amuck-landowner

"Firewall" - is this possible?

RiotSecurity

New Member
I've been trying, haven't been very successful.

Firewall (controls incoming and outgoing traffic).

Request to 10.0.2.15 leads to firewall page.

Request to 10.0.2.16 routes though firewall and goes to server once checking firewall rules, etc.

So basically, all traffic even if on different virtual machines is routed automatically though firewall.

Any ideas? I was just thinking of assigning the firewall all these ip addresses, then if one requested route to a "sub" (different) ip address but don't reveal the other IP address.
 

acd

New Member
There isn't really enough information here to judge what you're trying to do.

I guess you could do some static routes to send 10.0.2.16 via 10.0.2.15 at your router. That would cause it to pass through 10.0.2.15 on the way to 10.0.2.16. Then you would use iptables FORWARD rules or pf, or what-have-you to filter it on the way through. That probably isn't what you want though.
 

Francisco

Company Lube
Verified Provider
Hm.

One way would to have an exempt table/etc in your firewall that passes traffic through w/o validating it again.

You'd have to use NAT and have your 'auth' page push the users connecting IP into the allowed table.

Francisco
 

NodeBytes

Dedi Addict
You could probably set the default gateway to be 10.0.2.15 but then you'd have to set NAT and all other settings properly on the firewall.
 

RiotSecurity

New Member
Hm.


One way would to have an exempt table/etc in your firewall that passes traffic through w/o validating it again.


You'd have to use NAT and have your 'auth' page push the users connecting IP into the allowed table.


Francisco
Could you elaborate on this more?

As for lack of information, in theory here is how I want it to work.

User sends a request to example.com [10.0.2.16], but before it reaches destination of 10.0.2.16, I want it to go though the firewall to help clean out bad traffic, etc.
 

scv

Massive Nerd
Verified Provider
Your best bet would be to use a routing firewall that performs 1:1 NAT to the server. 1:1 NAT means no translation tables, port forwarding, or any of the headaches of normal NAT. The firewall would have two NICs, one facing internet-side and the other on a VLAN with only the server.

[ internet ] -> 10.0.2.16 [ firewall eth0 ] <-> [ firewall eth1 ] 10.1.1.1 -> 10.1.1.2 [ server eth0 ]

You can also do a NAT free version of this setup by bridging both NICs on the firewall, assigning 10.0.2.16 directly to the server, and enabling ARP proxy on the firewall.
 

RiotSecurity

New Member
Your best bet would be to use a routing firewall that performs 1:1 NAT to the server. 1:1 NAT means no translation tables, port forwarding, or any of the headaches of normal NAT. The firewall would have two NICs, one facing internet-side and the other on a VLAN with only the server.

[ internet ] -> 10.0.2.16 [ firewall eth0 ] <-> [ firewall eth1 ] 10.1.1.1 -> 10.1.1.2 [ server eth0 ]

You can also do a NAT free version of this setup by bridging both NICs on the firewall, assigning 10.0.2.16 directly to the server, and enabling ARP proxy on the firewall.
Well, I looked at using a existing firewall like ClearOS, it has 1:1 NAT on it.
 
Top
amuck-landowner