
firewall/bridging using IPTABLES?

kt

Diamond Member
I am not sure if this is possible using IPTABLES. Here's my setup:

I have a Linux box with 2 NICs. I have 6 public IP addresses assigned to the external interface and 1 private IP address assigned to the internal interface. There are 6 servers behind this box, each having a private IP address of their own. Is it possible for me to redirect the 6 public IP addresses to these 6 servers sitting behind the Linux box using IPTABLES? Anyone know how to do this or have links to documents on how to accomplish such a task? TIA
 
I'll be damned. After much searching on the net, I found that this could be done, but I am so surprised that NO ONE has a pre-made script to handle this (or I might've just looked in the wrong places). After reading through all the HOWTOs for iptables, I think I am going to start up the coffee machine and write this sucker up myself. Wish me luck!
 
Actually, what you're asking about is pretty easy with netfilter, as long as you fully understand the concept of how the packets traverse the tables.
 
Originally posted by: chsh1ca
Actually, what you're asking about is pretty easy with netfilter, as long as you fully understand the concept of how the packets traverse the tables.

Yes, I spent the whole night reading up on iptables/netfilter and this is what I came up with in terms of how packets flow through the code in the kernel.

network packets from outside of firewall => mangle/PREROUTING => nat/PREROUTING

At this point, the packets either go through filter/FORWARD or:

=> filter/INPUT => local process => mangle/OUTPUT => nat/OUTPUT => filter/OUTPUT

The difference between the two paths is that packets going through filter/FORWARD are not meant for the firewall and, you guessed it, the packets going through filter/INPUT are meant for the firewall, if you have services running on the firewall itself.

Packets coming out of filter/FORWARD or filter/OUTPUT will go through nat/POSTROUTING before they head out of the firewall.

In my case, the firewall does not run any services, so the packets will always traverse filter/FORWARD, which made it a lot easier for me to secure the firewall. I just drop all unsolicited packets by default and punch holes in the firewall for the internal servers. All 6 servers I mentioned above are webservers, so I only need to open up the HTTP and HTTPS ports to these servers. Since I wanted a 1:1 mapping, using DNAT/SNAT is the way to go, according to the docs. This is done using the nat/PREROUTING and filter/FORWARD policies to direct the packets to the appropriate internal webservers. For traffic to flow the other way (internal webservers sending responses to requests), I use the nat/POSTROUTING policy to direct packets from the internal webservers to their respective public IP address. I haven't tested the script I wrote yet, but once I have it working and fully tested I'll share it with you guys 🙂
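The 1:1 mapping discussed in this thread, written out as an added example (this is not the poster's script, which was never shared here): each public address is DNATed to one internal server in nat/PREROUTING, filter/FORWARD accepts only new TCP connections to 80/443 and matches on the already-translated private destination, and a SNAT rule in nat/POSTROUTING gives connections the servers open themselves their public address. Reply packets for DNATed connections do not depend on that SNAT rule: connection tracking reverses the DNAT on them by itself, and NAT rules are only consulted for the first packet of a connection. Interface names (eth0 outside, eth1 inside), the sample addresses (TEST-NET-3 and RFC 1918 ranges) and the dry-run default are assumptions; with DRY_RUN=1, the default, the script only prints the commands it would run, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the poster's script: 1:1 NAT for a list of
# public:private address pairs, limited to HTTP/HTTPS, default-DROP FORWARD.
# Assumptions: eth0 faces the Internet, eth1 the LAN, the addresses are
# constructed sample data, and DRY_RUN=1 prints instead of applying.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"
# public_ip:private_ip pairs, one per server behind the box (constructed)
MAPPINGS="${MAPPINGS:-203.0.113.10:192.168.1.10 203.0.113.11:192.168.1.11 203.0.113.12:192.168.1.12}"

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_firewall() {
    # Forwarding must be enabled or the FORWARD chain is never reached.
    run sysctl -w net.ipv4.ip_forward=1

    # Start from a clean slate with closed default policies.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # The box runs no services, but it still needs loopback and the replies
    # to its own outbound traffic (DNS, package updates).
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Forwarded traffic: drop packets conntrack cannot classify, accept
    # tracked connections in both directions, and refuse private source
    # addresses arriving on the public side (spoofing).
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done

    for pair in $MAPPINGS; do
        pub="${pair%%:*}"
        priv="${pair##*:}"

        # nat/PREROUTING: rewrite the public destination to the server's
        # private address before the routing decision is made.
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" \
            -j DNAT --to-destination "$priv"

        # filter/FORWARD sees the packet after DNAT, so match the private
        # address; only new TCP connections to 80/443 are let through.
        run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$priv" \
            -p tcp -m multiport --dports 80,443 \
            -m conntrack --ctstate NEW -j ACCEPT

        # Let the server open outbound connections of its own (remove this
        # rule if the web servers must not talk out).
        run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$priv" \
            -m conntrack --ctstate NEW -j ACCEPT

        # nat/POSTROUTING: connections the server initiates leave with its
        # public address. Replies to DNATed connections do not need this;
        # conntrack undoes the DNAT on them automatically.
        run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" \
            -j SNAT --to-source "$pub"
    done
}

build_firewall
```

Run it as root with `DRY_RUN=0` to apply the rules; `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` then show per-rule packet counters, which is the quickest way to confirm that a test request from outside hits the DNAT rule and the matching FORWARD accept. If `/proc/sys/net/ipv4/ip_forward` reads 0, nothing is forwarded regardless of the rules.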
 