raghuni
asked on
How to configure Firewall/router without aliasing
I have more than one Public IP from my ISP (ex: aaa.aaa.aaa.aaX, aaa.aaa.aaa.aaY, aaa.aaa.aaa.aaZ) and i am having two NICs for my firewall machine in which eth0 is external device and eth1 is internal device.
On external device initially i have assigned one of my public IP (aaa.aaa.aaa.aaX) and for that i am masquerading all my traffic from internal network (eth1). In other words i am using the public IP aaa.aaa.aaa.aaX for accessing Internet from my internal network) and also i have implemented firewall using IPTables.
Up to this everything is normal... i hope.
I am running, a server internally (With a private IP), which will be accessed by my client from remote (outside of my Network or Organisation). In this case, generally we will write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access internal server from outside of my network.
like:
iptables -p tcp -t nat -A PREROUTING -s <Client'sIP> -d aaa.aaa.aaa.aaaX -j DNAT --to-destination <My Internal Server's Private IP>
However, i don;t want to disclose my public IP (aaa.aaa.aaa.aaX) which i am using for accessing Internet, and also i running Firewall on this IP. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX), to access internal server.
Here comes my problem, if i assign the IP address aaa.aaa.aaa.aaY to eth0 as alias, then both the addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to Internet.
In Hardware Firewall also, in any case we will not assign all the public IPs that we have, to WAN port. i.e Only the ip aaa.aaa.aaa.aaX will be assigned to WAN port. Still we can able to write DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to WAN port.
My question is, How can we do the same using IPTables ?
On external device initially i have assigned one of my public IP (aaa.aaa.aaa.aaX) and for that i am masquerading all my traffic from internal network (eth1). In other words i am using the public IP aaa.aaa.aaa.aaX for accessing Internet from my internal network) and also i have implemented firewall using IPTables.
Up to this everything is normal... i hope.
I am running, a server internally (With a private IP), which will be accessed by my client from remote (outside of my Network or Organisation). In this case, generally we will write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access internal server from outside of my network.
like:
iptables -p tcp -t nat -A PREROUTING -s <Client'sIP> -d aaa.aaa.aaa.aaaX -j DNAT --to-destination <My Internal Server's Private IP>
However, i don;t want to disclose my public IP (aaa.aaa.aaa.aaX) which i am using for accessing Internet, and also i running Firewall on this IP. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX), to access internal server.
Here comes my problem, if i assign the IP address aaa.aaa.aaa.aaY to eth0 as alias, then both the addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to Internet.
In Hardware Firewall also, in any case we will not assign all the public IPs that we have, to WAN port. i.e Only the ip aaa.aaa.aaa.aaX will be assigned to WAN port. Still we can able to write DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to WAN port.
My question is, How can we do the same using IPTables ?
ahoffmann
you dont need to assign aaa.aaa.aaa.aaY for this purpose, your DNAT rule should be sufficent asuming that the way back works too).
ASKER
I am not asking rule for reverse process DNAT.
Suppose: If my clinet want to accesss my internal IP using a public IP aaa.aaa.aaa.a25 then, i should have assigned that IP to my NIC. and my rule should be like
iptables -p tcp -t nat -A PREROUTING -s <ClinetIP> -d aaa.aaa.aaa.a25 -j DNAT --to-destination <MyInternal IP>.
then i don;t want to assign all the IPs in my pool to my NIC. Instead if i modify my rule as
iptables -p tcp -t nat -A PREROUTING -s <ClientIP> -d aaa.aaa.aaa.aa0/255.255.25
and i am NOT configuring all my public IPs to NIC. Why this will not work and i am getting an error " Unroutable Host"
Suppose: If my clinet want to accesss my internal IP using a public IP aaa.aaa.aaa.a25 then, i should have assigned that IP to my NIC. and my rule should be like
iptables -p tcp -t nat -A PREROUTING -s <ClinetIP> -d aaa.aaa.aaa.a25 -j DNAT --to-destination <MyInternal IP>.
then i don;t want to assign all the IPs in my pool to my NIC. Instead if i modify my rule as
iptables -p tcp -t nat -A PREROUTING -s <ClientIP> -d aaa.aaa.aaa.aa0/255.255.25
and i am NOT configuring all my public IPs to NIC. Why this will not work and i am getting an error " Unroutable Host"
> then i don;t want to assign all the IPs in my pool to my NIC. Instead if i modify my rule as
iptables sits on top of the kernels device driver, hence it only gets the traffic captured by the NIC (and its driver),
if you have not configured the NIC (for example a.a.a.a26) for that IP, the driver does not process packets send to this IP and so iptables can't process them.
(well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software loadbalancers do, but you need to have that IP configured somehow)
I guess you're barking up the wrong tree.
If you problem is that external clients know your IPs like a.a.a.a25 and a.a.a.a26 and so on and connect them, then you either need to tell those clients to use a.a.a.a25 only, or you need to configure a NIC with a.a.a.a26 (and a proper DNS entry).
Probably I misunderstood what you want to achieve, then please enlighten me.
iptables sits on top of the kernels device driver, hence it only gets the traffic captured by the NIC (and its driver),
if you have not configured the NIC (for example a.a.a.a26) for that IP, the driver does not process packets send to this IP and so iptables can't process them.
(well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software loadbalancers do, but you need to have that IP configured somehow)
I guess you're barking up the wrong tree.
If you problem is that external clients know your IPs like a.a.a.a25 and a.a.a.a26 and so on and connect them, then you either need to tell those clients to use a.a.a.a25 only, or you need to configure a NIC with a.a.a.a26 (and a proper DNS entry).
Probably I misunderstood what you want to achieve, then please enlighten me.
ASKER
>>(well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the >>loopback interface, like software loadbalancers do, but you need to have that IP configured somehow)
Can you please let me know, how to configure this ?
Can you please let me know, how to configure this ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
What it comes down to is that your upstream router need to know where to handoff packets to.
It does this by using ARP. An arp request by the router (upstream) to your network should be answered by someone
(owner of the IPadres wil do that) with a reply to pass it on to your NIC. Also your NIC should be allowed to accept packets with that address.
This is basicaly what you do when you setup up ifconfig or ifconfig with alias for an interface.
Your IPtable rules should filter to allow correct trafic after that.
BTW, as soon as you've setup something to allow access to that IP address is is by definition exposed to.
the internet... You could think about building an IPSEC vpn tunnel between you and your client. The IPSEC connection can run through your exposed address without needing nat. The requirement is that you need to different networks on both tides of the tunnel.
It does this by using ARP. An arp request by the router (upstream) to your network should be answered by someone
(owner of the IPadres wil do that) with a reply to pass it on to your NIC. Also your NIC should be allowed to accept packets with that address.
This is basicaly what you do when you setup up ifconfig or ifconfig with alias for an interface.
Your IPtable rules should filter to allow correct trafic after that.
BTW, as soon as you've setup something to allow access to that IP address is is by definition exposed to.
the internet... You could think about building an IPSEC vpn tunnel between you and your client. The IPSEC connection can run through your exposed address without needing nat. The requirement is that you need to different networks on both tides of the tunnel.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hello noci,
Let me work on your solutions, and will get back you with the result.
RaghuNi
Let me work on your solutions, and will get back you with the result.
RaghuNi