* RE: Need to replace a SonicWall firewall with an iptables firewall.
@ 2004-08-30 20:41 Jason Opperisano
2004-08-30 21:11 ` Shaun T. Erickson
From: Jason Opperisano @ 2004-08-30 20:41 UTC
To: netfilter
> > your other option could be to leave the /28 of public space outside the
> > firewall, re-address the DMZ hosts to use private space, and set up
> > one-to-one NATs for the DMZ hosts, and keep your firewall solely layer 3
> > (my bias--i love the routing).
>
> I like this idea better, but I'm confused about a couple of things.
> First, I've never done one-to-one NAT, but I'm sure I can look that up.
ok. the basic premise is that you generate pairs of SNAT and DNAT rules for each private/public IP pair.
> Second, will I require any special rules to allow internal LAN hosts to
> access the DMZ systems by their public IP addresses? I want to be sure
> internal systems access them the same way as external systems. Third,
by their public IP addresses? yes. by their names--no (two words for you: split dns--know it, use it, love it)
if you need the internal folks to access the DMZ hosts by public IP, your best bet is probably to do DNATs like:
iptables -t nat -A PREROUTING -i $INTERNAL_IF -o $DMZ_IF \
-d $DMZ_PUB_IP -j DNAT --to-detination $DMZ_PRIV_IP
for each host...you can cycle through these in the script that creates the static one-to-one mappings from #1 above... ;-)
> when I write rules for what access is allowed to what systems in the DMZ
> from either the Internet or the LANs, what do I write the rule against:
> the real, public IP of the DMZ server, or its private IP address?
private IP. DNAT happens in the PREROUTING chain of the nat table; which is prior to any chain of the filter table. SNAT happens in the POSTROUTING chain of the nat table; which is after any chain of the filter table. so the rule in the filter table should always (hmmm...) use the actual IP assigned to the NIC of the host in question.
-j
* Re: Need to replace a SonicWall firewall with an iptables firewall.
2004-08-30 20:41 Need to replace a SonicWall firewall with an iptables firewall Jason Opperisano
@ 2004-08-30 21:11 ` Shaun T. Erickson
From: Shaun T. Erickson @ 2004-08-30 21:11 UTC
To: Jason Opperisano; +Cc: netfilter
(btw, none of your responses wrap at all, and I have to edit them)
>>First, I've never done one-to-one NAT, but I'm sure I can look that up.
>
> ok. the basic premise is that you generate pairs of SNAT and DNAT rules
> for each private/public IP pair.
Alright.
>>Second, will I require any special rules to allow internal LAN hosts to
>>access the DMZ systems by their public IP addresses? I want to be sure
>>internal systems access them the same way as external systems. Third,
>
>
> by their public IP addresses? yes. by their names--no (two words for
> you: split dns--know it, use it, love it)
I need internal hosts, and external hosts, to be able to connect to the
DMZ servers by their public DNS names. Connecting to
http://www.somedomain.com from either the inside or the outside, should
get you to the server in the DMZ. For testing purposes, we need to
access everything the same way as our customers.
Not knowing what split-dns was, I googled it. If I understand it
correctly it seems that this is only needed when you use a single,
common domain for both internal and external systems. All our external
systems (both between the firewall and the router, and in the DMZ) are
in "domain.com" and all our internal systems are in "sub.domain.com", so
we don't need split-dns, right?
> if you need the internal folks to access the DMZ hosts by public IP,
> your best bet is probably to do DNATs like:
>
> iptables -t nat -A PREROUTING -i $INTERNAL_IF -o $DMZ_IF \
> -d $DMZ_PUB_IP -j DNAT --to-detination $DMZ_PRIV_IP
>
> for each host...you can cycle through these in the script that creates
> the static one-to-one mappings from #1 above... ;-)
I think I need to look closer at how packets traverse netfilter, before
I'll understand that one. It's been a long day. :)
>>when I write rules for what access is allowed to what systems in the DMZ
>>from either the Internet or the LANs, what do I write the rule against:
>>the real, public IP of the DMZ server, or its private IP address?
>
> private IP. DNAT happens in the PREROUTING chain of the nat table; which
> is prior to any chain of the filter table. SNAT happens in the
> POSTROUTING chain of the nat table; which is after any chain of the filter
> table. so
> the rule in the filter table should always (hmmm...) use the actual IP
> assigned to the NIC of the host in question.
Hmm. Ok.
-ste
* RE: Need to replace a SonicWall firewall with an iptables firewall.
@ 2004-08-31 14:11 Jason Opperisano
From: Jason Opperisano @ 2004-08-31 14:11 UTC
To: netfilter
> It's not a matter of what I want or don't want
sorry--"want" was probably a poor choice of words on my part.
> - I inherited this mess
> from someone else, recently, and I'm slowly working my way through all
> my systems, learning how they are working (or not). We don't currently
> have split-dns (see my reply to the off-topic portion of this thread).
> Systems in the DMZ currently use real IP addresses, and can be accessed
> by their name in our external domain, from either the Internet, or from
> our internal domain (a sub-domain of our external domain). I'm trying to
> replicate this with an iptables firewall, without having to eliminate
> our internal domain and completely re-doing our internal and external
> dns in a split-dns fashion, just to get the firewall to work. Should I
> go to split-dns? From what I've read, and been told here, it would seem
> an excellent thing to do, but it's not something I can do overnight.
>
> I mentioned in another email, that I could probably get two subnets from
> my ISP - one for my external network and one for my DMZ. Would this
> solve the problem until I can migrate to a split dns and one-to-one
> NAT'ing of the DMZ systems?
it sounds like it would probably be less of a headache for you to get that
second public subnet from your ISP. that way, you're really only changing
the addressing on the DMZ, without also simultaneously introducing NAT,
split-dns, etc... i don't particularly like changing multiple, major
things all at once. you'll probably have enough to deal with just changing
from sonicwall to iptables, and whatever idiosyncrasies are involved with
that.
-j
* RE: Need to replace a SonicWall firewall with an iptables firewall.
@ 2004-08-30 22:25 Jason Opperisano
2004-08-31 13:47 ` Shaun T. Erickson
From: Jason Opperisano @ 2004-08-30 22:25 UTC
To: netfilter
> (btw, none of your responses wrap at all, and I have to edit them)
yeah--sorry about that. i'm in the process of switching mail accounts.
> I need internal hosts, and external hosts, to be able to connect to the
> DMZ servers by their public DNS names. Connecting to
> http://www.somedomain.com from either the inside or the outside, should
> get you to the server in the DMZ. For testing purposes, we need to
> access everything the same way as our customers.
this statement implies you would want split-dns...
> Not knowing what split-dns was, I googled it. If I understand it
> correctly it seems that this is only needed when you use a single,
> common domain for both internal and external systems. All our external
> systems (both between the firewall and the router, and in the DMZ) are
> in "domain.com" and all our internal systems are in "sub.domain.com", so
> we don't need split-dns, right?
whereas this statement implies you don't want split-dns.
> > if you need the internal folks to access the DMZ hosts by public IP,
> > your best bet is probably to do DNATs like:
> >
> > iptables -t nat -A PREROUTING -i $INTERNAL_IF -o $DMZ_IF \
> > -d $DMZ_PUB_IP -j DNAT --to-detination $DMZ_PRIV_IP
in addition to missing an 's' in there; i also used "-o" which isn't
allowed in PREROUTING--it's been a long day here too...last try:
iptables -t nat -A PREROUTING -i $INTERNAL_IF \
-d $DMZ_PUB_IP -j DNAT --to-destination $DMZ_PRIV_IP
> > for each host...you can cycle through these in the script that creates
> > the static one-to-one mappings from #1 above... ;-)
>
> I think I need to look closer at how packets travers netfilter, before
> I'll understand that one. It's been a long day. :)
sorry--the above rule says: translate the destination IP of any packet
entering the internal interface, destined for the public IP address of
a DMZ host, to its private IP address.
so when someone on the inside tries to get to 198.6.1.10 (which is translated
on the outside interface to 10.10.1.1), it will also get translated to
10.10.1.1. there are other ways to achieve this--normally the DNAT on the
external side will specify the external interface explicitly:
iptables -t nat -A PREROUTING -i $EXTERNAL_IF -d $PUBLIC_IP \
-j DNAT --to-destination $PRIVATE_IP
in this case you could leave out the interface specification, so that *any*
traffic destined to $PUBLIC_IP will get translated, regardless of
interface:
iptables -t nat -A PREROUTING -d $PUBLIC_IP \
-j DNAT --to-destination $PRIVATE_IP
the beauty/flexibility of netfilter...
-j
* Re: Need to replace a SonicWall firewall with an iptables firewall.
2004-08-30 22:25 Jason Opperisano
@ 2004-08-31 13:47 ` Shaun T. Erickson
From: Shaun T. Erickson @ 2004-08-31 13:47 UTC
To: Jason Opperisano; +Cc: netfilter
>>I need internal hosts, and external hosts, to be able to connect to the
>>DMZ servers by their public DNS names. Connecting to
>>http://www.somedomain.com from either the inside or the outside, should
>>get you to the server in the DMZ. For testing purposes, we need to
>>access everything the same way as our customers.
>
>
> this statement implies you would want split-dns...
>
>
>>Not knowing what split-dns was, I googled it. If I understand it
>>correctly it seems that this is only needed when you use a single,
>>common domain for both internal and external systems. All our external
>>systems (both between the firewall and the router, and in the DMZ) are
>>in "domain.com" and all our internal systems are in "sub.domain.com", so
>>we don't need split-dns, right?
>
>
> whereas this statement implies you don't want split-dns.
It's not a matter of what I want or don't want - I inherited this mess
from someone else, recently, and I'm slowly working my way through all
my systems, learning how they are working (or not). We don't currently
have split-dns (see my reply to the off-topic portion of this thread).
Systems in the DMZ currently use real IP addresses, and can be accessed
by their name in our external domain, from either the Internet, or from
our internal domain (a sub-domain of our external domain). I'm trying to
replicate this with an iptables firewall, without having to eliminate
our internal domain and completely re-doing our internal and external
dns in a split-dns fashion, just to get the firewall to work. Should I
go to split-dns? From what I've read, and been told here, it would seem
an excellent thing to do, but it's not something I can do overnight.
I mentioned in another email, that I could probably get two subnets from
my ISP - one for my external network and one for my DMZ. Would this
solve the problem until I can migrate to a split dns and one-to-one
NAT'ing of the DMZ systems?
-ste
* RE: Need to replace a SonicWall firewall with an iptables firewall.
@ 2004-08-30 22:23 Daniel Chemko
2004-08-31 0:02 ` Nick Drage
From: Daniel Chemko @ 2004-08-30 22:23 UTC
To: ste, Jason Opperisano; +Cc: netfilter
> Not knowing what split-dns was, I googled it. If I understand it
> correctly it seems that this is only needed when you use a single,
> common domain for both internal and external systems. All our external
> systems (both between the firewall and the router, and in the DMZ) are
> in "domain.com" and all our internal systems are in "sub.domain.com",
> so
> we don't need split-dns, right?
Split DNS is good in that it allows:
Internet -> (1.1.1.1)Firewall(10.0.0.1) -> DMZ (10.0.0.0/24)
                     (10.0.1.1)
                         |
                  Internal_Net (10.0.1.0/24)

Internet (Customers / etc..)
    dig www.abc.com > 1.1.1.1

Internally (From your management network)
    dig www.abc.com > 10.0.0.111
You have two zones of resolution. One for people inside the NAT, and one
for those outside the NAT. Anyone inside the NAT network will pick up
the real internal address name of the servers. People in the outside
world will see the fake routable DNAT IP address of the servers. Nobody
outside should be able to tell the difference (at least with http) that
the internal server doesn't really have an internet routable IP.
* Re: Need to replace a SonicWall firewall with an iptables firewall.
2004-08-30 22:23 Daniel Chemko
@ 2004-08-31 0:02 ` Nick Drage
From: Nick Drage @ 2004-08-31 0:02 UTC
To: netfilter
On Mon, Aug 30, 2004 at 03:23:58PM -0700, Daniel Chemko wrote:
> > Not knowing what split-dns was, I googled it. If I understand it
> > correctly it seems that this is only needed when you use a single,
> > common domain for both internal and external systems. All our
> > external systems (both between the firewall and the router, and in
> > the DMZ) are in "domain.com" and all our internal systems are in
> > "sub.domain.com", so we don't need split-dns, right?
Probably a good idea anyway - you probably don't want external users
using your DNS server in the same way that internal hosts do - i.e.
making recursive lookups. Also while it isn't much of an information
leak, stopping Internet users looking up hosts in sub.domain.com won't
do any harm.
Also with the use of "view" this is pretty easy to do with BIND 9. If
you don't have a copy of "DNS and BIND" you should be able to find
something useful via Google or equivalent search engine.
Sorry, a little off-topic....
--
mors omnia vincit
* RE: Need to replace a SonicWall firewall with an iptables firewall.
@ 2004-08-30 20:45 Jason Opperisano
From: Jason Opperisano @ 2004-08-30 20:45 UTC
To: netfilter
> iptables -t nat -A PREROUTING -i $INTERNAL_IF -o $DMZ_IF \
> -d $DMZ_PUB_IP -j DNAT --to-detination $DMZ_PRIV_IP
those with a discerning eye will probably be quick to note that i'm missing an 's' in destination there...
iptables -t nat -A PREROUTING -i $INTERNAL_IF -o $DMZ_IF \
-d $DMZ_PUB_IP -j DNAT --to-destination $DMZ_PRIV_IP
argh...
-j
* RE: Need to replace a SonicWall firewall with an iptables firewall.
@ 2004-08-30 19:30 Jason Opperisano
2004-08-30 20:23 ` Shaun T. Erickson
From: Jason Opperisano @ 2004-08-30 19:30 UTC
To: netfilter
> I have a SonicWall Pro 330 that's giving me no end of grief, and so I
> want to replace it. It's my primary firewall. Because we have two LANs
> and the SonicWall only has one LAN port, I have an iptables
> router/firewall that's connected to the LAN port of the SonicWall. The
> two LANs hang off of the iptables machine. The SonicWall provides our
> DMZ, as well.
>
> I want to collapse the two systems into one, but I'm not quite sure how
> to do it.
>
> I want one iptables-based firewall, with four NICs, that connect to our
> external router, our DMZ switch, and each of our two internal LAN switches.
>
> I believe I know how to set it up so that traffic from either internal
> LAN gets NAT'd to the firewall's external IP address, for traffic headed
> to the Internet, and de-NAT'd on the way back. I also believe I know how
> to allow traffic to flow back and forth between the two LANs, where
> NAT'ing isn't needed.
just to be clear:
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
-s $INTERNAL_NET_1 -j SNAT --to-source $EXTERNAL_IP
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
-s $INTERNAL_NET_2 -j SNAT --to-source $EXTERNAL_IP
> However, I'm not sure how to handle the external network and the DMZ. We
> have a /28 subnet from our ISP. Our router uses one address on the
> subnet. From the router, you proceed to a switch, where three devices
> are plugged in: a wireless access point, a VPN device, and the external
> interface of the SonicWall firewall. All three devices have addresses on
> the same /28 subnet as the router. Additionally, the SonicWall's DMZ
> interface does not have an address assigned to it - it is somehow
> logically bridged to the external interface. The systems in the DMZ are
> also on the same /28 subnet. You tell the SonicWall which IP addresses
> are in use in the DMZ, so that it knows which interface to send traffic
> for that subnet out of. Internal traffic, heading out either the
> external or DMZ interfaces of the SonicWall, appear to come from the
> external address of the SonicWall. I have no idea how to replicate this
> setup under iptables.
if you desire to replicate this exactly with netfilter, you would create a bridge between the external and DMZ interfaces (man 8 brctl), and use ebtables to do the bridge filtering (http://ebtables.sourceforge.net/).
your other option could be to leave the /28 of public space outside the firewall, re-address the DMZ hosts to use private space, and set up one-to-one NATs for the DMZ hosts, and keep your firewall solely layer 3 (my bias--i love the routing).
> Lastly, some systems in the DMZ need to access database servers on one
> of the internal LANs. The LANs use private, non-routable address space
> (192.168.32.0 & 192.168.40.0). So, I need certain systems in the DMZ, to
> be able to initiate connections through the firewall, to systems on my
> 40-net. No NAT'ing is needed for these connections, but I'm not sure how
> to set them up, either. On the SonicWall, we just put a rule in that
> allows it, and two static routes, so it knows to forward traffic for
> those nets to the linux box. Somehow I think it isn't as simple under
> iptables, but hopefully I'm wrong.
well--the linux box in the new scenario will be directly connected to those LANs (as it is now)--so you won't need static routes to them. you will need rules that allow the DMZ hosts to connect, though:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF1 -p tcp --syn \
-s $DMZ_HOST --sport 1024:65535 -d $LAN_HOST --dport $DB_PORT -j ACCEPT
[ repeat as necessary ]
> Sorry for the length of this, but I wanted to try and describe it all
> accurately. I've never set up an iptables firewall that is so
> (seemingly) complicated before.
let me know what i missed.
-j
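The pieces Jason Opperisano's replies (19:30, 20:41 and 22:25) lay out, put together as one rule-generator script: SNAT for both LANs, a SNAT/DNAT pair per DMZ host with the interface-less DNAT so LAN hosts reach DMZ hosts by public IP, and FORWARD rules written against the private addresses because nat/PREROUTING runs before the filter table and nat/POSTROUTING after it. This is an added example, not code from the thread. The interface names, the 10.10.1.x hosts, the 198.6.1.x addresses beyond the one Jason used, the service and database ports, and the default-deny FORWARD policy are constructed assumptions. It prints the rules instead of loading them unless APPLY=1 is set, so the generated set can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: emit the netfilter rules for the
# "leave the /28 outside, NAT the DMZ one-to-one" design.  All interface
# names, addresses and host lists below are constructed placeholders.

EXTERNAL_IF=eth0
EXTERNAL_IP=198.6.1.2            # firewall's own public address (constructed)
DMZ_IF=eth1
LAN_IF1=eth2; INTERNAL_NET_1=192.168.32.0/24
LAN_IF2=eth3; INTERNAL_NET_2=192.168.40.0/24   # the "40-net" with the DB servers

# One-to-one pairs, "private public" per line (constructed sample data).
DMZ_MAP='10.10.1.1 198.6.1.10
10.10.1.2 198.6.1.11'

# Services each DMZ host exposes, "private tcp_port" (constructed).
DMZ_SERVICES='10.10.1.1 80
10.10.1.2 25'

# DMZ hosts allowed to open connections into the 40-net,
# "dmz_private lan_host tcp_port" (constructed).
DB_ACCESS='10.10.1.1 192.168.40.5 3306'

# Dry run by default: print each rule instead of loading it.  APPLY=1 loads.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Both LANs leave the firewall with its external address as source.
gen_lan_snat() {
    ipt -t nat -A POSTROUTING -o "$EXTERNAL_IF" -s "$INTERNAL_NET_1" \
        -j SNAT --to-source "$EXTERNAL_IP"
    ipt -t nat -A POSTROUTING -o "$EXTERNAL_IF" -s "$INTERNAL_NET_2" \
        -j SNAT --to-source "$EXTERNAL_IP"
}

# One DNAT/SNAT pair per DMZ host.  The DNAT carries no -i, so a LAN host
# connecting to the public address is translated exactly like an Internet
# client; the SNAT only rewrites replies and outbound traffic leaving via
# the external interface.
gen_one_to_one() {
    printf '%s\n' "$DMZ_MAP" | while read -r priv pub; do
        [ -n "$priv" ] || continue
        ipt -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$priv"
        ipt -t nat -A POSTROUTING -o "$EXTERNAL_IF" -s "$priv" \
            -j SNAT --to-source "$pub"
    done
}

# Filter rules match on private addresses only: by the time FORWARD sees a
# packet, nat/PREROUTING has already rewritten the destination, and the
# source is rewritten in nat/POSTROUTING only after FORWARD has accepted it.
gen_filter() {
    ipt -P FORWARD DROP                      # assumption: default deny
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$DMZ_SERVICES" | while read -r priv port; do
        [ -n "$priv" ] || continue
        ipt -A FORWARD -o "$DMZ_IF" -p tcp --syn -d "$priv" --dport "$port" \
            -j ACCEPT
    done
    printf '%s\n' "$DB_ACCESS" | while read -r dmz lan port; do
        [ -n "$dmz" ] || continue
        ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF2" -p tcp --syn \
            -s "$dmz" --sport 1024:65535 -d "$lan" --dport "$port" -j ACCEPT
    done
}

generate_all() { gen_lan_snat; gen_one_to_one; gen_filter; }

generate_all
```

Run it as-is to see the complete rule set on stdout; a quick `grep FORWARD | grep 198.6.1` over that output should come back empty, which is the check that no filter rule was mistakenly written against a public DMZ address.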
* Re: Need to replace a SonicWall firewall with an iptables firewall.
2004-08-30 19:30 Jason Opperisano
@ 2004-08-30 20:23 ` Shaun T. Erickson
From: Shaun T. Erickson @ 2004-08-30 20:23 UTC
To: Jason Opperisano; +Cc: netfilter
>>I believe I know how to set it up so that traffic from either internal
>>LAN gets NAT'd to the firewall's external IP address, for traffic headed
>>to the Internet, and de-NAT'd on the way back. I also believe I know how
>>to allow traffic to flow back and forth between the two LANs, where
>>NAT'ing isn't needed.
>
>
> just to be clear:
>
> iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
> -s $INTERNAL_NET_1 -j SNAT --to-source $EXTERNAL_IP
>
> iptables -t nat -A POSTROUTING -o $EXTERNAL_IF \
> -s $INTERNAL_NET_2 -j SNAT --to-source $EXTERNAL_IP
Ok, and I know how to do the inter-LAN stuff, as I'm doing it on the
current linux box, where the database LAN is substantially firewalled
off from the corporate LAN and everything else.
>>However, I'm not sure how to handle the external network and the DMZ. We
>>have a /28 subnet from our ISP. Our router uses one address on the
>>subnet. From the router, you proceed to a switch, where three devices
>>are plugged in: a wireless access point, a VPN device, and the external
>>interface of the SonicWall firewall. All three devices have addresses on
>>the same /28 subnet as the router. Additionally, the SonicWall's DMZ
>>interface does not have an address assigned to it - it is somehow
>>logically bridged to the external interface. The systems in the DMZ are
>>also on the same /28 subnet. You tell the SonicWall which IP addresses
>>are in use in the DMZ, so that it knows which interface to send traffic
>>for that subnet out of. Internal traffic, heading out either the
>>external or DMZ interfaces of the SonicWall, appear to come from the
>>external address of the SonicWall. I have no idea how to replicate this
>>setup under iptables.
>
>
> if you desire to replicate this exactly with netfilter, you would create
> a bridge between the external and DMZ interfaces (man 8 brctl), and use
> ebtables to do the bridge filtering (http://ebtables.sourceforge.net/).
Ok.
> your other option could be to leave the /28 of public space outside the
> firewall, re-address the DMZ hosts to use private space, and set up
> one-to-one NATs for the DMZ hosts, and keep your firewall solely layer 3
> (my bias--i love the routing).
I like this idea better, but I'm confused about a couple of things.
First, I've never done one-to-one NAT, but I'm sure I can look that up.
Second, will I require any special rules to allow internal LAN hosts to
access the DMZ systems by their public IP addresses? I want to be sure
internal systems access them the same way as external systems. Third,
when I write rules for what access is allowed to what systems in the DMZ
from either the Internet or the LANs, what do I write the rule against:
the real, public IP of the DMZ server, or its private IP address?
>>Lastly, some systems in the DMZ need to access database servers on one
>>of the internal LANs. The LANs use private, non-routable address space
>>(192.168.32.0 & 192.168.40.0). So, I need certain systems in the DMZ, to
>>be able to initiate connections through the firewall, to systems on my
>>40-net. No NAT'ing is needed for these connections, but I'm not sure how
>>to set them up, either. On the SonicWall, we just put a rule in that
>>allows it, and two static routes, so it knows to forward traffic for
>>those nets to the linux box. Somehow I think it isn't as simple under
>>iptables, but hopefully I'm wrong.
>
>
> well--the linux box in the new scenario will be directly connected to those LANs (as it is now)--so you won't need static routes to them. you will need rules that allow the DMZ hosts to connect, though:
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -i $DMZ_IF -o $LAN_IF1 -p tcp --syn \
> -s $DMZ_HOST --sport 1024:65535 -d $LAN_HOST --dport $DB_PORT -j ACCEPT
>
> [ repeat as necessary ]
Ok.
> let me know what i missed.
So far, so good. I may have more questions after your reply. :) Thanks
for your help. :)
-ste
* Need to replace a SonicWall firewall with an iptables firewall.
@ 2004-08-30 16:01 Shaun T. Erickson
2004-08-30 18:41 ` Shaun T. Erickson
From: Shaun T. Erickson @ 2004-08-30 16:01 UTC
To: netfilter
I have a SonicWall Pro 330 that's giving me no end of grief, and so I
want to replace it. It's my primary firewall. Because we have two LANs
and the SonicWall only has one LAN port, I have an iptables
router/firewall that's connected to the LAN port of the SonicWall. The
two LANs hang off of the iptables machine. The SonicWall provides our
DMZ, as well.
I want to collapse the two systems into one, but I'm not quite sure how
to do it.
I want one iptables-based firewall, with four NICs, that connect to our
external router, our DMZ switch, and each of our two internal LAN switches.
I believe I know how to set it up so that traffic from either internal
LAN gets NAT'd to the firewall's external IP address, for traffic headed
to the Internet, and de-NAT'd on the way back. I also believe I know how
to allow traffic to flow back and forth between the two LANs, where
NAT'ing isn't needed.
However, I'm not sure how to handle the external network and the DMZ. We
have a /28 subnet from our ISP. Our router uses one address on the
subnet. From the router, you proceed to a switch, where three devices
are plugged in: a wireless access point, a VPN device, and the external
interface of the SonicWall firewall. All three devices have addresses on
the same /28 subnet as the router. Additionally, the SonicWall's DMZ
interface does not have an address assigned to it - it is somehow
logically bridged to the external interface. The systems in the DMZ are
also on the same /28 subnet. You tell the SonicWall which IP addresses
are in use in the DMZ, so that it knows which interface to send traffic
for that subnet out of. Internal traffic, heading out either the
external or DMZ interfaces of the SonicWall, appear to come from the
external address of the SonicWall. I have no idea how to replicate this
setup under iptables.
Lastly, some systems in the DMZ need to access database servers on one
of the internal LANs. The LANs use private, non-routable address space
(192.168.32.0 & 192.168.40.0). So, I need certain systems in the DMZ, to
be able to initiate connections through the firewall, to systems on my
40-net. No NAT'ing is needed for these connections, but I'm not sure how
to set them up, either. On the SonicWall, we just put a rule in that
allows it, and two static routes, so it knows to forward traffic for
those nets to the linux box. Somehow I think it isn't as simple under
iptables, but hopefully I'm wrong.
Sorry for the length of this, but I wanted to try and describe it all
accurately. I've never set up an iptables firewall that is so
(seemingly) complicated before.
Thanks, in advance, for any guidance you can give me.
-ste
* Re: Need to replace a SonicWall firewall with an iptables firewall.
2004-08-30 16:01 Shaun T. Erickson
@ 2004-08-30 18:41 ` Shaun T. Erickson
From: Shaun T. Erickson @ 2004-08-30 18:41 UTC
To: ste; +Cc: netfilter
I wrote:
> However, I'm not sure how to handle the external network and the DMZ. We
> have a /28 subnet from our ISP. Our router uses one address on the
> subnet. From the router, you proceed to a switch, where three devices
> are plugged in: a wireless access point, a VPN device, and the external
> interface of the SonicWall firewall. All three devices have addresses on
> the same /28 subnet as the router. Additionally, the SonicWall's DMZ
> interface does not have an address assigned to it - it is somehow
> logically bridged to the external interface. The systems in the DMZ are
> also on the same /28 subnet. You tell the SonicWall which IP addresses
> are in use in the DMZ, so that it knows which interface to send traffic
> for that subnet out of. Internal traffic, heading out either the
> external or DMZ interfaces of the SonicWall, appear to come from the
> external address of the SonicWall. I have no idea how to replicate this
> setup under iptables.
It occurs to me that I'm running out of IPs anyway, so maybe what I
should do is get two subnets from my ISP: a subnet of 16 (14 usable)
addresses for the router, the firewall's external interface, and
everything in between, and a subnet of 32 (30 usable) addresses for my
DMZ. That would work, yes?
-ste