Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I have 3 machines that have public IPs that I want to stick behind a firewall:
209.208.89.51
209.208.89.52
209.208.89.53
My firewall (RH 9 box) has 2 interfaces:
eth0 = 209.208.89.50
eth1 = ?
I've got the Linux machine up and I'm able to surf the web. My question is how do I send the 3 above IPs through to their designated servers. I won't be doing any NAT or masquerading because they will have real IPs. But I want to force their connections through the firewall (to filter).
What I've done is plugged the 3 machines (all with their designated IPs above) and eth1 into a switch.
1) What IP do I assign to eth1?
2) What iptables command(s) will forward the connections through the firewall? I have already: echo 1 > /proc/sys/net/ipv4/ip_forward
I would NAT them. Put them on the local network and have your firewall route the info you want to the specific computer. E.g. eth0 has several public IPs. If something comes in looking for 209.208.89.51 then NAT it to 10.1.1.2. If something comes in looking for 209.208.89.52 then NAT it to 10.1.1.3. And so on. You will have to do some configuration on all the PCs and use port forwarding on the firewall.
I know that's not what you wanted, but it is more secure in my opinion to do it that way. Plus you will only have one set of rules to handle.
if I were you I would do something like this
internet
|
rh firewall (eth 0 - 209.208.89.51 209.208.89.52 209.208.89.53) (eth1 - 10.1.1.1)
|
|
|
switch - goes to 3 servers or pcs or whatever
| | | (that's supposed to be 3 lines to 3 computers)
computer 1 - 10.1.1.2
computer 2 - 10.1.1.3
computer 3 - 10.1.1.4
And again, your RH firewall is responsible for IP forwarding. You will have to write specific commands to forward the ports/IPs to the specific computers.
I don't really think it is possible with the 1st scenario. But then again it could be. I think you would have to assign a real-world IP address that you don't own to your eth1, and assign all 4 addresses to eth0 and forward everything that is appropriate, but that is bad practice. We had some ass-clown create a network where I work with real IP addresses (we have a 10. network and also a 163.34.44. network) and now we have to set it up within our whole network so that we can never access those real-world IPs. It hasn't caused us any trouble, yet. But if a business partner had those IPs we would have a hell of a time communicating with them.
But like I said before: using RFC-compliant internal addresses and using NAT or something similar is the suggestion.
Also the way that I gave you the first time is much more flexible and scalable.
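The NAT layout described in the post above, written out as an iptables script. This is an added example, not code from the thread or from any poster: the eth0/eth1 roles, the /24 prefix on the public side, the 10.1.1.x targets (from the diagram above) and the 80/443 service ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): 1:1 NAT of three public addresses onto
# three RFC1918 hosts. Assumed layout:
#   eth0 = WAN, primary 209.208.89.50/24, plus .51-.53 as secondary addresses
#   eth1 = LAN, 10.1.1.1/24; servers 10.1.1.2-4
# The /24 prefix and the 80/443 service ports are assumptions for illustration.
# Set RUN=echo to print the commands instead of running them (root needed otherwise).

WAN=eth0
LAN=eth1
WAN_PREFIX=24
RUN=${RUN:-}

# public-address / private-address pairs (constructed from the thread)
MAP="209.208.89.51 10.1.1.2
209.208.89.52 10.1.1.3
209.208.89.53 10.1.1.4"

run() { $RUN "$@"; }

# The firewall must own each public IP on eth0 so it answers the ISP's ARP for it.
add_public_addrs() {
    echo "$MAP" | while read -r pub priv; do
        run ip addr add "$pub/$WAN_PREFIX" dev "$WAN"
    done
}

nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -F
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Replies to accepted connections, in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "$MAP" | while read -r pub priv; do
        # Inbound: rewrite the public destination to the private host before routing.
        run iptables -t nat -A PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$priv"
        # Outbound: the host leaves with "its" public address, not the firewall's .50.
        run iptables -t nat -A POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
        # FORWARD sees the packet after DNAT, so the filter must match the private address.
        run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$priv" -p tcp \
            -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
        run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$priv" -m state --state NEW -j ACCEPT
    done
}

case "${1:-}" in
    apply)   add_public_addrs; nat_rules ;;
    dry-run) RUN=echo; add_public_addrs; nat_rules ;;
esac
```

`sh nat.sh dry-run` prints the rule set; `sudo sh nat.sh apply` installs it. Two things worth checking before trusting it: the FORWARD rules match the post-DNAT private address (a rule on the public address there would never match), and each host gets its own SNAT line, otherwise all outbound traffic would appear to come from .50.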
Quote, originally posted by benjithegreat98:
I don't really think it is possible with the 1st scenario. But then again it could be. I think you would have to assign a real-world IP address that you don't own to your eth1, and assign all 4 addresses to eth0 and forward everything that is appropriate, but that is bad practice. We had some ass-clown create a network where I work with real IP addresses (we have a 10. network and also a 163.34.44. network) and now we have to set it up within our whole network so that we can never access those real-world IPs. It hasn't caused us any trouble, yet. But if a business partner had those IPs we would have a hell of a time communicating with them.
Holy..!..!!! what the?!!?!?
That is BAD. Never assign an IP you don't own to any of your devices. That is breaking a cardinal rule of the Internet. RFC1918 addresses exist specifically so that never has to happen.
What the original poster could do is bridge the two NICs so neither one has an IP, then put all your public IP boxes on a switch behind it. Since the NICs are bridged, the traffic passes right through to the appropriate box on the inside. You can still put filtering rules on the firewall, but neither NIC has an IP.
So far as I know, the above is the only way to do it without NAT or advertising routes. If your ISP lets you, you could configure the Linux box as a router and advertise your public IPs to your ISP, letting them know they're reachable via your external firewall IP, then just put static routes for them on your firewall.
Actually, come to think of it, you can probably set up proxy ARP on your outside firewall interface to make your public IPs be announced on the outside interface when some host sends an ARP request for them. I'm not sure what IP you would give your internal interface, though. Read up on how to proxy ARP.
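The two NAT-free layouts from the post above (the bridge, and proxy ARP on the outside interface), written out as a script. This is an added example, not code from the thread or from any poster. The interface names, the bridge name br0, the /24 prefix, the choice to reuse the firewall's own address on the inside interface for the proxy-ARP case, and the 80/443 service ports are assumptions; the addresses are the thread's. It uses the bridge-utils `brctl` tool of the era, with the iproute2 equivalent noted in comments.

```shell
#!/bin/sh
# Added example (not from the thread): two NAT-free layouts for the firewall.
#  (a) bridge_setup: eth0 and eth1 joined in br0. Frames pass through at layer 2,
#      the servers keep 209.208.89.51-53 unchanged, and with bridge-nf enabled the
#      iptables FORWARD chain still sees (and can drop) each bridged packet.
#  (b) proxy_arp_setup: the box routes instead. eth0 answers ARP for the servers,
#      eth1 answers ARP for the rest of the /24 on the servers' behalf, and /32
#      host routes send each server's traffic out eth1. The servers keep their
#      /24 configuration and their existing default gateway.
# Assumed: interface names, br0, the /24 prefix, and a management address on the
# bridge. Set RUN=echo for a dry run (root needed otherwise).

WAN=eth0; LAN=eth1; BR=br0
FW_IP=209.208.89.50; PREFIX=24
SERVERS="209.208.89.51 209.208.89.52 209.208.89.53"
RUN=${RUN:-}
run() { $RUN "$@"; }

bridge_setup() {
    # Member ports carry no addresses; only the bridge device (optionally) does.
    run ip addr flush dev "$WAN"
    run ip addr flush dev "$LAN"
    run brctl addbr "$BR"          # iproute2: ip link add "$BR" type bridge
    run brctl addif "$BR" "$WAN"   # iproute2: ip link set "$WAN" master "$BR"
    run brctl addif "$BR" "$LAN"
    run ip link set "$WAN" up
    run ip link set "$LAN" up
    run ip addr add "$FW_IP/$PREFIX" dev "$BR"   # omit for a fully IP-less firewall
    run ip link set "$BR" up
    # Hand bridged IPv4 frames to iptables; without this, FORWARD never sees them.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

proxy_arp_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf."$WAN".proxy_arp=1
    run sysctl -w net.ipv4.conf."$LAN".proxy_arp=1
    # Assumption: reuse the firewall's own address as a /32 on eth1 so the box
    # has a source address on that link (Linux allows one IP on several interfaces).
    run ip addr add "$FW_IP/32" dev "$LAN"
    run ip link set "$LAN" up
    for s in $SERVERS; do
        # More specific than the /24 on eth0, so traffic for each server goes inside.
        run ip route add "$s/32" dev "$LAN"
    done
}

filter_rules() {
    # Same under both layouts: the servers are addressed by their real IPs.
    # Replace 80,443 with each host's actual services.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for s in $SERVERS; do
        run iptables -A FORWARD -d "$s" -p tcp -m multiport --dports 80,443 \
            -m state --state NEW -j ACCEPT
        run iptables -A FORWARD -s "$s" -m state --state NEW -j ACCEPT
    done
}

case "${1:-}" in
    bridge)   bridge_setup; filter_rules ;;
    proxyarp) proxy_arp_setup; filter_rules ;;
    dry-run)  RUN=echo; bridge_setup; echo ---; proxy_arp_setup; echo ---; filter_rules ;;
esac
```

`sh nonat.sh dry-run` shows both command sequences; `sudo sh nonat.sh bridge` or `sudo sh nonat.sh proxyarp` applies one of them. In the bridge case the box is invisible at layer 3 unless you keep the management address; in the proxy-ARP case the ISP router sees the firewall's MAC for all four addresses, which is exactly what makes the servers reachable without the ISP routing anything to you.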
Yeah, in my post I forgot to mention that using IPs you don't own is very wrong. Sorry.
I wish we knew who did it to our network so we could ask them what the hell their problem was. And unfortunately it is too late to make any changes because it is a hospital and most of the equipment is specialized radiology equipment and we can't just make changes ourselves. It would take the full collaboration of about 7 companies to help us change that problem in as little time as possible. I don't see it happening.