I want to collapse the two systems into one, but I'm not quite sure how to do it.
I want one iptables-based firewall, with four NICs, that connect to our external router, our DMZ switch, and each of our two internal LAN switches.
I believe I know how to set it up so that traffic from either internal LAN gets NAT'd to the firewall's external IP address, for traffic headed to the Internet, and de-NAT'd on the way back. I also believe I know how to allow traffic to flow back and forth between the two LANs, where NAT'ing isn't needed.
However, I'm not sure how to handle the external network and the DMZ. We have a /28 subnet from our ISP. Our router uses one address on the subnet. From the router, you proceed to a switch, where three devices are plugged in: a wireless access point, a VPN device, and the external interface of the SonicWall firewall. All three devices have addresses on the same /28 subnet as the router. Additionally, the SonicWall's DMZ interface does not have an address assigned to it - it is somehow logically bridged to the external interface. The systems in the DMZ are also on the same /28 subnet. You tell the SonicWall which IP addresses are in use in the DMZ, so that it knows which interface to send traffic for that subnet out of. Internal traffic, heading out either the external or DMZ interfaces of the SonicWall, appears to come from the external address of the SonicWall. I have no idea how to replicate this setup under iptables.
Lastly, some systems in the DMZ need to access database servers on one of the internal LANs. The LANs use private, non-routable address space (192.168.32.0 & 192.168.40.0). So I need certain systems in the DMZ to be able to initiate connections through the firewall to systems on my 40-net. No NAT'ing is needed for these connections, but I'm not sure how to set them up, either. On the SonicWall, we just put a rule in that allows it, and two static routes, so it knows to forward traffic for those nets to the Linux box. Somehow I think it isn't as simple under iptables, but hopefully I'm wrong.
Sorry for the length of this, but I wanted to try and describe it all accurately. I've never set up an iptables firewall that is so (seemingly) complicated before.
Thanks, in advance, for any guidance you can give me.
-ste
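One way to express the layout in the post as an iptables ruleset, written here as an added example rather than the poster's own configuration: proxy ARP plus a /32 route per DMZ host for the shared /28, SNAT to the external address on both LAN egress paths, default-deny forwarding, and a narrow pinhole for DMZ-to-database traffic. The interface names, the 203.0.113.0/28 block standing in for the ISP subnet, /24 masks on the LANs, the DMZ and DB server addresses, and the ports are all assumptions.

```shell
#!/bin/sh
# Added example for the four-NIC layout described in the post; not the poster's config.
# Assumed: interface names, a documentation /28 (203.0.113.0/28) in place of the ISP
# block, /24 masks on the two LANs, and the DMZ host / DB server addresses and ports.
EXT_IF=eth0;   EXT_IP=203.0.113.2
DMZ_IF=eth1;   DMZ_HOSTS="203.0.113.5 203.0.113.6"        # constructed DMZ addresses
LAN32_IF=eth2; LAN32=192.168.32.0/24
LAN40_IF=eth3; LAN40=192.168.40.0/24
DB_CLIENTS="203.0.113.5"; DB_SERVER=192.168.40.10; DB_PORT=5432

# Emit the commands instead of running them, so the ruleset can be reviewed (and
# tested) without root; apply on the firewall with:  sh thisfile.sh | sh
build_rules() {
    # DMZ shares the external /28 (the SonicWall "bridged DMZ" behaviour): proxy ARP on
    # both sides plus a /32 route per DMZ host tells the kernel which interface owns
    # each address, while the /28 itself stays configured on $EXT_IF only.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv4.conf.$EXT_IF.proxy_arp=1 net.ipv4.conf.$DMZ_IF.proxy_arp=1"
    for h in $DMZ_HOSTS; do echo "ip route add $h/32 dev $DMZ_IF"; done

    echo "iptables -P FORWARD DROP"                       # default deny between segments
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # LAN <-> LAN: plain routing, no NAT
    echo "iptables -A FORWARD -i $LAN32_IF -o $LAN40_IF -s $LAN32 -d $LAN40 -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN40_IF -o $LAN32_IF -s $LAN40 -d $LAN32 -j ACCEPT"
    # LANs -> Internet and LANs -> DMZ: allowed, and source-NAT'd to the external
    # address on both egress interfaces (what the post observes on the SonicWall)
    for lan in "$LAN32_IF $LAN32" "$LAN40_IF $LAN40"; do
        set -- $lan
        echo "iptables -A FORWARD -i $1 -s $2 -o $EXT_IF -j ACCEPT"
        echo "iptables -A FORWARD -i $1 -s $2 -o $DMZ_IF -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $2 -o $EXT_IF -j SNAT --to-source $EXT_IP"
        echo "iptables -t nat -A POSTROUTING -s $2 -o $DMZ_IF -j SNAT --to-source $EXT_IP"
    done
    # DMZ -> Internet freely; Internet -> DMZ only for published services (TCP/80 assumed)
    echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -j ACCEPT"
    for h in $DMZ_HOSTS; do
        echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $h -p tcp --dport 80 -j ACCEPT"
    done
    # DMZ -> internal DB: named hosts, one server, one port, no NAT (the nat table only
    # sees a connection's first packet, so the DB's replies are not rewritten).  DMZ
    # hosts, or the ISP router, need a route for $LAN40 pointing at $EXT_IP.
    for c in $DB_CLIENTS; do
        echo "iptables -A FORWARD -i $DMZ_IF -o $LAN40_IF -s $c -d $DB_SERVER -p tcp --dport $DB_PORT -j ACCEPT"
    done
}

build_rules
```

Because the /28 is split across two interfaces by host routes rather than bridged, tcpdump on $DMZ_IF should show the firewall answering ARP for the ISP router's address, and on $EXT_IF for each DMZ host.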