Solved

How to configure Firewall/router without aliasing

Posted on 2006-06-23
Last Modified: 2010-04-22
I have more than one public IP from my ISP (e.g. aaa.aaa.aaa.aaX, aaa.aaa.aaa.aaY, aaa.aaa.aaa.aaZ) and I have two NICs in my firewall machine, where eth0 is the external device and eth1 is the internal device.

On the external device I initially assigned one of my public IPs (aaa.aaa.aaa.aaX), and for that I am masquerading all my traffic from the internal network (eth1). In other words, I am using the public IP aaa.aaa.aaa.aaX for accessing the Internet from my internal network, and I have also implemented a firewall using iptables.

Up to this point everything is normal... I hope.

I am running a server internally (with a private IP), which will be accessed by my client remotely (from outside my network or organisation). In this case, generally we would write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access the internal server from outside my network.

Like:
iptables -p tcp -t nat -A PREROUTING -s <Client'sIP> -d aaa.aaa.aaa.aaX -j DNAT --to-destination <My Internal Server's Private IP>

However, I don't want to disclose my public IP (aaa.aaa.aaa.aaX), which I am using for accessing the Internet, and I am also running the firewall on this IP. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX) to access the internal server.

Here comes my problem: if I assign the IP address aaa.aaa.aaa.aaY to eth0 as an alias, then both addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to the Internet.

With a hardware firewall also, in any case we would not assign all the public IPs that we have to the WAN port, i.e. only the IP aaa.aaa.aaa.aaX would be assigned to the WAN port. Still, we are able to write a DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to the WAN port.

My question is, how can we do the same using iptables?
Question by:raghuni
8 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16976564
You don't need to assign aaa.aaa.aaa.aaY for this purpose; your DNAT rule should be sufficient (assuming that the way back works too).
 

Author Comment

by:raghuni
ID: 16977630
I am not asking for a rule for the reverse DNAT process.

Suppose my client wants to access my internal IP using a public IP aaa.aaa.aaa.a25; then I should have assigned that IP to my NIC, and my rule should be like
iptables -p tcp -t nat -A PREROUTING -s <ClientIP> -d aaa.aaa.aaa.a25 -j DNAT --to-destination <MyInternalIP>
But I don't want to assign all the IPs in my pool to my NIC. Instead, if I modify my rule as
iptables -p tcp -t nat -A PREROUTING -s <ClientIP> -d aaa.aaa.aaa.aa0/255.255.255.0 -j DNAT --to-destination <MyInternalIP>
and I am NOT configuring all my public IPs on the NIC, why will this not work, and why am I getting the error "Unroutable Host"?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16977807
> then i don;t want to assign all the IPs in my pool to my NIC. Instead if i modify my rule as
iptables sits on top of the kernel's device driver, hence it only gets the traffic captured by the NIC (and its driver).
If you have not configured the NIC for that IP (for example a.a.a.a26), the driver does not process packets sent to this IP, and so iptables can't process them.
(Well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software load balancers do, but you need to have that IP configured somehow.)

I guess you're barking up the wrong tree.
If your problem is that external clients know your IPs like a.a.a.a25 and a.a.a.a26 and so on and connect to them, then you either need to tell those clients to use a.a.a.a25 only, or you need to configure a NIC with a.a.a.a26 (and a proper DNS entry).

Probably I misunderstood what you want to achieve; if so, please enlighten me.

Author Comment

by:raghuni
ID: 16981378
> (well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software loadbalancers do, but you need to have that IP configured somehow)

Can you please let me know how to configure this?
 
LVL 51

Accepted Solution

by:
ahoffmann earned 300 total points
ID: 16981482
AFAIK iproute2 can do it; http://www.lartc.org/
 
LVL 41

Expert Comment

by:noci
ID: 17085911
What it comes down to is that your upstream router needs to know where to hand off packets to.

It does this by using ARP. An ARP request by the (upstream) router to your network should be answered by someone (the owner of the IP address will do that) with a reply to pass it on to your NIC. Also, your NIC should be allowed to accept packets with that address.

This is basically what you do when you set up ifconfig, or ifconfig with an alias, for an interface.
Your iptables rules should filter to allow the correct traffic after that.

BTW, as soon as you've set up something to allow access to that IP address, it is by definition exposed to the Internet... You could think about building an IPSEC VPN tunnel between you and your client. The IPSEC connection can run through your exposed address without needing NAT. The requirement is that you need two different networks on both sides of the tunnel.
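One way to do what ahoffmann's iproute2 pointer and noci's ARP explanation lead to, as an added example that is not code from the thread: own the second public address through an iproute2 local route on lo instead of an alias on eth0, so the firewall answers ARP for it on eth0 (with the default arp_ignore=0) and iptables sees its packets, then DNAT only the named client and port. The interface names eth0/eth1 come from the question; the addresses are constructed RFC 5737/1918 values, and the default DRY_RUN=1 only prints the commands. As noci says, the address is still reachable for whatever the rules permit; this avoids the alias, it does not hide anything.

```shell
#!/bin/sh
# Added example, not from the thread. Publishes one internal service on a second
# public IP without adding that IP as an alias on eth0: an iproute2 "local" route
# on lo makes the kernel own the address (answering ARP on eth0 with the default
# arp_ignore=0) so iptables can DNAT it. Constructed RFC 5737/1918 addresses below.
EXT_IF="${EXT_IF:-eth0}"            # external NIC, carries aaa.aaa.aaa.aaX in the question
INT_IF="${INT_IF:-eth1}"            # internal NIC
PUB_Y="${PUB_Y:-203.0.113.20}"      # second public IP (aaa.aaa.aaa.aaY), not aliased on eth0
CLIENT="${CLIENT:-198.51.100.7}"    # the one remote client allowed in
SERVER="${SERVER:-10.0.0.5}"        # internal server's private IP
PORT="${PORT:-22}"                  # the single service port being published
LAN="${LAN:-10.0.0.0/24}"           # internal network already masqueraded behind eth0
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands; DRY_RUN=0 applies them (root)

is_ipv4() {
    # 0 for a dotted quad, 1 otherwise; rejects unreplaced placeholders like aaa.aaa.aaa.aaY
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_rules() {
    for _a in "$PUB_Y" "$CLIENT" "$SERVER"; do
        is_ipv4 "$_a" || { echo "not an IPv4 address: $_a" >&2; return 1; }
    done
    [ "$DRY_RUN" = 1 ] || [ "$(id -u)" = 0 ] || { echo "run as root to apply" >&2; return 1; }
    run sysctl -w net.ipv4.ip_forward=1
    # Own PUB_Y via lo instead of an eth0 alias; it never appears in 'ip addr show eth0'
    run ip route add local "$PUB_Y" dev lo
    # Default-deny forwarding, then permit only this client to this port on the DNAT target
    run iptables -P FORWARD DROP
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -s "$CLIENT" -d "$PUB_Y" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$CLIENT" -d "$SERVER" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The question's existing outbound masquerade behind aaa.aaa.aaa.aaX is unchanged
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

apply_rules
```

Run it once as-is to review the generated commands, then with DRY_RUN=0 as root to apply them.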
 
LVL 41

Assisted Solution

by:noci
noci earned 300 total points
ID: 17086033
There is another way, but I doubt you want to go there... Try looking up bridging firewalls.
They are invisible on the network; you need another NIC to access the firewall if you really want that.

http://www.securityfocus.com/infocus/1737
http://ebtables.sourceforge.net/
 

Author Comment

by:raghuni
ID: 17088039
Hello noci,

Let me work on your solutions, and I will get back to you with the result.

RaghuNi
