Re: [fw-wiz] Non-NAT Firewall

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 11/18/05

    To: Sigurd Urdahl <sigurdur@linpro.no>
    Date: Fri, 18 Nov 2005 11:37:47 -0500 (EST)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Thu, 11 Nov 2005, Sigurd Urdahl wrote:

    > Nathaniel Hall <nathaniel.d.hall@gmail.com> writes:
    >
    >> Alright, this is a bit tough to explain, so I will try my best.
    >>
    >> I am currently running a CheckPoint-NG firewall with three interfaces.
    >> Interface 1 goes to DMZ 1 (public IP addressing and Internet facing),
    >> interface 2 goes to DMZ 2 (public IP addressing) and interface 3 goes to
    >> the internal network (private IP addressing). The CheckPoint FW does
    >> not perform NAT. That allows me to review logs of servers in DMZ 1
    >> without having to figure out what internal IP was NATed.
    >>
    >> Now, for my problem. I would like to be able to have the same
    >> functionality using NetFilter, but I have not been able to figure out
    >> how to do this without masquerading or using DNAT and SNAT. Any ideas?
    >
    > I don't get it. You say the CP box doesn't do NAT. But I assume you
    > still have the internal clients accessing the Internet NATed?
    >
    > If what you want is to have traffic from the internal net not be NATed
    > if going to one of the DMZs, but NATed if going to the internet, you
    > should probably be able to do something like this:
    >
    > iptables -t nat -A POSTROUTING --source $INTERNAL --destination $DMZ1 -j ACCEPT
    > iptables -t nat -A POSTROUTING --source $INTERNAL --destination $DMZ2 -j ACCEPT
    > iptables -t nat -A POSTROUTING --source $INTERNAL -j SNAT --to-source $EXTERNAL_IP
    >
    > with $DMZ1, $DMZ2 and $INTERNAL being the different nets, e.g.
    > 10.12.25.0/24 and $EXTERNAL_IP being the address on the firewall that
    > you want the clients to come through when going out on the
    > Internet. And of course you'll have to adjust the targets, you most
    > likely will want to jump to a chain with rules instead of to
    > ACCEPT. And make those chains end in a DROP or something, otherwise
    > packets might fall through and hit the DNAT-rule.
    >
    >
    > Disclaimer: I haven't tested that this actually works (need to rebuild
    > that testbox:-), but at least iptables doesn't complain when I try
    > to add those kinds of rules to my workstation.

    I keep getting the impression that NAT is taking place at least for eth2;

    "interface 3 goes to the internal network (private IP addressing)"

    And if my reading is correct then it's likely 1:1 NAT rather than mere
    masq or other forms of NAT, which is really poorly documented in the
    linux/iptables literature. We found that some iproute2 majik was required
    to do 1:1 NAT under iptables;

         ip addr add {public address} dev ${outside}

    one such command per external address mapped to an inside private
    address, with pretty much open forwarding rules <-j ACCEPT>, in addition
    to the post/pre:routing rules within the iptables rulesets.

    the documentation on functionality between iptables and the various iproute2
    utilities is poor, lacking at best, but if one taps the right folks with
    the right info they can get some of the majik chants required. iptables-
    specific issues are likely best addressed to the netfilter mailing list.

    Of course, since we are reading here on the quick in work mode, perhaps
    I've missed something and am entirely off-base here.

    Thanks,

    Ron DuFresne
    - --
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             admin & senior security consultant: sysinfo.com
                             http://sysinfo.com
    Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

    ...We waste time looking for the perfect lover
    instead of creating the perfect love.

                     -Tom Robbins <Still Life With Woodpecker>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFDfgNest+vzJSwZikRAtMTAJ9LL5DcZBUVq0luXGxbGkcDHY0WdwCfR6El
    1H4ztWfpEUgLRO+pxKaBKW0=
    =iSNJ
    -----END PGP SIGNATURE-----
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
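The two halves of this thread, Sigurd's sketch of "no NAT toward the DMZs, hide-NAT toward the Internet" and Ron's note that 1:1 NAT under netfilter needs an `ip addr add` on the outside interface plus PREROUTING/POSTROUTING rules, fit together in one rule set. The script below is an added example written for this page, not code posted by either of them or by the netfilter project. The interface name eth0, the RFC 5737 documentation prefixes, the mapped host 10.12.25.20 and the variable names are constructed placeholders; only the 10.12.25.0/24 internal net comes from the thread. It prints the commands instead of executing them so the result can be reviewed before it is fed to `sh`:

```shell
#!/bin/sh
# Added example: build the iproute2 + iptables commands for a three-legged,
# mostly non-NAT firewall (internal <-> DMZ untranslated, internal -> Internet
# hidden behind one address, one internal host with a 1:1 public mapping).
# All addresses and interface names below are constructed placeholders.

EXT_IF=eth0                 # assumed Internet-facing interface
INTERNAL=10.12.25.0/24      # internal net (from the thread)
DMZ1=198.51.100.0/24        # stands in for the public DMZ 1 range
DMZ2=203.0.113.0/24         # stands in for the public DMZ 2 range
EXTERNAL_IP=192.0.2.10      # firewall's own outside address used for hide-NAT

ONE2ONE_PUB=192.0.2.20      # public side of the 1:1 mapping
ONE2ONE_PRIV=10.12.25.20    # internal host behind that public address

# Emit the nat-table commands. Order matters: netfilter consults the nat
# table only for the first packet of a connection and then applies the same
# decision to the rest, so "leave alone" rules must come before the SNAT.
build_nat_rules() {
    cat <<EOF
# The box must own (and answer ARP for) the extra public address; this is
# the iproute2 step that the iptables documentation tends to leave out.
ip addr add $ONE2ONE_PUB/32 dev $EXT_IF

# Flush the nat table so re-running the script does not stack rules.
iptables -t nat -F

# Inbound half of the 1:1: rewrite the public address to the inside host.
iptables -t nat -A PREROUTING -i $EXT_IF -d $ONE2ONE_PUB -j DNAT --to-destination $ONE2ONE_PRIV

# Internal -> DMZ traffic is left untranslated so DMZ server logs show the
# real internal address. An accept target in nat/POSTROUTING just means
# "stop here, no translation" for this connection.
iptables -t nat -A POSTROUTING -s $INTERNAL -d $DMZ1 -j ACCEPT
iptables -t nat -A POSTROUTING -s $INTERNAL -d $DMZ2 -j ACCEPT

# Outbound half of the 1:1: the mapped host always appears as its own public
# address, so this must precede the catch-all hide-NAT below.
iptables -t nat -A POSTROUTING -s $ONE2ONE_PRIV -o $EXT_IF -j SNAT --to-source $ONE2ONE_PUB

# Everything else from the internal net that exits toward the Internet is
# hidden behind the firewall's address.
iptables -t nat -A POSTROUTING -s $INTERNAL -o $EXT_IF -j SNAT --to-source $EXTERNAL_IP
EOF
}

# Translation and permission are separate decisions: the filter table still
# needs a default-deny FORWARD policy with explicit allows. Note that the
# inbound 1:1 allow matches the *translated* (private) destination, because
# nat/PREROUTING has already run by the time FORWARD sees the packet.
build_filter_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $INTERNAL -o $EXT_IF -j ACCEPT
iptables -A FORWARD -s $INTERNAL -d $DMZ1 -j ACCEPT
iptables -A FORWARD -s $INTERNAL -d $DMZ2 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -d $ONE2ONE_PRIV -j ACCEPT
EOF
}

# Quick sanity check: how many nat rules actually rewrite addresses.
# Expect 3 (one DNAT, two SNAT); anything more means a stray translation.
count_translating_rules() {
    build_nat_rules | grep -c -E -e '-j (SNAT|DNAT)'
}

build_nat_rules
build_filter_rules
```

Review the output, then apply it with `sh -c "$(build_nat_rules; build_filter_rules)"` or by piping both functions to `sh` on the firewall. The point of the ACCEPT rules sitting in nat/POSTROUTING (rather than PREROUTING) is that they and the SNAT are evaluated in the same chain, so DMZ-bound connections are marked "untranslated" before the hide-NAT rule can touch them.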

