Maffuster n00b
Joined: 03 Jun 2004 Posts: 38
Posted: Thu Dec 23, 2004 5:29 am Post subject: Dual External DHCP IP's and Firewalling
Alright. Let's see if I can get this across properly.
My ISP gives me two dynamic DHCP allocated IP addresses. I want to be able to do something like the diagram below.
Code:
             /----Nic #2 |        | Nic #3 -----------Internal Network
             |           |        |
Cable Modem -----Hub     |        |
             |           |        |
             \----Nic #1 |        | Nic #4 ---------DMZ Network
So the Gentoo box (or whatever) will have four NICs. Two will be connected using a hub to the cable modem, and each one will request an IP. The other two NICs will be connected to the Internal Network and the DMZ network respectively. I want to be able to map ports as I see fit, so that port 80 on external IP #1 goes to IP so-and-so on the DMZ network, while port 53 on external IP #1 goes to IP so-and-so on the Internal network.
I've looked at Smoothwall, but it doesn't support this kind of functionality. I'm 99% sure it's possible. I've looked at the Advanced Routing HOWTO, and I THINK it's telling me what I need, but I'm getting lost.
I'm not new to networking... just new to doing this level of networking under Linux.
Thanks in advance,
Matt
woolsherpahat Guru
Joined: 09 Mar 2004 Posts: 347
Posted: Thu Dec 23, 2004 6:10 am Post subject:
Alright, to restate the question, you're trying to have two interfaces (one DMZ, one private), both with internet accessible IPs, mapped through one cable modem?
Maybe:
Code:
                            |-----------{Int. 2} ---------> Private LAN
Cable Modem -->{Int. 1} --> | Router/Firewall |
                            |-----------{Int. 3}----------> DMZ
I'm not too good with networking, but as far as I can tell, all of the traffic headed towards both your IPs has to pass through your cable modem, which is a single interface. If your IP for the DMZ was 123.456.789.0 you'd just need to make sure your rules passed all inbound packets on interface one destined for that IP to interface three. Of course you'd have to do the same for your private LAN traffic as well. Everything else would just be the normal NAT and packet filtering stuff.
EDIT: Fixed crappy drawing
Maffuster n00b
Joined: 03 Jun 2004 Posts: 38
Posted: Thu Dec 23, 2004 7:45 am Post subject:
The box in question will have four interfaces. 1 & 2 will be external, 3 will be DMZ and 4 will be Internal.
My Cable modem (which isn't an interface) can provide me with up to two IP addresses. I want each external interface to grab a DHCP address from my ISP (this is why I need two...if it was static, I'd just assign both IP's to one interface). Then I need to know how (if possible, which I'm sure it is) to route traffic based on ports between the external interfaces and the internal ones.
Example:
Say External #1 was 20.0.0.1 and External #2 was 20.0.0.2
DMZ is 10.0.0.1/24 and Internal is 11.0.0.1/24
I want All internal traffic to go out over 20.0.0.1
I want All DMZ traffic to go out over 20.0.0.2
I want Port 80 on 20.0.0.1 to go to 10.0.0.2
I want Port 80 on 20.0.0.2 to go to 10.0.0.3
I want Port 25 on 20.0.0.1 to go to 10.0.0.2
I want port 2982 on 20.0.0.2 to go to 11.0.0.5
fvant Guru
Joined: 08 Jun 2003 Posts: 328 Location: Leiden, The Netherlands
Posted: Thu Dec 23, 2004 10:51 am Post subject:
What you want seems possible, but what is it you need help with?
Selecting a FW package that provides all this out of the box?
Are you stuck with particular settings in your own script?
Maffuster n00b
Joined: 03 Jun 2004 Posts: 38
Posted: Thu Dec 23, 2004 4:50 pm Post subject:
I'm looking for more of a howto than anything else.
I can assign all the interfaces no problem; it's the routing and ipchaining between them that I'm a bit rusty on.
DarKRaveR Guru
Joined: 11 Oct 2003 Posts: 500 Location: Old Europe/G-Many
Posted: Thu Dec 23, 2004 6:02 pm Post subject:
Well, you will have to read quite some documentation, that is for sure ....
And yes, it is all possible.
http://www.netfilter.org/
Maybe you need the LARTC HowTo as well.
If you have explicit questions, you should ask those, but in general you can easily do things like:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination internalip:port
Rewrite the destination address, before routing, of packets that come in on eth0 for port 80 to an internal IP+port. (--dport needs the protocol given with -p, since it is a match of the tcp/udp modules.)
There's lots more (source natting for example) and so on.
As soon as you want to make decisions on port and complicated matching you will use iptables; otherwise policy-based routing might partly be sufficient.
EDIT:
I want All internal traffic to go out over 20.0.0.1
I want All DMZ traffic to go out over 20.0.0.2
Policy-based source address routing - you will need advanced routing in the kernel, install iproute2 and set up two different default gateways based on the source addresses of the packets - the Advanced Routing HOWTO describes that in depth ....
I want Port 80 on 20.0.0.1 to go to 10.0.0.2
I want Port 80 on 20.0.0.2 to go to 10.0.0.3
I want Port 25 on 20.0.0.1 to go to 10.0.0.2
I want port 2982 on 20.0.0.2 to go to 11.0.0.5
All done with DNAT... example see above
Remember, when you DNAT the packet, the answer packet needs to be SNATed so externally it looks like it came FROM the box itself, not the DMZ/internal net. Maybe plain stupid masquerading might help here already .... maybe in certain cases you might want to explicitly SNAT. In your case you might need state matching and connection tracking ....
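
The pieces DarKRaveR lists (a default route per uplink chosen by source address, DNAT for the port maps, SNAT on the way out) put together for the addresses in Maffuster's example post, as an added example; this is not a script from anyone in the thread. It assumes eth0 and eth1 are the two external NICs on the hub, eth2 is the DMZ, eth3 the internal LAN, and that the external IPs and gateways are handed in as arguments (they come from DHCP). Table ids 101/102 and the rule priorities are assumed free. One thing the post does not mention that bites on this layout: a reply from 10.0.0.2 to a connection that arrived on external #1 has a DMZ source address, so the "DMZ goes out #2" rule would send it out the wrong NIC; the CONNMARK rules below tag each connection with its ingress uplink and route replies by that mark. Without APPLY=1 every command is printed instead of executed, so it can be read and dry-run unprivileged.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters).
# Assumptions: eth0/eth1 external NICs on the hub, eth2 DMZ, eth3 LAN;
# external IPs and gateways are passed as arguments (DHCP-derived).
# Without APPLY=1 each command is printed rather than executed.

EXT1_IF=${EXT1_IF:-eth0}; EXT2_IF=${EXT2_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth2};   LAN_IF=${LAN_IF:-eth3}
DMZ_NET=10.0.0.0/24; LAN_NET=11.0.0.0/24      # from the example post
T1=101; T2=102                                # routing table ids, assumed unused

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Replace whatever rule sits at a priority, so re-running after a DHCP
# change does not pile up stale rules.
rule() {  # priority selector... table X
    p=$1; shift
    run ip rule del priority "$p" 2>/dev/null || true
    run ip rule add priority "$p" "$@"
}

# One table per uplink holding only that uplink's default route, chosen by
# source address (the box's own traffic from that IP) or by fwmark
# (replies to connections stamped in mark_uplink).
uplink_table() {  # iface ip gateway table
    run ip route replace default via "$3" dev "$1" onlink table "$4"
    rule "$4" from "$2" table "$4"
    rule "$(($4 - 50))" fwmark "$4" table "$4"
}

# Stamp each new inbound connection with the uplink it arrived on; the
# mark is restored onto every later packet of it, so a reply from 10.0.0.2
# to something that came in on external #1 still leaves via external #1.
mark_uplink() {  # iface mark
    run iptables -t mangle -A PREROUTING -i "$1" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$2"
}

# Rewrite the destination before routing and let that connection through
# FORWARD; conntrack reverses the translation on the replies by itself.
port_map() {  # ext-iface ext-ip proto port internal-ip[:port]
    case "$5" in *:*) in_port=${5#*:} ;; *) in_port=$4 ;; esac
    run iptables -t nat -A PREROUTING -i "$1" -d "$2" -p "$3" --dport "$4" \
        -j DNAT --to-destination "$5"
    run iptables -A FORWARD -i "$1" -d "${5%%:*}" -p "$3" --dport "$in_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_ruleset() {  # ext1-ip ext1-gw ext2-ip ext2-gw
    ext1_ip=$1; ext1_gw=$2; ext2_ip=$3; ext2_gw=$4

    run sysctl -q -w net.ipv4.ip_forward=1
    # Both uplinks hang off one hub; without arp_filter the kernel answers
    # ARP for either external address on whichever NIC hears the request.
    run sysctl -q -w net.ipv4.conf.all.arp_filter=1

    for t in filter nat mangle; do run iptables -t "$t" -F; done
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Traffic for the internal nets must hit the main table's connected
    # routes, not an uplink default route: these rules go first.
    rule 10 to "$DMZ_NET" table main
    rule 11 to "$LAN_NET" table main

    uplink_table "$EXT1_IF" "$ext1_ip" "$ext1_gw" "$T1"
    uplink_table "$EXT2_IF" "$ext2_ip" "$ext2_gw" "$T2"
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    mark_uplink "$EXT1_IF" "$T1"
    mark_uplink "$EXT2_IF" "$T2"
    run ip route replace default via "$ext1_gw" dev "$EXT1_IF"   # the box itself

    # "Internal out over 20.0.0.1, DMZ out over 20.0.0.2": source-based
    # routing picks the uplink, SNAT gives the packet that uplink's IP.
    # The LAN may open connections anywhere; the DMZ only towards the net.
    rule 201 from "$LAN_NET" table "$T1"
    rule 202 from "$DMZ_NET" table "$T2"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT1_IF" -j SNAT --to-source "$ext1_ip"
    run iptables -t nat -A POSTROUTING -s "$DMZ_NET" -o "$EXT2_IF" -j SNAT --to-source "$ext2_ip"
    run iptables -A FORWARD -i "$LAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT2_IF" -m conntrack --ctstate NEW -j ACCEPT

    # The port maps from the example post.
    port_map "$EXT1_IF" "$ext1_ip" tcp 80   10.0.0.2
    port_map "$EXT2_IF" "$ext2_ip" tcp 80   10.0.0.3
    port_map "$EXT1_IF" "$ext1_ip" tcp 25   10.0.0.2
    port_map "$EXT2_IF" "$ext2_ip" tcp 2982 11.0.0.5
}

# Stand-alone use: ./dualwan-rules ext1-ip ext1-gw ext2-ip ext2-gw
if [ $# -eq 4 ]; then build_ruleset "$@"; fi
```

The rule priorities matter: the "to internal net" rules (10, 11) run first so LAN and DMZ can reach each other, the fwmark rules (51, 52) beat the source-based ones (101/102 for the box's own addresses, 201/202 for the subnets), and anything unmarked from the box itself falls through to the main table's default route. Because `rule` deletes by priority before adding, the script is safe to re-run with new addresses, which is what the DHCP question later in the thread needs.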
Maffuster n00b
Joined: 03 Jun 2004 Posts: 38
Posted: Thu Dec 23, 2004 6:47 pm Post subject:
Many thanks! I think that should be enough to get me started.
The one question I do have that's specific...
Is there going to be a problem because my two external IP's will change?
Thanks again!
DarKRaveR Guru
Joined: 11 Oct 2003 Posts: 500 Location: Old Europe/G-Many
Posted: Thu Dec 23, 2004 6:59 pm Post subject:
Yeah, it might make it more difficult; maybe you need to set up the iptables rules via some post-up script and remove them after bringing it down ... but maybe you can work around that .....
Maffuster n00b
Joined: 03 Jun 2004 Posts: 38
Posted: Thu Dec 23, 2004 7:00 pm Post subject:
Gotcha. They don't change often, ~6 months or so, but if I need to do more than just reboot to change it, then it could quickly become a pain in the ass.
Taladar Guru
Joined: 09 Oct 2004 Posts: 458 Location: Bielefeld, Germany
Posted: Thu Dec 23, 2004 7:13 pm Post subject:
The worst case would need a restart of the network interfaces or a call to the script setting your rules. A reboot should never be necessary.
If the interfaces were PPP you could set the rules in /etc/ppp/ip-up.local,
but I don't know if there is a similar mechanism with the commonly used DHCP clients. You should look for a DHCP client that allows you to execute scripts after the IP changes.
nobspangle Veteran
Joined: 23 Mar 2004 Posts: 1318 Location: Manchester, UK
Posted: Thu Dec 23, 2004 11:07 pm Post subject:
Just use Shorewall to configure your iptables. Shorewall maps the interfaces to "zones"; you can then use the zones to describe your rules.
You can also choose to masquerade the two subnets (dmz and loc) over the two internet interfaces.
The files are very simple to configure and you'll be up and running in no time.