"Firewall" - is this possible?

RiotSecurity · Aug 26, 2013

I've been trying, haven't been very successful.

Firewall (controls incoming and outgoing traffic).

Request to 10.0.2.15 leads to firewall page.

Request to 10.0.2.16 routes though firewall and goes to server once checking firewall rules, etc.

So basically, all traffic even if on different virtual machines is routed automatically though firewall.

Any ideas? I was just thinking of assigning the firewall all these ip addresses, then if one requested route to a "sub" (different) ip address but don't reveal the other IP address.

acd · Aug 26, 2013

There isn't really enough information here to judge what you're trying to do.

I guess you could do some static routes to send 10.0.2.16 via 10.0.2.15 at your router. That would cause it to pass through 10.0.2.15 on the way to 10.0.2.16. Then you would use iptables FORWARD rules or pf, or what-have-you to filter it on the way through. That probably isn't what you want though.

Francisco · Aug 26, 2013

Hm.

One way would to have an exempt table/etc in your firewall that passes traffic through w/o validating it again.

You'd have to use NAT and have your 'auth' page push the users connecting IP into the allowed table.

Francisco

NodeBytes · Aug 26, 2013

You could probably set the default gateway to be 10.0.2.15 but then you'd have to set NAT and all other settings properly on the firewall.

RiotSecurity · Aug 27, 2013

Francisco said:
Hm.

One way would to have an exempt table/etc in your firewall that passes traffic through w/o validating it again.

You'd have to use NAT and have your 'auth' page push the users connecting IP into the allowed table.

Francisco

Could you elaborate on this more?

As for lack of information, in theory here is how I want it to work.

User sends a request to example.com [10.0.2.16], but before it reaches destination of 10.0.2.16, I want it to go though the firewall to help clean out bad traffic, etc.

scv · Aug 27, 2013

Your best bet would be to use a routing firewall that performs 1:1 NAT to the server. 1:1 NAT means no translation tables, port forwarding, or any of the headaches of normal NAT. The firewall would have two NICs, one facing internet-side and the other on a VLAN with only the server.

[ internet ] -> 10.0.2.16 [ firewall eth0 ] <-> [ firewall eth1 ] 10.1.1.1 -> 10.1.1.2 [ server eth0 ]

You can also do a NAT free version of this setup by bridging both NICs on the firewall, assigning 10.0.2.16 directly to the server, and enabling ARP proxy on the firewall.

RiotSecurity · Aug 27, 2013

scv said:
Your best bet would be to use a routing firewall that performs 1:1 NAT to the server. 1:1 NAT means no translation tables, port forwarding, or any of the headaches of normal NAT. The firewall would have two NICs, one facing internet-side and the other on a VLAN with only the server.

[ internet ] -> 10.0.2.16 [ firewall eth0 ] <-> [ firewall eth1 ] 10.1.1.1 -> 10.1.1.2 [ server eth0 ]

You can also do a NAT free version of this setup by bridging both NICs on the firewall, assigning 10.0.2.16 directly to the server, and enabling ARP proxy on the firewall.

Well, I looked at using a existing firewall like ClearOS, it has 1:1 NAT on it.

"Firewall" - is this possible?

RiotSecurity

New Member

acd

New Member

Francisco

Company Lube

NodeBytes

Dedi Addict

RiotSecurity

New Member

scv

Massive Nerd

RiotSecurity

New Member