[Shorewall-newbies] A DMZ issue with private addresses

Matthew Pozzi matthew at ozpoz.com
Sat Jan 17 21:21:51 PST 2004

I have setup a new bering box where I have connected eth2 to a "DMZ" which
is in fact a DMZ connected to another leaf box with real public

This new leaf machine has ADSL on it with a single external
public address, the older one is on 128kbit ISDN and has a public subnet
allocated to it.

The issue is this: these machines have a public sub-C address range they can
be accessed on by using the ISDN route, and the task these machines
undertake is to pull data from external sites, but I would like to go out the
second gateway, namely the ADSL service, for these particular needs. This is in
fact the main task of these machines; they do little else externally.

As stated, the main traffic to and from these machines is initiated from the
machines themselves, and to save some money and get faster traffic throughput
I reasoned that they could be connected to the ADSL service using a third
(DMZ) interface on the ADSL service to the existing DMZ on the ISDN,
but apart from bringing up an interface to this subnet and accessing the DMZ
from the firewall, I can only talk to it from the internal network (a
192.168 subnet) using NAT between eth1 (internal) and eth2 (DMZ). I cannot
successfully configure it to access this "DMZ" via DNAT from the single
public external address on the ADSL service externally. I have one DNAT
connection using a M$ PPTP server coming in from the ADSL external
interface that works, so it's mainly an issue of understanding and
configuring shorewall correctly to this eth2 connection.

The subnet is a 26-bit mask address network, it is connected to eth2 and is
just like the three-interface example in the shorewall documentation. eth0
is the external internet interface, really it is ppp0 on an ADSL service,
eth1 is the internal network and eth2 is to be connected
to the sub class C subnet.

Do we masq to this eth2 network from the internal eth1 subnet? I would
normally think not, as the leaf machine has a route to the subnet and traffic
will get there, although shorewall needs to know of its existence for
security. Should the DMZ be masqueraded to the external interface? I would
think yes, as we only have one externally, bearing in mind the DMZ addresses
are effectively a private DMZ as their addresses belong to another ISP and
cannot be routed through this ADSL service.

I hope this is clear enough. I seek assistance on this as I have got no
further in connecting this up apart from getting it connected via eth2.

I continue to be amazed at how much there is to learn, regards
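Added example, not part of Matthew's post and not the Shorewall project's own sample files: a sketch of the Shorewall 1.4-era configuration the setup above describes, written in the column layout of that version's zones, interfaces, policy, masq and rules files. It assumes the interface names from the post (ppp0 external, eth1 internal, eth2 DMZ), the zone names net/loc/dmz from the three-interface example, and a constructed placeholder DMZ host address and port (203.0.113.10, tcp/80) in the DNAT rule. The two design points it illustrates are that loc-to-dmz traffic is plain routing with no masq entry, while both eth1 and eth2 are masqueraded behind the single ADSL address on ppp0, because the DMZ's addresses belong to another ISP and are not routable over the ADSL link.

```text
# /etc/shorewall/zones  -- one zone per interface, as in the three-interface example
#ZONE   DISPLAY   COMMENTS
net     Net       Internet via the ADSL link (ppp0)
loc     Local     Internal 192.168.x.x network (eth1)
dmz     DMZ       Other ISP's public /26 on eth2, not routable via ADSL

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy  -- loc may reach dmz and net; dmz may reach net;
# nothing unsolicited from net; everything else rejected and logged
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       dmz    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq  -- SNAT to the single ADSL address for BOTH attached networks.
# No loc->dmz entry: eth1 and eth2 are directly attached, so that is ordinary routing.
#INTERFACE   SUBNET   ADDRESS
ppp0         eth1
ppp0         eth2

# /etc/shorewall/rules  -- inbound DNAT from the ADSL address to one DMZ host
# (203.0.113.10 and port 80 are constructed placeholders, not values from the post)
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
DNAT      net      dmz:203.0.113.10   tcp     80
```

Two things Shorewall cannot decide for you, and which are the usual reason a layout like this only half works: the DMZ hosts' own routing tables choose which gateway their outbound pulls leave by, so for them to use the ADSL link their default route has to point at this box's eth2 address rather than at the ISDN box on the same subnet; and a connection that arrives via the DNAT rule on ppp0 must have its replies routed back through this same box, otherwise the reply leaves via the ISDN router, the ADSL box never sees the return packets, and the connection stalls. Run `shorewall check` after editing the files and before restarting.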

