LinuxQuestions.org - Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Both the above rules are working fine for me.
For example: if a client from the IP aaa.bbb.ccc.ddd tries to connect to port 22 on the IP xxx.xxx.xxx.1, then it will be DNATed to 192.168.0.1, and as I mentioned above this is working fine for me.
But xxx.xxx.xxx.1 is my firewall's (primary) IP, which we don't want to disclose to anybody as a security concern. Instead, we want to give our client another IP (e.g. xxx.xxx.xxx.2) to access my internal server (192.168.0.1).
One solution I have for this is assigning xxx.xxx.xxx.2 as an alias IP to my external NIC, and my iptables rule should be either
With this, without changing any other settings, the client is able to access my internal server (192.168.0.1) from his IP (aaa.bbb.ccc.ddd), i.e. the client will SSH to xxx.xxx.xxx.2 and because of our DNAT rule he will be DNATed to 192.168.0.1 automatically.
Here, creating an alias IP is not at all a secure way, as both the IPs (xxx.xxx.xxx.1 and xxx.xxx.xxx.2) are open to the Internet. So, without IP aliasing, how do I DNAT a packet which is coming for xxx.xxx.xxx.2 to my internal IP?
Put simply: without IP aliasing, how do I DNAT (one-to-one only) on another public IP which is not assigned on my firewall box? I believe that in iptables, for a DNAT rule, we don't require writing a separate SNAT rule again.
Are you trying to "assign" a different public IP to your external interface than the one given by your ISP? That could cause problems if, say, your ISP already assigned the address that you chose to someone else. And probably against your ISP's rules as well.
Even if you create aliases or find other ways to simulate having a different IP on your external interface, the IP which was assigned to you by your ISP is still exposed to the internet, because that's your link to the net. There's no way to avoid this, apart from unplugging from the net. Regardless of services that you may be providing on the connection, if you're connected your IP is exposed. The solution is to lock down your end of things, harden the OS, etc.
Apologies if I've misunderstood your post.
Distribution: Redhat Linux 9.0,Redhat Linux EL 3.0, 4.0 5.0 SLES 10 SLES10(OES)
Original Poster
Actually I am not trying to use an IP which is not allotted to me by my ISP. Suppose I have a set of IPs with a proper netmask. How do I make use of those IPs without assigning all of my IPs to the firewall machine for DNATing?
It really depends on what you're trying to accomplish.
Are you trying to avoid a "single-point-of-failure" and bottlenecks?
In this case you should have more than one firewall machine, each assigned a different real IP of your allocated subnet, but with identical settings for all the firewalls. I'd suggest writing a single script to set the firewall rules and running it on all firewall machines (pay attention to different device names though).
Are you trying to consolidate and control your "points-of-exposure"?
In this case, several NICs on the firewall, each with a different real IP, and one NIC to connect to the DMZ is the way to go. This way you can tailor your firewall rules on a per-device basis. Not to mention the wonders the routing table will be able to accomplish.
Either way, DNATing is needed. Which is a good thing cause DNATing is what keeps your DMZ safe.
[edit]
Forgot to mention one thing. It's really more of a personal preference than an established fact, but I try to avoid aliasing (whenever possible). Just to keep things clean and clear. However, aliasing will accomplish *almost* exactly the same result as my second suggestion mentioned above.
[/edit]
Original Poster
But this is not the case with any hardware firewall.
While configuring a hardware firewall, we will just allocate only one IP on the WAN port and we will configure all other public-to-private DNAT rules separately, in which case, except for the public IP which is configured on the WAN port, no other IP will be exposed to the Internet. I am trying to implement the same scenario.
The moment you implement a DNAT to an internal IP, that host on the internal IP is exposed to the WAN - and the stealth on the public one is violated... I'm not sure what exactly is the difference you are pointing out between the way hardware and software firewalls do it... NAT is NAT... there really isn't a "hardware" firewall at all, as without software, the hardware would be useless (and vice versa)...
If you are gonna use a public IP (on your WAN side) it WILL be exposed no matter what you do... the best you can opt for is to have it STEALTHED... perhaps that's what you are looking to achieve??? Two public IPs, one of them doing DNAT to your LAN, and the other completely stealthed??? Does that sound about right???
Quote:
Actually I am not trying to use an IP which is not allotted to me by my ISP. Suppose I have a set of IPs with a proper netmask. How do I make use of those IPs without assigning all of my IPs to the firewall machine for DNATing?
So is this set of addresses one you have created for your internal network? Or are they public IPs from your ISP? If they're private, then they will not be exposed to the net if you do DNAT-ing on the firewall.
From your posts, I gather that this is your network layout:
WAN -> firewall -> internal network
-> dnat connections from aaa.bbb.ccc.ddd to server(192.168.0.1)
and what you want to do is (I think win32sux is talking about the same thing):
WAN -> firewall(two public addresses) -> internal network
-> only connections to the alternate address of the firewall, from aaa.bbb.ccc.ddd, should be dnat-ed to server
Quote:
But this is not the case with any hardware firewall.
While configuring a hardware firewall, we will just allocate only one IP on the WAN port and we will configure all other public-to-private DNAT rules separately, in which case, except for the public IP which is configured on the WAN port, no other IP will be exposed to the Internet. I am trying to implement the same scenario.
Even with your original setup, only one IP is allocated to the WAN port; your private IPs are not exposed. If they were, it would just cause a whole lot of routing issues.
If on the other hand you have a block of public IP addresses allocated to you, then I'd just echo what Notwerk said.
Original Poster
I will try to give you all more inputs.
Suppose
I have more than one public IP from my ISP (e.g. aaa.aaa.aaa.aaX, aaa.aaa.aaa.aaY, aaa.aaa.aaa.aaZ) and I have two NICs on my firewall machine, in which eth0 is the external device and eth1 is the internal device.
On the external device I have initially assigned one of my public IPs (aaa.aaa.aaa.aaX) and through it I am masquerading all my traffic from the internal network (eth1). In other words, I am using the public IP aaa.aaa.aaa.aaX for accessing the Internet from my internal network, and I have also implemented a firewall using iptables.
Up to this point everything is normal... I hope.
I am running a server internally (with a private IP), which will be accessed by my client remotely (from outside of my network or organisation). In this case, generally we would write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access the internal server from outside of my network.
However, I don't want to disclose my public IP (aaa.aaa.aaa.aaX), which I am using for accessing the Internet, and I am also running the firewall on this IP. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX) to access the internal server.
Here comes my problem: if I assign the IP address aaa.aaa.aaa.aaY to eth0 as an alias, then both the addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to the Internet.
On a hardware firewall also, in any case we will not assign all the public IPs that we have to the WAN port, i.e. only the IP aaa.aaa.aaa.aaX will be assigned to the WAN port. Still, we are able to write a DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to the WAN port.
My question is, how can we do the same using iptables?
It still eludes me why you are so intent on not disclosing your firewall's IP. Could you please explain this point?
The bottom line is:
There's always AT LEAST ONE REAL IP which your entire network will use to talk to the outside world. This IP should (must?) be your firewall. In other words, you want to give the aaa.aaa.aaa.aaX to your clients to use simply because this IP is your "FIREWALL".
One more point:
If your IP is static, then it won't take much effort for anyone on the internet to find out what that IP is, so long as they know *something* about your company.
Maybe it would be better to focus on securing the services and user accounts on the server which receives DNATed traffic because that is a more likely point of attack.
Quote:
Suppose
I have more than one public IP from my ISP (e.g. aaa.aaa.aaa.aaX, aaa.aaa.aaa.aaY, aaa.aaa.aaa.aaZ) and I have two NICs on my firewall machine, in which eth0 is the external device and eth1 is the internal device.
On the external device I have initially assigned one of my public IPs (aaa.aaa.aaa.aaX) and through it I am masquerading all my traffic from the internal network (eth1). In other words, I am using the public IP aaa.aaa.aaa.aaX for accessing the Internet from my internal network, and I have also implemented a firewall using iptables.
Up to this point everything is normal... I hope.
Yeah, everything's clear so far...
Quote:
I am running a server internally (with a private IP), which will be accessed by my client remotely (from outside of my network or organisation). In this case, generally we would write a DNAT rule for my public IP (aaa.aaa.aaa.aaX) to access the internal server from outside of my network.
However, I don't want to disclose my public IP (aaa.aaa.aaa.aaX), which I am using for accessing the Internet, and I am also running the firewall on this IP. Hence, I want to give aaa.aaa.aaa.aaY to my client (not aaa.aaa.aaa.aaX) to access the internal server.
Okay, even though your reasons are kinda weird (IMHO), this can definitely be done with no problem...
Quote:
Here comes my problem: if I assign the IP address aaa.aaa.aaa.aaY to eth0 as an alias, then both the addresses aaa.aaa.aaa.aaX and aaa.aaa.aaa.aaY will be exposed to the Internet.
Each IP will have its own set of firewall rules... you can have X remain completely stealthed, while only Y is unstealthed to the Internet (because of the DNAT)... BTW, if your FORWARD rule for the DNAT-ed packets contains a source address match for your client's IP (as in my example below) then the IP would still remain stealthed to everyone except your client...
If you have an IP on the WAN side (IP X) being masqueraded (and stealthed), adding one or two or a hundred other public IPs on the WAN side will have no effect on IP X's status... each IP is independent...
Quote:
On a hardware firewall also, in any case we will not assign all the public IPs that we have to the WAN port, i.e. only the IP aaa.aaa.aaa.aaX will be assigned to the WAN port. Still, we are able to write a DNAT rule for the IP aaa.aaa.aaa.aaY without assigning it to the WAN port.
I don't think that makes sense... could you confirm this with your network administrator?? DNAT means that packets which hit the WAN interface and are destined for aaa.aaa.aaa.aaY will have their destination address changed to that of your internal LAN host's IP... in order for this to happen, your WAN interface would need to have public IP aaa.aaa.aaa.aaY assigned to it...
Quote:
My question is, how can we do the same using iptables?
Like this (with aaa.aaa.aaa.aaY as an alias):
Code:
# $WAN_IFACE / $LAN_IFACE, <Private IP> and <Client IP> are placeholders to fill in
# default policy: anything not explicitly accepted below is dropped
iptables -P FORWARD DROP
# allow return traffic for connections conntrack already knows about
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD your outgoing LAN packets:
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j ACCEPT
# SNAT your LAN through aaa.aaa.aaa.aaX:
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT \
--to-source aaa.aaa.aaa.aaX
# DNAT for aaa.aaa.aaa.aaY:
iptables -t nat -A PREROUTING -i $WAN_IFACE -d aaa.aaa.aaa.aaY \
-j DNAT --to-destination <Private IP>
# FORWARD the DNAT-ed packets (only for our special client):
iptables -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d <Private IP> \
-s <Client IP> -m state --state NEW -j ACCEPT
# log whatever falls through before the DROP policy eats it
iptables -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
This will not work if you don't have the second IP aliased...
Original Poster
Thank you for all your help. I will try to implement it and I will get back to you.
One more thing I need to clarify here is: as I have configured two IPs on a single NIC, is there any possibility to implement default policies on a single IP?
Each IP can have its own set of unique rules... but since they both go through the FORWARD chain, they will both use the FORWARD chain's policy (which should be DROP)...
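As an added example, not code from the thread or any of its posters, here is one way to act on win32sux's two points above (each public IP on the same NIC carries its own rule set, while the built-in chain policy is shared): X and Y each get their own user-defined chain ending in a DROP, which is the closest thing to a per-IP "default policy". All addresses, interface names and the client IP are constructed placeholders; with IPT left unset the script only prints the rules, and IPT=iptables IP=ip applies them as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Every address and interface name
# below is a constructed placeholder; IPT/IP default to printing the commands.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"
WAN_IFACE="${WAN_IFACE:-eth0}"       # external NIC
LAN_IFACE="${LAN_IFACE:-eth1}"       # internal NIC
PUB_X="${PUB_X:-203.0.113.1}"        # masqueraded, fully stealthed (the aaa.aaa.aaa.aaX role)
PUB_Y="${PUB_Y:-203.0.113.2}"        # handed to the client for DNAT (the aaa.aaa.aaa.aaY role)
SERVER="${SERVER:-192.168.0.1}"      # internal SSH server
CLIENT="${CLIENT:-198.51.100.7}"     # the one remote client allowed in

fw_rules() {
    # Y has to exist on the WAN interface, otherwise the kernel never sees the packet.
    $IP addr add "${PUB_Y}/32" dev "$WAN_IFACE"
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IFACE" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One user-defined chain per public IP. The built-in chain policy is shared,
    # but each chain ends in its own DROP, which acts as that IP's default policy.
    $IPT -N PUB_X_IN; $IPT -N PUB_Y_IN; $IPT -N PUB_Y_FWD
    $IPT -A INPUT -i "$WAN_IFACE" -d "$PUB_X" -j PUB_X_IN
    $IPT -A INPUT -i "$WAN_IFACE" -d "$PUB_Y" -j PUB_Y_IN
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -d "$SERVER" -j PUB_Y_FWD
    # X: nothing unsolicited is answered (no RST, no ICMP), so it stays stealthed.
    $IPT -A PUB_X_IN -j DROP
    # Y: the firewall itself answers nothing; only SSH from the client is forwarded.
    $IPT -A PUB_Y_IN -j DROP
    $IPT -A PUB_Y_FWD -s "$CLIENT" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A PUB_Y_FWD -j LOG --log-prefix "Y FWD DROP: "
    $IPT -A PUB_Y_FWD -j DROP
    # LAN goes out masqueraded as X; only Y:22 is rewritten to the server.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IFACE" -j SNAT --to-source "$PUB_X"
    $IPT -t nat -A PREROUTING -i "$WAN_IFACE" -d "$PUB_Y" -p tcp --dport 22 \
        -j DNAT --to-destination "$SERVER"
}

fw_rules
```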