Solved

How to configure Firewall/router without aliasing

Posted on 2006-06-23
296 Views
Last Modified: 2010-04-22
I have more than one public IP from my ISP (e.g. aaa.aaa.aaa.aaX, aaa.aaa.aaa.aaY, aaa.aaa.aaa.aaZ), and I have two NICs in my firewall machine, of which eth0 is the external device and eth1 is the internal device.

On the external device I initially assigned one of my public IPs (aaa.aaa.aaa.aaX), and behind it I am masquerading all my traffic from the internal network (eth1). In other words, I am using the public IP aaa.aaa.aaa.aaX for accessing the Internet from my internal network, and I have also implemented the firewall using iptables.

Up to this point everything is normal... I hope.

I am running a server internally (with a private IP), which will be accessed by my client from remote (outside of my network or organisation). In this case, generally we would write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access the internal server from outside of my network.

like:
iptables -t nat -A PREROUTING -p tcp -s <Client'sIP> -d aaa.aaa.aaa.aaX -j DNAT --to-destination <My Internal Server's Private IP>

However, I don't want to disclose my public IP (aaa.aaa.aaa.aaX), which I am using for accessing the Internet, and I am also running the firewall on this IP. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX) to access the internal server.

Here comes my problem: if I assign the IP address aaa.aaa.aaa.aaY to eth0 as an alias, then both the addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to the Internet.

With a hardware firewall, too, we would in any case not assign all the public IPs that we have to the WAN port, i.e. only the IP aaa.aaa.aaa.aaX would be assigned to the WAN port. Still, we are able to write a DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to the WAN port.

My question is: how can we do the same using iptables?
Question by:raghuni

Expert Comment

by:ahoffmann
ID: 16976564
You don't need to assign aaa.aaa.aaa.aaY for this purpose; your DNAT rule should be sufficient (assuming that the way back works too).

Author Comment

by:raghuni
ID: 16977630
I am not asking for the rule for the reverse DNAT process.

Suppose my client wants to access my internal IP using a public IP aaa.aaa.aaa.a25; then I should have assigned that IP to my NIC, and my rule should be like
iptables -t nat -A PREROUTING -p tcp -s <ClientIP> -d aaa.aaa.aaa.a25 -j DNAT --to-destination <MyInternal IP>
But I don't want to assign all the IPs in my pool to my NIC. Instead, if I modify my rule as
iptables -t nat -A PREROUTING -p tcp -s <ClientIP> -d aaa.aaa.aaa.aa0/255.255.255.0 -j DNAT --to-destination <MyInternal IP>
and I am NOT configuring all my public IPs on the NIC, why will this not work, and why am I getting the error "Unroutable Host"?

Expert Comment

by:ahoffmann
ID: 16977807
> But I don't want to assign all the IPs in my pool to my NIC. Instead, if I modify my rule as
iptables sits on top of the kernel's device driver, hence it only gets the traffic captured by the NIC (and its driver);
if you have not configured the NIC for that IP (for example a.a.a.a26), the driver does not process packets sent to this IP and so iptables can't process them.
(Well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software load balancers do, but you need to have that IP configured somehow.)

I guess you're barking up the wrong tree.
If your problem is that external clients know your IPs like a.a.a.a25 and a.a.a.a26 and so on and connect to them, then you either need to tell those clients to use a.a.a.a25 only, or you need to configure a NIC with a.a.a.a26 (and a proper DNS entry).

Probably I misunderstood what you want to achieve, then please enlighten me.

Author Comment

by:raghuni
ID: 16981378
>> (Well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software load balancers do, but you need to have that IP configured somehow.)

Can you please let me know, how to configure this ?

Accepted Solution

by:ahoffmann (earned 75 total points)
ID: 16981482
AFAIK iproute2 can do it; http://www.lartc.org/

Expert Comment

by:noci
ID: 17085911
What it comes down to is that your upstream router needs to know where to hand off packets to.

It does this by using ARP. An ARP request by the (upstream) router to your network should be answered by someone
(the owner of the IP address will do that) with a reply to pass it on to your NIC. Also, your NIC should be allowed to accept packets with that address.

This is basically what you do when you set up ifconfig, or ifconfig with an alias, for an interface.
Your iptables rules should filter to allow the correct traffic after that.

BTW, as soon as you've set up something to allow access to that IP address, it is by definition exposed to the internet... You could think about building an IPsec VPN tunnel between you and your client. The IPsec connection can run through your exposed address without needing NAT. The requirement is that you need two different networks on both sides of the tunnel.
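An added example, not code from any of the posters, that carries out what ahoffmann's iproute2 pointer and noci's ARP explanation describe: a "local" route makes the kernel answer the upstream router's ARP for aaa.aaa.aaa.aaY and accept packets to it without putting the address on eth0, and the DNAT rule then forwards the client's connections to the internal server. The interface names, addresses and port are constructed placeholders, and the restriction to one client and one port is an assumption taken from the asker's own rule.

```shell
#!/bin/sh
# Added example (not from the thread): expose aaa.aaa.aaa.aaY to one client and
# DNAT it to an internal server WITHOUT adding the address as an alias on eth0.
# A "local" route (iproute2 / LARTC toolbox) makes the kernel reply to ARP for
# the address and accept packets to it, while no interface carries it.
# Addresses are constructed placeholders (RFC 5737 ranges). Needs root unless
# DRY_RUN=1, which only prints the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# usage: configure_unaliased_dnat WAN_IF PUBLIC_IP CLIENT_IP INTERNAL_IP TCP_PORT
configure_unaliased_dnat() {
    wan_if=$1; pub_ip=$2; client_ip=$3; int_ip=$4; port=$5

    # 1. Make PUBLIC_IP "local" without binding it to eth0. The host now answers
    #    the upstream router's ARP for it (noci's point), so packets are handed
    #    off to this NIC, but nothing listens on the address.
    run ip route add local "$pub_ip/32" dev lo
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Rewrite the client's connections to PUBLIC_IP:PORT. PREROUTING runs
    #    before the routing decision, so the rewritten packet is forwarded to
    #    the internal server instead of being delivered locally.
    run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp -s "$client_ip" \
        -d "$pub_ip" --dport "$port" -j DNAT --to-destination "$int_ip"

    # 3. Only the DNATed flow may be forwarded; conntrack tracks the reply
    #    direction and restores PUBLIC_IP as source on the way back out.
    run iptables -A FORWARD -i "$wan_if" -p tcp -s "$client_ip" -d "$int_ip" \
        --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -o "$wan_if" -s "$int_ip" \
        -m state --state ESTABLISHED -j ACCEPT

    # 4. The local route would otherwise make the firewall itself reachable on
    #    PUBLIC_IP; drop everything that step 2 did not DNAT away.
    run iptables -A INPUT -i "$wan_if" -d "$pub_ip" -j DROP
}

# Constructed demo values; run with APPLY=1 (as root) or DRY_RUN=1 APPLY=1.
if [ "${APPLY:-0}" = "1" ]; then
    configure_unaliased_dnat eth0 203.0.113.5 198.51.100.7 192.168.10.20 443
fi
```

The address still answers ARP, so in noci's sense it is exposed; the INPUT drop in step 4 is what keeps the firewall host itself unreachable on it.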

Assisted Solution

by:noci (earned 75 total points)
ID: 17086033
There is another way, but I doubt you want to go there... try looking up bridging firewalls.
They are invisible on the network; you need another NIC to access the firewall if you really want that.

http://www.securityfocus.com/infocus/1737
http://ebtables.sourceforge.net/


Author Comment

by:raghuni
ID: 17088039
Hello noci,

Let me work on your solutions, and I will get back to you with the result.

RaghuNi
