LinuxQuestions.org
#1  01-06-2010, 11:06 PM
fw12 (Member; registered Mar 2006; distribution: Fedora core, Ubuntu)
Several servers behind a firewall


For higher security, people suggest putting Linux servers behind a firewall. I'm thinking of how this can be accomplished.

I have 4 machines, each running the usual web services: httpd, smtp, imap, mysql, ftp, mail, etc.

I would like to run all the servers using local LAN IPs: 192.168.x.x

How do I set up a firewall to route traffic through? I'm thinking of probably setting up a Linux-based multihomed machine with:

eth0,
eth1,
eth2,
eth3.

Each NIC would have an Internet IP assigned to it.

Can I then set up iptables on it to do NAT port forwarding?

Can this be done, or do I need a special router to handle this task?
 
#2  01-06-2010, 11:52 PM
jeff_k (Member; registered Jan 2008; San Diego, CA USA; Debian / Ubuntu)
Absolutely. Aside from purchasing a router for the task, you can use a Linux PC for the function. You really only need 2 NICs, 1 connected to the outside (Internet), and 1 connected to an internal LAN subnet (for example, 192.168.0.X), or you could have several NICs connecting to separate subnets if you want to compartment your LAN traffic.

A Linux kernel running iptables will do the trick - you can set up your own script, use others' as examples, or use a firewall program that sets up the iptables scripts for you, to name a few options. I use Firestarter, which has been around for quite a while, seems to no longer be under development, but still serves the purpose fine for me. Using iptables, you can do all of the NAT, port forwarding, etc. that you need. Linux also has some very sophisticated traffic control functionality for being able to optimize your bandwidth among several different functions (such as low latency traffic, fast web access, fast throughput simultaneously).

A good tutorial on iptables, including example scripts, is located at:
http://www.frozentux.net/iptables-tu...-tutorial.html
 
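A concrete version of the two-NIC setup jeff_k describes, as an added example rather than code from the thread or from Firestarter: a POSIX shell script that generates the iptables rule set for a router with one public address on eth0 and the servers on a 192.168.0.0/24 LAN behind eth1. The interface names, the subnet, the server addresses and the forwarded ports are assumptions. The script prints the commands by default and applies them only when run as `sh script.sh apply` (as root), so the rule set can be read before it touches the kernel.

```shell
#!/bin/sh
# Two-NIC Linux router/firewall: eth0 faces the ISP with the single public
# address, eth1 faces the 192.168.0.0/24 LAN where the servers live.
# Interface names, subnet and server addresses are assumptions for this example.
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24

# One port-forward per line: proto:public_port:internal_ip:internal_port
# (assumed: one web server at .10, one mail server at .11; MySQL is not listed
# on purpose, it is reached from the web server over the LAN, never from outside)
FORWARDS="
tcp:80:192.168.0.10:80
tcp:443:192.168.0.10:443
tcp:25:192.168.0.11:25
tcp:143:192.168.0.11:143
"

# fw_rules prints the complete rule set, one command per line.
fw_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Start from a clean slate in both tables we use.
    for t in filter nat; do
        echo "iptables -t $t -F"
        echo "iptables -t $t -X"
    done
    # Default deny for traffic to and through the firewall.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Stateful basics for the firewall host itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Manage the firewall over SSH from the LAN side only.
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    # Stateful basics for forwarded traffic.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Servers may initiate outbound connections (updates, outbound SMTP).
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    # Hide the private subnet behind the single public address.
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
    # Port forwards: DNAT in PREROUTING, then ACCEPT in FORWARD only what was
    # actually translated (--ctstate DNAT), not anything that happens to be
    # addressed to the server's private IP and port.
    for f in $FORWARDS; do
        proto=${f%%:*};    rest=${f#*:}
        pport=${rest%%:*}; rest=${rest#*:}
        ip=${rest%%:*};    iport=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $WAN -p $proto --dport $pport -j DNAT --to-destination $ip:$iport"
        echo "iptables -A FORWARD -i $WAN -o $LAN -p $proto -d $ip --dport $iport -m conntrack --ctstate DNAT -j ACCEPT"
    done
}

# Number of DNAT rules generated: a quick check that every FORWARDS line parsed.
fw_count() { fw_rules | grep -c -- '-j DNAT' || true; }

case "${1:-}" in
    apply) fw_rules | sh ;;   # as root: sh script.sh apply
    *)     fw_rules ;;        # default: print the rules for review
esac
```

Two details matter for a server LAN. The FORWARD rules for the port forwards match `--ctstate DNAT`, so a packet arriving on eth0 that was not translated by one of the PREROUTING rules (for example one addressed straight to a private address) is still dropped by the FORWARD policy. FTP, which is in the original list of services, is the one that does not fit this pattern cleanly: its data channel is a second connection, so it needs the nf_conntrack_ftp/nf_nat_ftp helpers loaded, and newer kernels no longer attach helpers automatically, so an explicit `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` rule is required as well.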
#3  01-07-2010, 12:23 AM
fw12 (Member, original poster; registered Mar 2006; distribution: Fedora core, Ubuntu)
Thanks for the link.

If I only need two NICs, it means I have to bind multiple IP addresses to the card facing the Internet. I remember reading about this a long time ago, but I've never tried it. Something like: eth0:0, eth0:1, eth0:2, eth0:3. I'll look into that.

Last edited by fw12; 01-07-2010 at 08:27 PM.
 
#4  01-07-2010, 11:25 PM
jeff_k (Member; registered Jan 2008; San Diego, CA USA; Debian / Ubuntu)
I'm not following the need to bind multiple IP addresses to the card facing the Internet. Do you have more than one IP address assigned to you? In a typical home setup, your ISP assigns you a single IP address to your cable modem, DSL modem, etc. This is the address you bind to the NIC facing the modem. You bind an IP address associated with your local subnet, such as 192.168.0.X, to the NIC facing your LAN. The firewall via iptables can handle all of the NAT, forwarding, etc. to interface between the two networks.

If you have more than one public IP address assigned to you, then I believe you need to get into a less simplified setup with multiple address binding as you mentioned.

Unless I missed something in your desired setup?
 
#5  01-09-2010, 04:01 AM
salasi (Senior Member; registered Jul 2007; "Directly above centre of the earth, UK"; SuSE, plus some hopping)
Quote:
Originally Posted by fw12
For higher security, people suggest putting linux servers behind a firewall. I'm thinking of how this can be accomplished.
By itself, that will not even be adequate security, so I am a bit mystified by the meaning of 'higher security'.

Quote:
Originally Posted by fw12
I have 4 machines, each running the usual web services: httpd, smtp, imap, mysql, ftp, mail, etc.
Are you thinking of a DMZ? If not, why not?

Quote:
Originally Posted by fw12
Can this be done, or do I need a special router to handle this task?
Special router? If you can define clearly and in detail what you want to achieve and are prepared to work at it, it can probably be done without a special router. If you aren't, it probably won't really be achievable with or without a special router. Although you may be happy in not knowing that it hasn't been achieved.
 
#6  01-12-2010, 01:28 AM
win32sux (Guru; registered Jul 2003; Los Angeles; Ubuntu)
Quote:
Originally Posted by salasi
By itself, that will not even be adequate security, so I am a bit mystified by the meaning of 'higher security'.
What it means is that servers behind an adequately managed dedicated firewall will be able to enjoy the mitigation of certain vulnerabilities in ways which servers without dedicated firewalls wouldn't be able to (ceteris paribus). It also means that their administrator(s) will have more options and greater control when responding to security incidents. Firewalls play an integral role in just about any multi-layered security approach, so I'm not sure why you'd be mystified by any of this.

Quote:
Originally Posted by fw12
If I only need two NICs, it means I have to bind multiple IP addresses to the card facing the Internet. I remember reading about this a long time ago, but I've never tried it. Something like: eth0:0, eth0:1, eth0:2, eth0:3. I'll look into that.
If you can afford to buy one NIC for each server that would be optimal. This will let you isolate the servers from each other at the physical level, which you wouldn't be able to do with host-based firewalls (since you'd be plugging them all into the same switch). As for the multiple IPs, that's called IP aliasing and as jeff_k hinted, it's only really an option for you if you've got more than one public IP address. Do you? People that don't will typically end up settling for plain old port forwarding with a shared IP.

EDIT: I just noticed that you explicitly stated:
Quote:
Originally Posted by fw12
Each NIC would have an Internet IP assigned to it.
So it would seem that you do indeed have four dedicated public IPs. In that case, I would recommend that you use five NICs. Assign the four public IPs to one of them (the Internet-facing one), and then do port forwarding to the servers on each of the other four NICs. Of course, each server should have its own host-based firewall too.

Last edited by win32sux; 01-12-2010 at 01:34 AM.
 
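For the five-NIC layout win32sux recommends here, and the IP aliasing fw12 asked about in post #3, an added example that is not from the thread: it generates only what changes relative to a single-address router, namely binding the four public addresses to eth0 with iproute2 (the current replacement for eth0:0-style labels), one private /30 per server NIC, 1:1 NAT per public address instead of MASQUERADE, and FORWARD rules that never join two server segments. The addresses (TEST-NET-3 and RFC 1918 space), interface names and port lists are assumptions; the INPUT-chain hygiene rules for the firewall host itself are the same as in any two-NIC script and are left out.

```shell
#!/bin/sh
# Five-NIC firewall: eth0 carries all four public addresses, and each server
# hangs off its own NIC on a private /30, so servers share no layer-2 segment.
# Interface names, addresses and ports are assumptions, not values from the thread.
WAN=eth0
WAN_PREFIX=29          # assumed: the four public addresses share one /29
GATEWAY=203.0.113.1    # assumed upstream router

# One server per line:
#   nic:public_ip:server_ip:firewall_ip/prefix:tcp_ports
# MySQL appears on no list: it is reached only from the web server's own host.
SERVERS="
eth1:203.0.113.10:10.0.1.2:10.0.1.1/30:80,443
eth2:203.0.113.11:10.0.2.2:10.0.2.1/30:25,143,993
eth3:203.0.113.12:10.0.3.2:10.0.3.1/30:21,80
eth4:203.0.113.13:10.0.4.2:10.0.4.1/30:80,443
"

# fw_rules prints the commands; pipe into sh as root to apply them.
fw_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "ip route replace default via $GATEWAY dev $WAN"
    for t in filter nat; do
        echo "iptables -t $t -F"
        echo "iptables -t $t -X"
    done
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    for s in $SERVERS; do
        nic=${s%%:*};     rest=${s#*:}
        pub=${rest%%:*};  rest=${rest#*:}
        srv=${rest%%:*};  rest=${rest#*:}
        fwip=${rest%%:*}; ports=${rest#*:}
        echo "ip addr add $pub/$WAN_PREFIX dev $WAN"   # alias on the WAN NIC
        echo "ip addr add $fwip dev $nic"              # firewall end of the /30
        # 1:1 NAT: the server's own outbound traffic leaves from its public
        # address (SNAT, not MASQUERADE, so the source is fixed per server)...
        echo "iptables -t nat -A POSTROUTING -o $WAN -s $srv -j SNAT --to-source $pub"
        echo "iptables -A FORWARD -i $nic -o $WAN -s $srv -j ACCEPT"
        # ...and only the listed ports on that public address reach the server.
        for p in $(echo "$ports" | tr ',' ' '); do
            echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -p tcp --dport $p -j DNAT --to-destination $srv"
            echo "iptables -A FORWARD -i $WAN -o $nic -d $srv -p tcp --dport $p -m conntrack --ctstate DNAT -j ACCEPT"
        done
        # FTP through NAT needs the connection-tracking helper for the data channel.
        case ",$ports," in *,21,*) echo "modprobe nf_nat_ftp" ;; esac
    done
    # No rule above names two server NICs, and FORWARD's policy is DROP, so a
    # compromised server has no path to its neighbours through this box.
}

# Checks on the generated rule set (each prints a count).
fw_alias_count()         { fw_rules | grep -c -- "ip addr add .* dev $WAN" || true; }
fw_dnat_count()          { fw_rules | grep -c -- '-j DNAT' || true; }
fw_cross_segment_count() { fw_rules | grep -c -- '-A FORWARD -i eth[1-4] -o eth[1-4]' || true; }

case "${1:-}" in
    apply) fw_rules | sh ;;   # as root: sh script.sh apply
    *)     fw_rules ;;        # default: print the rules for review
esac
```

The isolation comes from the policy rather than from any explicit rule: FORWARD defaults to DROP and every ACCEPT names eth0 on one side, so eth1-to-eth2 traffic has no path even though both NICs are in the same box; fw_cross_segment_count() is a cheap check that a later edit has not broken that. As win32sux says, each server still needs its own host-based firewall: this box controls what crosses between segments, not what a compromised httpd can do to the imapd on the same host.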
#7  01-12-2010, 07:01 AM
salasi (Senior Member; registered Jul 2007; "Directly above centre of the earth, UK"; SuSE, plus some hopping)
Quote:
Originally Posted by win32sux
What it means is that servers behind an adequately managed dedicated firewall will be able to enjoy the mitigation of certain vulnerabilities in ways which servers without dedicated firewalls wouldn't be able to (ceteris paribus). It also means that their administrator(s) will have more options and greater control when responding to security incidents. Firewalls play an integral role in just about any multi-layered security approach, so I'm not sure why you'd be mystified by any of this.
The critical word here is 'higher'. Higher than 'none' certainly, but if you were to start off from a position in which you had adequate security, which would not just be a perimeter firewall, and this was taken to be the limit of your security measures, it would be sensible to consider the reduction in security as a lowering, so I find it difficult to know enough detail about what exactly the OP is suggesting and how to evaluate whether this level of security is 'higher' or 'lower'.

If the suggestion is just that a perimeter firewall will, by itself, make the system secure, then that is incorrect.

OTOH, the OP may be suggesting that a perimeter firewall may be a worthwhile addition to some other set of measures. As it stands, this might be fine, but without extra knowledge of what those other measures actually are, it seems impossible to comment on whether it would be an adequate set of measures for any particular situation.

I had hoped that the OP would explain the deliberately mysterious comments about what exactly was meant in some detail.

Yes, it is clear that firewalls have a role to play in security (duh!), but it is the possible interpretation of what else the OP is considering and what the context of this question (what do these servers do? are they providing publicly accessible services? what services? are there risks from the local network?) that means that it is almost impossible to give anything other than a very generic response to the original post and the inference that it would be valid to compare the security of a situation with a firewall to something completely undefined seems strange.
 