
Re: basic firewall question



Hi,

This approach works, but there is another way....
Have you considered using a bridging firewall?
All you need to do is bridge the external and internal NICs, apply the
bridge netfilter patch (or use ebtables). Then perform all of your
filtering on the bridged interface.
Some advantages of this approach:
- the firewall requires no IP of its own and is harder to attack as a
result (also good if you only have a limited number of public IPs at
your disposal)
- no NAT required (NAT is, well, ugly :)
- potentially, no reconfiguration of your existing servers is required

Check out:
http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html (older)

http://ebtables.sourceforge.net/ (far more up to date)

Hope this helps.


regards

charlie


On Thu, 2004-07-08 at 10:09, Nathan Barham wrote:
> Ognen Duzlevski wrote:
> > Hi,
> > 
> > we have several boxes with unique public IP addresses which are part of 
> > a big .edu namespace. I would like to put these
> > machines behind one single firewall and still keep their names. Is it 
> > possible to have all names point to the firewall
> > machine and then have the firewall direct the specific request to a 
> > specific box behind it?
> > 
> > So, if F is firewall.x.edu and I have A.x.edu, B.x.edu and C.x.edu I 
> > want to have A, B and C behind F. A, B and C
> > should now point to F and F will direct all outside requests to A, B or 
> > C based on the name.
> > 
> > Thanks,
> > Ognen
> > 
> > 
> 
> Ognen,
> 
> You could do it like this:
> 
> 1) Change the public IPs of the servers you want to protect to 
> something in a private range (192.168.x.x etc.).
> 
> 2) Create interface aliases for their existing public IPs on the 
> external interface of your firewall.
> 
> 3) Forward incoming/outgoing traffic through your firewall with iptables.
> 
> You can assign interface aliases on a Debian box in /etc/network/interfaces.
> 
> As an example, let's say your firewall's external interface is eth0, and 
> its public IP is 66.224.54.118.  Your firewall has another interface 
> (eth1) which is the gateway to your DMZ, and has IP 192.168.1.1.  You 
> have a web server in that DMZ with IP 192.168.1.2, and you want it to 
> handle incoming traffic for www.x.edu.  Your DNS A record for www.x.edu
> currently resolves to 66.224.54.117, and you don't want to change that.
> 
> To set this up, your /etc/network/interfaces file would look something 
> like the following:
> 
> auto eth0
> iface eth0 inet static
>          address 66.224.54.118
>          netmask 255.255.255.248
>          network 66.224.54.112
>          broadcast 66.224.54.119
>          gateway 66.224.54.113
> 
> auto eth0:1
> iface eth0:1 inet static
>          address 66.224.54.117
>          netmask 255.255.255.248
> 
> auto eth1
> iface eth1 inet static
>          address 192.168.1.1
>          netmask 255.255.255.0
>          network 192.168.1.0
>          broadcast 192.168.1.255
> 
> (I don't know offhand what (or if) the limit is for the number of 
> aliases allowed per interface, but I think I recall doing three 
> successfully.  Also note that though eth0:1 will show up with ifconfig, 
> AFAIK iptables will only refer to that interface as eth0.)
> 
> 
> OK, now you want to get the incoming www traffic that is headed for 
> 66.224.54.117 through your firewall to your www server and back out. 
> The iptables rules would go something like this:
> 
> # VARIABLES
> IPTABLES=/sbin/iptables         # Path to iptables
> EXT_IP="66.224.54.118"          # eth0 IP
> EXT_IF="eth0"                   # External interface
> DMZ_IF="eth1"                   # DMZ interface
> DMZ_IP="192.168.1.1"           # eth1
> WWW_IP="66.224.54.117"          # Virtual external www IP
> DMZ_WWW_IP="192.168.1.2"       # WWW server in DMZ
> 
> 
> # PREROUTING CHAIN - DNAT the incoming tcp port 80 and 443
> # so it can be forwarded
> 
> 
> $IPTABLES -t nat -A PREROUTING -p tcp -i $EXT_IF -d $WWW_IP \
> --dport 80 -j DNAT --to-destination $DMZ_WWW_IP
> 
> $IPTABLES -t nat -A PREROUTING -p tcp -i $EXT_IF -d $WWW_IP \
> --dport 443 -j DNAT --to-destination $DMZ_WWW_IP
> 
> 
> # FORWARD CHAIN
> 
> # Let already established forwarded conversations continue.
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Now forward the DNAT'ed packets to your www machine
> # in the DMZ
> 
> $IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $DMZ_WWW_IP \
> --dport 80 -j ACCEPT
> 
> $IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $DMZ_WWW_IP \
> --dport 443 -j ACCEPT
> 
> 
> # POSTROUTING - Now SNAT outgoing packets from your www server to your
> # public WWW IP
> 
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $DMZ_WWW_IP \
> -j SNAT --to $WWW_IP
> 
> # Make sure everything else going out eth0 is SNAT'ed to the
> # firewall's IP.
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to $EXT_IP
> 
> 
> Of course your firewall will likely also have a third interface for your 
> private LAN.  If so, and you want the machines on your LAN to use the 
> services provided in your DMZ, you will probably need to find a way for 
> them to resolve www.x.edu to 192.168.1.2 (instead of your public www IP) 
> and then provide access through your firewall for them as well.
> 
> You might want to look into Shorewall or other iptables frontends to 
> help you out if you don't like writing your own rule sets.
> 
> Hope that helps.
> 
> -Nathan
-- 
============================
Charles Kidson
Systems Administrator
General Pants Group
charlesk@generalpants.com.au
ph 02 9290 0813
fx 02 9299 6485
mb 0428 61 7766
============================
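As an added example (not code from either mail in this thread), here is Nathan's DNAT/SNAT rule set rebuilt as a shell function with a default-DROP FORWARD policy, so only the published web ports and replies to them cross the firewall. IPTABLES defaults to echo for a dry run; the addresses are the same constructed ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from either mail in this thread: Nathan's DNAT/SNAT
# rules rebuilt as a function with a default-DROP FORWARD policy, so only the
# published web ports (and replies to them) cross the firewall.
# Addresses are the constructed ones used in the thread.
IPTABLES="${IPTABLES:-echo}"    # default is a dry run; use /sbin/iptables to load
EXT_IF="eth0";  EXT_IP="66.224.54.118"
DMZ_IF="eth1";  WWW_IP="66.224.54.117"; DMZ_WWW_IP="192.168.1.2"

dnat_rules() {
    # Nothing is forwarded unless a rule below allows it. INPUT/OUTPUT
    # policies for the firewall host itself are left to a separate script.
    $IPTABLES -P FORWARD DROP
    # Replies to already-accepted connections, in either direction.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 80 443; do
        # Rewrite the destination of new web connections to the DMZ host...
        $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$WWW_IP" \
            --dport "$port" -j DNAT --to-destination "$DMZ_WWW_IP"
        # ...and allow only that rewritten traffic into the DMZ.
        $IPTABLES -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_WWW_IP" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Connections the web server itself opens leave with its public IP;
    # replies to DNATed connections are un-NATed by conntrack, not by this rule.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_WWW_IP" -j SNAT --to "$WWW_IP"
    # Everything else leaving the external interface uses the firewall's IP.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to "$EXT_IP"
}

# Self-check for the dry run: number of rules appended to a given chain.
count_rules() {
    dnat_rules | grep -c -- "-A $1 "
}

dnat_rules
```

Run it as-is to review the generated rules, then rerun with IPTABLES=/sbin/iptables as root to load them.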