
Thread: Questions about Network Design

  1. #1

    Questions about Network Design

    Hey guys how are you all doing?

    I'm trying to learn how to host websites, create a DNS server and a mail server. Right now I am doing this at home via cable modem, but this is just for learning purposes. When I have some money I hope to set up a datacenter. But anyway, here's my question. How can I have my webserver, DNS, and mailserver on my internal network? Is it possible? Right now I have the internet directly connected to my iptables firewall, which also serves as a DHCP server, therefore it has a public IP address. I want my webserver, DNS, and mail server to have internal IP addresses, so I can provide these services while using only one public IP address. I would think that I just have to set up a port-forwarding rule in iptables. However, it did not work. For the webserver, I set up a rule that everything entering port 80 is forwarded to 192.168.0.0:80. And if I made a rule like this, would this disconnect my other computers on the 192.168.0.x network from accessing the internet?

    I hope I didn't ramble on too much. I appreciate any help.

    pEaCe
    kNoWLeDgE

  2. #2
    Senior Member (Join Date: Jan 2003; Posts: 274)
    Two things:
    1) Do you get a static IP address for your cable modem?
    2) Let's say your web server is x.x.x.1 and your workstation is x.x.x.50. iptables has a rule that all port 80 traffic goes to the x.x.x.1 address. You are on your workstation and want to go to AO. So you send a request, on port 80, to AO, and it responds to you with the webpage on port.........do you see where this is going?

  3. #3
    Senior Member (Join Date: Jan 2002; Posts: 1,207)
    Quote: "How can I have my webserver, DNS, and mailserver on my internal network? Is it possible?"
    Yes, it is.

    You have to create NAT rules on the firewall which will forward connections to those services to the relevant internal machines.

    That way you can have them appearing on the same external IP.

    Btw, I wouldn't recommend doing this for DNS. Instead set your DNS up ultra-secure directly on the external network, with no ports open except 53.

    By DNS, do you mean a primary or a resolver? You should of course keep a resolver on the internal network for client machines (including the mail server, etc) to use. However, you should not use the same machine as a resolver and primary/secondary.

    Of course, if you have only one external IP, you have no choice but to NAT it all through the same box. However, if that is the case, I'd recommend hosting the DNS offsite with an ISP (either a colo box, or get them to run the DNS for you. If you have fewer than 50 domains I'd recommend the latter).
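The NAT rules the reply above describes, as an added example that is not from the thread: a DNAT for port 80 and port 25 plus the masquerade that keeps the rest of the LAN online. The interface names, the 192.168.0.0/24 LAN and the server addresses 192.168.0.10 and 192.168.0.11 are constructed; the forward target has to be a host address, since 192.168.0.0 is the network address and no machine answers on it.

```shell
#!/bin/sh
# Added example, not the thread's own rules. Assumed (constructed): eth0 faces the
# cable modem, eth1 faces the LAN 192.168.0.0/24, web server 192.168.0.10, mail
# server 192.168.0.11. Dry run by default (prints the commands); run as root with
# IPT=iptables to apply.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
WEB_IP=192.168.0.10
MAIL_IP=192.168.0.11

nat_rules() {
  ipt="${1:-echo iptables}"
  # Nothing crosses the box unless a rule below allows it.
  $ipt -P FORWARD DROP
  $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # LAN clients keep internet access: their traffic is masqueraded behind the one
  # public IP. The DNAT below matches only packets arriving on the WAN side with
  # *destination* port 80, so a client's own browsing is untouched: replies from
  # external web sites come back with *source* port 80 and are handled by
  # connection tracking, not by the port forward.
  $ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  $ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
  # Public port -> internal server, one pair of rules per service. Each DNAT needs
  # a matching FORWARD accept or the rewritten packet hits the DROP policy.
  # Caveat: a LAN client that connects to the *public* IP never matches "-i eth0",
  # so inside clients should resolve the internal address instead (split DNS).
  for svc in "80 $WEB_IP" "25 $MAIL_IP"; do
    set -- $svc
    $ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$1" -j DNAT --to-destination "$2:$1"
    $ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$2" --dport "$1" -m state --state NEW -j ACCEPT
  done
}

nat_rules "${IPT:-echo iptables}"
```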

  4. #4
    thehorse13, Master-Jedi-Pimps0r & Moderator (Join Date: Dec 2002; Location: Washington D.C. area; Posts: 2,885)
    Quote: "Btw, I wouldn't recommend doing this for DNS. Instead set your DNS up ultra-secure directly on the external network, with no ports open except 53."
    Yes, and to add to this, I would only use a *nix system to provide DNS in this environment.

    Now, will you be using your own DNS server for your internal network? If so, I'd use a split-DNS setup. If you run your own hosting service, chances are it will grow and you will want to have your own internal name server, because I'm sure more and more machines will pop up in your rack.

    My two cents....

    Hope this helps.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
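The split-DNS setup suggested above, as an added BIND 9 "views" fragment that is not from the thread. The domain example.com, the public address 203.0.113.5 and the internal web server 192.168.0.10 are constructed; recursion is enabled only for the internal view, which puts resolver and primary on one box for brevity where the earlier reply would rather keep them on separate machines.

```conf
// Added example, not the thread's own config. Assumed (constructed): example.com,
// public IP 203.0.113.5, LAN 192.168.0.0/24 with the web server at 192.168.0.10.
acl "lan" { 192.168.0.0/24; 127.0.0.1; };

view "internal" {
    match-clients { "lan"; };
    recursion yes;               // resolver for LAN machines, mail server included
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // www IN A 192.168.0.10
    };
};

view "external" {
    match-clients { any; };      // everyone not matched above
    recursion no;                // authoritative answers only, never an open resolver
    allow-transfer { none; };    // or the address of your secondary
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // www IN A 203.0.113.5
    };
};
```

Views are matched in order, so the internal view must come first; each view needs its own zone file because the same name answers differently inside and out.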

  5. #5
    Junior Member (Join Date: Dec 2001; Posts: 13)
    You can also make your NAT box act as a sort of DNS proxy. If you make your firewall/NAT box the gateway and DNS at the same time, you save some boxes that need to be on 24/24 at your home.

    If you don't know how to set this up yourself, use some nice one-floppy program to do it for you, like freesco:
    www.freesco.org

  6. #6
    Banned (Join Date: Mar 2002; Posts: 968)
    Coyote Linux is another good boot-floppy router program. Just take an old 386 out of the closet/basement/attic and throw two network cards in. Then configure and go!

  7. #7
    Senior Member (Join Date: Nov 2002; Posts: 382)
    emPtYKnOw,
    all servers that you want to set up will have to face the world. As said previously, NAT will provide you multiple addresses while your provider gives you only one.

    I highly recommend you set up a DMZ to separate your servers and internal hosts at layer 2. Your hosts don't have to face the world; it would be insecure!

    To do that you need at least:
    - a switch (a basic one from 3com costs $100), and create 3 VLANs: one for your DMZ, one for your internal LAN & one to connect to the internet.
    - A router (e.g. Linux) with static routes & NAT. Connect it on a VLAN trunk port with 802.1q tagged frames.
    - A firewall in between the router and the switch.

    And as an extra, an IDS connected to a mirror port of the router.
    To provide services to your hosts you can use proxies located in your DMZ.
    Therefore flows will originate from your internal hosts, bounce through the DMZ & be forwarded to the internet. (Firewall and IDS will provide a minimum of security to the network system.)
    SHARING KNOWLEDGE
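The router side of the three-VLAN design above, as an added example that is not from the thread: 802.1q sub-interfaces on one trunk NIC of a Linux router, one per VLAN, plus the static default route toward the ISP. The NIC name, VLAN ids, subnets and the ISP gateway are constructed.

```shell
#!/bin/sh
# Added example, not the thread's own setup. Assumed (constructed): eth0 is the
# trunk port, VLAN 10 = internet side, 20 = DMZ, 30 = internal LAN; public
# address 203.0.113.5/24 with ISP gateway 203.0.113.1. Dry run by default
# (prints the commands); run as root with IP=ip to apply.
TRUNK=eth0
ISP_GW=203.0.113.1

vlan_setup() {
  ip="${1:-echo ip}"
  # role, 802.1q tag, router address inside that VLAN
  for v in "wan 10 203.0.113.5/24" "dmz 20 10.10.20.1/24" "lan 30 192.168.0.1/24"; do
    set -- $v
    # Tagged frames for id $2 arriving on the trunk appear on eth0.$2;
    # the switch port must be configured as a trunk carrying all three ids.
    $ip link add link "$TRUNK" name "$TRUNK.$2" type vlan id "$2"
    $ip addr add "$3" dev "$TRUNK.$2"
    $ip link set "$TRUNK.$2" up
  done
  # Only the default route is static; the three VLAN subnets are connected routes.
  # Traffic between VLANs crosses this router, which is where the firewall rules
  # (and the NAT toward the internet) are enforced.
  $ip route add default via "$ISP_GW" dev "$TRUNK.10"
}

vlan_setup "${IP:-echo ip}"
```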

  8. #8
    Junior Member (Join Date: May 2003; Posts: 3)

    you need to be allocated

    You need to be allocated an IP address by your ISP,
    because if your server is running DNS to get internet access, then the IP addresses the DHCP server is assigning to your in-house network will not get you on the net, as they are not members of your ISP domain.

    But if they give you a static IP for your server, then you can allow your server to allocate to your clients, thus making all your machines a member. Also you will need to point any URL you own to the static IP you receive from your ISP........

    Hope that helps.
