Network with Tri-homed firewall

 
 
H Steenkamp
10-17-2011, 12:58 PM
Hi there!

I'm trying to understand how one would set up a small business network
using a tri-homed firewall using iptables. This is not for a real
network, but for my learning. I am still a Linux newbie, so please be
kind to me :-)

Let's say I have some Cisco router that connects to my ISP (who
provided me with one IP number).
I also have a computer with three network interface cards:

eth0 with 202.54.1.1 public IP address - WAN connected to router
eth1 with 192.168.1.1 private IP address - Internal LAN with
workstations
eth2 with 192.168.2.1 private IP address - DMZ connected to Mail, Web,
DNS and perhaps an FTP server

Here is where I need help with understanding.
1. Do I need two public IP addresses to make this work (one for the
router and one for eth0) or is there another way to configure this?
2. I obviously want NAT for the Internal and DMZ network to work. How
would the iptables command look to forward incoming mail to the mail
server? Do I use something like this:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.x
3. What IP address goes into the DNS server for the Mail, Web, etc.
servers in the DMZ? Do you specify the IP address of eth0 for each
server and then rely on NAT to point it to the correct server
depending on the destination port number? How does this work?
4. I have seen a few diagrams on the internet where a DNS caching
server is installed on the internal network. I assume the internal DNS
only has the entries of the servers on the internal network, and
lookups are forwarded to the DNS in the DMZ if it needs an IP address
for any other Internet servers. Is this the preferred reasonable
approach?
5. Some sites suggest a mail relay in the DMZ. I assume the actual
mail server then goes on the internal network. Does the mail relay
server still allow POP/IMAP access from outside? This obviously also
requires a forwarding rule for port 25 to the internal server. Is this how
it works?

Sorry, it's quite a handful of questions. Any help will be
appreciated!

Thx in advance.

Hein







 
Moe Trin
10-17-2011, 07:59 PM
On Mon, 17 Oct 2011, in the Usenet newsgroup comp.os.linux.networking, in
article <06605a1c-90d1-44ed-8184-(E-Mail Removed)>,
H Steenkamp wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>I trying to understand how one would to setup a small business network
>using a tri-homed firewall using iptables. This is not for a real
>network, but for my learning. I am still Linux newbie, so please be
>kind to me :-)


http://www.netfilter.org/documentation/HOWTO/

[TXT] NAT-HOWTO.txt 18-Dec-2010 13:56 25K
[TXT] netfilter-double-nat-HOWTO.txt 18-Dec-2010 13:56 9.3K
[TXT] netfilter-extensions-HOWTO.txt 18-Dec-2010 13:56 80K
[TXT] networking-concepts-HOWTO.txt 18-Dec-2010 13:56 28K
[TXT] packet-filtering-HOWTO.txt 18-Dec-2010 13:56 51K

http://tldp.org/guides.html

* The Linux Network Administrator's Guide, Second Edition
version: 1.1
authors: Olaf Kirch and Terry Dawson
last update: March 2000
ISBN: 1-56592-400-2
available formats:
1. HTML (read online)
2. HTML (tarred and gzipped package, 690k)
3. PDF (1.5MB)

>Here is where I need help with understanding.
>1. Do I need two public IP addresses to make this work (one for the
>router and one for eth0) or is there another way to configure this?


Depends on your ISP. Both sides of the cable modem/router may have
an RFC1918 (unroutable) address (real addresses are valuable, why
waste one on something no one outside will connect to), and do packet
forwarding only. Thus, you'd only have one "public" address - the box
that is directly connected to the router. There is nothing on the
router (and _should_ be nothing on the firewall) that the public can
connect to - all public connections go to NATed boxes inside or in the
DMZ. That's both a security and complexity issue.

>2. I obviously want NAT for the Internal and DMZ network to work. How
>would the iptables command look to forward incoming mail to the mail
>server.


See the howtos above. Note that, unless you have a commercial or
business grade service from the ISP, that ISP may be blocking all
mail (and maybe other services) to residential addresses to prevent
spam and net abuse. Discuss that with your ISP.

>3. What IP address goes into the DNS server for the Mail, Web, etc
>servers in the DMZ.


Your DNS server - addresses are those of the DMZ hosts. If you have
a real public domain "out there", the A and MX records on the public
DNS server for the DMZ services point to the single public IP address
on the NAT box. The world can't find your 192.168.2.x addresses. As
far as the world can see, _everything_ you make reachable is on that
single "public" IP address.

>4. I have seen a few diagrams on the internet where a DNS caching
>server is installed on the internal network. I assume the internal DNS
>only have the entries of the servers on the internal network, and
>lookups are forwarded to the DNS in the DMZ if it needs and IP address
>for any other Internet servers. Is this the preferred reasonable
>approach?


It's old, but

-rw-rw-r-- 1 gferg ldp 91563 Dec 23 2001 DNS-HOWTO

Note that this is your _internal_ server - quite different from the
public DNS servers probably operated by your registrar and/or ISP.

>5. Some sites suggest a mail relay in the DMZ. I assume the actual
>mail server then goes on the internal network.


What is your threat model? What will your ISP allow?

>Does the mail relay server still allow pop/imap access from outside.


How did you want to configure it?

>This obviously also require a forwarding rule for port 25 to internal
>server. Is this how it works?


POP/IMAP are not on 25 - see /etc/services and the documentation on
the servers. If you are referring to mail being delivered to the
public facing mail server in the DMZ, which then forwards the mail to
a server on the inside, no - this is an MTA (Mail Transport Agent)
configuration - the application like 'exim/postfix/sendmail'. But
again, note that your ISP may block access to these ports.

>Sorry, it's quite a handful of questions. Any help will be
>appreciated!


Start reading the guides at the LDP (second URL above), and at least
look at the HOWTO-INDEX (http://ibiblio.org/pub/linux/docs/HOWTO/ or
http://en.tldp.org/HOWTO/HOWTO-INDEX/howtos.html). There are 46
guides that are essentially full sized books, and over 450 HOWTOs on
many subjects. People have been there before, and written down a lot
of valuable information.

Old guy
 
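The tri-homed layout asked about above (WAN eth0 202.54.1.1, LAN eth1 192.168.1.0/24, DMZ eth2 192.168.2.0/24), as an added example that is not part of either post: a POSIX shell script that generates the iptables ruleset, including the corrected DNAT for inbound SMTP from question 2 and a check that no rule lets DMZ hosts initiate connections into the LAN. The DMZ mail server address 192.168.2.25 is a constructed placeholder; the thread only says 192.168.2.x.

```shell
#!/bin/sh
# Ruleset generator for the tri-homed layout in the thread:
#   eth0 202.54.1.1 (WAN), eth1 192.168.1.0/24 (LAN), eth2 192.168.2.0/24 (DMZ).
# MAIL_DMZ is a constructed placeholder; the thread only says 192.168.2.x.
WAN_IF=eth0; WAN_IP=202.54.1.1
LAN_IF=eth1; LAN_NET=192.168.1.0/24
DMZ_IF=eth2; DMZ_NET=192.168.2.0/24
MAIL_DMZ=192.168.2.25

# Emit the rules as iptables commands instead of applying them, so the policy
# can be reviewed (or piped into sh as root) without touching a running kernel.
gen_rules() {
  cat <<EOF
iptables -F; iptables -t nat -F; iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Stateful: replies to flows already allowed pass without per-service rules.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The firewall itself offers nothing to the public; admin SSH only from the LAN.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# LAN may initiate to the Internet and the DMZ; DMZ may initiate to the Internet only.
# No rule allows DMZ -> LAN, so a compromised DMZ host cannot reach workstations.
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -s $DMZ_NET -o $WAN_IF -j ACCEPT
# Inbound SMTP (question 2): DNAT the single public address to the DMZ mail host,
# then accept only that flow in FORWARD (which sees the post-DNAT destination).
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL_DMZ
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $MAIL_DMZ -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# Outbound (questions 1 and 3): everything leaving eth0 carries the one public address.
iptables -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
EOF
}

# Policy check: count generated rules that accept traffic entering from the DMZ
# and leaving toward the LAN. Expected to be 0.
dmz_to_lan_accepts() {
  gen_rules | grep -c -- "-i $DMZ_IF .*-o $LAN_IF .*-j ACCEPT" || true
}

case "$1" in
  --apply) gen_rules | sh ;;   # run as root to load the rules
  *)       gen_rules ;;
esac
```

Run it without arguments to review the generated commands; the ISP-side caveat in the reply still applies, since a DNAT rule cannot help if port 25 never reaches eth0.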
 
H Steenkamp
10-17-2011, 11:49 PM
On Oct 18, 5:59 am, ibupro...@painkiller.example.tld.invalid (Moe Trin) wrote:

Thank you very much Old guy. You have given me heaps of good links to
excellent resources. So this is where all the documentation is ;-)

Thanks again.
 