
Re: basic firewall question



Ognen Duzlevski wrote:
Hi,

we have several boxes with unique public IP addresses which are part of a big .edu namespace. I would like to put these machines behind one single firewall and still keep their names. Is it possible to have all names point to the firewall machine and then have the firewall direct the specific request to a specific box behind it?

So, if F is firewall.x.edu and I have A.x.edu, B.x.edu and C.x.edu I want to have A, B and C behind F. A, B and C should now point to F and F will direct all outside requests to A, B or C based on the name.

Thanks,
Ognen



Ognen,

You could do it like this:

1) Change the public IPs of the servers you want to protect to something in a private range (192.168.x.x etc.).

2) Create interface aliases for their existing public IPs on the external interface of your firewall.

3) Forward incoming/outgoing traffic through your firewall with iptables.

You can assign interface aliases on a Debian box in /etc/network/interfaces.

As an example, let's say your firewall's external interface is eth0, and its public IP is 66.224.54.118. Your firewall has another interface (eth1) which is the gateway to your DMZ, and has IP 192.168.1.1. You have a web server in that DMZ with IP 192.168.1.2, and you want it to handle incoming traffic for www.x.edu. Your DNS A record for www.x.edu currently resolves to 66.224.54.117, and you don't want to change that.

To set this up, your /etc/network/interfaces file would look something like the following:

auto eth0
iface eth0 inet static
        address 66.224.54.118
        netmask 255.255.255.248
        network 66.224.54.112
        broadcast 66.224.54.119
        gateway 66.224.54.113

auto eth0:1
iface eth0:1 inet static
        address 66.224.54.117
        netmask 255.255.255.248

auto eth1
iface eth1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255

(I don't know offhand what (or if) the limit is for the number of aliases allowed per interface, but I think I recall doing three successfully. Also note that though eth0:1 will show up with ifconfig, AFAIK iptables will only refer to that interface as eth0.)


OK, now you want to get the incoming www traffic that is headed for 66.224.54.117 through your firewall to your www server and back out. The iptables rules would go something like this:

# VARIABLES
IPTABLES=/sbin/iptables         # Path to iptables
EXT_IP="66.224.54.118"          # eth0 IP
EXT_IF="eth0"                   # External interface
DMZ_IF="eth1"                   # DMZ interface
DMZ_IP="192.168.1.1"           # eth1
WWW_IP="66.224.54.117"          # Virtual external www IP
DMZ_WWW_IP="192.168.1.2"       # WWW server in DMZ


# PREROUTING CHAIN - DNAT the incoming tcp port 80 and 443
# so it can be forwarded


$IPTABLES -t nat -A PREROUTING -p tcp -i $EXT_IF -d $WWW_IP \
--dport 80 -j DNAT --to-destination $DMZ_WWW_IP

$IPTABLES -t nat -A PREROUTING -p tcp -i $EXT_IF -d $WWW_IP \
--dport 443 -j DNAT --to-destination $DMZ_WWW_IP


# FORWARD CHAIN

# Let already established forwarded conversations continue.
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Now forward the DNAT'ed packets to your www machine
# in the DMZ

$IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $DMZ_WWW_IP \
--dport 80:80 -j ACCEPT

$IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $DMZ_WWW_IP \
--dport 443:443 -j ACCEPT


# POSTROUTING - Now SNAT outgoing packets from your www server to your
# public WWW IP

$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $DMZ_WWW_IP -j \
SNAT --to $WWW_IP

# Make sure everything else going out eth0 is SNAT'ed to the
# firewall's IP.
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to $EXT_IP


Of course your firewall will likely also have a third interface for your private LAN. If so, and you want the machines on your LAN to use the services provided in your DMZ, you will probably need to find a way for them to resolve www.x.edu to 192.168.1.2 (instead of your public www IP) and then provide access through your firewall for them as well.

You might want to look into Shorewall or other iptables frontends to help you out if you don't like writing your own rule sets.

Hope that helps.

-Nathan
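The rules above cover one DMZ host; the original question was about several (A, B and C), each keeping its own public address. The following script is an added example, not Nathan's code, that generalizes the same DNAT / FORWARD / SNAT pattern to a whole list of hosts. It only prints the iptables commands it would run (so it can be reviewed or diffed before applying), and it ends with a FORWARD DROP policy as a default deny, which the post did not include. The interface names reuse the post's example; the host mapping and the extra public addresses .116 and .115 are constructed for the example.

```shell
#!/bin/sh
# Added example: emit DNAT/FORWARD/SNAT rules for several public alias IPs,
# each mapped to one DMZ host. Prints commands instead of executing them;
# review the output, then run it through sh on the firewall to apply it.

EXT_IF="eth0"                          # external interface (from the post)
DMZ_IF="eth1"                          # DMZ interface (from the post)
EXT_IP="66.224.54.118"                 # firewall's own public IP (from the post)
IPTABLES="${IPTABLES:-/sbin/iptables}" # path used in the printed commands

# Constructed mapping, one host per line: "public_alias_ip  dmz_ip  tcp_ports"
# (.117 -> web server as in the post; .116 and .115 are made-up hosts B and C)
HOSTS='
66.224.54.117 192.168.1.2 80,443
66.224.54.116 192.168.1.3 22
66.224.54.115 192.168.1.4 25,80
'

# rules_for PUBLIC_IP DMZ_IP PORTS: print the rules that make one DMZ host
# reachable on its old public address for the listed TCP ports, and make its
# outbound traffic leave the firewall from that same address.
rules_for() {
  pub=$1; dmz=$2; ports=$3
  for port in $(printf '%s' "$ports" | tr ',' ' '); do
    # rewrite the destination before routing so the packet can be forwarded
    printf '%s -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s\n' \
      "$IPTABLES" "$EXT_IF" "$pub" "$port" "$dmz"
    # allow exactly that DNAT'ed flow through the FORWARD chain
    printf '%s -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
      "$IPTABLES" "$EXT_IF" "$DMZ_IF" "$dmz" "$port"
  done
  # replies and new outbound connections from the host carry its public IP
  printf '%s -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
    "$IPTABLES" "$EXT_IF" "$dmz" "$pub"
}

# gen_rules: the complete ruleset for every host in HOSTS
gen_rules() {
  # established/related traffic in either direction is always allowed
  printf '%s -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPTABLES"
  printf '%s\n' "$HOSTS" | while read -r pub dmz ports; do
    [ -n "$pub" ] || continue            # skip the blank lines in HOSTS
    rules_for "$pub" "$dmz" "$ports"
  done
  # anything else leaving eth0 is hidden behind the firewall's own address
  printf '%s -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' \
    "$IPTABLES" "$EXT_IF" "$EXT_IP"
  # default deny: only the explicitly forwarded flows above get through
  printf '%s -P FORWARD DROP\n' "$IPTABLES"
}

# count_rules: number of commands generated (handy as a sanity check)
count_rules() { gen_rules | wc -l | tr -d ' '; }

gen_rules
```

Ordering matters: the per-host SNAT rules must precede the catch-all SNAT to the firewall's IP, otherwise the catch-all matches first and every DMZ host appears on the Internet as 66.224.54.118. Keeping the mapping in one list also makes it easy to see which public addresses expose which ports, which is the review you want before an alias goes live.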


