Solved

How to configure Firewall/router without aliasing

Posted on 2006-06-23
Last Modified: 2010-04-22
I have more than one public IP from my ISP (ex: aaa.aaa.aaa.aaX, aaa.aaa.aaa.aaY, aaa.aaa.aaa.aaZ) and I have two NICs in my firewall machine, in which eth0 is the external device and eth1 is the internal device.

On the external device I initially assigned one of my public IPs (aaa.aaa.aaa.aaX), and for that I am masquerading all my traffic from the internal network (eth1). In other words, I am using the public IP aaa.aaa.aaa.aaX for accessing the Internet from my internal network, and I have also implemented the firewall using IPTables.

Up to this point everything is normal... I hope.

I am running a server internally (with a private IP) which will be accessed by my client remotely (from outside my network or organisation). In this case, generally we would write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access the internal server from outside my network,

like:
iptables -p tcp -t nat -A PREROUTING -s <Client'sIP> -d aaa.aaa.aaa.aaX -j DNAT --to-destination <My Internal Server's Private IP>

However, I don't want to disclose my public IP (aaa.aaa.aaa.aaX), which I am using for accessing the Internet and on which I am also running the firewall. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX) to access the internal server.

Here comes my problem: if I assign the IP address aaa.aaa.aaa.aaY to eth0 as an alias, then both addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to the Internet.

In a hardware firewall also, in any case we would not assign all the public IPs that we have to the WAN port, i.e. only the IP aaa.aaa.aaa.aaX would be assigned to the WAN port. Still we are able to write a DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to the WAN port.

My question is, how can we do the same using IPTables?
Question by:raghuni

10 Comments
LVL 51

Expert Comment

by:ahoffmann
You don't need to assign aaa.aaa.aaa.aaY for this purpose; your DNAT rule should be sufficient (assuming that the way back works too).

Author Comment

by:raghuni
I am not asking for a rule for the reverse DNAT process.

Suppose my client wants to access my internal IP using a public IP aaa.aaa.aaa.a25; then I should have assigned that IP to my NIC, and my rule should be like
iptables -p tcp -t nat -A PREROUTING -s <ClientIP> -d aaa.aaa.aaa.a25 -j DNAT --to-destination <MyInternal IP>
But I don't want to assign all the IPs in my pool to my NIC. Instead, if I modify my rule as
iptables -p tcp -t nat -A PREROUTING -s <ClientIP> -d aaa.aaa.aaa.aa0/255.255.255.0 -j DNAT --to-destination <MyInternal IP>
and I am NOT configuring all my public IPs on the NIC, why will this not work, and why am I getting the error "Unroutable Host"?
LVL 51

Expert Comment

by:ahoffmann
> then I don't want to assign all the IPs in my pool to my NIC. Instead if I modify my rule as
iptables sits on top of the kernel's device driver, hence it only gets the traffic captured by the NIC (and its driver);
if you have not configured the NIC (for example a.a.a.a26) for that IP, the driver does not process packets sent to this IP and so iptables can't process them.
(Well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software load balancers do, but you need to have that IP configured somehow.)

I guess you're barking up the wrong tree.
If your problem is that external clients know your IPs like a.a.a.a25 and a.a.a.a26 and so on and connect to them, then you either need to tell those clients to use a.a.a.a25 only, or you need to configure a NIC with a.a.a.a26 (and a proper DNS entry).

Probably I misunderstood what you want to achieve; if so, please enlighten me.

Author Comment

by:raghuni
>> (Well, in practice there are special modes for the NIC where you can accept all packets and route them internally via the loopback interface, like software load balancers do, but you need to have that IP configured somehow.)

Can you please let me know how to configure this?
LVL 51

Accepted Solution

by:
ahoffmann earned 75 total points
AFAIK iproute2 can do it; http://www.lartc.org/
LVL 39

Expert Comment

by:noci
What it comes down to is that your upstream router needs to know where to hand off packets to.

It does this by using ARP. An ARP request by the (upstream) router to your network should be answered by someone
(the owner of the IP address will do that) with a reply to pass it on to your NIC. Also your NIC should be allowed to accept packets with that address.

This is basically what you do when you set up ifconfig, or ifconfig with an alias, for an interface.
Your iptables rules should filter to allow the correct traffic after that.

BTW, as soon as you've set up something to allow access to that IP address, it is by definition exposed to the internet... You could think about building an IPSEC VPN tunnel between you and your client. The IPSEC connection can run through your exposed address without needing NAT. The requirement is that you need two different networks on both sides of the tunnel.
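Putting ahoffmann's iproute2 pointer and noci's ARP explanation together, as an added example that is not from any of the posters: a route in the kernel's local table makes the firewall answer the upstream router's ARP request for the second public address and accept packets for it, without that address ever being added to eth0 as an alias, and the DNAT rule then forwards those packets to the internal server. All addresses, the interface name and the port are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): accept and DNAT traffic for a second
# public address without adding it to eth0 as an alias. A "local" route makes
# the kernel answer the upstream router's ARP request for PUB_Y and accept
# packets addressed to it, yet `ip addr show eth0` still lists only PUB_X.
# Every value below is a placeholder (documentation ranges), not thread data.
EXT_IF="${EXT_IF:-eth0}"
PUB_Y="${PUB_Y:-203.0.113.25}"      # public IP handed to the client
SERVER="${SERVER:-192.168.1.10}"    # internal server (private IP)
CLIENT="${CLIENT:-198.51.100.7}"    # the client's source address
PORT="${PORT:-443}"                 # service port

# Print the command instead of executing it when DRY_RUN=1 (no root needed).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Step 1 (iproute2): claim PUB_Y via the local routing table. The host now
# replies to ARP for PUB_Y on eth0 and hands the packets to netfilter.
claim_public_ip() {
    run ip route add local "$PUB_Y" dev lo
}

# Step 2: rewrite the destination before routing so the packet is forwarded
# to the internal server; conntrack restores PUB_Y as source on the way back.
add_dnat() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -s "$CLIENT" \
        -d "$PUB_Y" --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
}

# Step 3: allow only the DNATed flow (and its replies) through FORWARD, and
# drop whatever still carries PUB_Y as destination, i.e. did not match the
# DNAT rule, so the claimed address answers for nothing but this service.
add_filter() {
    run iptables -A FORWARD -i "$EXT_IF" -p tcp -s "$CLIENT" -d "$SERVER" \
        --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -d "$PUB_Y" -j DROP
}

apply_all() { claim_public_ip && add_dnat && add_filter; }

case "${1:-}" in
    apply) apply_all ;;            # needs root
    show)  DRY_RUN=1; apply_all ;; # print the commands only
esac
```

This relies on the kernel default arp_ignore=0 on eth0 (reply to ARP for any locally known address) and on the IP forwarding the asker already has enabled for masquerading; the rules append to whatever policy the existing firewall already holds.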
LVL 39

Assisted Solution

by:noci
noci earned 75 total points
There is another way, but I doubt if you want to go there... try looking up bridging firewalls.
They are invisible on the network; you need another NIC to access the firewall if you really want that.

http://www.securityfocus.com/infocus/1737
http://ebtables.sourceforge.net/


Author Comment

by:raghuni
Hello noci,

Let me work on your solutions, and I will get back to you with the result.

RaghuNi