the "internet servers") Now mind you, keep this
> > all PCI and on a decent box, 'cause it's gonna have a ton of ipchains
> > rules to parse per packet.

On Fri, 10 Dec 1999, Brian J. Ackermann wrote:
> I brought this idea to my boss, and he loved it.  I convinced him to
> modify our topology, so all our servers on the 205 subnet are on one
> hub, the 192 subnet on a second, and the world off the third.
> 
> I'm pumped....
> 
> Maybe I can get this Firewall up and running, now that I'll have a
> 'normal' topology to deal with....

I believe you will need to do a combination of the Bridging package to
forward requests to the 205 subnet from the secure gateway and IP
masquerading to forward to the 192 subnet.  IP Masquerading does not
route very well.  Instead it does Network Address Translation,
translating a public IP address to a private one.  Bridging, on the
other hand, connects two subnets together and allows filtering.  I'm not
really up to date on this, but I'm thinking of implementing the same
topology here.

Look for: Bridging+Firewall-HOWTO.txt.gz and IP-Chains-HOWTO.txt.gz for
more information.

----------------------------------------------------------------
Chad Walstrom                         mailto:chewie@wookimus.net 
a.k.a ^chewie, gunnarr               http://wookimus.net/~chewie

   Gnupg = B4AB D627 9CBD 687E 7A31  1950 0CC7 0B18 206C 5AFD
----------------------------------------------------------------