[Techtalk] iptables DMZ and more :)

James james at james-web.net
Fri Dec 21 14:13:58 EST 2001


Anyone have a good rundown on an iptables DMZ firewall?  I've read a few
premade-fill in the blank scripts for it, but does anyone have their own
they could share?  Preferably not entirely complicated with things I can
understand.  This is what I'm looking to do:

Cisco 2500 -------- | Firewall |
                        + NIC1 - DMZ1 Web Servers (www, mail, mysql etc)
                        + NIC2 - DMZ2 for MS ISA Proxy Server to private network
                                 (yuck, but not my decision)

Now what I should be doing is 1to1 NAT, right?

DMZ1 Servers:
207.127.75.179 <--> 192.168.1.179
207.127.75.180 <--> 192.168.1.180
207.127.75.181 <--> 192.168.1.181

And for DMZ2's proxy server...
207.127.75.244 <--> 192.168.2.244

And so on and so forth?

(Yes, I know I could do anything in RFC1918 for priv IPs and the last
octet doesn't need to correspond, I just do it for the sake that it is
easiest to remember and manage)

On to another issue...
This is my former school district I'm working for.  They realize they can't
live without me (Since I've left, there has barely been two solid weeks
without something breaking).  And other stupid things they do, like the
District Systems Coordinator installing Win2k and IIS and not patching
for Nimda and being compromised in < 30 minutes.  Sigh :/  And he used
to think I was bsing about the number of CR/Nimda attempts we had on our
Linux servers.

Now, so far they've said "We're going to pay you."  But they haven't
named a number.  What should be the general start point?  This would
pretty much be like a semi-hourly thing (They'll say $x per hour and
probably just cut me the same check every week for the same amount).  My
tasks are... managing and maintaining Linux servers, Linux firewall,
doing web content and special projects in PHP/MySQL.  At my last tech
job (Silly Level1 tech support), I got $10 (First real tech position and
it was at a small company).  I'm really not looking to get rich off this
(obviously), but just a little money to feed a starving college student.
Heh, they know I'd probably do it without pay, as I enjoy abuse (I would
just have to get increasingly sardonic).  Any ideas/suggestions?

Final question :)
We're going to be (finally) doing a webmail system
(Linux/Apache/exim/uwimap/Horde IMP) for all teachers/staff.  However,
we need to make administration super easy.  Like point and click.  The
main district admin (The one who installed the vulnerable Win2k machine
and would rather spend several thousand dollars on a new server + MS ISA
instead of an existing machine with Squid...) would be doing day to day
chores on it.  Stuff like teacher forgets password, needs it changed.
Deleting a user, adding a user.  Perhaps also the ability to read the
user's mail, if there was ever an 'issue'.  Are there any very
simplistic web-based tools for this?

- James
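A worked example of the 1:1 NAT layout James describes, written as an
iptables shell script.  This is an added example, not code from James's
post or from any of the fill-in-the-blank scripts he mentions.  Everything
about interfaces and roles is assumed, not stated in the post: eth0 faces
the Cisco 2500, eth1 is DMZ1, eth2 is DMZ2; .179 is the web host, .180 the
mail host, .181 the MySQL host (which gets no inbound rule at all, since
only the web host should talk to it).  It prints the rules by default
(DRY_RUN=1) so it can be read and checked; run it as root with DRY_RUN=0
to actually load them.

```shell
#!/bin/sh
# Added example: 1:1 NAT (DNAT in, SNAT out) plus a default-DROP FORWARD
# chain for the two DMZs in the post.  Interface names and which host does
# what are assumptions, not facts from the post.
set -eu

EXT_IF=${EXT_IF:-eth0}     # toward the Cisco 2500 (assumed)
DMZ1_IF=${DMZ1_IF:-eth1}   # DMZ1: www / mail / mysql (assumed)
DMZ2_IF=${DMZ2_IF:-eth2}   # DMZ2: MS ISA proxy (assumed)
DRY_RUN=${DRY_RUN:-1}      # 1 = print rules, 0 = apply them with iptables

# Wrapper so the same script can be reviewed (printed) or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# one_to_one PUBLIC PRIVATE DMZ_IF "tcp/80 tcp/443 ..."
# Makes PRIVATE reachable from the outside as PUBLIC and makes PRIVATE's
# own outbound connections appear to come from PUBLIC.  Only the listed
# proto/port services are admitted inbound; an empty list opens nothing.
one_to_one() {
    pub=$1; priv=$2; dmz_if=$3; services=$4
    # Inbound: rewrite the destination before the routing decision.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$priv"
    # Outbound: rewrite the source after routing so the host leaves as PUBLIC.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" -j SNAT --to-source "$pub"
    # Filter: NAT alone does not admit traffic; FORWARD still has to say yes.
    for svc in $services; do
        proto=${svc%/*}; port=${svc#*/}
        ipt -A FORWARD -i "$EXT_IF" -o "$dmz_if" -d "$priv" -p "$proto" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

base_policy() {
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F
    # Replies and related traffic (e.g. FTP data) for anything already allowed.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP
}

build_ruleset() {
    base_policy
    # DMZ1 hosts from the post's table (service split is assumed).
    one_to_one 207.127.75.179 192.168.1.179 "$DMZ1_IF" "tcp/80 tcp/443"
    one_to_one 207.127.75.180 192.168.1.180 "$DMZ1_IF" "tcp/25 tcp/143"
    one_to_one 207.127.75.181 192.168.1.181 "$DMZ1_IF" ""   # MySQL: nothing from outside
    # DMZ2 proxy: has a public address for its outbound traffic, no inbound services.
    one_to_one 207.127.75.244 192.168.2.244 "$DMZ2_IF" ""
    # Web tier may reach MySQL on its port; nothing else crosses inside DMZ1 unasked.
    ipt -A FORWARD -i "$DMZ1_IF" -o "$DMZ1_IF" -s 192.168.1.179 -d 192.168.1.181 \
        -p tcp --dport 3306 -m state --state NEW -j ACCEPT
    # The two DMZs may not start connections toward each other.
    ipt -A FORWARD -i "$DMZ1_IF" -o "$DMZ2_IF" -j DROP
    ipt -A FORWARD -i "$DMZ2_IF" -o "$DMZ1_IF" -j DROP
    # Hosts in either DMZ may initiate connections to the Internet.
    ipt -A FORWARD -i "$DMZ2_IF" -o "$EXT_IF" -s 192.168.2.244 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ1_IF" -o "$EXT_IF" -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
}

build_ruleset
```

Two things the script cannot do for you: the Cisco 2500 has to send
207.127.75.179-181 and .244 to the firewall, either by routing that block
to the firewall's outside address or, if those addresses sit on the same
subnet as eth0, by the firewall answering ARP for them (add each one as an
alias on eth0 or turn on proxy ARP); and the DNAT rule rewrites packets
for any port, so the FORWARD rules are what actually limit exposure.
Review the printed output before switching DRY_RUN off.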