[Gllug] Routing and packetfiltering public IPs

Anthony Newman anthony.newman at uk.clara.net
Sat Nov 26 11:29:38 UTC 2005


Dylan wrote:
> Hi All, 
> 
> I currently run a network comprising several desktop machines, a server 
> and a gateway connected to the wild by ADSL. The fixed public IP is 
> passed to the gateway's external interface by the ADSL router and the 
> gateway does packet filtering, NAT, etc... The ADSL router will only 
> connect to one machine when it is in bridging mode.
> 
> I'm looking to get an 8 IP block but I'm not at all clear as to how to 
> configure the gateway for them. There are more machines on the internal 
> network than available IP addresses (5 addresses, discounting the 
> network address, broadcast and router, and eight machines.) I intend to 
> assign the addresses to a DMZ mail and ftp server and the remaining 4 
> to four of the desktop boxes.

This is fairly trivial, although the iptables (I assume) incantations 
for all of it are probably not immediately apparent if you haven't done 
it before. The main issue will be whether your ADSL router is able to 
route a block of IP addresses, as if you are using a single IP address 
from your ISP at the moment, it may be a vanilla single routable IP or a 
block of 4 (aka 2 usable; one for the router in PPPoA mode) with a 
framed IP address used for routing. Most routers will cope with blocks.


> So, any comments on the following options? I'm particularly interested 
> to overcome NAT problems with applications like VoIP and IM etc. while 
> creating the least complication for nfs and NIS.
> 
> A - All 5 boxes with public IPs connected to the router, with the 
> gateway routing from the private IP network and NATing etc. This would 
> mean configuring and maintaining the firewalls on each machine.

If you NAT to private IPs, you still lose out. If you simply route 
(which confusingly comes under NAT in iptables), you can still filter 
packets just the same for single firewall justice.


> B - Having the gateway masquerade internal addresses such that 5 are 
> associated with specific internal IPs and the other machines are NATed 
> as usual.

This is similar, but you are definitely using internal private 
addresses, which you don't want to for your NAT-sensitive (broken) 
protocols.

You can go for a mixture of direct NAT and masquerading, but this will 
of course necessitate 2 separate network segments, so you then have to 
cope with routing between them, but that isn't too much of a headache.



> C - Having the gateway filter all traffic, but pass on the public IPs to 
> their destinations while NATing other machines. Maybe using IP aliases 
> on the boxes with public IPs to place them on the private network.

Ah, I jumped the gun a bit. Yes and no. Running 2 separate net blocks 
over the same physical cable will cause you headaches - don't do it. 
Stick an extra network card in your gateway machine for private 
addresses, and set up appropriate iptables rules to make it transparent 
as required.

This works for your DMZ too; if you want limited connectivity to your 
publicly-addressed workstations from the DMZ for security, you can run 
yet-another network segment which is NATted 1:1 with public to private 
IP addresses, so your FTP and mail servers have a "static", routable 
address, but don't live on the same segment as your workstations. More 
network cards again, but they're cheap :-)


> Are there any other options? I've read through a pile of docs but at the 
> moment it all seems a mush of info.

It really depends exactly which machines need to talk to what else 
internally, and which ones need real IP addresses to support broken 
protocols, and which could do without.

Ultimately, the simplest solution in my eyes would be to get the next 
bigger IP address block, run everything with routable IP addresses, and 
firewall/packet filter on the gateway machine. This is slightly 
contentious; throwing away routable addresses on internal machines is 
not really the recommended course of action, but at the end of the day, 
blocks of addresses are still being thrown away willy-nilly on any ADSL 
customer that requests them, so it wouldn't be all bad :-)

I have a linux machine here at home with an internal ADSL card, and a 
routable (/28) internal network which is firewalled, and a privately 
addressed network which has limited access to the outside and is 
masqueraded. It works a treat :-)

If you need any details about how to do something like that, just shout. 
Basically the possibilities are endless, and consequently configuring 
the thing can be a bit confusing, to say the least, but it is incredibly 
powerful and flexible; not to mention satisfying when it finally works :-)


Anthony
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
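As an added illustration (not from Anthony's or Dylan's mail), here is a sketch of the iptables ruleset for the gateway layout Anthony describes: a routed, filtered public /29 segment, a DMZ that is NATted 1:1 onto private addresses, and a masqueraded private segment, each on its own network card. Interface names, the TEST-NET-3 block 203.0.113.8/29 and the private ranges are assumptions; the script prints the rules by default and only applies them when run with `apply`.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, the
# TEST-NET-3 block 203.0.113.8/29 and the private ranges are assumptions.
WAN=ppp0                 # ADSL link (PPPoA/PPPoE)
PUB=eth0                 # routable /29: publicly addressed workstations
DMZ=eth1                 # DMZ segment, privately addressed, NATted 1:1
PRIV=eth2                # private segment, masqueraded
PUB_NET=203.0.113.8/29
PRIV_NET=192.168.1.0/24
MAIL_PUB=203.0.113.10; MAIL_DMZ=10.0.1.10
FTP_PUB=203.0.113.11;   FTP_DMZ=10.0.1.11
IPT=${IPT:-iptables}     # set IPT="echo iptables" for a dry run

rules() {
  # Nothing is forwarded unless a rule below says so.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Routed public segment: plain forwarding, filtered here. Nothing new from
  # the WAN is accepted, so the workstations need no firewall of their own.
  $IPT -A FORWARD -i $PUB -o $WAN -s $PUB_NET -j ACCEPT
  # Private segment may reach the routable LAN (NFS/NIS servers live there).
  $IPT -A FORWARD -i $PRIV -o $PUB -s $PRIV_NET -j ACCEPT
  # DMZ: each public address maps 1:1 to a private one in both directions,
  # so the servers keep a static routable address off the workstation LAN.
  for pair in $MAIL_PUB:$MAIL_DMZ $FTP_PUB:$FTP_DMZ; do
    pub=${pair%:*}; dmz=${pair#*:}
    $IPT -t nat -A PREROUTING  -i $WAN -d $pub -j DNAT --to-destination $dmz
    $IPT -t nat -A POSTROUTING -o $WAN -s $dmz -j SNAT --to-source $pub
  done
  $IPT -A FORWARD -i $WAN -o $DMZ -d $MAIL_DMZ -p tcp --dport 25 -j ACCEPT
  $IPT -A FORWARD -i $WAN -o $DMZ -d $FTP_DMZ  -p tcp --dport 21 -j ACCEPT
  $IPT -A FORWARD -i $DMZ -o $WAN -j ACCEPT
  # A compromised DMZ host must not open connections to either LAN.
  $IPT -A FORWARD -i $DMZ -o $PUB  -j DROP
  $IPT -A FORWARD -i $DMZ -o $PRIV -j DROP
  # Private segment: hidden behind the gateway's WAN address.
  $IPT -t nat -A POSTROUTING -o $WAN -s $PRIV_NET -j MASQUERADE
  $IPT -A FORWARD -i $PRIV -o $WAN -s $PRIV_NET -j ACCEPT
}

# Number of iptables invocations the ruleset produces (dry run).
rule_count() { ( IPT="echo iptables"; rules ) | wc -l | tr -d ' '; }

if [ "${1:-}" = apply ]; then
  sysctl -w net.ipv4.ip_forward=1 && rules
else
  ( IPT="echo iptables"; rules )   # default: print, don't touch the kernel
fi
```

Run it without arguments first and read the printed commands; the FORWARD policy of DROP means anything not listed (including new connections from the WAN to the workstations) is refused.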