Solved

How to configure Firewall/router without aliasing

Posted on 2006-06-23
10
295 Views
Last Modified: 2010-04-22
I have more than one Public IP from my ISP (ex: aaa.aaa.aaa.aaX, aaa.aaa.aaa.aaY, aaa.aaa.aaa.aaZ) and i am having two NICs for my firewall machine in which eth0 is external device and eth1 is internal device.

On external device initially i have assigned one of my public IP (aaa.aaa.aaa.aaX) and for that i am masquerading all my traffic from internal network (eth1). In other words i am using the public IP aaa.aaa.aaa.aaX for accessing Internet from my internal network) and also i have implemented firewall using IPTables.

Up to this everything is normal... i hope.

I am running, a server internally (With a private IP), which will be accessed by my client from remote (outside of my Network or Organisation). In this case, generally we will write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access internal server from outside of my network.

like:
iptables -p tcp -t nat -A PREROUTING -s <Client'sIP> -d aaa.aaa.aaa.aaaX -j DNAT --to-destination <My Internal Server's Private IP>

However, i don;t want to disclose my public IP (aaa.aaa.aaa.aaX) which i am using for accessing Internet, and also i running Firewall on this IP. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX), to access internal server.

Here comes my problem, if i assign the IP address aaa.aaa.aaa.aaY to eth0 as alias, then both the addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to Internet.

In Hardware Firewall also, in any case we will not assign all the public IPs that we have, to WAN port. i.e Only the ip aaa.aaa.aaa.aaX will be assigned to WAN port. Still we can able to write DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to WAN port.

My question is, How can we do the same using IPTables ?
0
Comment
Question by:raghuni
  • 3
  • 3
  • 2
10 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16976564
you dont need to assign aaa.aaa.aaa.aaY for this purpose, your DNAT rule should be sufficent asuming that the way back works too).
0
 

Author Comment

by:raghuni
ID: 16977630
I am not asking rule for reverse process DNAT.

Suppose: If my clinet want to accesss my internal IP using a public IP aaa.aaa.aaa.a25 then, i should have assigned that IP to my NIC. and my rule should be like
iptables -p tcp -t nat -A PREROUTING -s <ClinetIP> -d aaa.aaa.aaa.a25 -j DNAT --to-destination <MyInternal IP>.
then i don;t want to assign all the IPs in my pool to my NIC. Instead if i modify my rule as
iptables -p tcp -t nat -A PREROUTING -s <ClientIP> -d aaa.aaa.aaa.aa0/255.255.255.0 -j DNAT --to-destination <MyInternal IP>
and i am NOT configuring all my public IPs to NIC. Why this will not work and i am getting an error " Unroutable Host"
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16977807
> then i don;t want to assign all the IPs in my pool to my NIC. Instead if i modify my rule as
iptables sits on top of the kernels device driver, hence it only gets the traffic captured by the NIC (and its driver),
if you have not configured the NIC (for example a.a.a.a26) for that IP, the driver does not process packets send to this IP and so iptables can't process them.
(well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software loadbalancers do, but you need to have that IP configured somehow)

I guess you're barking up the wrong tree.
If you problem is that external clients know your IPs like a.a.a.a25 and a.a.a.a26 and so on and connect them, then you either need to tell those clients to use a.a.a.a25 only, or you need to configure a NIC with a.a.a.a26 (and a proper DNS entry).

Probably I misunderstood what you want to achieve, then please enlighten me.
0
 

Author Comment

by:raghuni
ID: 16981378
>>(well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the >>loopback interface, like software loadbalancers do, but you need to have that IP configured somehow)

Can you please let me know, how to configure this ?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 51

Accepted Solution

by:
ahoffmann earned 75 total points
ID: 16981482
AFAIK iproute2 can do it; http://www.lartc.org/
0
 
LVL 40

Expert Comment

by:noci
ID: 17085911
What it comes down to is that your upstream router need to know where to handoff packets to.

It does this by using ARP. An arp request by the router (upstream) to your network should be answered by someone
(owner of the IPadres wil do that) with a reply to pass it on to your NIC. Also your NIC should be allowed to accept packets with that address.

This is basicaly what you do when you setup up ifconfig or ifconfig with alias for an interface.
Your IPtable rules should filter to allow correct trafic after that.

BTW, as soon as you've setup something to allow access to that IP address is is by definition exposed to.

the internet... You could think about building an IPSEC vpn tunnel between you and your client. The IPSEC connection can run through your exposed address without needing nat. The requirement is that you need to different networks on both tides of the tunnel.
0
 
LVL 40

Assisted Solution

by:noci
noci earned 75 total points
ID: 17086033
There is another way, but I doubt if you want to go there.., try looking up bridging firewalls.
They are invisible on the network, you need another NIC to access the firewall if you really want that.

http://www.securityfocus.com/infocus/1737
http://ebtables.sourceforge.net/

0
 

Author Comment

by:raghuni
ID: 17088039
Hello noci,

Let me work on your solutions, and will get back you with the result.

RaghuNi
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
RHEL 7 , how do you see open firewall ports  ? 3 169
SYSCTL 5 74
Linux Permissions Issue (Can't Upload) 6 82
Website hacked - which logs should I check to find out how? 7 87
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now