Timothy Wilson wrote:
> Our new Web server sits in a DMZ outside our school's main firewall
> and has a regular IP address. The rest of the district is NAT'd
> behind the firewall using a 10.*.*.* block. We have a tape library
> set up inside to back up all the file servers.
>
> Since we have a BackupExec setup, I'd like to install the Unix agent
> and back up the Web server files to the internal tape library. The
> firewall makes that more complicated.
>
> Here's the question: How 'bout putting a 2nd NIC in the Web server
> and putting that NIC on the internal network? The 2nd one would get
> a 10.* IP address and shouldn't have any trouble accessing the tape
> library.

Generally a bad idea. Plus, you compromise the whole idea of a DMZ that
way. However, I think the solution you desire is found in mere routing
tables and standard IPChains (assuming that you're running a 2.2.x
kernel).

Masquerading is only as important as the outside world. Your web server,
however, is another matter. You control that network, those IPs. You know
who the source is and what the destination is. You probably know which
ports are needed under which protocols. Remember this: you do not have to
masquerade to the DMZ...

  #!/bin/sh
  IPCN=/usr/sbin/ipchains
  WEBSVR=AAA.BBB.CCC.DDD
  TAPESVR=10.0.0.2
  PROTO=udp
  SPORT=555
  DPORT=555

  # Allow udp traffic to/from the tapeserver and webserver.
  # The first argument selects the action: A (add) or D (delete);
  # it defaults to D.  (${1:-D}, not ${1:='D'}: the := form tries to
  # assign to $1, which sh rejects.)
  $IPCN -${1:-D} forward -j ACCEPT -p $PROTO -b -s $TAPESVR $SPORT \
        -d $WEBSVR $DPORT

If you want even tighter control on when this rule is allowed, place a
crontab entry for this script. Use a parameter variable to specify an add
('A') or delete ('D').

  # m  h  dom m dow command
  00 05  *   * *   tape-rule A
  15 05  *   * *   tape-rule D

--
^chewie

Sorry about not signing my email...I can't get access to my home
workstation today.

CCW-20010320
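An added example of the rule script described in the reply above, written here for illustration and not part of chewie's post. It keeps the same idea (one ipchains forward rule between the tape server and the DMZ web server, toggled by an A/D argument from cron) but validates the argument, writes one explicit rule per direction instead of relying on -b, and supports a DRYRUN=1 mode that prints the commands instead of running them. The web server address 192.0.2.10, the DRYRUN variable and the function names are assumptions for the example; the IPCN, TAPESVR, PROTO and port values are the ones from the post.

```shell
#!/bin/sh
# Added example: ipchains rule helper for DMZ web server <-> internal tape server.
# Addresses other than the post's 10.0.0.2 are placeholders (192.0.2.10 is TEST-NET-1).
IPCN="${IPCN:-/usr/sbin/ipchains}"
WEBSVR="${WEBSVR:-192.0.2.10}"   # assumed placeholder for the DMZ web server
TAPESVR="${TAPESVR:-10.0.0.2}"
PROTO="${PROTO:-udp}"
SPORT="${SPORT:-555}"            # tape server port
DPORT="${DPORT:-555}"            # web server (agent) port

# run_rule ACTION SRC SPORT DST DPORT
# Adds (A) or deletes (D) one ACCEPT rule in the forward chain.
# With DRYRUN=1 the command is printed rather than executed.
run_rule() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$IPCN -$1 forward -p $PROTO -s $2 $3 -d $4 $5 -j ACCEPT"
    else
        "$IPCN" "-$1" forward -p "$PROTO" -s "$2" "$3" -d "$4" "$5" -j ACCEPT
    fi
}

# tape_rule [A|D]
# Validates the action (default D, i.e. fail closed when called with no
# argument) and installs/removes both directions of the backup flow.
tape_rule() {
    action="${1:-D}"
    case "$action" in
        A|D) ;;
        *) echo "usage: tape_rule A|D" >&2; return 2 ;;
    esac
    run_rule "$action" "$TAPESVR" "$SPORT" "$WEBSVR" "$DPORT" &&
    run_rule "$action" "$WEBSVR" "$DPORT" "$TAPESVR" "$SPORT"
}

# Run as a script: tape-rule A   (cron at 05:00)   /   tape-rule D   (cron at 05:15)
case "$0" in
    */tape-rule|tape-rule) tape_rule "$@" ;;
esac
```

Run it once with DRYRUN=1 to see the two commands cron will execute before putting the two crontab lines from the post in place; an unknown argument exits with status 2 and installs nothing, so a typo in the crontab cannot leave the window open.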