DNAT-Port forward to internal servers with parallel firewalls



Hi,

First, the scenario:

I have two internet connections. One is a cheap ADSL, and the other is
an expensive, good-quality link.

My proxy server runs squid to serve local requests, and also acts as a
firewall for all traffic passing the ADSL. This server is set up as the
default gateway for my local machines.

It also deals with forwarding packets to WAN networks.

I have another firewall in the other link, which is in a different location.

No DMZ or alike structures are currently used.

The requirements:

I need to redirect (DNAT) a few ports, using the expensive internet
link, to local servers. TCP ports, by the way.

The problem:

As the route to the internet, for my local boxes, is to pass by my
"cheap link" firewall instead of the "expensive link" firewall, the
DNAT won't work, since when those local servers try to reply to the
requests, they try to go through the cheap path. That also won't work
because the "cheap link firewall" only allows restrictive NAT access
to the internet. I believe it couldn't route those packets back -
besides, I don't know if that would work at all, sending a packet via a
different route from the one it came.

Reference: http://www.shorewall.net/troubleshoot.htm

"Reply packets do NOT automatically follow the reverse path of the one
taken by the original request. All packets are routed according to the
routing table of the host at each step of the way. This issue commonly
comes up when people install a Shorewall firewall parallel to an
existing gateway and try to use DNAT through Shorewall without
changing the default gateway of the system receiving the forwarded
requests. Requests come in through the Shorewall firewall where the
destination IP address gets rewritten but replies go out unmodified
through the old gateway."


Possible solutions?

A possible solution I thought of was to "proxy" those TCP requests to the
local server, just like mod_proxy, pound and other software can do for
HTTP connections. I believe the magic there is changing the source
address in the packet, and somehow letting the firewall "intermediate"
that.

Sorry if I was not clear enough. I'm a bit confused here.


Do you have any ideas? I can't think of a good solution, besides
re-thinking the whole infrastructure again - I'm planning in the near
future to put the local servers that run public services in a DMZ.
That's what I'd have done if I had designed the network myself.

-- 
Yves Junqueira
Goiânia, Brasil
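As an added example, not from the original post or from Shorewall: a shell script that prints the two usual fixes for this asymmetric-routing problem, either SNAT on the expensive-link firewall next to the DNAT (the "proxy-like" source-address change the post guesses at), or source-based policy routing on the internal server via a dedicated alias address so real client IPs are kept. Interface names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Interface names and addresses
# are constructed placeholders; adjust them before use.
EXT_IF="eth0"               # expensive-link firewall: WAN side
LAN_IF="eth1"               # expensive-link firewall: LAN side
SRV_IF="eth0"               # internal server's LAN interface
FW_LAN_IP="192.168.1.2"     # expensive-link firewall's LAN address
SERVER="192.168.1.10"       # internal server (default gw = cheap-link firewall)
SERVER_ALIAS="192.168.1.11" # extra address on the server, used only by approach 2
PORT="443"

# Approach 1: DNAT plus SNAT on the expensive-link firewall. The server sees
# FW_LAN_IP as the client and replies to it directly, so its default route is
# never consulted for the return path. Trade-off: real client IPs are lost on
# the server (logs, rate limits, per-client ACLs all see the firewall).
dnat_with_snat() {
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT -j DNAT --to-destination $SERVER:$PORT"
    echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -p tcp -d $SERVER --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $SERVER --dport $PORT -j SNAT --to-source $FW_LAN_IP"
}

# Approach 2: keep real client IPs. The firewall DNATs to SERVER_ALIAS instead
# of SERVER, and the server routes everything *sourced from* SERVER_ALIAS back
# through the expensive-link firewall, so replies leave the way requests came.
dnat_to_alias() {
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT -j DNAT --to-destination $SERVER_ALIAS:$PORT"
    echo "iptables -A FORWARD -i $EXT_IF -o $LAN_IF -p tcp -d $SERVER_ALIAS --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}
policy_routing_on_server() {   # run on the internal server, not on the firewall
    echo "ip addr add $SERVER_ALIAS/24 dev $SRV_IF"
    echo "grep -q '^100 expensive' /etc/iproute2/rt_tables || echo '100 expensive' >> /etc/iproute2/rt_tables"
    echo "ip route add default via $FW_LAN_IP dev $SRV_IF table expensive"
    echo "ip rule add from $SERVER_ALIAS lookup expensive"
}

echo "# --- approach 1: expensive-link firewall only ---"; dnat_with_snat
echo "# --- approach 2: expensive-link firewall part ---"; dnat_to_alias
echo "# --- approach 2: internal server part ---";        policy_routing_on_server
```

For approach 2 the service on the internal server must also listen on SERVER_ALIAS (binding to 0.0.0.0 covers it), and rp_filter on the server should be in loose mode or off for SRV_IF.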