Routing to a public IP on a private network
robeb
03-12-2003, 08:37 PM
I have a RedHat 7.2 router/firewall NATing packets onto my private 10.0.0.0/24 network. I was wondering if it would be possible to have a public IP address behind my router that would be directly accessible from the Internet?
Magueta
03-12-2003, 08:45 PM
Some routers have what's called a DMZ or demilitarized zone. If you place a computer in this zone then the router doesn't do anything but translate the public IP to the private IP of the computer. However, as far as I know the routers only allow one PC to be in this zone.
I don't know what you want it for, but if what you want to do is run a web server, all you have to do is forward port 80 to the machine that has the server, and every time someone tries to access your public IP on port 80 it'll be as if they were accessing the machine that you forwarded to directly. In the case of RedHat I think you'll have to use port forwarding rather than the demilitarized zone.
Joe
robeb
03-12-2003, 09:03 PM
So, to have a DMZ you would need to have a third NIC in the router? Or could you have two NICs and just forward packets back and forth from that box?
For example:
[code]
ISP (X.X.X.254)
      |
Router (X.X.X.228)
      |
 _________ Switch __________
 |            |            |
10.0.0.101  10.0.0.102  X.X.X.229
[/code]
Would the router be able to forward packets from X.X.X.229 to the default gateway (X.X.X.254) on the outside network?
Oops, I guess that diagram didn't come out as well as I had hoped.
Magueta
03-12-2003, 09:38 PM
Two NICs are enough if all you have is the switch and the outside network. Of course, if you want more than one connection directly to the router you'll need more NICs, but with the setup you have there two NICs will do great. Note: I don't think you can set up a DMZ with a Linux router, but I'm not sure; however, forwarding should be fine. You can forward any and all ports that you want to, so I suppose if you wanted to you could create a DMZ by forwarding all ports to a particular machine. When I mentioned the DMZ I was thinking about certain commercial hardware routers that I've seen such as Linksys and D-Link.
Joe
bwkaz
03-12-2003, 10:03 PM
Forget about the DMZ. ;)
What service(s) did you want to run on the "publicly accessible" computer? If it was just a web server, then do as Magueta is saying and forward port 80. If it was another service, then post it and someone will know what port(s) to forward to get it to work.
Oh, I've also added [code] tags around your original diagram, so that the spacing was saved, and changed the spacing a bit so that it works with a monospace font. ;)
Magueta
03-12-2003, 10:11 PM
The diagram looks much better that way. Wow!
Joe
Fryguy8
03-12-2003, 10:17 PM
My router has dynamic routing. So I just routed port 80, 22, etc to this computer, and then just left all the other ports closed.
Magueta
03-12-2003, 10:26 PM
Sounds great.
Joe
A couple of things to think about with both models. iptables port forwarding is not always the most robust when put under a high load, particularly with many fast connections, but on small to medium sites it works really well.
If you want to put a public IP behind the router in the internal LAN, then if regular machines on the internal LAN want to talk to the public IP machine they will need to send all their traffic via the router, which once again is not always the best model to use.
I'd probably recommend a proper DMZ segregated from the internal LAN on its own NIC and switch. It's always better and more stable in the long run.
Seeya,
Filp.
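As an added example (not code from anyone in this thread), here is what "forward port 80 and 22 to one machine and leave everything else closed" looks like as iptables rules on the two-NIC RedHat router discussed above. It assumes eth0 is the public side, eth1 is the 10.0.0.0/24 side and the server is 10.0.0.101; all three names are assumptions, and DRY_RUN=1 (the default) only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: iptables (kernel 2.4 era syntax) for a two-NIC Linux router
# that masquerades the LAN and forwards only TCP 80 and 22 to one host.
# Assumed names: eth0 = public side, eth1 = LAN side, server = 10.0.0.101.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them as root.
DRY_RUN=${DRY_RUN:-1}
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/24
WEB_HOST=10.0.0.101

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# forward_port PROTO PORT HOST: DNAT inbound PROTO/PORT arriving on the
# public interface to HOST, and explicitly allow that flow through FORWARD.
forward_port() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$2"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$1" -d "$3" --dport "$2" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Full rule set: default-deny forwarding, masquerade the LAN outbound,
# let replies back in, then open only the ports the server needs.
router_rules() {
    ipt -P FORWARD DROP
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_port tcp 80 "$WEB_HOST"   # web server
    forward_port tcp 22 "$WEB_HOST"   # ssh
    # Packets are not routed between the two NICs until this is enabled.
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

router_rules
```

Because the DNAT rule only matches packets arriving on eth0, LAN machines reach the server by its 10.0.0.101 address directly rather than through the public IP, which is the internal-traffic point Filp raises.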
Magueta
03-13-2003, 12:50 AM
Here's a link to a graphic of how a DMZ works. I had actually pictured it differently but the graphic really clears up the concept quite well, however, it really isn't necessary in your case.
Graphic here (http://www.saintrochtree.com/zones/it/articles/2000-01-01-04-a.htm)
Joe