External address forwarding

Madison Kelly linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Thu Oct 28 22:30:35 UTC 2004


Ilya Palagin wrote:
> Hi,
> 
> I'm trying to find solution for an iptables related task.  There is a server
> with external address, which is supposed to be behind a Linux firewall soon. 
> Right now it's behind the Sonicwall firewall, which provides with address
> forwarding.  It means the following:
> 
> Internet <---> 198.182.196.56_Sonicwall_172.18.1.1 <---> 198.182.196.56_Server
> 
> Is there a way to set up the same with Linux?  I know that this layout is not
> correct and the Server's address must belong to the internal network, but
> reasons for doing this are:
> 1.It works with Sonicwall (which sucks), why shouldn't it work with Linux?
> 2.It'll take time to reconfigure the Server, any down time is not desirable.
> 
> Thanks,
> Ilya.

Hi Ilya,

   Short answer; yep, you can do that (easily) with Linux.

   Long answer: You need to simply setup SNAT forwarding. What you need 
to do (roughly) is give your Linux machine the public IP address of the 
server. I am going to assume that you have two public IPs, one for the 
router, and one for the server. If not, you can use port forwarding 
where instead of forwarding an entire IP address you choose ports to 
forward instead. Keep in mind with port forwarding only one machine can 
answer each port, not both. For example, you can't run a web server on 
both machines on port 80 because the incoming packets have to be told to 
go to either the local machine (firewall) OR the server.

   Now back to assuming you have two IPs:

   Say 111.222.33.44 is your firewall's own IP and 111.222.33.45 is the 
IP address that remote clients will call when they are looking for your 
server. Remember that both are assigned to the Internet-facing NIC (let's 
say 'eth0'). The firewall needs to have a second network card that will 
face the server (or the network the server is a part of). Let's say that 
the server-facing firewall NIC ('eth1') is 192.168.1.1.

   You need to assign an IP within the same subnet (again let's say 
'255.255.255.0'). Let's use '192.168.1.2'. At this point all of the 
network configuration you need to do is done. The next step is 
configuring the 'iptables' firewall. To do this you want to create a 
rule that tells any request coming from the Internet calling the 
server's IP address '111.222.33.45' (which the firewall answers) to be 
forwarded to the internal IP '192.168.1.2'.

   I wrote a paper for TLUG a little while back on firewalls. A couple 
smallish problems have been found since but for what you are trying to 
do it should tell you exactly what you need to do.

http://thelinuxexperience.com/whitepapers/TLE-WhitePaper_Netfilter-v1.1.pdf

Good luck and I hope this helped!

Madison

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Madison Kelly
Lead Technician
The Linux Experience
http://thelinuxexperience.com

TLE-BU; GPL Linux Backup Software
http://tle-bu.thelinuxexperience.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
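The forwarding setup described in the reply, as an added example that is not part of the thread or the author's white paper: a script that generates the netfilter ruleset in iptables-restore format so it can be reviewed before loading. It uses the example addresses from the reply and assumes a /24 netmask on the public range and that the server's default gateway is moved to 192.168.1.1 on eth1.

```shell
#!/bin/sh
# Generate the netfilter ruleset that forwards a second public IP held by the
# firewall to an internal host (constructed example using the reply's addresses).
# The ruleset is printed, not applied; review it, then load with:
#   sh this_script.sh | iptables-restore --noflush
# The host also needs the second address on the WAN NIC and forwarding enabled
# (assumed /24 mask; not done here):
#   ip addr add 111.222.33.45/24 dev eth0 ; sysctl -w net.ipv4.ip_forward=1
WAN_IF=eth0           # Internet-facing NIC, carries both public IPs
LAN_IF=eth1           # server-facing NIC (192.168.1.1)
SRV_PUB=111.222.33.45 # public address remote clients use for the server
SRV_INT=192.168.1.2   # server's new internal address

# Emit the nat and filter tables as iptables-restore input.
build_rules() {
    wan_if=$1; lan_if=$2; srv_pub=$3; srv_int=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound: rewrite the destination so packets for the public IP reach the server.
-A PREROUTING -i $wan_if -d $srv_pub -j DNAT --to-destination $srv_int
# Outbound: connections the server opens leave with its old public address,
# so external hosts keep seeing the same IP as before the move.
-A POSTROUTING -o $wan_if -s $srv_int -j SNAT --to-source $srv_pub
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Only forward traffic to the server and its replies; adding --dport here is
# where exposure is narrowed to the services that should be reachable.
-A FORWARD -i $wan_if -o $lan_if -d $srv_int -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $srv_int -j ACCEPT
COMMIT
EOF
}

# Self-check helper: number of generated rules jumping to a given target.
count_target() {
    build_rules "$WAN_IF" "$LAN_IF" "$SRV_PUB" "$SRV_INT" | grep -c -- "-j $1"
}

build_rules "$WAN_IF" "$LAN_IF" "$SRV_PUB" "$SRV_INT"
```

Replies to DNAT'd connections are un-translated by connection tracking, so the POSTROUTING SNAT rule only affects connections the server initiates itself.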