What distro of Linux were you planning on using?
I'm not a big fan of using a regular distribution for purposes of a firewall, although they obviously do work. I consider a firewall/router a very specific purpose, and anything not directly related to networking an extraneous waste of resources. Also, from a security standpoint, having services that aren't needed running on a firewall is a vulnerability. I went the route of stripping out unneeded daemons and commands from Slackware back in '01 for firewall use on a secondary IP address at work for testing and as a live backup, but I would not bother now. It's a waste of time considering the alternatives out there.
I've been using Vyatta for the last several months, and find it to perform very well. It is a Linux based firewall/router distribution. The web site has an open source edition available to anyone. It has everything you need to set up a firewall to handle what you are doing. I've tested with m0n0wall, pfSense and Smoothwall, but did not like them as much as Vyatta.
I'll post an example configuration which is based directly on a working config, but the IP addresses are changed to protect the innocent. The complete configuration for a Vyatta firewall is contained in one file, so backing one up is simple. The only thing that isn't is the keys for OpenVPN.
Code:
firewall {
    broadcast-ping disable
    conntrack-tcp-loose enable
    ip-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    name INLAN-IN {
        rule 10 {
            action accept
            state {
                established enable
            }
        }
        rule 20 {
            action accept
            destination {
                address 192.168.77.0/24
            }
            source {
                address 10.78.24.0/24
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            destination {
                address 0.0.0.0/0
            }
            source {
                address 192.168.77.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name INWAN-LOCAL {
        rule 1 {
            action accept
            state {
                established enable
            }
        }
        rule 10 {
            action accept
            destination {
                address 25.196.69.210
                port 500
            }
            protocol udp
            source {
                address 69.190.127.9
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action accept
            destination {
                address 25.196.69.210
            }
            protocol esp
            source {
                address 69.190.127.9
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            destination {
                address 25.196.69.210
                port 1194
            }
            protocol udp
            source {
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 40 {
            action accept
            destination {
                address 192.168.77.0/24
            }
            protocol all
            source {
                address 10.78.24.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name INWEB-1 {
        rule 1 {
            action accept
            state {
                established enable
            }
        }
        rule 5 {
            action accept
            destination {
                address 10.52.32.100/32
                port 80
            }
            protocol tcp
            source {
                address 0.0.0.0/0
            }
        }
        rule 10 {
            action accept
            destination {
                address 192.168.77.100/32
                port 22,18081
            }
            protocol tcp
            source {
                address 24.240.67.38
            }
        }
        rule 20 {
            action accept
            destination {
                address 192.168.77.0/24
            }
            source {
                address 10.78.24.0/24
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action accept
            destination {
                address 10.78.24.0/24
            }
            source {
                address 192.168.77.0/24
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 500 {
            action drop
            destination {
                address 0.0.0.0/0
            }
            protocol all
            source {
                address 59.56.0.0/13
            }
            state {
                established disable
                invalid disable
                new disable
                related disable
            }
        }
    }
    name WAN-VIF11-IN {
    }
    name WAN-VIF11-LOCAL {
    }
    receive-redirects disable
    send-redirects disable
    syn-cookies enable
}
interfaces {
    ethernet eth1 {
        address 192.168.77.1/24
        duplex auto
        firewall {
            in {
                name INLAN-IN
            }
        }
        hw-id 00:06:27:24:d5:9e
        speed auto
    }
    ethernet eth2 {
        address 25.196.69.210/29
        duplex auto
        firewall {
            in {
                name INWEB-1
            }
            local {
                name INWAN-LOCAL
            }
        }
        hw-id 00:0e:0d:84:01:42
        speed auto
        vif 11 {
            address 25.196.69.211/29
            firewall {
                in {
                    name WAN-VIF11-IN
                }
                local {
                    name WAN-VIF11-LOCAL
                }
            }
        }
    }
    ethernet eth3 {
        address 10.52.32.1/24
        duplex auto
        hw-id 00:0e:0d:62:c4:4c
        speed auto
    }
    openvpn vtun0 {
        local-host 25.196.69.210
        local-port 1194
        mode server
        openvpn-option "--push route 192.168.77.0 255.255.255.0 --comp-lzo --tls-auth /etc/openvpn/keys/ta.key 0"
        protocol udp
        server {
            subnet 172.20.23.64/28
        }
        tls {
            ca-cert-file /etc/openvpn/keys/ca.crt
            cert-file /etc/openvpn/keys/vyatta.crt
            crl-file /etc/openvpn/keys/crl.pem
            dh-file /etc/openvpn/keys/dh2048.pem
            key-file /etc/openvpn/keys/vyatta.key
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name ETH1_POOL {
            authoritative disable
            subnet 192.168.77.0/24 {
                default-router 192.168.77.1
                dns-server 192.168.77.1
                lease 86400
                start 192.168.77.203 {
                    stop 192.168.77.249
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 24.196.64.53
            name-server 24.159.193.40
            name-server 68.115.71.53
        }
    }
    https
    nat {
        rule 5 {
            destination {
                address 25.196.69.210
                port 80
            }
            inbound-interface eth+
            inside-address {
                address 10.52.32.100
            }
            protocol tcp
            source {
                address 0.0.0.0/0
            }
            type destination
        }
        rule 10 {
            destination {
                address 25.196.69.210
                port 22,18081
            }
            inbound-interface eth2
            inside-address {
                address 192.168.77.100
            }
            protocol tcp
            source {
                address 24.240.67.38
            }
            type destination
        }
        rule 20 {
            destination {
                address 10.52.32.100
            }
            outbound-interface eth+
            outside-address {
                address 25.196.69.210
            }
            protocol all
            source {
                address 192.168.77.0/24
            }
            type source
        }
        rule 500 {
            destination {
                address !10.78.24.0/24
            }
            outbound-interface eth2
            source {
                address 192.168.77.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root false
        port 22
        protocol-version v2
    }
}
system {
    domain-name example.com
    gateway-address 25.196.69.209
    host-name myatta
    login {
        user root {
            authentication {
                encrypted-password not_going_to_show_this_here
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password not_going_to_show_this_here
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 24.196.64.53
    name-server 24.159.193.40
    name-server 68.115.71.53
    ntp-server 69.59.150.135
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    static-host-mapping {
    }
    syslog {
        global {
            facility all {
                level info
            }
        }
        host 10.78.24.103 {
            facility all {
                level err
            }
        }
    }
    time-zone GMT
}
vpn {
    ipsec {
        copy-tos disable
        esp-group ESP-JOHN-S2S {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group IKE-JOHN-S2S {
            aggressive-mode disable
            lifetime 86400
            proposal 1 {
                dh-group 5
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth2
        }
        logging {
            log-modes all
        }
        site-to-site {
            peer 69.190.127.9 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret example_secret
                }
                ike-group IKE-JOHN-S2S
                local-ip 25.196.69.210
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-JOHN-S2S
                    local-subnet 192.168.77.0/24
                    remote-subnet 10.78.24.0/24
                }
            }
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:serial@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC5.0.2 */
That probably looks overwhelming, but let me give you a few notes on it.
The system is set up as such:
eth1 - LAN
eth2 - WAN
eth3 - DMZ
There is a web server hosted in the DMZ.
I have a site-to-site IPSEC VPN tunnel set up, and OpenVPN for mobile users to access the system when on the road.
You can figure out what sections of the firewall rulesets apply to which interfaces by looking at the interfaces themselves to see which section is listed there. If you look at eth2, you see that INWEB-1 and INWAN-LOCAL are being used on the WAN (eth2).
DHCP as well as a caching DNS server are being offered as services on the LAN (eth1).
The NAT service rule 500 is the rule that handles masquerading outbound traffic to public space. If you look at the destination on it, instead of 0.0.0.0/24, it is !10.78.24.0/24. The reason I did it that way is because 10.78.24.0/24 is the network on the other side of the IPSEC VPN tunnel, and I don't want that traffic being NAT'ed and sent out the WAN (eth2).
As for your question about how to NAT traffic to the LAN/DMZ, here is an example.
First, here is the firewall rule:
Code:
name INWEB-1 {
    rule 5 {
        action accept
        destination {
            address 10.52.32.100/32
            port 80
        }
        protocol tcp
        source {
            address 0.0.0.0/0
        }
    }
}
And the corresponding NAT service rule:
Code:
nat {
    rule 5 {
        destination {
            address 25.196.69.210
            port 80
        }
        inbound-interface eth+
        inside-address {
            address 10.52.32.100
        }
        protocol tcp
        source {
            address 0.0.0.0/0
        }
        type destination
    }
}
External traffic with a destination of 25.196.69.210 on port 80 will be NAT'ed and sent to 10.52.32.100 in the DMZ.
As you can see, there is a virtual interface defined on eth2 (WAN) as vif 11. There are empty firewall sections for it, and no NAT rules as of yet, but you can see the structure needed to add additional IP addresses on the WAN.
The firewall rules listed in sections listed as 'local' define rules intended to accept traffic destined to that interface itself, and not to be NAT'ed or masqueraded. The IPSEC & OpenVPN traffic is listed in the local (INWAN-LOCAL) firewall rulesets because that traffic is destined to the firewall, not to be sent to a system on the LAN.
That is actually a fairly basic firewall config overall. That firewall is installed at a location where the primary activity is software/database development. All traffic sourced from internal systems is allowed out.
I like the configuration interface for Vyatta, too. Once you get used to it, it's straightforward and easy to add/remove functionality as needed.
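Two points in the post lend themselves to a mechanical check: the masquerade rule whose destination is negated (`!10.78.24.0/24`) so the IPsec peer's subnet is not NAT'ed, and the destination-NAT rule that is paired with a firewall rule accepting the post-translation address (10.52.32.100:80, not the public 25.196.69.210). The Python below is an added example, not code from the post or from Vyatta: it parses the brace-style config text into nested dicts, then asks whether a masquerade rule would still translate traffic bound for a given subnet, and whether every destination-NAT rule has a firewall accept for its inside address. The sample config is constructed and abridged from the one in the post; the function names are this example's own.

```python
import ipaddress
import shlex

# Constructed sample, abridged from the post's config: the DNAT rule for the DMZ
# web server with its firewall accept, and the negated-destination masquerade rule.
SAMPLE_CONFIG = """\
firewall {
    name INWEB-1 {
        rule 5 {
            action accept
            destination {
                address 10.52.32.100/32
                port 80
            }
            protocol tcp
        }
    }
}
service {
    nat {
        rule 5 {
            destination {
                address 25.196.69.210
                port 80
            }
            inside-address {
                address 10.52.32.100
            }
            protocol tcp
            type destination
        }
        rule 500 {
            destination {
                address !10.78.24.0/24
            }
            type masquerade
        }
    }
}
"""

def parse_config(text):
    """Nested dicts: 'rule 5 {' nests as ['rule']['5']; leaves map key -> value."""
    root = {}
    node, stack = root, []
    for raw in text.splitlines():
        line = raw.split("/*")[0].strip()        # drop /* ... */ comment lines
        if not line:
            continue
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            stack.append(node)
            for part in shlex.split(line[:-1]):   # 'name INWEB-1' -> two levels
                node = node.setdefault(part, {})
        else:
            key, *rest = shlex.split(line)
            value = " ".join(rest) if rest else True
            if key in node:                       # repeated leaf (name-server) -> list
                old = node[key] if isinstance(node[key], list) else [node[key]]
                node[key] = old + [value]
            else:
                node[key] = value
    return root

def rule_nats_subnet(rule, subnet):
    """Would this masquerade/source-NAT rule translate traffic bound for subnet?"""
    dest = rule.get("destination", {}).get("address")
    if dest is None:                       # no destination filter: NATs everything
        return True
    target = ipaddress.ip_network(subnet, strict=False)
    if dest.startswith("!"):               # '!net' exempts only subnets inside net
        return not target.subnet_of(ipaddress.ip_network(dest[1:], strict=False))
    return target.overlaps(ipaddress.ip_network(dest, strict=False))

def accepts(rule, inside, port, proto):
    """Does a firewall rule accept new connections to inside:port over proto?"""
    dest = rule.get("destination", {})
    addr = dest.get("address", "0.0.0.0/0")
    return (rule.get("action") == "accept"
            and not addr.startswith("!")
            and inside.subnet_of(ipaddress.ip_network(addr, strict=False))
            and (port is None or dest.get("port") == port)
            and rule.get("protocol", "all") in ("all", proto)
            and rule.get("state", {}).get("new", "enable") == "enable")

def dnat_without_accept(cfg):
    """Destination-NAT rule ids with no firewall accept for the translated address."""
    rulesets = cfg.get("firewall", {}).get("name", {})
    fw_rules = [r for rs in rulesets.values() for r in rs.get("rule", {}).values()]
    missing = []
    for rid, nat in cfg.get("service", {}).get("nat", {}).get("rule", {}).items():
        if nat.get("type") != "destination":
            continue
        inside = ipaddress.ip_network(nat["inside-address"]["address"])
        port, proto = nat.get("destination", {}).get("port"), nat.get("protocol", "all")
        if not any(accepts(r, inside, port, proto) for r in fw_rules):
            missing.append(rid)
    return missing
```

Run against the sample, `rule_nats_subnet` reports that rule 500 leaves 10.78.24.0/24 alone but would still masquerade a wider 10.78.0.0/16 (a negated destination only exempts subnets fully inside it), and `dnat_without_accept` returns an empty list because firewall rule 5 names the inside address and port the NAT rule translates to. Change the firewall rule to a different host and the NAT rule id shows up as unmatched, which is the mismatch a practitioner most often hits when pairing DNAT with filtering.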