Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to figure out the best way to set up 1-1 NAT for three public ips to three private ips through a ubuntu gateway machine.
I am running ubuntu server 9.10 and the set up is:
Internet/ISP modem -> NIC 1 Ubuntu Gateway Machine NIC 2 -> Three PCs with Private IPs
I had a few questions on how to do this correctly and securely.
1) What packages do I need to install (aside from the basic ubuntu server installation and possibly DHCP3-Server)
2) How do I assign all three public IPs to the NIC connected to the ISP modem? All addresses will be static; will I need the DHCP3-Server package?
3) Once I have the three public IPs assigned, how do I map each specific public IP to the private IP address associated with it and provide the correct loopback? I want to make sure each response from the internal machines is sent out as its specific public IP.
4) Aside from allowing all connections, how should iptables be configured to allow web services to one internal machine, mail to another internal machine and DNS to the other internal machine?
I appreciate any pointers or direction on where to look. Thanks.
Quote:
1) What packages do I need to install (aside from the basic ubuntu server installation and possibly DHCP3-Server)
I believe you should already have everything you need.
Quote:
2) How do I assign all three public IPs to the NIC connected to the ISP modem? All addresses will be static; will I need the DHCP3-Server package?
You can use this method. If everything is static, no need for any DHCP.
Quote:
3) Once I have the three public IPs assigned, how do I map each specific public IP to the private IP address associated with it and provide the correct loopback? I want to make sure each response from the internal machines is sent out as its specific public IP.
You do this by enabling IP forwarding and configuring SNAT with iptables.
This sort of thing is handled in the POSTROUTING chain of the nat table.
How much experience do you have with iptables?
Quote:
4) Aside from allowing all connections, how should iptables be configured to allow web services to one internal machine, mail to another internal machine and DNS to the other internal machine?
You do this by enabling IP forwarding and configuring port forwarding with iptables.
This sort of thing is handled in the PREROUTING chain of the nat table.
This is an excellent description, thank you! To answer your earlier question, I have pretty limited experience with iptables, but I will try this code on the command line and report back to you.
I had a few more questions to make sure I don't miss anything. How is IP forwarding enabled? I found a method using the code below; however, I was getting an error message when trying it using sudo, and the description did not explain how to set this permanently so the policy will remain upon reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
And once I have completed these actions, could you point me to the location of the configuration files so I can view them to double-check my work?
Thanks again for your help, I have only been seeing positive things from this forum and appreciate the quick reply.
One more question. Should the eth1 interface be assigned a gateway address (something like 192.168.1.100 in this case) and then each of the internal PCs be assigned their static private IP addresses with a gateway address of 192.168.1.100, or does each of the private IP addresses used for the internal network need to be assigned as a virtual interface on the eth1 NIC?
Quote:
How is IP forwarding enabled? I found a method using the code below; however, I was getting an error message when trying it using sudo, and the description did not explain how to set this permanently so the policy will remain upon reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
Add "net.ipv4.ip_forward = 1" into sysctl.conf, which is probably located under /etc.
Quote:
Originally Posted by debianfan
This is an excellent description, thank you! To answer your earlier question, I have pretty limited experience with iptables, but I will try this code on the command line and report back to you.
I had a few more questions to make sure I don't miss anything. How is IP forwarding enabled? I found a method using the code below; however, I was getting an error message when trying it using sudo, and the description did not explain how to set this permanently so the policy will remain upon reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
And once I have completed these actions, could you point me to the location of the configuration files so I can view them to double-check my work?
Thanks again for your help, I have only been seeing positive things from this forum and appreciate the quick reply.
You can enable it like that, but if you're using sudo to execute that command it'll fail due to the redirection happening as the non-root user. What I'd do is either switch to root, or better yet just wrap it up in a shell command:
Code:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Making it be enabled at startup time is just a matter of adding the corresponding line to your /etc/sysctl.conf file:
Code:
net.ipv4.ip_forward=1
Quote:
Originally Posted by debianfan
One more question. Should the eth1 interface be assigned a gateway address (something like 192.168.1.100 in this case) and then each of the internal PCs be assigned their static private IP addresses with a gateway address of 192.168.1.100, or does each of the private IP addresses used for the internal network need to be assigned as a virtual interface on the eth1 NIC?
Thanks again.
Only the WAN/Internet address on the NAT box needs a gateway set. As for the boxes on the LAN side (connected to the LAN interface of the NAT box via a switch/hub), they need to have their gateway address set as the IP of the LAN interface on the NAT box. No virtual NICs or IP aliases necessary.
As for making the iptables settings survive reboot, dump the configuration into a file like this:
Code:
iptables-save > /etc/firewall.txt
Remember that if you're using sudo you'll want to wrap it:
Code:
sudo sh -c "iptables-save > /etc/firewall.txt"
Then specify in your /etc/network/interfaces file that you want it to be restored before the interface is activated. As an example, the current /etc/network/interfaces file on my laptop looks like this:
Code:
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/firewall.txt
I don't have any true interfaces configured there simply because I let the GNOME Wi-Fi thing handle that stuff. In your case, you'd have several stanzas (as shown in the example I linked), so stick the pre-up under the WAN interface stanza.
So far so good, I have configured IP forwarding and set up the network aliases on the WAN side. However, a quick question: in the /etc/network/interfaces file only the eth0 interface is appearing. Do I just need to add the eth1 information, or is there a better way to activate that NIC? As my default settings during installation made eth0 the primary network interface, I thought eth1 might just be hidden, but I felt I should ask the experts to make sure I go down the right path.
So far I have enabled IP forwarding and have checked it as shown below:
Used this command:
Code:
sysctl net.ipv4.ip_forward
Got this output:
Code:
net.ipv4.ip_forward = 1
My configuration of the /etc/network/interfaces file looks like the example below:
Code:
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address xx.xx.xx.34
netmask 255.255.255.248
network xx.xx.xx.32
broadcast xx.xx.xx.39
gateway xx.xx.xx.33
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers xx.xx.xx.12 xx.xx.xx.13
dns-search xxxx.com
auto eth0:0
iface eth0:0 inet static
address xx.xx.xx.35
netmask 255.255.255.248
broadcast xx.xx.xx.39
auto eth0:1
iface eth0:1 inet static
address xx.xx.xx.36
netmask 255.255.255.248
broadcast xx.xx.xx.39
auto eth0:2
iface eth0:2 inet static
address xx.xx.xx.37
netmask 255.255.255.248
broadcast xx.xx.xx.39
I am planning to implement your iptables code tomorrow morning to ensure my concentration, and will post an update then as well.
Let me know if anything looks off.
I also had a question I had been pondering. Would it be a smart move to also use the firewall as a DNS server, or would it be safer to have a dedicated DNS server behind the firewall? I understand the DNS server would be exposed if it were the firewall as well, but I was just curious about the pros and cons.
Also, I may have a few questions about my bind configuration when it comes to it, but I understand if I should post those in the appropriate subject grouping.
I haven't read your post in its entirety yet, but I just wanted to say in the meantime that for security reasons I highly recommend you disable forwarding until you've got your iptables rules properly set and verified.
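A pre-flight check for the saved rule file, covering both the iptables-save/pre-up advice above and the point about keeping forwarding off until the rules are verified. This is an added example, not code from the thread; it assumes the format iptables-save writes (a `*table` header and a `COMMIT` per table, `:CHAIN POLICY` lines) and builds its own constructed sample dump, with 203.0.113.35 standing in for the poster's xx.xx.xx.35.

```shell
#!/bin/sh
# Validates a dump written by "iptables-save > /etc/firewall.txt" before
# net.ipv4.ip_forward is switched on. Assumptions (iptables-save format):
# each table starts with "*name" and ends with "COMMIT", chain policies
# appear as ":CHAIN POLICY [pkts:bytes]".
# firewall_ready FILE  -> returns 0 when the dump is safe to restore, 1 otherwise
firewall_ready() {
    f="$1"
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    grep -q '^\*filter$' "$f" || { echo "no *filter table in $f"; return 1; }
    # Without the nat table, the SNAT/DNAT rules were never saved.
    grep -q '^\*nat$' "$f" || { echo "no *nat table in $f"; return 1; }
    [ "$tables" -eq "$commits" ] || { echo "table without COMMIT in $f"; return 1; }
    # Only explicitly accepted traffic may cross the gateway.
    grep -q '^:FORWARD DROP' "$f" || { echo "FORWARD policy is not DROP in $f"; return 1; }
    return 0
}

# write_sample_dump FILE: a constructed dump (not the poster's real one) with
# the web host mapped 203.0.113.35 <-> 192.168.50.45.
write_sample_dump() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -d 203.0.113.35 --dport 80 -j DNAT --to-destination 192.168.50.45
-A POSTROUTING -o eth0 -s 192.168.50.45 -j SNAT --to-source 203.0.113.35
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.50.45 --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Usage: sh check_firewall.sh /etc/firewall.txt
if [ -n "${1:-}" ]; then firewall_ready "$1"; fi
```

Run it against the dump before re-enabling forwarding; a non-zero exit means the file would restore an open gateway or would drop the NAT rules.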
It looks good to me. I'd never seen DNS settings in there before (I always use /etc/resolv.conf for that), but I'm assuming you verified that it's sane to set those there, in which case it's all good. Basically, you just need to add your stanza for eth1 as well as the pre-up line for eth0 and you should be set. Use the /sbin/ifconfig command to make sure the IPs are being set as desired. As for your DNS question, running a DNS server on a dedicated machine would make the most security sense IMO.
Thanks for the heads up on the IP forwarding, I disabled it shortly after I saw your post. I may do a clean install again as I want to make sure nothing was tampered with, and I can be a little paranoid.
Those DNS nameserver entries were set and placed there during setup; they are also in the resolv.conf file. I believe it is OK, as that was the default configuration when I was entering my specific network information during the installation, so basically the first time I came to the network configuration file they were there. I will do a little research to make sure it is OK, but I have been having no problems reaching the internet or the machine remotely, so I think it is OK.
That is what I thought on the DNS nameserver question.
One more question: if I make a rule to access the internal machines through SSH as well, should that protocol be UDP, TCP or both?
Thanks again, I will report back soon with my detailed layout for you to take a look at.
SSH would be TCP only. If you want SSH access to each of the three machines from the WAN side, you'll need to forward three different ports. For example, you could forward port 2201 on the WAN to 192.168.1.101:22, port 2202 to 192.168.1.102:22, and port 2203 to 192.168.1.103:22. Make sure you don't try to forward the port which the NAT box itself is using for its SSH daemon (assuming you are indeed running an SSH daemon on it and it's listening on the WAN side).
# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/firewall.txt
# The primary network interface
auto eth0
iface eth0 inet static
address xx.xx.xx.34
netmask 255.255.255.248
network xx.xx.xx.32
broadcast xx.xx.xx.39
gateway xx.xx.xx.33
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers xx.xx.xx.12 xx.xx.xx.13
dns-search xxxx.com
auto eth0:0
iface eth0:0 inet static
address xx.xx.xx.35
netmask 255.255.255.248
broadcast xx.xx.xx.39
auto eth0:1
iface eth0:1 inet static
address xx.xx.xx.36
netmask 255.255.255.248
broadcast xx.xx.xx.39
auto eth0:2
iface eth0:2 inet static
address xx.xx.xx.37
netmask 255.255.255.248
broadcast xx.xx.xx.39
# The secondary network interface
auto eth1
iface eth1 inet static
address 192.168.50.44
netmask 255.255.255.248
network 192.168.50.42
broadcast 192.168.50.49
Using the iptables -L command, this is my configuration, which I have dumped into that firewall.txt file:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.50.45 tcp dpt:www state NEW
ACCEPT tcp -- anywhere 192.168.50.45 tcp dpt:https state NEW
ACCEPT tcp -- anywhere 192.168.50.46 tcp dpt:www state NEW
ACCEPT tcp -- anywhere 192.168.50.46 tcp dpt:https state NEW
ACCEPT tcp -- anywhere 192.168.50.46 tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere 192.168.50.46 tcp dpt:imap2 state NEW
ACCEPT tcp -- anywhere 192.168.50.46 tcp dpt:ssmtp state NEW
ACCEPT tcp -- anywhere 192.168.50.46 tcp dpt:585 state NEW
ACCEPT tcp -- anywhere 192.168.50.46 tcp dpt:imaps state NEW
ACCEPT udp -- anywhere 192.168.50.47 udp dpt:domain state NEW
ACCEPT udp -- anywhere 192.168.50.48 udp dpt:domain state NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Also, this is the code I used for my POSTROUTING rules, up until the PREROUTING commands where I received an error:
Code:
$ sudo iptables -P FORWARD DROP
$ sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.45 --dport 80 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.45 --dport 443 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 80 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 443 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 25 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 143 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 465 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 585 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.50.46 --dport 993 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p UDP -i eth0 -o eth1 -d 192.168.50.47 --dport 53 -m state --state NEW -j ACCEPT
$ sudo iptables -A FORWARD -p UDP -i eth0 -o eth1 -d 192.168.50.48 --dport 53 -m state --state NEW -j ACCEPT
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.50.45 -j SNAT --to-source xx.xx.xx.35
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.50.46 -j SNAT --to-source xx.xx.xx.36
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.50.47 -j SNAT --to-source xx.xx.xx.37
$ sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.50.48 -j SNAT --to-source xx.xx.xx.38
However, when I got to the prerouting section and entered the command below, I received an error message about the use of -o:
Code:
sudo iptables -t nat -A PREROUTING -p TCP -i eth0 -o eth1 -d xx.xx.xx.35 --dport 80 -j DNAT --to-destination 192.168.50.45
iptables v1.4.4: Can't use -o with PREROUTING
Try `iptables -h' or 'iptables --help' for more information.
Do you have an idea on how to remedy that? Also, once I get the PREROUTING rules in correctly, could you tell me how I should save my iptables rules to firewall.txt so all of the rules, POSTROUTING and PREROUTING, are saved in one file?
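The 1:1 NAT rule set described in the replies above (DNAT in PREROUTING, SNAT in POSTROUTING, explicit FORWARD accepts, plus the per-host SSH port mapping) as one shell function for this thread's eth0 (WAN) / eth1 (LAN) layout; this is an added example, not code from the thread. PREROUTING rules take only `-i`, which is exactly what the `Can't use -o with PREROUTING` error is complaining about. By default the function prints the iptables commands instead of running them (set IPT=iptables and run as root to apply); the 203.0.113.x public addresses are constructed placeholders for the poster's xx.xx.xx.* addresses.

```shell
#!/bin/sh
# 1:1 NAT for one public IP <-> one private IP on a gateway with eth0 (WAN)
# and eth1 (LAN). IPT defaults to printing the commands; set IPT=iptables
# and run as root to apply them.
IPT="${IPT:-echo iptables}"

# nat_base: drop forwarded traffic by default, allow replies to existing flows.
nat_base() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# onetoone_nat PUBLIC PRIVATE PROTO:PORT[:PRIVPORT] ...
# Each listed service is forwarded in; PRIVPORT lets a WAN port such as 2201
# land on port 22 of the private host. Everything the private host sends out
# is rewritten to leave as PUBLIC.
onetoone_nat() {
    pub="$1"; priv="$2"; shift 2
    for svc in "$@"; do
        proto="${svc%%:*}"
        rest="${svc#*:}"
        pubport="${rest%%:*}"
        privport="${rest#*:}"            # equals pubport when no third field
        # PREROUTING sees the packet before routing: it knows -i, never -o.
        $IPT -t nat -A PREROUTING -i eth0 -p "$proto" -d "$pub" \
            --dport "$pubport" -j DNAT --to-destination "$priv:$privport"
        # After DNAT the packet reaches FORWARD with the private destination.
        $IPT -A FORWARD -i eth0 -o eth1 -p "$proto" -d "$priv" \
            --dport "$privport" -m state --state NEW -j ACCEPT
    done
    # Replies and outbound connections from PRIVATE use its own public address.
    $IPT -t nat -A POSTROUTING -o eth0 -s "$priv" -j SNAT --to-source "$pub"
}

# Constructed mapping for the thread's three roles (public IPs are
# 203.0.113.x placeholders, not the poster's real addresses).
apply_thread_layout() {
    nat_base
    onetoone_nat 203.0.113.35 192.168.50.45 tcp:80 tcp:443 tcp:2201:22          # web
    onetoone_nat 203.0.113.36 192.168.50.46 tcp:25 tcp:465 tcp:993 tcp:2202:22  # mail
    onetoone_nat 203.0.113.37 192.168.50.47 udp:53 tcp:53 tcp:2203:22           # dns
}

apply_thread_layout
```

Once the printed rules look right and have been applied, `iptables-save` writes the filter and nat tables (FORWARD, PREROUTING and POSTROUTING alike) into the single file the pre-up line restores.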