Hi,

On Mon, 27 Jun 2005 13:09:44 -0400 Travis Osterman <[EMAIL PROTECTED]> wrote:

> My only concern is that while this will work for my web server, it
> appears as though I would have to put all my service-providing machines
> on different subnets and have rules for each of them ... am I
> understanding that correctly?

Hm, depends on the service. But I think fairly all could be placed in the same "DMZ" subnet. Only DNS-dependent access between the machines in the DMZ using the "external" DNS name wouldn't work. But a clean design of the services should not let such a situation arise.

> Also, sadly, my webserver is doubling as a samba server right now and
> I'm not overly optimistic that windows will see it on the different
> subnet.

OK, I agree. Probably setting up two networks on the webserver as well could easily solve this.

I tend to now call our "DMZ" just "virtual other subnet" as there's no clear rule between them. So we have three networks:

- WAN (ppp0)
- LAN (eth1/192.168.1.x)
- "virtual other subnet" (eth1/192.168.3.x)

where the last two share the medium. The webserver/samba machine should listen on 192.168.3.x for webserver requests and should serve Samba on the 192.168.1.x address. But it would work if both services listen on both addresses as well.

> Is there a way to check and see if local traffic is (terminally)
> destined for ppp0 and set up a chain to filter by port and reroute
> that traffic to the appropriate lan computer?

Hm, local traffic destined for ppp0 would show up on nat/POSTROUTING.

> Could dnsmasq point my-dynamic-name.no-ip.com to the address of eth1
> instead of ppp0 to make the routing easier (bypassing NAT)?

Yes, of course. dnsmasq could answer with the _real_ IP address of the webserver. But if all services are to be distributed from the router to various other machines instead of (in the LAN) their real IPs, that wouldn't work as only one IP address can be answered by dnsmasq for one specific domain name.

That's actually the problem's core (translated freely from German):

You want to separate the traffic from the virtual service provider identified by the domain name transparently to other machines. So you will not only have to provide the way to the real machines hidden behind the router but also the way back. With the iptables approach only, the packets would even be sent back to the requesting machines. But there they won't (probably, maybe another network pro could be more clear on this? But I think we've lost most of the readers down here ;-) ) be recognized as correct answers, I think, and thus be dropped (because the request was made to $Router_Machine and the answer comes back from $Real_Service).

Another possibility would be to set up proxy servers on the router. But that scales far worse with the number of services. OTOH, this is needed if the service itself is not routable.

> I'm still really green at network design issues, but this is a
> fascinating problem to me. Thanks for your input so far.

Well, it also is to me. Never thought that much on such issues before. Actually, the approach via routing to a "virtual other subnet" came to my mind when I finished a reply using only one additional rule in iptables. Only then I thought about the answers from the servers.

-hwh
-- 
gentoo-user@gentoo.org mailing list
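Added example, not from the thread or any of its participants: a small Python model of the reply-path problem hwh describes, with constructed addresses for the three networks and the iptables rules it models given in comments. It goes one step beyond the post by also showing the usual hairpin SNAT fix for a server that stays on the LAN subnet, next to the "virtual other subnet" approach where the reply is routed back through the router.

```python
import ipaddress

# Constructed addresses for the three networks in the thread (not from the post):
ROUTER_WAN = "203.0.113.5"                     # ppp0
ROUTER_LAN = "192.168.1.1"                     # eth1
LAN = ipaddress.ip_network("192.168.1.0/24")   # eth1/192.168.1.x
DMZ = ipaddress.ip_network("192.168.3.0/24")   # "virtual other subnet", same medium
CLIENT = "192.168.1.20"
CLIENT_PORT = 40000


def delivered_directly(src, dst):
    """A reply goes straight over the shared medium, bypassing the router,
    when both ends sit in the same subnet; otherwise it goes via the gateway."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(a in net and b in net for net in (LAN, DMZ))


def http_request(server, hairpin_snat=False):
    """Follow one LAN client -> port-forwarded web server -> client exchange.

    Router rules modelled (iptables syntax, hypothetical values):
      PREROUTING:  -d ROUTER_WAN -p tcp --dport 80 -j DNAT --to <server>
      POSTROUTING: -s 192.168.1.0/24 -d <server> -p tcp --dport 80
                   -j SNAT --to ROUTER_LAN      (only if hairpin_snat)
    Returns True when the client can match the reply to its own connection.
    """
    pkt = {"src": CLIENT, "dst": ROUTER_WAN, "sport": CLIENT_PORT, "dport": 80}
    fwd = dict(pkt, dst=server)                # DNAT in PREROUTING
    if hairpin_snat:
        fwd["src"] = ROUTER_LAN                # SNAT in POSTROUTING
    conntrack = {(fwd["dst"], fwd["src"], fwd["sport"]): pkt}   # remember mapping

    # The server answers to whatever source address it saw in the request.
    reply = {"src": fwd["dst"], "dst": fwd["src"], "sport": 80, "dport": fwd["sport"]}

    if reply["dst"] == ROUTER_LAN or not delivered_directly(reply["src"], reply["dst"]):
        # Reply passes through the router: conntrack undoes DNAT (and SNAT).
        orig = conntrack[(reply["src"], reply["dst"], reply["dport"])]
        reply = {"src": orig["dst"], "dst": orig["src"], "sport": 80, "dport": orig["sport"]}
    # else: the server hands the reply to the client directly, untranslated.

    # The client sent to ROUTER_WAN:80, so only a reply from there is accepted.
    return (reply["src"] == ROUTER_WAN and reply["dst"] == CLIENT
            and reply["dport"] == CLIENT_PORT)
```

With the server on the client's own subnet and DNAT only, the reply never reaches the router and is dropped by the client; on 192.168.3.x, or with the hairpin SNAT, it is reverse-translated and accepted.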