Public IP Addresses

daveginorge · 06-27-2008, 06:37 AM

Hi All

I have been using a single Public IP address and NATS on my FC Firewall system for many years without a problem. I redirect the appropriate ports to the required severs without problem. Our ISP has recently informed us that we now have 10 available Public IP addresses and I would like to know how I forward public IP addresses through the firewall server.

IP addresses shown are not my actual addresses but for example only.

Our set up is. SHDSL bridge modem to the FC8 Firewall. IP address on Eth1 is 62.249.178.153 and Eth0 is 10.70.70.1

Here is my very basic code that I fall back on after server OS Update. It offers no protection but forwards to the lan. How would I change the script to incorporate Public addresses 62.249.178.154 & 62.249.178.155.

Do I need to add hardware. Extra Ethernet cards?

Code:

# Policies (default)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# FORWARD chain rules
# Accept the packets to forward
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT chain rules
# Only packets with a local address (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.70.70.0/8 -j ACCEPT
iptables -A OUTPUT -p ALL -s 62.249.178.153 -j ACCEPT

# NATS for Internal network
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 62.249.178.153

Thanks in advance
Dave

acid_kewpie · 06-27-2008, 04:11 PM

well in what was do you want to use these IP's? there are many scenarios with different iptables commands. if you want those to be assigned to dedicated internal machines when reached from the net, it'd be a destination nat on the inbound connection:

iptables -t nat -A PREROUTING -i eth1 -d 62.x.y.z -j DNAT --to-destination 192.168.1.2

for example. so how do you want these other IP's to be used?

daveginorge · 06-30-2008, 01:02 AM

Hi Chris

Yes I was intending to be using them as part of the cooperate structure. At present using the single address we have just one server doing all, I was looking at bringing on line an MX2 server and maybe other public servers.

I had the idea that I needed to have a physical interface holding the Public IP address before I could route it, but if all I need to do is use a standard PREROUTING command using the available addresses then I think I have control of the problem.

Thanks
Dave