I need a virtual firewall/router solution. I'm thinking of a netscreen 1000 but I want to know if it can be done in Linux.
Here is my idea:
1 Linux box 2 GigE interfaces
1 interface setup with a public IP address ($PUBIP)
1 interface setup with 802.1q VLAN trunking with 100 vlans assigned ($VLAN1-$VLAN100)
a /25 subnet routed to $PUBIP from my core routers
All $VLAN interfaces setup with IP 192.168.1.1/24
Inbound traffic on $VLAN gets marked with a fwmark ($VLAN1 = fw1, $VLAN2 = fw2)
Outbound traffic gets NAT'ed based on the fwmark to an IP in the subnet
Returning traffic gets marked based on the dest IP (one of the subnets) with the same fwmark for the appropriate VLAN
returning packets are unNAT'ed and then routed down the correct VLAN based on the fwmark on the packet.
Questions:
How will Linux react if I put 192.168.1.1 on >1 interfaces?
Does the unNAT'ing of the packets destroy the fwmark?
Is there a way of handling kernel based packets (ICMP, ARP responses) so they go out the correct interface?
Example: an ARP (who has 192.168.1.1) comes in on VLAN5; how can I get the kernel to send its response on VLAN5?
I see the packet flow as something like:
Client (192.168.1.100) sends SYN to www.redhat.com:80
Client has default gw of 192.168.1.1
Client is on 802.1q VLAN10
Client puts packet on Ethernet VLAN10 with MAC address of Linux box
Packet enters Linux box on VLAN10 Source:ClientIP Dest:www.redhat.com:80
Packet gets marked by iptables rule. FWMARK = 10
Packet gets routed out to upstream gateway
Packet gets NAT'ed to SUBNETIP10 based on FWMARK 10
Packet now looks like src: SUBNETIP10:NATPORT dst:REDHAT:80
Response packet from redhat flows
Packet enters Linux box src REDHAT:80 dst SUBNETIP10:NATPORT
Packet gets tagged with fwmark based on SUBNETIP to FWMARK 10
Packet gets unNAT'ed by kernel NAT table
Packet looks like src REDHAT:80 dst CLIENTIP:CLIENTPORT fwmark:10
iproute2 setup routes CLIENTIP to the correct client on the correct VLAN (vlan10)
arp lookup assigned correct MAC address and sends the packet to the switch on VLAN10
Problems I can see biting me:
ARP tables. Can the kernel maintain separate ARP tables for each VLAN? Each VLAN can have a machine with IP 192.168.1.100
ICMPs: What happens when a client tries to ping the linux box (192.168.1.1). If I fwmark all incoming packets on a VLAN will the kernel respond with a packet using the same fwmark?
ARP requests: Same as the ICMPs. Will the kernel be able to answer an ARP request to 192.168.1.1
IPs: I'm sure the kernel will bitch about assigning 192.168.1.1 on a bunch of interfaces.
Any ideas?
--
Matthew Crocker
Vice President
Crocker Communications
w. 413-746-2760 f. 413-746-3704 e. matthew@xxxxxxxxxxx
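As an added example (not from the post or its author), the script below emits the iptables/iproute2 commands that implement the per-VLAN fwmark + SNAT design for one VLAN, with a per-VLAN routing table so the duplicated 192.168.1.0/24 is resolved correctly on the return path, a CONNMARK so replies get the mark back, and a conntrack zone so overlapping client tuples do not collide. The trunk interface eth1 (subinterfaces eth1.N), uplink eth0, and the public /25 203.0.113.0/25 are constructed assumptions; the CT zone target and fwmark_reflect sysctl need a reasonably modern kernel.

```shell
#!/bin/sh
# Added example: print the configuration for one VLAN of the fwmark/SNAT design.
# Constructed assumptions: trunk eth1 (eth1.N per VLAN), uplink eth0,
# public /25 203.0.113.0/25, client subnet 192.168.1.0/24 on every VLAN.
TRUNK=eth1
UPLINK=eth0
PUBNET=203.0.113

# gen_vlan_rules N -> commands for VLAN N using fwmark N, routing table N,
# conntrack zone N and public address PUBNET.N
gen_vlan_rules() {
    n=$1
    dev="$TRUNK.$n"
    pub="$PUBNET.$n"
    cat <<EOF
# VLAN $n: the same 192.168.1.1/24 on many subinterfaces is accepted by the kernel,
# but the main table then has 100 equal routes, so each VLAN gets its own table
ip link add link $TRUNK name $dev type vlan id $n
ip addr add 192.168.1.1/24 dev $dev
ip link set $dev up
# keep this VLAN's connections apart in conntrack even though client IPs overlap
iptables -t raw -A PREROUTING -i $dev -j CT --zone $n
iptables -t raw -A PREROUTING -i $UPLINK -d $pub -j CT --zone $n
# the fwmark is per packet and replies are new packets: save it on the connection
# and restore it on traffic coming back to this VLAN's public address
iptables -t mangle -A PREROUTING -i $dev -j MARK --set-mark $n
iptables -t mangle -A PREROUTING -i $dev -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i $UPLINK -d $pub -j CONNMARK --restore-mark
# outbound: NAT this VLAN's clients to its own public address
iptables -t nat -A POSTROUTING -o $UPLINK -m mark --mark $n -j SNAT --to-source $pub
# return path: mark N selects table N, which only knows VLAN N's 192.168.1.0/24;
# outbound packets fall through to the main table for the default route
ip rule add fwmark $n table $n
ip route add 192.168.1.0/24 dev $dev table $n
EOF
}

# kernel-generated replies (ICMP echo/errors, TCP RST) reuse the incoming mark
echo "sysctl -w net.ipv4.fwmark_reflect=1"
n=1
while [ "$n" -le 100 ]; do
    gen_vlan_rules "$n"
    n=$((n + 1))
done
```

Review the printed commands, then pipe them into a root shell; ARP needs no special handling because neighbour entries are already kept per interface and replies go out the interface the request arrived on.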