How to configure Firewall/router without aliasing
Posted on 2006-06-23
I have more than one Public IP from my ISP (ex: aaa.aaa.aaa.aaX, aaa.aaa.aaa.aaY, aaa.aaa.aaa.aaZ) and i am having two NICs for my firewall machine in which eth0 is external device and eth1 is internal device.
On external device initially i have assigned one of my public IP (aaa.aaa.aaa.aaX) and for that i am masquerading all my traffic from internal network (eth1). In other words i am using the public IP aaa.aaa.aaa.aaX for accessing Internet from my internal network) and also i have implemented firewall using IPTables.
Up to this everything is normal... i hope.
I am running, a server internally (With a private IP), which will be accessed by my client from remote (outside of my Network or Organisation). In this case, generally we will write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access internal server from outside of my network.
iptables -p tcp -t nat -A PREROUTING -s <Client'sIP> -d aaa.aaa.aaa.aaaX -j DNAT --to-destination <My Internal Server's Private IP>
However, i don;t want to disclose my public IP (aaa.aaa.aaa.aaX) which i am using for accessing Internet, and also i running Firewall on this IP. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX), to access internal server.
Here comes my problem, if i assign the IP address aaa.aaa.aaa.aaY to eth0 as alias, then both the addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to Internet.
In Hardware Firewall also, in any case we will not assign all the public IPs that we have, to WAN port. i.e Only the ip aaa.aaa.aaa.aaX will be assigned to WAN port. Still we can able to write DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to WAN port.
My question is, How can we do the same using IPTables ?