Networking Forums

Design of a LAN with a Linux router?

 
 
Joseph Turian
03-05-2006, 05:43 AM
Hi,

We recently got a fast internet connection to my home, and were
assigned 5 static IP addresses. We are trying to design a sensible LAN,
and were hoping you could help us understand a few issues.

Here's what we're working with:
We have a small Linux box called cerberus.
We have a powerful Linux box, which we want to use for web hosting one
domain.
We have two Windows machines. One will be for desktop use, and one will
be for web hosting under other domain names.

Right now, each computer is connected to the network through a switch,
and my understanding is that they each have their own (external) IP
address, and there is no firewall so each host must ensure its own
protection. For my edification, please correct me if that's incorrect.

I was thinking it would be better if we have cerberus be the single
point of connection to the internet. It would be the firewall, do
routing and NAT, deliver mail, and provide nameservice for multiple
domain names (each corresponding to the three different internal
machines). Then, the three other machines would be connected to
cerberus.

Some questions, in descending order of importance:

* Will having cerberus do routing limit throughput? i.e. What are the
limitations of having a single point of access?
* Can I set up the HTTP hosts behind cerberus and provide web service
to the outside internet, even though these TCP connections are
activated from the outside and not within the LAN?
* Does having 5 static IPs do me any good if cerberus is the only one
that is accessed externally? Is it possible to associate one (external)
static IP address with each internal machine? If so, is there a reason
to do so?
* Does it make more sense to have cerberus provide DNS and SMTP
service, or should that be handled by an internal machine (the other
Linux box)?
* What limitations/disadvantages do you see with the proposed LAN
setup? Can you suggest any alternatives?

Thank you for your advice.

Joseph

 
David Schwartz
03-05-2006, 06:36 AM

"Joseph Turian" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...

> * Will having cerberus do routing limit throughput? i.e. What are the
> limitations of having a single point of access?


Not likely, assuming it's a reasonably fast machine.

> * Can I set up the HTTP hosts behind cerberus and provide web service
> to the outside internet, even though these TCP connections are
> activated from the outside and not within the LAN?


Yes, but I wouldn't. I assign machines that routinely host services your
outside IP address and place desktop/client machines on private IP
addresses.

> * Does having 5 static IPs do me any good if cerberus is the only one
> that is accessed externally? Is it possible to associate one (external)
> static IP address with each internal machine? If so, is there a reason
> to do so?


Usually if you assign more than one IP address to the gateway machine,
it's so that it can handle multiple internal machines that want to listen on
the same port.

> * Does it make more sense to have cerberus provide DNS and SMTP
> service, or should that be handled by an internal machine (the other
> Linux box)?


I would recommend handling all services on outside machines unless you
have extreme security needs or one very expensive firewall that you want to
use to protect the servers.

> * What limitations/disadvantages do you see with the proposed LAN
> setup? Can you suggest any alternatives?


That's how I do it. For example, I own a store that has a DSL line. Our
web server, mail server, wireless gateway, and other such server machines
are on our public, static IP addresses. One of our Linux machines acts as a
DHCP and NAT server for several gaming machines that are assigned private IP
addresses.

DS


 
Joseph Turian
03-05-2006, 07:07 AM
David,

Thank you for your responses.

> > * Can I set up the HTTP hosts behind cerberus and provide web service
> > to the outside internet, even though these TCP connections are
> > activated from the outside and not within the LAN?

> Yes, but I wouldn't. I assign machines that routinely host services your
> outside IP address and place desktop/client machines on private IP
> addresses.


Do you mean outside IP addressES? Otherwise, how can two different
machines with web hosting be on the same IP?

Can you explain why you would put the service hosts on the outside?
I have been reading the HOWTOs, and it seems standard to put the
service hosts on the outside, but they don't say why.

> I would recommend handling all services on outside machines unless you
> have extreme security needs or one very expensive firewall that you want to
> use to protect the servers.


What do you mean by "extreme security needs"?
I assume that keeping services inside is more secure.
So why do you recommend handling services on outside machines?

Thanks,
Joseph

 
Antoine EMERIT
03-05-2006, 09:16 AM
"Joseph Turian" <(E-Mail Removed)> wrote
news:(E-Mail Removed) ups.com:

> David,
>
> Thank you for your responses.
>
>> > * Can I set up the HTTP hosts behind cerberus and provide web
>> > service to the outside internet, even though these TCP connections
>> > are activated from the outside and not within the LAN?

>> Yes, but I wouldn't. I assign machines that routinely host
>> services your
>> outside IP address and place desktop/client machines on private IP
>> addresses.

>
> Do you meen outside IP addressES? Otherwise, how can two different
> machines with web hosting be on the same IP?


You may have two hosting services on the same IP if you use different
ports (e.g. 80 and 8080), but this is not the clearest solution.

> Can you explain why you would put the service hosts on the outside?
> I have been reading the HOWTOs, and it seems standard to put the
> service hosts on the outside, but they don't say why.


>> I would recommend handling all services on outside machines
>> unless you
>> have extreme security needs or one very expensive firewall that you
>> want to use to protect the servers.

>
> What do you mean by "extreme security needs"?
> I assume that keeping services inside is more secure.
> So why do you recommend handling services on outside machines?


Because the hosting machine may be hacked and so give access to your
inner LAN. So, it's common to set a different LAN for the hosting
services, we call this the DMZ.

In this case you need 3 network cards in your firewall: 1 outside (DSL
connection with public IP), 1 for the DMZ (using public IP or reverse NAT
in its own LAN), 1 for the private network (NATed, and outgoing connection
only).


Regards

 
Joseph Turian
03-05-2006, 03:28 PM

Antoine EMERIT wrote:
> Because the hosting machine may be hacked and so give access to your
> inner LAN. So, it's common to set a different LAN for the hosting
> services, we call this the DMZ.
>
> In this case you need 3 network cards in your firewall : 1 outside (DSL
> connection with public IP), 1 for the DMZ (using public IP or reverse NAT
> in its own LAN), 1 for the private network (NATed, and outgoing connection
> only).


So the best option from a security perspective is to have one firewall
machine which is the proxy between the internet and two separate LANs?
Why does having the two LANs on separate ethernet devices add any
security?
Why is it more secure if the hosting machine is hacked in this scenario?

Sorry if these questions seem basic.

Joseph

 
Antoine EMERIT
03-29-2006, 03:02 PM
"Joseph Turian" <(E-Mail Removed)> wrote
news:(E-Mail Removed) oups.com:

>
> Antoine EMERIT wrote:
>> Because the hosting machine may be hacked and so give access to your
>> inner LAN. So, it's common to set a different LAN for the hosting
>> services, we call this the DMZ.
>>
>> In this case you need 3 network cards in your firewall : 1 outside
>> (DSL connection with public IP), 1 for the DMZ (using public IP or
>> reverse NAT in its own LAN), 1 for the private network (NATed, and
>> outgoing connection only).

>
> So the best option from a security perspective is to have one firewall
> machine which is the proxy between the internet and two separate LANs?
> Why does having the two LANs on separate ethernet devices add any
> security?
> Why is it more secure if the hosting machine is hacked in this scenario?
>
> Sorry if these questions seem basic.


If the hosting machine is hacked, your private office LAN is still safe.

For example, you may have your account database in your office LAN (where
users have their workstations) for company access only, and a web server
with a limited database in the DMZ (the second LAN).

Regards




 
X
03-29-2006, 11:07 PM
Regarding DMZs.

Using a DMZ as described above is safer, but it may be more of a pain
to set up in your existing infrastructure. For a home Internet
connection, I say skip the DMZ, turn on your automatic updates, let
the firewall handle your traffic policies for you, and keep your
servers on the local LAN with your home computers. It's simpler, and a
home Internet connection in most cases does not warrant the added
complexity of a DMZ, unless you just want to try it out.

X

 
X
03-30-2006, 12:04 AM
Here's how to assign multiple IP addresses to the same NIC:

(assuming your eth1 is x.x.x.2, a public IP address)
ifconfig eth1:0 x.x.x.3 netmask 255.255.255.248
ifconfig eth1:1 x.x.x.4 netmask 255.255.255.248
ifconfig eth1:2 x.x.x.5 netmask 255.255.255.248
ifconfig eth1:3 x.x.x.6 netmask 255.255.255.248

I run these commands (and shaping rule commands) in a script in
rc.local. Now your device eth1 will answer for all IP addresses
between x.x.x.2 and x.x.x.6. (Your router is probably on x.x.x.1.)

As for your port forwarding rules, they would look something like the
/etc/sysconfig/iptables listing below. I added some comments to clarify
what each of these rules does.
Also, the following is assumed:
eth0 is the private side of the firewall
eth1 is the public side of the firewall

x.x.x.2 is the public IP answering for the firewall and used for
general Internet traffic
x.x.x.3 is the public IP answering for the mail server
x.x.x.4 is the public IP answering for the 1st web server
x.x.x.5 is the public IP answering for the 2nd web server
x.x.x.6 is not used

y.y.y.2 is the private IP of the firewall box
y.y.y.3 is the private IP of the mail server
y.y.y.4 is the private IP of the 1st web server
y.y.y.5 is the private IP of the 2nd web server

(/etc/sysconfig/iptables listing)
# Generated by iptables-save v1.3.5 on ...
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT ACCEPT
# allows related and established traffic from all interfaces
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accepts new connection requests (SYN) arriving on any interface other than
# eth1; together with the INPUT policy of DROP, this blocks connection
# requests from eth1 only (newer iptables releases write the negation as
# "! -i eth1")
-A INPUT -i ! eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# allows SSH into the server from the Internet
-A INPUT -d x.x.x.2 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on ...
# Generated by iptables-save v1.3.5 on ...
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
# Mail server NAT rule
# NATs SMTP, HTTPS (for webmail), and RDP from the public IP x.x.x.3 to
# private IP y.y.y.3
-A PREROUTING -d x.x.x.3 -i eth1 -p tcp -m multiport --dports 25,443,3389 -j DNAT --to-destination y.y.y.3
# 1st Web Server NAT rule
# NATs HTTP, HTTPS, and RDP from the public IP x.x.x.4 to private IP y.y.y.4
-A PREROUTING -d x.x.x.4 -i eth1 -p tcp -m multiport --dports 80,443,3389 -j DNAT --to-destination y.y.y.4
# 2nd Web Server NAT rule
# NATs HTTP, HTTPS, and RDP from the public IP x.x.x.5 to private IP y.y.y.5
-A PREROUTING -d x.x.x.5 -i eth1 -p tcp -m multiport --dports 80,443,3389 -j DNAT --to-destination y.y.y.5
# Return Traffic rule for the mail server
-A POSTROUTING -s y.y.y.3 -o eth1 -p tcp -m multiport --sports 25,443,3389 -j SNAT --to-source x.x.x.3
# Return Traffic rule for 1st web server
-A POSTROUTING -s y.y.y.4 -o eth1 -p tcp -m multiport --sports 80,443,3389 -j SNAT --to-source x.x.x.4
# Return Traffic rule for 2nd web server
-A POSTROUTING -s y.y.y.5 -o eth1 -p tcp -m multiport --sports 80,443,3389 -j SNAT --to-source x.x.x.5
# Make sure the two rules below are listed last !!!
# Outgoing traffic NAT rule for general Internet users
-A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.2
# Incoming traffic NAT rule for general Internet users
-A POSTROUTING -o eth0 -j SNAT --to-source y.y.y.2
COMMIT
# Completed on ...

Originally, I did all the port accept rules for the servers on the
INPUT chain and then had some simple PREROUTING and POSTROUTING rules
(that didn't include port numbers), but then I rediscovered that the
PREROUTING chain is checked before the INPUT chain, and so all traffic
to the public IP addresses was getting NAT'd straight to the
corresponding servers (not just specific ports), so it was like they
were directly on the Internet. That's when I figured out that I needed
to specify the ports in the PREROUTING chain and then also in the
POSTROUTING chains for consistency. I also could have used the FORWARD
chain instead, but I decided the PREROUTING and POSTROUTING rules would
take fewer rules to accomplish the same result, so that's how I got this
configuration.

One other interesting tidbit about this setup is that any traffic from
the servers' public ports (e.g. mail server's ports: 25, 443, 3389)
gets returned using their own IP address (e.g. mail server's: x.x.x.3),
but if someone logs into that server to surf the web or do FTP, that
traffic (from the Internet) looks like it comes from the firewall's public
IP of x.x.x.2. Modern Frame Relay routers that I have used work this
way also.

X
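The pitfall X describes above, a PREROUTING DNAT rule with no port numbers that forwards every port and so puts the internal host effectively straight on the Internet, is worth checking mechanically whenever a ruleset like this is edited. The following Python script is an added example, not X's code and not part of the original thread: it parses an iptables-save style listing in the same layout as the one posted, reports any DNAT rule that forwards every port, and evaluates the INPUT chain for a few constructed packets to show how the SYN rule plus the DROP policy accepts new connection requests only from interfaces other than eth1. The addresses are placeholders (203.0.113.0/29 stands in for the public block, 192.168.1.0/24 for the LAN), and the sample ruleset is constructed, with one deliberately unrestricted DNAT rule added to trigger the warning.

```python
"""Checker for iptables-save style rulesets (added example, not X's code).
It flags DNAT rules that forward every port (the exposure X described) and
evaluates the INPUT chain for constructed packets. Addresses are placeholders:
203.0.113.0/29 stands for the public block, 192.168.1.0/24 for the LAN."""

# Constructed sample in the post's layout, plus one deliberately unrestricted
# DNAT rule (203.0.113.6 -> 192.168.1.6) of the kind X had to fix.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -d 203.0.113.2 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.3 -i eth1 -p tcp -m multiport --dports 25,443,3389 -j DNAT --to-destination 192.168.1.3
-A PREROUTING -d 203.0.113.6 -i eth1 -j DNAT --to-destination 192.168.1.6
-A POSTROUTING -s 192.168.1.3 -o eth1 -p tcp -m multiport --sports 25,443,3389 -j SNAT --to-source 203.0.113.3
-A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.2
COMMIT
"""

def parse_rule(tokens, table):
    """'-A CHAIN opt val ...' -> dict; names of negated options go in 'neg'.
    Both the old '-i ! eth1' and the current '! -i eth1' forms are accepted."""
    rule = {"table": table, "chain": tokens[1], "neg": set()}
    i, negate = 2, False
    while i < len(tokens):
        if tokens[i] == "!":
            negate, i = True, i + 1
        elif not tokens[i].startswith("-"):
            i += 1  # trailing positional value, e.g. the 2nd --tcp-flags arg
        else:
            key, val, i = tokens[i].lstrip("-"), True, i + 1
            if i < len(tokens) and tokens[i] == "!":
                negate, val, i = True, tokens[i + 1], i + 2
            elif i < len(tokens) and not tokens[i].startswith("-"):
                val, i = tokens[i], i + 1
            rule[key] = val
            if negate:
                rule["neg"].add(key)
                negate = False
    return rule

def parse_ruleset(text):
    """Return (rules, policies) parsed from iptables-save output."""
    rules, policies, table = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A"):
            rules.append(parse_rule(line.split(), table))
    return rules, policies

def unrestricted_dnat(rules):
    """Internal hosts reachable on every port: the mistake X rediscovered."""
    return [r["to-destination"] for r in rules
            if r["table"] == "nat" and r["chain"] == "PREROUTING"
            and r.get("j") == "DNAT" and "dports" not in r and "dport" not in r]

def rule_matches(rule, pkt):
    """Simplified match on interface, address, protocol, port and state; the
    '--tcp-flags ... SYN' match is modelled as pkt['syn'] (a new request)."""
    for key, value in (("i", pkt.get("iface")), ("d", pkt.get("dst")),
                       ("p", pkt.get("proto")), ("dport", str(pkt.get("dport")))):
        # a plain option must equal the packet field; a negated one must differ
        if key in rule and (rule[key] == value) == (key in rule["neg"]):
            return False
    if "state" in rule and pkt.get("state") not in rule["state"].split(","):
        return False
    return "tcp-flags" not in rule or bool(pkt.get("syn"))

def chain_verdict(rules, policies, table, chain, pkt):
    """First-match evaluation of one chain, falling back to its policy."""
    for r in rules:
        if r["table"] == table and r["chain"] == chain and rule_matches(r, pkt):
            return r["j"]
    return policies[(table, chain)]

def input_verdicts(text):
    """Evaluate the INPUT chain for constructed packets: {name: verdict}."""
    rules, policies = parse_ruleset(text)
    fw = "203.0.113.2"
    packets = {
        "ssh_from_internet": dict(iface="eth1", dst=fw, proto="tcp", dport=22, state="NEW", syn=True),
        "http_to_firewall_from_internet": dict(iface="eth1", dst=fw, proto="tcp", dport=80, state="NEW", syn=True),
        "new_request_from_lan": dict(iface="eth0", dst="192.168.1.2", proto="tcp", dport=80, state="NEW", syn=True),
        "reply_from_internet": dict(iface="eth1", dst=fw, proto="tcp", dport=40000, state="ESTABLISHED"),
    }
    return {n: chain_verdict(rules, policies, "filter", "INPUT", p) for n, p in packets.items()}

if __name__ == "__main__":
    print("every port forwarded to:", unrestricted_dnat(parse_ruleset(SAMPLE_RULESET)[0]))
    print(input_verdicts(SAMPLE_RULESET))
```

Run it against the real file (`python3 check.py < /etc/sysconfig/iptables` after swapping SAMPLE_RULESET for `sys.stdin.read()`) and any host listed under "every port forwarded to" is one whose PREROUTING rule needs the `--dports` list X added; the INPUT evaluation reports DROP for a new request to the firewall's own public address on a port other than 22 and ACCEPT for new requests from the LAN side, which is the behaviour the "-i ! eth1" rule plus the DROP policy is meant to give.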

 
X
03-30-2006, 12:13 AM
I accidentally sent my original reply directly to the author instead of
posting it here, but to answer his questions:

You can set up the firewall to answer all the public IP addresses and
then forward them (or certain ports on certain IP addresses) to the
appropriate servers. The configuration to do that is listed in the
message above. This is a good solution as your Internet IP addresses,
firewall, and your bandwidth are managed centrally rather than
configuring each server with its own specific firewall. You also don't
have to multihome (put multiple NICs in) the servers to have them on
both public and private IPs. You can set this server up to shape
traffic and give priority to certain types of traffic. You can log
traffic. You can do most anything a high dollar Cisco router will do.

X

 