LinuxQuestions.org
Old 11-21-2005, 08:35 AM   #1
teeno
Member
 
Registered: Jul 2001
Posts: 72

Rep: Reputation: 15
Routing problem


I have a routing/firewall problem that has been bothering me for some time now and it has come to the stage where I need to have a solution.

Here is the background. My ISP has given me a 32 IP address subnet and I intended to allocate these IP addresses to our mail server, web server and then other machines on our LAN that need to be accessible from outside our building. I have done this but the machines are not behind the firewall. This is the problem. At the moment only the computers on the network that are using NAT are behind the firewall and I have had to secure all the machines that have real IP address separately.

How do I move the computers with global IP addresses behind the firewall? Here is a diagram to explain.

ISP has assigned the following:

Network address: A.B.C.160
Broadcast address: A.B.C.191
Subnet: 255.255.255.224

Current Configuration:

Code:
                                  Router
                                A.B.C.161
                                    |
    ---------------------------------------------------------------
    |                     |                   |                   |
Firewall              Web Server         Mail Server       Other Computers
A.B.C.162             A.B.C.163          A.B.C.164         A.B.C.165-190
192.168.1.1
    |
NAT LAN
192.168.1.2-254

Required Configuration:

Code:
                                        Router
                                      A.B.C.161
                                           |
                   --------------------------------------------
                  |                                            |
              Firewall                                        DMZ
              A.B.C.162                                  A.B.C.163-174
              A.B.C.177
             192.168.1.1
                  |
         ----------------------------------
        |                                  |
   NAT LAN                                 |
192.168.1.2-254                            |
                                           |
                         -------------------------------------------
                         |                      |                   |
                     Web Server           Mail Server        Other Computers
                     A.B.C.178            A.B.C.179          A.B.C.180-190
As you can see I want to split my subnet so that I have a secure subnet behind the firewall. Is this possible? Is there a better way of achieving this configuration? Does the router need to be reconfigured by the ISP? If it is possible can someone help me with the configuration? I am using slackware 10 for my router/firewall.

If more information is needed or this does not make any sense please let me know.

Thank you for all your help.

Last edited by teeno; 11-21-2005 at 09:00 AM.
 
Old 11-21-2005, 05:45 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
This is generic at the moment since I do not have the time to do full details.
1. I assume this is going to be a linux based firewall and router.
Now with that known:
1. Create your first eth0 interface with your first available IP.
2. Then create each additional IP as a virtual aliasing IP: eth0:0, eth0:1, eth0:2, .....
3. Now in each lan or dmz create each of those machines on a non-routable ip class like 192.168.1.0/24 for the lan and 192.168.2.0/24 for the dmz.
4. Now using iptables you can forward external ip address to internal lan or dmz address and even define ports only.

While you're in the dmz I would run firewalls on each machine and only open needed ports when needed.

Notes on iptables. Iptables handles IP addresses and eth* fine. It does not handle virtual aliasing IPs, so that's why you need to use IP addresses for that.

Example based on above info
Code:
                                           Wan
                           eth0 and eth0:0-eth0:31    A.B.C.161-177
                                            |
            Router --------------------------------------------
                  |                                            |
              Lan                                             DMZ
          192.168.1.0/24                                192.168.2.0/24
     eth1 192.168.1.1                                eth2 192.168.2.1
                  |                                            |
             NAT LAN                                           |
          192.168.1.2-254                                      |
                                                               |
                         -------------------------------------------
                         |                      |                   |
                     Web Server           Mail Server        Other Computers
                   192.168.2.178         192.168.2.179      192.168.2.180-190
Quick links for help.
This one to help create each Aliasing IP https://www.redhat.com/archives/fedo.../msg04163.html
This is a decent iptables script for 3 nics and a start with multiple IP. It really starts out with 2 but you can configure it for more easily. http://www.linuxguruz.com/iptables/s...rewall_005.txt
Lots of good reading here.
http://www.linuxguruz.com/iptables/
http://iptables-tutorial.frozentux.n...-tutorial.html
Also look around for nat 1 to 1 or nat 1:1. Search here and google around the linux way at http://www.google.com/linux
edit:
when creating eth1 and eth2 do not use a gateway on them. Masquerading takes care of this.
edit:

Any Questions please ask. Hope this helps.
Brian1

Last edited by Brian1; 11-21-2005 at 06:14 PM.
 
Old 11-21-2005, 07:43 PM   #3
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

Brian1 put the machines that can be accessed from the internet behind your DMZ, and he's got a point.
I don't know if you defined the architecture or if it is imposed... but the DMZ should include every single machine accessible from internet, whereas the LAN should have an upstream Internet access only.

I'll assume the architecture MUST be as you showed it in your second picture... even though (I know it's the second time I say so) every remotely accessible machine should be in the DMZ... If you can change the architecture, then you SHOULD use something similar to what Brian1 proposed. Anyway, the commands I give can be adapted to whatever config you want.

So, to fit what you asked for, I propose this:
Code:
                                        Router
                                      A.B.C.161
                                           |
                   --------------------------------------------
                  |                                            |
              Firewall                                        DMZ
              A.B.C.162, 178-190                         A.B.C.163-174
             192.168.1.1
             192.168.2.1
                  |
         ----------------------------------
        |                                  |
   NAT LAN                                 |
192.168.1.2-254                            |
                                           |
                         -------------------------------------------
                         |                      |                   |
                     Web Server           Mail Server        Other Computers
                   192.168.2.178         192.168.2.179      192.168.2.180-190
I'll assume as well that you have 3 interfaces to plug into your firewall. If you don't, then you can use aliases.
The first one, that I will call the WAN interface, has A.B.C.162 as an IP address. Let's say it's eth0.
The second one, that I will call the LAN interface, has 192.168.1.1 as an IP address. Let's say it's eth1.
The third one, that I will call the LAN2 interface, has 192.168.2.1 as an IP address. Let's say it's eth2.

1/
Let's begin with the NAT stuff, since that's pretty much straightforward.
A classical NAT rule will do the job:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source A.B.C.162   # POSTROUTING cannot match -i; select the LAN by its source network instead

This means that any packet entering eth1 and outgoing through eth0 (so, the traffic to internet and A.B.C) will be nated to the A.B.C.162 IP.
On their way in, the response to these packets are de-nated (magic)

2/
Now, the servers and Other computers...
Same thing as above, when packets are on their way out you must use:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.178 -j SNAT --to-source A.B.C.178   # -s picks the host; -i is not valid in POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.179 -j SNAT --to-source A.B.C.179
...

The main difference with the above command is that, this time you specify the source IP, so that every single machine uses its own public IP (whereas in the LAN, everybody uses the same).

On the way in, you can use:
iptables -t nat -A PREROUTING -i eth0 -d A.B.C.178 -j DNAT --to-destination 192.168.2.178   # -d: match the public IP the packet is addressed to
iptables -t nat -A PREROUTING -i eth0 -d A.B.C.179 -j DNAT --to-destination 192.168.2.179
...

This time you NAT the other way: packets coming from the WAN interface using a specific public IP will be translated to the corresponding private IP.

3/ IP aliasing
But the above config still doesn't work... because eth0 won't accept packets for A.B.C.178-190, since its IP is A.B.C.162.
So, you have to configure aliases on eth0 so that it is configured with every single IP:
ip addr add A.B.C.178 dev eth0
ip addr add A.B.C.179 dev eth0
...

4/ Routing
You must make sure the default gateways are correctly set on each subnet.
On the firewall, you shouldn't have to define any route but the default gateway.
Make sure that "echo 1 > /proc/sys/net/ipv4/ip_forward", if not, then packets won't be forwarded from an interface to the other.


Hope this helps

Last edited by fr_laz; 11-21-2005 at 07:50 PM.
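To tie together Brian1's step list (aliases on the WAN interface, private subnets for LAN and DMZ, port-restricted forwarding) and fr_laz's four numbered steps, here is an added example script that is not from either poster or from the thread. It generates the complete rule set for the three-interface layout: shared SNAT for the NAT LAN, and per-host 1:1 NAT for the DMZ with only the listed TCP ports admitted. The interface names eth0/eth1/eth2, the A.B.C prefix, the host-to-IP map and the port lists are constructed placeholders to be replaced with real values. It prints the commands by default and only executes them when DRY_RUN=0 (as root):

```shell
#!/bin/sh
# Added example (not code from the thread): generator for the 1:1 NAT layout
# fr_laz describes, plus the per-host port restriction Brian1 recommends.
# All addresses, interface names and the host map are constructed placeholders.

WAN_IF=eth0   # public side: carries A.B.C.162 plus one alias per DMZ host
LAN_IF=eth1   # NAT LAN 192.168.1.0/24, hidden behind A.B.C.162 on the way out
DMZ_IF=eth2   # DMZ 192.168.2.0/24, one public IP per host
WAN_IP="A.B.C.162"
LAN_NET="192.168.1.0/24"

# Constructed map: "private public allowed-tcp-ports", one DMZ host per line.
NAT_MAP="192.168.2.178 A.B.C.178 80,443
192.168.2.179 A.B.C.179 25"

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

emit_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Default-deny forwarding; replies to accepted flows pass in both directions.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # NAT LAN: outbound only, every host shares the firewall's own public IP.
    # POSTROUTING cannot match -i, so the source network selects LAN traffic.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"

    # DMZ: 1:1 NAT per host. The /32 alias makes eth0 answer for the public IP,
    # DNAT maps inbound packets to the private host, SNAT gives its outbound
    # packets the matching public source, and FORWARD admits only listed ports.
    printf '%s\n' "$NAT_MAP" | while read -r priv pub ports; do
        [ -n "$priv" ] || continue
        run ip addr add "$pub/32" dev "$WAN_IF"
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
        run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$priv" -p tcp -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
        run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$priv" -j ACCEPT
    done
}

# Sanity check on the generated set: no POSTROUTING rule may carry -i,
# because iptables refuses that match in the POSTROUTING chain.
check_no_input_match_in_postrouting() {
    emit_rules | grep POSTROUTING | grep -q -- ' -i ' && return 1
    return 0
}

emit_rules
```

The FORWARD chain is what actually limits exposure here: DNAT only rewrites addresses, so without the `--dports` rule every port on each DMZ host would be reachable from outside. Running it with DRY_RUN=1 first lets you read the whole rule set before anything touches the kernel.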
 
Old 11-22-2005, 02:40 AM   #4
teeno
Member
 
Registered: Jul 2001
Posts: 72

Original Poster
Rep: Reputation: 15
Excellent, this is really good stuff. I will have a go and see if I can get this up and running. Thank you both and I will give some feedback when I have got this configured.

Cheers,
Peter
 
Old 11-22-2005, 05:24 PM   #5
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
I agree with fr_laz and would not really give a lan machine an external IP. The firewall can relay any external IP port to an internal lan port if needed. I would not really open any ports into the lan. If you need to do so then ssh to the firewall and run a few iptables lines to gain access to a lan machine. When done close the access or even create a cron file to return the firewall back to a secure state once every hour. This can cause an issue but if you know when the script runs then it should not be a big deal.

You really want your lan as secure as possible. DMZ can be less restrictive but run firewalls on each machine and open only what is needed. If certain ports need to be open, say to backup files to maybe the lan, do as above: open needed ports from your backup script and close them when it is done.

Keep us posted. You will more than likely pull your hair out before you get it done. I know, been there and done that.
Brian1

Last edited by Brian1; 11-22-2005 at 05:28 PM.
 
Old 11-23-2005, 06:00 AM   #6
teeno
Member
 
Registered: Jul 2001
Posts: 72

Original Poster
Rep: Reputation: 15
Thanks for all your help.

This is the basic configuration I used to test the 1 to 1 NAT.

Code:
echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.10 -j SNAT --to-source A.B.C.10
iptables -t nat -A PREROUTING -i eth0 -d A.B.C.10 -j DNAT --to-dest 192.168.1.10
iptables -A FORWARD -j ACCEPT
ip addr add A.B.C.10 dev eth0
Now I understand how it works I shouldn't have a problem completing my configuration and securing it.

I have noted all your points and will take them into account as I secure and test my setup.

Thank you again this has saved me a lot of time.

(A very happy) Peter

PS. If I do run into any more problems along the way I might need some more help.
 
Old 11-23-2005, 06:44 PM   #7
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Glad to be of help. Once completed maybe you could write up a post about how you did it to help others. One day I may write one.

Brian
 
  

