External address forwarding
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Thu Oct 28 22:30:35 UTC 2004
Ilya Palagin wrote:
> Hi,
>
> I'm trying to find solution for an iptables related task. There is a server
> with external address, which is supposed to be behind a Linux firewall soon.
> Right now it's behind the Sonicwall firewall, which provides with address
> forwarding. It means the following:
>
> Internet <---> 198.182.196.56_Sonicwall_172.18.1.1 <---> 198.182.196.56_Server
>
> Is there a way to set up the same with Linux? I know that this layout is not
> correct and the Server's address must belong to the internal network, but
> reasons for doing this are:
> 1. It works with Sonicwall (which sucks), why shouldn't it work with Linux?
> 2. It'll take time to reconfigure the Server, any down time is not desirable.
>
> Thanks,
> Ilya.
Hi Ilya,
Short answer; yep, you can do that (easily) with Linux.
Long answer: You simply need to set up SNAT forwarding. What you need
to do (roughly) is give your Linux machine the public IP address of the
server. I am going to assume that you have two public IPs, one for the
router, and one for the server. If not, you can use port forwarding
where instead of forwarding an entire IP address you choose ports to
forward instead. Keep in mind with port forwarding only one machine can
answer each port, not both. For example, you can't run a web server on
both machines on port 80 because the incoming packets have to be told to
go to either the local machine (firewall) OR the server.
Now back to assuming you have two IPs:
Say 111.222.33.44 is your firewall's own IP and 111.222.33.45 is the
IP address that remote clients will call when they are looking for your
server. Remember that both are assigned to the Internet-facing NIC (let's
say 'eth0'). The firewall needs to have a second network card that will
face the server (or the network the server is a part of). Let's say that
the server-facing firewall NIC ('eth1') is 192.168.1.1.
You need to assign an IP within the same subnet (again let's say
'255.255.255.0'). Let's use '192.168.1.2'. At this point all of the
network configuration you need to do is done. The next step is
configuring the 'iptables' firewall. To do this you want to create a
rule that tells any request coming from the Internet calling the
server's IP address '111.222.33.45' (which the firewall answers) to be
forwarded to the internal IP '192.168.1.2'.
I wrote a paper for TLUG a little while back on firewalls. A couple
smallish problems have been found since but for what you are trying to
do it should tell you exactly what you need to do.
http://thelinuxexperience.com/whitepapers/TLE-WhitePaper_Netfilter-v1.1.pdf
Good luck and I hope this helped!
Madison
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Madison Kelly
Lead Technician
The Linux Experience
http://thelinuxexperience.com
TLE-BU; GPL Linux Backup Software
http://tle-bu.thelinuxexperience.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
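The setup Madison describes, written out as an added example (not code from the original post or from the TLE white paper). It uses the addresses and interface names from the reply; the inbound rewrite is a DNAT rule and the server's outbound traffic is SNATed back to the public service IP. The published ports (80 and 443), the ip/sysctl commands and the APPLY switch are assumptions: by default the script only prints the commands so the rule set can be reviewed, and APPLY=1 runs them (as root).

```shell
#!/bin/sh
# Constructed example: publish one public IP (held by the firewall) to an
# internal server, following the layout in the reply above.
WAN_IF=eth0                 # Internet-facing NIC
LAN_IF=eth1                 # server-facing NIC
SVC_IP=111.222.33.45        # public IP remote clients use for the server
SRV_IP=192.168.1.2          # server's internal address behind the firewall
PORTS="${PORTS:-80 443}"    # assumed: TCP ports the server should answer on

# Print each command unless APPLY=1, so the rules can be checked before use.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

forward_ip() {
  # The firewall answers for the service IP as a secondary address on eth0.
  run ip addr add "$SVC_IP/32" dev "$WAN_IF"
  run sysctl -w net.ipv4.ip_forward=1

  # Inbound: rewrite the destination so packets for the public IP reach the server.
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$SVC_IP" \
      -j DNAT --to-destination "$SRV_IP"
  # Outbound: connections the server opens appear to come from the service IP.
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$SRV_IP" \
      -j SNAT --to-source "$SVC_IP"

  # FORWARD chain: replies to tracked connections, new connections only to the
  # published ports, the server's own outbound traffic, and nothing else.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for p in $PORTS; do
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SRV_IP" \
        -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$SRV_IP" -j ACCEPT
  run iptables -A FORWARD -j DROP
}

forward_ip
```

With a single public IP the same script works if the DNAT rule is narrowed to `-p tcp --dport 80` style port matches, as Madison notes, and the SNAT rule is dropped in favour of MASQUERADE.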
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml