--- premstud@vsnl.com wrote:
Your ISP would actually assign you a (say) 4 address IP subnet, of which of course one address would go for the network address, one for broadcast and you would then have two addresses left. One address of these would be used for your Windows box and one for the Linux box.
That was funny....
You would have to enable IP forwarding on your Windows box for this to work.
You don't have to enable IP forwarding on your Windows box if you have your Linux box with a static IP.
Pray tell me, how else would you connect the second Linux NIC to the Windows machine? You're forgetting that the Windows machine is the gateway to the system. Since the DSL modem presumably runs PPPoE, and PPP is a point-to-point protocol, you will be able to connect only one device to the DSL modem port (assuming that that is how DSL works). That will be the external subnet A, which will be a 2-address subnet, with one assigned to the ISP router port, and the other to the Windows external NIC. IP subnet B will comprise the Windows/Linux box connection, which will route the Linux box access to the world. One thing I forgot to add here was that the Windows machine will also have to have an additional NIC on it. You then set a static route from the external NIC (connected to the ISP) to the internal subnet (connected to the Linux box).
This will work this way:
ISP        ________       ________
side      |        |     |        |      To private
--------  |WinBox  |-----|LinuxBox|----- network
          |________|     |________|

Enable IP forwarding on Win
Set up your services on your Linux box and have 2 NICs, one for the WAN and one for your internal LAN, and don't ever enable IP forwarding on your cards, unless you want outside people to access your LAN, and since it is with a static IP, firewall it properly.
If he does not enable IP forwarding on the Windows machine, how is he going to connect the Linux box to the outside world so that outside people have access to it? Remember, he wanted people to have web and POP3 access, so that obviously he needs the Linux server to advertise its services to the world.
I am not able to make any sense out of your suggestion, since you suggest two NICs, one for the WAN and one for the internal LAN, and not to enable IP forwarding on Linux. You do not seem to have read my post correctly, since I had suggested that he enable IP forwarding on the gateway machine, which in fact is the Windows machine, and not on the Linux box. Granted, I forgot to add that he needed an additional LAN card to provide routing services for a public IP address for the Linux box.
There are two ways that the internal private network can be provided Internet access. One is to continue using Windows forwarding services - but that will mean an additional network card on the Windows gateway. Windows IP forwarding works between two NICs, but I have no idea if it will support multipoint forwarding services, with one being NAT'ed and one with full access. Windows Proxy Server ought to work, however.
Another - and proven - method is to use your bugbear - IP forwarding on the Linux box - and provide a restrictive NAT / firewall construction that will effectively block all unauthorised ingress to the network. The other option (which will also probably require Linux IP forwarding to be enabled) is to provide some sort of proxy server - with or without something like SOCKS.
IP forwarding per se is not evil - it is how you configure it that causes all the problems. Remember, you cannot access the outside world through a firewall unless it allows IP packets to be forwarded, whether it is on Windows or Linux or FreeBSD or whatever. That is what iptables, ipchains, ipfilter, ipfw, etc. are all about. The only way you can get away with not using direct IP forwarding services for an internal private network is to enable proxying - which does away with IP header rewriting and keeps things somewhat simpler.
Regards,
Krishnan
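The "restrictive NAT / firewall construction" the reply above argues for, written out as an added example (this script is not part of the thread and is not any participant's configuration). It assumes a Linux box with two NICs, eth0 facing the ISP and eth1 facing a private 192.168.1.0/24 LAN (all three are illustrative values), enables IP forwarding, and installs an iptables ruleset whose FORWARD chain only passes LAN-originated flows and their replies, so the forwarding the thread worries about does not expose the LAN. The gateway itself accepts web and POP3 from the world, the two services the original poster wanted.

```shell
#!/bin/sh
# Added example, not from the original thread: a restrictive NAT + firewall
# ruleset for a Linux box with two NICs acting as the gateway for a private
# LAN. IP forwarding is on, but only LAN-initiated or reply traffic crosses
# the box. Interface names and the LAN subnet are assumptions for illustration.

# Print an iptables-restore ruleset for the given WAN NIC, LAN NIC and LAN subnet.
gen_ruleset() {
    wan=$1
    lan=$2
    lannet=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving the WAN NIC to the public address
-A POSTROUTING -s $lannet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: nothing arriving on the WAN may claim a LAN source address
-A INPUT -i $wan -s $lannet -j DROP
-A FORWARD -i $wan -s $lannet -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Services the gateway offers to the world (web and POP3, as in the thread)
-A INPUT -i $wan -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p tcp --dport 110 -m conntrack --ctstate NEW -j ACCEPT
# The private LAN may talk to the gateway itself
-A INPUT -i $lan -s $lannet -j ACCEPT
# Forwarding: replies to LAN-initiated connections, and new LAN -> WAN flows only;
# the DROP policy above refuses every other forwarded packet
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lannet -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Turn on forwarding and load the whole ruleset atomically (needs root).
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1
    gen_ruleset "$1" "$2" "$3" | iptables-restore
}

# Usage: sh gateway.sh apply eth0 eth1 192.168.1.0/24
# Without the "apply" argument the script only defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "${2:-eth0}" "${3:-eth1}" "${4:-192.168.1.0/24}"
fi
```

Run `gen_ruleset eth0 eth1 192.168.1.0/24` on its own first to read the rules before loading them; `iptables-restore` applies the whole table at once, so a typo does not leave the box half-configured. The ruleset is deliberately split into a "what the gateway accepts" (INPUT) and a "what it forwards" (FORWARD) part, which is the distinction the thread keeps circling: forwarding enabled with a DROP policy and conntrack rules is not the same as forwarding open to the world. If the Windows machine is kept as the gateway instead, the equivalent switch on Windows NT/2000 is the IPEnableRouter DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and Windows has no comparable FORWARD filter of its own, which is the practical argument for putting the forwarding on the Linux box.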