Addressing problem with NATted DMZ

This is what I'd do. You can achieve this by setting up different views in BIND. In this way, you can have one view of your world from the outside, and a completely different view for machines within the NAT area.

You don't need a firewall to bind multiple addresses to a NIC - you use IP aliasing.

So, for example, if your eth0 is currently on 1.2.3.4, you could execute

ifconfig eth0:0 5.6.7.8

and that ethernet interface will now respond to both 1.2.3.4 and 5.6.7.8.

Natty, huh?

Vic.

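As an added illustration of the split-horizon setup described above (example config, not from Vic's post or from the BIND project), here is a minimal BIND 9 named.conf with an "internal" view for the NATted DMZ and an "external" view for everyone else. The 192.168.1.0/24 netmask, the zone file names and the foo.com records in the comments are assumptions.

```conf
// Added example: split-horizon views in BIND 9 for the hosts in this thread.
// Assumed: the DMZ is 192.168.1.0/24; zone file names are illustrative.
// Vic's alternative is match-clients { localnets; }, which matches every
// network directly attached to the name server's interfaces.
acl "dmz" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
};

// Hosts inside the DMZ see the private addresses, so bar and baz
// connect to each other directly instead of via the IPCop box.
view "internal" {
    match-clients { "dmz"; };
    recursion yes;
    zone "foo.com" {
        type master;
        // db.foo.com.internal (assumed):  bar A 192.168.1.22  baz A 192.168.1.23
        file "db.foo.com.internal";
    };
};

// Everyone else gets the public addresses. With views in use, BIND 9
// requires every zone to live inside a view, so foo.com appears twice.
view "external" {
    match-clients { any; };
    recursion no;
    zone "foo.com" {
        type master;
        // db.foo.com.external (assumed):  bar A 22.22.22.22  baz A 22.22.22.23
        file "db.foo.com.external";
    };
};
```

Check it by running `dig @<nameserver> baz.foo.com A` from a DMZ host and from outside: the two answers should differ. This also addresses the hosts-file puzzle in the question, because Sendmail looks up MX and A records through the DNS resolver directly rather than through /etc/hosts, which ping does consult.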

Hi, I'm hoping someone else has seen this before...

I've got two machines, call them bar.foo.com and baz.foo.com. Both boxes run Debian stable, and the MTA on both is Sendmail. One is a primary mail server and the other is a secondary mail server for many of the same domains. These machines have real world addresses, call them 22.22.22.22 and 22.22.22.23, but since we've instituted IPCop as our firewall and used NAT, the machines don't really have these addresses any more, they're now really 192.168.1.22 and 192.168.1.23. They're on the same subnet and can talk to one another easily by address.

I've set them up in each other's /etc/hosts files so that from bar I can ping baz.foo.com and from baz I can ping bar.foo.com and that just works. But when they try to transfer mail to each other the connection times out, and when from the command line on bar I try

telnet baz.foo.com 25

it times out, although if I try

telnet 192.168.1.23

it works perfectly.

The IPCop is set up to allow traffic on port 25 both outbound and inbound to the two boxes, and each of the boxes has the IPCop box set up as its default gateway, so I don't understand why the SMTP traffic doesn't just get routed out to the IPCop box and back in again, but it doesn't: if I try

telnet 22.22.22.23 25

that doesn't get through either.

But the other thing I don't understand is why Sendmail (and telnet) are preferring addresses they're getting from DNS to addresses they're getting from the hosts file, while ping is preferring addresses from the hosts file.

So, please, can anyone suggest either

(i) a means of configuring IPCop so that it will pass this traffic;

or

(ii) a means of configuring the boxes so that sendmail uses the DMZ addresses to talk to each other rather than the real world ones;

or

(iii) a popular, reliable and reasonably well supported open source firewall which can bind multiple addresses to a single NIC (so Linux 2.4 or 2.6 and iptables, rather than 2.2 and ipchains) and which does not insist on NATting everything.

Simon Brooke

OK, that sounds useful. Can you point me to some documentation on how to do this? In particular does this work with bind 9?

Yup, I know this, but only on 2.4 and above kernels. My old home-brewed firewall was built on a 2.2 box and ipchains, and could not do this, which is why it has had to be replaced.

Simon Brooke

Works fine with bind 9.

[link] seems to give quite a good overview. Look especially at the definition of "internal" and "external" (i.e. using the predefined "localnets").

HTH

Vic.

