3ethernets-multi_ip.txt
---------------------------------------------------------------------------
REVISED.

Introduction:
-------------

I've been playing with this "floppyfw" for a few months. After I got it to
work, I haven't spent much time with it. Just a few days ago, someone was
asking for the configuration of a "three ethernets floppyfw" (outside,
inside and DMZ). It just happens that I have this type of configuration
running on my home network, so I posted several messages to help him out.
He was also asking about adding another IP address to the OUTSIDE
interface. Multiple IP addresses, you may say.

It was kind of messy to look through those messages, so Thomas asked me if
I could merge them together. As my contribution to the community, I put
together this "3 ethernets and multiple outside IP" configuration. I hope
it will help some of you out there.

This is the sample network layout (by Luca Giugno):

                        Internet
            213.82.100.10 and 213.82.100.11
                           |
                           |
                -----------------------
                |         ffw         |----- DMZ 10.10.1.1
                -----------------------
                           |
                           |
                 Internal LAN 192.168.1.1

Requirement:

  -- 213.82.100.10:80 ---> 10.10.1.2:80
  -- 213.82.100.11:80 ---> 10.10.1.3:80

10.10.1.2 and 10.10.1.3 are the two web servers on the DMZ subnet.

The Configurations:
-------------------

I'm going to organize this setup based on floppyfw's configuration files.
Most of the configuration lines are single lines; they are only word-wrapped
here.

1/. "syslinux.cfg" file.

Check that "syslinux.cfg" is ready for the 3rd NIC. If it doesn't have
"ether=0,0,0,eth2" in the append line, add it to the end. The new lines
should look like this:

    # Append stuff, usually the only stuff you might need to edit.
    append initrd=initrd.gz root=/dev/fd0 ether=0,0,0,eth0 ether=0,0,0,eth1 ether=0,0,0,eth2

2/. "config" file.

You need another section in the "config" file called DMZ. This will help
you assign and change the IP address and such for the DMZ.

    #
    # DMZ network:
    #
    DMZ_DEV=eth2
    DMZ_IP=10.10.1.1
    DMZ_NETMASK=255.255.255.0
    DMZ_NETWORK=10.10.1.0
    DMZ_BROADCAST=10.10.1.255

Since you are going to add another IP to the OUTSIDE interface, add this to
the OUTSIDE section:

    OUTSIDE_DEV2=eth0:0                # or eth1:0 if you switch your interfaces around.
    OUTSIDE_IP2=213.82.100.11
    OUTSIDE_NETMASK2=255.255.255.0     # (Class C mask, yours may be different)
    OUTSIDE_NETWORK2=213.82.100.0
    OUTSIDE_BROADCAST2=213.82.100.255

Also, web traffic needs to be forwarded to the DMZ servers. You define
these servers by adding these lines to the "Misc" section:

    SERVER1_IP=10.10.1.2
    SERVER2_IP=10.10.1.3

Note: Lately, Thomas put these in firewall.ini. You may want to have them
there instead of here.

3/. "network.ini" file.

Add a section called DMZ as follows to the "network.ini" file. I put it
right after the "Inside" section.

    #
    # DMZ:
    #
    /bin/ifconfig ${DMZ_DEV} ${DMZ_IP} netmask ${DMZ_NETMASK} broadcast ${DMZ_BROADCAST}

    #
    # Brad wanted these next 5 lines.
    #
    echo "DMZ_DEVICE=${DMZ_DEV}"        >  /etc/dmz.info
    echo "DMZ_IP=${DMZ_IP}"             >> /etc/dmz.info
    echo "DMZ_NETWORK=${DMZ_NETWORK}"   >> /etc/dmz.info
    echo "DMZ_NETMASK=${DMZ_NETMASK}"   >> /etc/dmz.info
    echo "DMZ_BROADCAST=${DMZ_BROADCAST}" >> /etc/dmz.info

    #
    # setting up /etc/hosts
    #
    echo "${DMZ_IP} ${HOSTNAME}.dmz" >> /etc/hosts
    #
    # End DMZ
    #

For assigning the 2nd IP address to the OUTSIDE interface, add the "Multi
IP" section below right after the "Outside" section. You will see these
lines:

    fi # if EXTERNAL
    fi # if DHCP

So add these after them. Note: this works even if your 1st IP is DHCP.

    #
    # Multi IP
    #
    if [ "$OUTSIDE_IP2" != "" ]
    then
        /bin/ifconfig ${OUTSIDE_DEV2} ${OUTSIDE_IP2} netmask ${OUTSIDE_NETMASK2} broadcast ${OUTSIDE_BROADCAST2}
    fi

4/. "firewall.ini" file.

WARNING: Since I'm not an expert in this area, the setup that I have here
is not the best and most secure one. This is only the basics to get the
requirement above working, that is: routing between INSIDE and DMZ, NAT for
outbound traffic, and forwarding inbound web traffic to the DMZ servers.
Please consult an expert to get better filter rules.

Add the dmz.info to firewall.ini as suggested in the newsgroup. It should
look like this:

    #
    # Overriding the /etc/config and adding additional information.
    #
    . /etc/outside.info
    . /etc/inside.info
    . /etc/dmz.info

There are 2 major versions of floppyfw, 1.X and 2.X. The former uses
ipchains/masq and the latter uses iptables. Add these lines to
"firewall.ini" depending on which version you are using.

- For ipchains/masq (floppyfw 1.X):

    # Accepting packets between Inside and DMZ
    ipchains -A forward -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -d ${DMZ_NETWORK}/${DMZ_NETMASK} -j ACCEPT
    ipchains -A forward -s ${DMZ_NETWORK}/${DMZ_NETMASK} -d ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j ACCEPT

    # Accepting web traffic
    ipchains -A input -p TCP -d ${OUTSIDE_IP} 80 -j ACCEPT
    ipchains -A input -p TCP -d ${OUTSIDE_IP2} 80 -j ACCEPT

    # Forwarding web traffic
    ipmasqadm portfw -a -P tcp -L ${OUTSIDE_IP} 80 -R ${SERVER1_IP} 80
    ipmasqadm portfw -a -P tcp -L ${OUTSIDE_IP2} 80 -R ${SERVER2_IP} 80

- For iptables (floppyfw 2.X):

    # Keep state. (for DMZ)
    iptables -A FORWARD -m state --state NEW -i ${DMZ_DEVICE} -j ACCEPT

    # We don't like the NetBIOS and Samba leaking. (from DMZ)
    iptables -t nat -A PREROUTING -p TCP -i ${DMZ_DEVICE} --dport 135:139 -j DROP
    iptables -t nat -A PREROUTING -p UDP -i ${DMZ_DEVICE} --dport 137:139 -j DROP
    iptables -t nat -A PREROUTING -p TCP -i ${DMZ_DEVICE} --dport 445 -j DROP
    iptables -t nat -A PREROUTING -p UDP -i ${DMZ_DEVICE} --dport 445 -j DROP

    # Accepting packets between Inside and DMZ
    iptables -A FORWARD -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -d ${DMZ_NETWORK}/${DMZ_NETMASK} -j ACCEPT
    iptables -A FORWARD -s ${DMZ_NETWORK}/${DMZ_NETMASK} -d ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j ACCEPT

    # Accepting web traffic
    # (SERVER1_IP and SERVER2_IP are the names defined in the "config" file above)
    iptables -A FORWARD -p tcp -d ${SERVER1_IP} --dport 80 -o ${DMZ_DEVICE} -j ACCEPT
    iptables -A FORWARD -p tcp -d ${SERVER2_IP} --dport 80 -o ${DMZ_DEVICE} -j ACCEPT

    # Forwarding web traffic
    iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER1_IP}:80
    iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP2} --dport 80 -j DNAT --to ${SERVER2_IP}:80

    # And also, DHCP, but we can basically accept anything from the inside. (for DMZ)
    iptables -A INPUT -i ${DMZ_DEVICE} -j ACCEPT
    iptables -A OUTPUT -o ${DMZ_DEVICE} -j ACCEPT

That's it.

T3IV
---------------------------------------------------------------------------
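Because firewall.ini is plain shell, a rule that references a variable name not assigned in "config" or the *.info files (for example SERVER_IP1 where the config defines SERVER1_IP) expands to an empty string, and "-d  --dport 80" either fails to load or no longer matches what you intended. The script below is an added example, not part of floppyfw or of this document's files; it cross-checks the ${VAR} references in a firewall.ini fragment against the variables defined in the config fragments, using constructed sample text in place of the real files.

```shell
#!/bin/sh
# Added example (not from floppyfw): check that every ${VAR} used in a
# firewall.ini fragment is assigned somewhere in the sourced config fragments.

# Constructed sample of the variables this document defines (config + dmz.info).
SAMPLE_CONFIG='OUTSIDE_IP=213.82.100.10
OUTSIDE_IP2=213.82.100.11
DMZ_DEVICE=eth2
SERVER1_IP=10.10.1.2
SERVER2_IP=10.10.1.3'

# Constructed firewall.ini fragment; SERVER_IP1 is a typo for SERVER1_IP.
SAMPLE_RULES='iptables -A FORWARD -p tcp -d ${SERVER_IP1} --dport 80 -o ${DMZ_DEVICE} -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP2} --dport 80 -j DNAT --to ${SERVER2_IP}:80'

# undefined_vars CONFIG RULES: print each ${NAME} used in RULES but never
# assigned in CONFIG, one per line, sorted and unique (prints nothing when OK).
undefined_vars() {
    _defined=$(printf '%s\n' "$1" | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p')
    printf '%s\n' "$2" | grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' \
        | sed 's/^\${//; s/}$//' | sort -u \
        | while read -r _name; do
            printf '%s\n' "$_defined" | grep -qx "$_name" || printf '%s\n' "$_name"
          done
}

# check_rules CONFIG RULES: succeed (status 0) only if every variable is defined.
check_rules() {
    [ -z "$(undefined_vars "$1" "$2")" ]
}

# Stand-alone usage: report the bad name, then confirm the corrected fragment.
undefined_vars "$SAMPLE_CONFIG" "$SAMPLE_RULES"
check_rules "$SAMPLE_CONFIG" "$(printf '%s\n' "$SAMPLE_RULES" | sed 's/SERVER_IP1/SERVER1_IP/')" \
    && echo "fixed rules: all variables defined"
```

On a real box, run it with the contents of /etc/config, /etc/outside.info, /etc/inside.info and /etc/dmz.info concatenated as the first argument and firewall.ini as the second, before rebooting the floppy.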