Forum OpenACS Q&A: Setting up firewall with a range of ports?

I'm setting up my webserver at home now, on a DSL line, and I'm curious... my ISP gives me a block of 4 or 5 IP addresses. Yet when I set up my eth0, don't you set it to just one IP address? I'd like to be able to port forward each of the IP addresses to the appropriate server.

External Network (BAD)
           |
           |
       eth0|
    ---------------
    | all 5 external IPs|
    |             |eth0
    |             |
    |             |
    |             |
    |10.1.1.1 
    ---------------   
           | eth1
           |       
           |       
           |

  Several servers to port forward to
Any suggestions?
Jade, I don't understand your question well, but I guess what you want is to have a different IP for each server. That is all you need to do: the first server will have the DSL internet connection, which it will share with the other servers through a hub, so just assign a specific IP to each server and that's it! (Configure the DNS correctly on each one.)
What you need to be sure of is to share the internet connection.
Posted by Jade Rubick on
Well, I see a few ways I could do this:

Possibility #1

External Network (BAD)
           |
           |1.2.3.4-9
           |
    ---------------
    | router      |
    ---------------------
    |1.2.3.4  |1.2.3.5   | 1.2.3.6
    |         |          |
  server1  server2     old pc
The problem with this setup is there is no firewall :(

Possibility #2

           |
           |1.2.3.4-9
           |
    ---------------
    | router      |
    ---------------
           |1.2.3.4-9
           |
    ---------------
    |     eth0    |
    |  firewall   |
    |             |
    ---------------
    |eth1    |eth2
    |        
    |         
   switch      switch
    |             
    |              
  server1          home network
   @ 1.2.3.4
  server2
   @ 1.2.3.5
  server3
   @ 1.2.3.6
What I guess I'm curious about is that in the past, I've always set up eth0 to listen to one IP address, say 1.2.3.4. Is there a way I can have it listen to the range of ports from 1.2.3.4-9, and then assign these out to server1-3?
Posted by David Walker on
You can set up the firewall to listen to all 5 IP addresses and port forward the services you need from the firewall to the computers with the servers using ipmasqadm or a proxy program.
Posted by Stephen . on
If you're using RedHat you can bind multiple addresses (not ports) to one interface by creating a file similar to the following:
cd /etc/sysconfig/network-scripts/
cat ifcfg-eth0-range0
# contents of ifcfg-eth0-range0: every address from START to END
# becomes an alias eth0:0, eth0:1, ... starting at CLONENUM_START
IPADDR_START=192.168.2.100
IPADDR_END=192.168.2.120
CLONENUM_START=0

# bring the aliases up
/etc/rc.d/init.d/network restart
Posted by defunct defunct on
What works really well with a DSL setup is to put in a router/firewall that will mask off the local network.

If you have an old machine (486) that you no longer need, try using freesco. It runs off a floppy and will give you much better control over your network. www.freesco.org (I think)

It will also mean you can leave all those spare IP addresses in your DMZ.

Posted by Malte Sussdorff on
Hi Jade,

the way to do it within SuSE Linux is to add the ethernet devices eth0:1 to eth0:5 (or whatever your need is; do it either with yast or edit rc.config manually). That way you have multiple devices which can have their own IP addresses, all reachable through your eth0 cable.

Hope this helps

Posted by Alex Sokoloff on
If you're using Red Hat and you want your eth0 to listen to several IPs without puzzling through the configuration files, run linuxconf as root. Under Config > Networking > Server Tasks there's an option called "IP aliases for virtual hosts". That's where you create "aliases" for your eth0, each of which has its own IP. That's how it looks under RH 6.2, anyways. The marvels and, I'm sure, dangers of automated Unix administration are yours to enjoy!
Posted by Kjell Wooding on
I can think of two ways to do what you want, off the top of my head:
  • One, use a bridging firewall (firewall with no IP address)

    DSL --- [bridging FW] --- DMZ (allocate IPs as you see fit here)

  • Two, assign all five addresses to your firewall machine, and use some kind of static NAT assignment. (Sorry, I don't know the Linux terminology here, I come from a BSD world).

    In other words, configure address translation (masquerading) to route everything addressed to IP#1 to the machine 10.1.1.2, everything addressed to IP#2 to 10.1.1.3, and so forth.

    On platforms running PF or IPF, this is referred to as a BINAT.

Hope that helps...
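The static one-to-one NAT described in option two, written as an added example (not code from anyone in this thread): a script that prints, rather than applies, the commands for aliasing each external address onto the firewall and mapping it to one internal server. It assumes iptables (the thread mentions ipmasqadm, an older tool), the interface names eth0/eth1, and the constructed address table inside the script; output is meant to be reviewed and then run on the firewall.

```shell
#!/bin/sh
# Added example: generate a 1:1 NAT ("BINAT") ruleset with iptables (assumed tool).
# Nothing is applied; the commands are only printed for review.

# Constructed mapping table: external IP, internal server, allowed TCP ports.
# Addresses are the thread's example values, not real ones.
MAPPINGS='
1.2.3.4 10.1.1.2 80,443
1.2.3.5 10.1.1.3 80
1.2.3.6 10.1.1.4 22,80
'

WAN_IF=eth0   # assumed interface names
LAN_IF=eth1

gen_policy() {
    # Default-deny forwarding; only conntrack-established flows pass unconditionally.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

gen_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r ext int ports; do
        [ -n "$ext" ] || continue
        # 1. Alias the external address onto eth0 (what eth0:1 / ifcfg-eth0-range0 do).
        echo "ip addr add $ext/32 dev $WAN_IF"
        # 2. Inbound: rewrite the destination to the internal server (static NAT).
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $ext -j DNAT --to-destination $int"
        # 3. Outbound: traffic from that server leaves with the matching external IP.
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $int -j SNAT --to-source $ext"
        # 4. Filter: DNAT runs before FORWARD, so match on the internal address and
        #    admit only the listed ports; everything else hits the DROP policy.
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $int -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    done
}

gen_policy
gen_rules
```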
Posted by Jun Yamog on

Hi Jade,

You have 2 options basically.

  1. Use port forwarding (TCP level)
  2. Use a reverse proxy (HTTP level)

Using port forwarding may be simpler and straightforward. But it does limit you to the number of external IP addresses. In your case only 5 sites can be up, since port forwarding is a one-to-one mapping of IP address and ports. I assume that you would like to only access your sites using only the standard HTTP port 80; this will limit you to only 5 sites.

Using a reverse proxy such as Apache + proxy or Squid may give you better results, although this may be more complex. Since you will just be using the HTTP headers you can have an infinite number of internal web servers with only 1 IP address. You may also want to turn on caching for some of your sites.

In both cases you have to use NAT or masquerading so the internal web servers can access the outside world. Maybe you can also use NAT or MASQ in reverse to let the external network access your internal network. Not too sure if it's possible because normally I use NAT or MASQ from inside going outside.

A nice little arrangement we've tried is as follows.

DSL router -> Freesco router (www.freesco.org?)
Freesco routers can run off a floppy and on an old machine with as little as 8 MB. We've found a P60 with 64 MB, no disk and a floppy is perfectly fine for a small office setup.

With the router in place your local network can now be hidden, leaving you spare IP addresses in your DMZ.

Freesco is quite functional and thus it's simple enough to map ports in firewall fashion to the local network...

I believe freesco on one box will support up to three network cards and two modems, so it's quite possible to have multiple local networks or multiple IPs for the same service etc....

Definitely worth a look as a really simple, low cost solution

Incidentally, from scratch it took us about an hour to set everything up, so pretty straightforward