Hello!

I'm trying to set up a firewall with two ethernets to be installed between the internet and a pool of servers. The setup is as follows:

In the firewall:
- eth0 with public ip 'a.b.c.d', connected to the internet
- eth1 with private ip 192.168.1.1, connected to a private class C subnet

In the internal server 1 (web server):
- eth0 with private ip 192.168.1.100, connected to the subnet above.

I have some public ips available (a.b.c.e, a.b.c.f, a.b.c.g, ...), so now I want to map the external ip 'a.b.c.e' to the internal ip '192.168.1.100'.

So in the firewall I do:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -d a.b.c.e -j DNAT --to 192.168.1.100
    iptables -t nat -A POSTROUTING -s 192.168.1.100 -j SNAT --to a.b.c.e
This should effectively:
- change destination from a.b.c.e to 192.168.1.100 for packets entering the firewall
- and change source from 192.168.1.100 to a.b.c.e for packets leaving the firewall
Now, if I ping the public address of the internal server 1 (a.b.c.e) from the internet, each packet should traverse the firewall like this:

1. @internet: source=w.x.y.z, destination=a.b.c.e
2. @firewall-prerouting: source=w.x.y.z, destination=192.168.1.100 (destination changed by nat rule 1)
3. @firewall-postrouting: source=w.x.y.z, destination=192.168.1.100 (no changes)
4. @internal_server_1: source=w.x.y.z, destination=192.168.1.100 (so the packet reaches the target)

and then, when the internal server bounces the ping:

1. @internal_server_1: source=192.168.1.100, destination=w.x.y.z
2. @firewall-prerouting: source=192.168.1.100, destination=w.x.y.z (no changes)
3. @firewall-postrouting: source=a.b.c.e, destination=w.x.y.z (source changed by nat rule 2)
4. @internet: source=a.b.c.e, destination=w.x.y.z (so the packet reaches the target)
But this won't work, because the firewall doesn't know it must process packets with destination ips other than its own ip (a.b.c.e, a.b.c.f, etc.), and my ISP doesn't know which machine to deliver these packets to.

So the question is: how can I make the firewall process the packets with destinations a.b.c.e, a.b.c.f, etc.?
The only solution I've found is to define an ip alias in the firewall itself so that eth0:1 will respond to the external ip a.b.c.e. Thus when the router of my ISP asks "who has ip a.b.c.e?", the firewall will answer "me" and it will process the packet and deliver it to the internal server 1.
But this solution means defining an alias for every external ip I want to firewall. So if I have eight servers firewalled I will need eight ip aliases in the firewall.

Is this the right way to do it? Or is there a cleaner/easier/better method to achieve the same?
Thank you very much in advance,

Oriol
Barcelona
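The per-server alias plus DNAT/SNAT setup described in the post, generated from a mapping table so that eight servers need one entry each; this is an added example, not the poster's own script. It assumes eth0/eth1 as in the post, a /24 public prefix, and constructed sample mappings; it prints the commands for review and only applies them when run as root with the argument "apply".

```shell
#!/bin/sh
# Added example: generate alias + 1:1 NAT rules for a list of public/private
# pairs. Assumptions not in the post: external interface eth0, internal eth1,
# public prefix /24. The a.b.c.* addresses are the post's placeholders.
EXT_IF=eth0
INT_IF=eth1
EXT_PREFIX=24

# Constructed mapping table: "public_ip private_ip", one server per line.
MAPPINGS='
a.b.c.e 192.168.1.100
a.b.c.f 192.168.1.101
a.b.c.g 192.168.1.102
'

# Print (do not run) the commands that map one public IP to one private IP.
# The alias makes the firewall answer ARP for the public IP (the poster's
# eth0:1 idea); DNAT rewrites inbound destinations, SNAT rewrites outbound
# sources. -i/-o pin both rules to the external interface so traffic between
# hosts on 192.168.1.0/24 is not rewritten (the post's rules match every
# packet from 192.168.1.100). Replies to inbound connections are un-NATed by
# conntrack; the SNAT rule is for connections the server itself initiates.
gen_rules() {
    pub=$1; priv=$2
    echo "ip addr add ${pub}/${EXT_PREFIX} dev ${EXT_IF}"
    echo "iptables -t nat -A PREROUTING -i ${EXT_IF} -d ${pub} -j DNAT --to-destination ${priv}"
    echo "iptables -t nat -A POSTROUTING -o ${EXT_IF} -s ${priv} -j SNAT --to-source ${pub}"
}

# Expand the whole table; blank lines in MAPPINGS are skipped.
gen_all() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "$MAPPINGS" | while read -r pub priv; do
        if [ -n "$pub" ]; then gen_rules "$pub" "$priv"; fi
    done
}

# Number of iptables rules produced: two per mapped server.
rule_count() { gen_all | grep -c '^iptables'; }

case "${1:-}" in
    apply) gen_all | sh ;;   # run as root after reviewing the output
    *) gen_all ;;            # default: print the commands only
esac
```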