Can SuSEFirewall2 be easily set to perform NAT, the same way Cisco IOS in a PIX firewall can?

Specifically, for a particular client we are considering hosting internally several public web servers. These web servers would each need to have a public IP address (of course), but the web servers themselves would be ignorant of their public IP addresses. The web servers would each be configured with a private IP address (so LAN users can update the web sites), and the firewall would then forward packets for public IP address "A" to web server "A", etc.

Is this possible (or have I made what I am trying to accomplish clear?) :-)

Thanks!

_____________________________________________
A Message From...
L. Mark Stone
Reliable Networks of Maine, LLC
477 Congress Street, 5th Floor
Portland, ME 04107
Tel: (207) 772-5678
Cell: (917) 597-2057
Email: LMStone@RNoME.com
Private: LMStone@LMStone.com
Web: http://www.rnome.com
I'd personally use a Cisco router if available to do static NAT, which is what I guess you're asking for. It's most likely called 'masquerading' in Linux terms, so you probably have to have this in your fw config:

    FW_FORWARD_MASQ="194.168.1.2,192.168.1.2,tcp,80"

194.x.x.x being the public IP assigned to your server and 192.x.x.x being the private IP assigned to the same server.

If I'm wrong somebody pls correct me :).

Martin
Martin wrote:

> I'd personally use a Cisco router if available to do static NAT, which is what I guess you're asking for. It's most likely called 'masquerading' in Linux terms, so you probably have to have this in your fw config:
>
>     FW_FORWARD_MASQ="194.168.1.2,192.168.1.2,tcp,80"
>
> 194.x.x.x being the public IP assigned to your server and 192.x.x.x being the private IP assigned to the same server.
>
> If I'm wrong somebody pls correct me :).

No - there's much much more "NAT" than just masquerading. See http://www.suse.de/~mha/linux-ip-nat/diplom/nat.html

He needs n:n static translation. While I wrote doc and code for that many many years ago I don't know what's in current kernels at all :-(

Michael
-----Original Message-----
From: Michael Hasenstein [mailto:mha@suse.com]
Sent: Thursday, May 22, 2003 11:31 AM
To: Martin
Cc: suse-linux-e@suse.com
Subject: Re: [SLE] Network Address Translation
Michael,

I need only static NAT.

There are several separate web servers with public IP addresses (i.e. proper A records in public DNS) and which are now directly exposed to the Internet. The internal network is protected by a firewall, and all machines on the internal network have private IP addresses. The network is connected to the Internet via a T-1 with a half dozen usable fixed, public IP addresses.

So, right now the client has the T-1 DSU/CSU connected to a switch, and then the firewall and the public web servers plug in to the switch.

I want to move the web servers behind the firewall, give them private IP addresses (which makes updating their content from the LAN much easier), and have the firewall forward traffic destined for their public IP addresses to the servers which will have (going forward) only private IP addresses. In other words, have the T-1 DSU/CSU connect to the WAN ethernet card on the firewall, have the LAN ethernet card on the firewall plug in to the switch, and then have the web servers and the rest of the internal network connect to the switch. (We may or may not subnet the web servers.)

We do this with Cisco PIX firewalls all the time. It's easy, and there's only one firewall to configure.

BTW, nice article!

L. Mark Stone
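As an added illustration (not code from the thread, and not SuSEFirewall2's own code), here is what Michael's "n:n static translation" looks like as raw iptables rules for the layout Mark describes: the T-1 on the firewall's WAN card, the LAN card on the switch, and one public address per web server. Interface names, the three public/private address pairs and the port are assumptions; the public addresses are taken from the 198.51.100.0/24 documentation range. The functions print the rules instead of applying them, so the output can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSEFirewall2: static n:n
# NAT as iptables rules. Interface names, address pairs and the port are
# assumptions. Functions print the rules rather than applying them; to
# apply, run the printed output as root.

EXTIF="eth0"            # assumed WAN interface (DSU/CSU side)
INTIF="eth1"            # assumed LAN interface (switch side)
IPTABLES="iptables"

# Constructed "public_ip private_ip" pairs, one web server per line.
NAT_MAP="198.51.100.10 192.168.1.10
198.51.100.11 192.168.1.11
198.51.100.12 192.168.1.12"

# Rules for one pair. Inbound: packets arriving on the WAN side for the
# public address are DNATed to the private host. Outbound: packets from that
# host leaving via the WAN side get *its* public address as source (SNAT).
# MASQUERADE would instead stamp the firewall's own address on them; the
# DNAT+SNAT pair is what makes the translation static and 1:1. FORWARD only
# admits TCP/80 to the server and its replies back out; the DROP policy
# below covers everything else sent to the public address.
static_nat_rules() {
    pub="$1"; priv="$2"
    echo "$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $pub -j DNAT --to-destination $priv"
    echo "$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $priv -j SNAT --to-source $pub"
    echo "$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -d $priv -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $priv -m state --state ESTABLISHED -j ACCEPT"
}

# The complete rule set as text.
generate_ruleset() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "$IPTABLES -P FORWARD DROP"
    echo "$NAT_MAP" | while read -r pub priv; do
        if [ -n "$pub" ]; then
            static_nat_rules "$pub" "$priv"
        fi
    done
}

# Sanity checks on the generated text: one DNAT and one SNAT per mapping.
count_dnat() { generate_ruleset | grep -c -- '-j DNAT'; }
count_snat() { generate_ruleset | grep -c -- '-j SNAT'; }

generate_ruleset
```

Two things the rules alone do not take care of: the public addresses have to terminate on the firewall's WAN side (either the ISP routes the block to the firewall, or each address is configured as an additional address on the WAN interface so the firewall answers ARP for it), and a server that needs to open connections of its own to the Internet needs a further FORWARD rule in the LAN-to-WAN direction. Martin's FW_FORWARD_MASQ entry corresponds roughly to the inbound DNAT line only; it is the added SNAT line that makes the translation static rather than masqueraded.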
L. Mark Stone wrote:

> I need only static NAT.

Yes, I understood that ;-) ...

> I want to move the web servers behind the firewall, give them private IP addresses (which makes updating their content from the LAN much easier), and have the firewall forward traffic destined for their public IP addresses to the servers which will have (going forward) only private IP addresses.

There are user level gateways for just that purpose too. I guess when it comes to really high bandwidth webservers IP NAT rules but it's just another option. Look for package "rinetd".

> In other words, have the T-1 DSU/CSU connect to the WAN ethernet card on the firewall, have the LAN ethernet card on the firewall plug in to the switch, and then have the web servers and the rest of the internal network connect to the switch. (We may or may not subnet the web servers.)
>
> We do this with Cisco PIX firewalls all the time. It's easy, and there's only one firewall to configure.

Whether or not it's good security policy to have internal machines (which the webservers are in this setup) exposed in such a way or if you should add another firewall to have them on their own network between the firewalls is another topic...

Michael
--- Michael Hasenstein wrote:
> Whether or not it's good security policy to have internal machines (which the webservers are in this setup) exposed in such a way or if you should add another firewall to have them on their own network between the firewalls is another topic...
This is why we have DMZ ... can SuSeFirewall2 do something like this?

    internet<->dmz      -> NAT1 + routing
    internet<->intranet -> NAT2 + routing
    intranet<->dmz      -> routing

Martin
<snip>

> I want to move the web servers behind the firewall, give them private IP addresses (which makes updating their content from the LAN much easier), and have the firewall forward traffic destined for their public IP addresses to the servers which will have (going forward) only private IP addresses. In other words, have the T-1 DSU/CSU connect to the WAN ethernet card on the firewall, have the LAN ethernet card on the firewall plug in to the switch, and then have the web servers and the rest of the internal network connect to the switch. (We may or may not subnet the web servers.)
Hmm, sounds kinda similar to a setup I just made. Firewall connected to the Internet via eth0, connected to LAN router via eth1. Not sure if this will help you but I was able to run web/email/ftp server on the private LAN using iptables rules:

    IPTABLES="/usr/sbin/iptables"   # defined elsewhere in the full script; shown so the fragment stands alone
    EXTIF="eth0"
    INTIF="eth1"
    SERVER="192.168.0.2"

    # Enabling SNAT (MASQUERADE) functionality on $EXTIF
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    # DNAT everything except DNS (handled locally); the tcp rule needs the
    # same port-53 exclusion as the udp rule, or TCP DNS is sent to $SERVER too
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport ! 53 -j DNAT --to $SERVER
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport ! 53 -j DNAT --to $SERVER

Of course, this is only part of the firewall script... I wanted both public and private DNS so I decided to run the public DNS on the firewall box to avoid conflicts with the private DNS on the LAN. Yes, this would have been better accomplished with a DMZ, but it's such a small network that I didn't want to go through that much more trouble.

Josh
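As an added example (not code from the thread or from SuSEFirewall2), this is the three-zone layout Martin sketches, and the DMZ Josh says he skipped, written as an iptables rule generator: NAT1 is a static 1:1 translation per DMZ host, NAT2 is masquerading for the intranet, and intranet<->dmz is plain routing. What it adds to the rules Josh posted is the FORWARD policy between the zones, which is where a DMZ earns its keep: the DMZ hosts can answer the LAN but cannot open connections into it. Interface names, addresses, the host list and the policy table are all assumptions; addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the thread: three-zone firewall
# (internet / dmz / intranet) as iptables rules. Every interface name,
# address and policy row below is an assumption. Functions print the rules
# instead of applying them, so the policy can be reviewed and tested
# without root; run the output as root to apply it.

EXTIF="eth0"             # assumed: internet side
DMZIF="eth1"             # assumed: DMZ with the public web servers
LANIF="eth2"             # assumed: intranet
LANNET="192.168.1.0/24"  # assumed intranet network
IPTABLES="iptables"

# Constructed DMZ hosts, "public_ip private_ip" per line (NAT1: static 1:1).
DMZ_MAP="198.51.100.10 10.0.0.10
198.51.100.11 10.0.0.11"

# Zone policy, one row per direction: "from_if to_if how [proto dport]".
#   new   = may initiate connections (replies are implied)
#   reply = only replies to connections the other side initiated
# The dmz->intranet row is the point of the exercise: a compromised web
# server can answer the LAN but cannot start a connection into it.
POLICY="$EXTIF $DMZIF new tcp 80
$DMZIF $EXTIF reply
$LANIF $EXTIF new
$EXTIF $LANIF reply
$LANIF $DMZIF new
$DMZIF $LANIF reply"

# One FORWARD rule for a policy row.
forward_rule() {
    from="$1"; to="$2"; how="$3"; proto="$4"; port="$5"
    match=""
    if [ -n "$proto" ]; then
        match=" -p $proto --dport $port"
    fi
    case "$how" in
        new)   states="NEW,ESTABLISHED,RELATED" ;;
        reply) states="ESTABLISHED,RELATED" ;;
        *)     echo "unknown policy: $how" >&2; return 1 ;;
    esac
    echo "$IPTABLES -A FORWARD -i $from -o $to$match -m state --state $states -j ACCEPT"
}

nat_rules() {
    # NAT1: DNAT in and SNAT out per DMZ host, so each keeps its own public
    # address in both directions (the SNAT line matters as soon as a DMZ
    # host is allowed to initiate traffic to the internet).
    echo "$DMZ_MAP" | while read -r pub priv; do
        if [ -n "$pub" ]; then
            echo "$IPTABLES -t nat -A PREROUTING -i $EXTIF -d $pub -j DNAT --to-destination $priv"
            echo "$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $priv -j SNAT --to-source $pub"
        fi
    done
    # NAT2: the whole intranet shares the firewall's address.
    echo "$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $LANNET -j MASQUERADE"
    # intranet<->dmz is plain routing: no nat table entry at all.
}

# The complete rule set as text.
generate_ruleset() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "$IPTABLES -P FORWARD DROP"
    nat_rules
    echo "$POLICY" | while read -r from to how proto port; do
        if [ -n "$from" ]; then
            forward_rule "$from" "$to" "$how" "$proto" "$port"
        fi
    done
}

# Regression check on the policy: can zone $1 open new connections into
# zone $2 according to the generated rules? Exit status 0 = yes, 1 = no.
can_initiate() {
    generate_ruleset | grep -q -- "-i $1 -o $2.* --state NEW"
}

generate_ruleset
```

The policy table is the part worth keeping under review: adding a row such as "$DMZIF $EXTIF new" (say, for package updates from the web servers) is a one-line change, and can_initiate makes it cheap to check that the dmz->intranet direction is still closed after every edit.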
participants (4): Josh Trutwin, L. Mark Stone, Martin, Michael Hasenstein