Linode Forum
https://forum.linode.com/

Using one Linode as a firewall/router for all others.
https://forum.linode.com/viewtopic.php?f=19&t=3193		 Page 1 of 2
Author:  geekman [ Wed Apr 02, 2008 6:18 am ]
Post subject:  Using one Linode as a firewall/router for all others.
Hi, I currently have two Linodes, I want to use one as my router/firewall for both Linodes (and more if I get more) so I don't need to maintain multiple firewalls. Both Linodes are currently at Dallas so I've enabled private IP's in the hope that I can get one to act as a gateway for the other without any increase in traffic use.

I've done this before at my place with multiple servers, my linux router handles all traffic for all servers; but it is a little messy. It's done entirely using routing with IPTables and the way it is subnet 2 (the servers) can access Subnet 1 (Home LAN and Internet) but Home LAN needs to go in over the net to access server, or I setup a route on each PC.

Now I could probably duplicate this, but I don't want to. Although I've never bridged before, I've been told it's a good method. Right now I'm trying to determine what I _should_ do. And maybe how to do it after that, though hopefully I can handle it.

My idea at this point is to take the IP off my secondary Linode, and assign it to the one acting as the gateway, that way I can use IPTables to simply forward traffic to the second server's public IP - Is possible? (It's not like my setup at home, though it may sound like ;)). On the other hand, if I were to say use bridging, would I simply buy a second WAN IP on the primary (gateway) server, then bridge one of the WAN IP's with the Private IP and set It's Public IP as the default gateway on the second Linode? As you can probably see having never used bridging before it's only a guess.

Suggestions on a better method are much welcome, also if anyone has done something similar before and is wanting to share exactly how they did it, that'd be great.

For reference the primary Linode is running Ubuntu 7.10 and the secondary running Debian 4.0.

Thanks In Advance.
Author:  chrisnolan [ Wed Apr 02, 2008 6:57 am ]
Post subject: 
have you considered m0n0wall?

It's a pretty impressive package, and would basically mean that your "firewall" linode would have all the capability of an enterprise class hardware firewall. Not sure how you'd go about installing it on a linode, but I'm sure its possible and would be a nice project for you to enjoy :)

"m0n0wall is a project aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software).

m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent."

http://m0n0.ch/wall/
Author:  geekman [ Wed Apr 02, 2008 7:13 am ]
Post subject: 
Looks like a cool product. And I'd definitely recommend it to a few people I know of. But, does it allow IPTables syntax at all? It looks to be only web based. I'm too used to IPTables to really want to change now - at least for "production" use. Shrug.

I do want to try it out though...I just need to get a spare box ready for it!

Thanks for the suggestion.
Author:  SteveG [ Wed Apr 02, 2008 12:27 pm ]
Post subject: 
Monowall is a complete distribution of BSD, oriented towards embedded systems. I don't see how it would work with a Linode.
Author:  JDM [ Wed Apr 02, 2008 7:28 pm ]
Post subject:  Re: Using one Linode as a firewall/router for all others.
geekman wrote:
Hi, I currently have two Linodes, I want to use one as my router/firewall for both Linodes (and more if I get more) so I don't need to maintain multiple firewalls. Both Linodes are currently at Dallas so I've enabled private IP's in the hope that I can get one to act as a gateway for the other without any increase in traffic use.


That would be interesting to find out because of the whole issue of bringing up IPs that are assigned to a different Linode (using the IP Failover feature). I'm pretty sure traffic is accounted for per Linode, not per person, but I'm not sure if the traffic would be accounted for the Linode the IP address is actually assigned to (your secondary Linode) or the Linode that actually has the IP address up (your gateway Linode).

geekman wrote:

My idea at this point is to take the IP off my secondary Linode, and assign it to the one acting as the gateway, that way I can use IPTables to simply forward traffic to the second server's public IP - Is possible?



That should work fine except you'd have to forward traffic to the second server's private IP since you can't bring up it's real IP two times (on it and the gateway, like you described). I assume you're talking about some NAT sort of setup?

As for bridging, I haven't used it in any real-word situations (only virtualized), so I couldn't tell you about that option.

Have fun!
Author:  caker [ Wed Apr 02, 2008 9:07 pm ]
Post subject: 
Public IP traffic is accounted on the Linode that received the traffic, regardless of the ip-failover setup.

We're also working out a mechanism whereby traffic is pooled between all your Linode accounts which would make either case moot.

-Chris
Author:  geekman [ Thu Apr 03, 2008 12:57 am ]
Post subject:  Re: Using one Linode as a firewall/router for all others.
JDM wrote:
geekman wrote:
Hi, I currently have two Linodes, I want to use one as my router/firewall for both Linodes (and more if I get more) so I don't need to maintain multiple firewalls. Both Linodes are currently at Dallas so I've enabled private IP's in the hope that I can get one to act as a gateway for the other without any increase in traffic use.


That would be interesting to find out because of the whole issue of bringing up IPs that are assigned to a different Linode (using the IP Failover feature). I'm pretty sure traffic is accounted for per Linode, not per person, but I'm not sure if the traffic would be accounted for the Linode the IP address is actually assigned to (your secondary Linode) or the Linode that actually has the IP address up (your gateway Linode).

geekman wrote:

My idea at this point is to take the IP off my secondary Linode, and assign it to the one acting as the gateway, that way I can use IPTables to simply forward traffic to the second server's public IP - Is possible?



That should work fine except you'd have to forward traffic to the second server's private IP since you can't bring up it's real IP two times (on it and the gateway, like you described). I assume you're talking about some NAT sort of setup?

As for bridging, I haven't used it in any real-word situations (only virtualized), so I couldn't tell you about that option.

Have fun!



When I said "PTables to simply forward traffic to the second server's public IP" I actually meant the second servers private IP. :)

And yeah I suppose that is NAT...kind of, though it would be different in that the gateway simply forwards traffic based on the Public IP given in the request. Only thing I'm not too sure of is how to maintain a proper connection to the internet from the secondary server, without having a public IP assigned to it. Simple as telling it to set the secondary server's gateway as the Private IP of my proposed gateway? Is it even possible to configure Linode one to have both Public IP's while having no public IP on Linode 2? I can probably just use Lish untill I get it routing correctly, right?


Thanks in Advance.
Author:  geekman [ Thu Apr 03, 2008 10:13 am ]
Post subject: 
While this thread is active - I figured I'd verify this too.

Code:
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_ftp


Currently have those modules commented out as they like to error and don't seem to be enabled in that way. Instead it says the following:
Code:
FATAL: Could not load /lib/modules/2.6.23.17-linode43/modules.dep: No such file or directory
FATAL: Could not load /lib/modules/2.6.23.17-linode43/modules.dep: No such file or directory


Although I don't _need_ these modules, I'd like to use NAT with FTP so i'd like them. I am hoping for one of two things here, are these modules already enabled for use in IPTables, or is there another way of enabling them?

Thanks.
Author:  caker [ Thu Apr 03, 2008 10:20 am ]
Post subject: 
They're compiled in.

Code:
# zgrep NAT /proc/config.gz 
CONFIG_IP_NF_NAT=y

-Chris
Author:  JDM [ Thu Apr 03, 2008 7:25 pm ]
Post subject:  Re: Using one Linode as a firewall/router for all others.
geekman wrote:

And yeah I suppose that is NAT...kind of, though it would be different in that the gateway simply forwards traffic based on the Public IP given in the request. Only thing I'm not too sure of is how to maintain a proper connection to the internet from the secondary server, without having a public IP assigned to it. Simple as telling it to set the secondary server's gateway as the Private IP of my proposed gateway? Is it even possible to configure Linode one to have both Public IP's while having no public IP on Linode 2? I can probably just use Lish untill I get it routing correctly, right?


Thanks in Advance.


It's still NAT because you're translating traffic to a private IP from a public one.. though you're right that it is different from regular home NAT, I believe in this case it would be called SNAT instead of normal DNAT or masquerading. Correct, you would do it by having the gateway set up to route and have it's private IP set as the default gateway on the second Linode (like you would set a home router's private IP as the default gateway to use it to connect to the internet).

As for your last question, it's entirely possible to just have a private IP active on a Linode. You could even bring up no and just use Lish all the time (I don't think you would want to though).
Author:  geekman [ Fri Apr 04, 2008 2:16 am ]
Post subject: 
Ok. I've begun, I configured the router to be able to use "IP Fallover" so it could bring up the WAN IP on the secondary Linode. It shows up in ifconfig fine, and I can even ping the IP from the router itself. The issue is it doesn't seem to work from anywhere else.

Here's how the interface is setup:

Code:
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
        address 192.168.130.1xx
        netmask 255.255.128.0

# Secondary Linode IP (morpheus)
auto eth0:0
iface eth0:0 inet static
        address 67.18.208.xx
        netmask 255.255.255.0
        gateway 67.18.208.1


And here's the routing table:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
67.18.208.0     *               255.255.255.0   U     0      0        0 eth0
192.168.128.0   *               255.255.128.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         gateway23.linod 0.0.0.0         UG    100    0        0 eth0
root@theconstruct:/etc/router # cat /etc/network/interfaces


Probably missing something stupid, though I feel like I covered t
Author:  geekman [ Fri Apr 04, 2008 2:26 am ]
Post subject: 
I also just realised...since the router sees both interfaces as "connected" from it's Point of view, it hangs up when trying to lookup DNS, or visit a website. I assume it can't decide on what IP to use, any way I can force it to use one?

Thanks.
Author:  JDM [ Fri Apr 04, 2008 6:55 am ]
Post subject: 
geekman wrote:

Code:
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
        address 192.168.130.1xx
        netmask 255.255.128.0

# Secondary Linode IP (morpheus)
auto eth0:0
iface eth0:0 inet static
        address 67.18.208.xx
        netmask 255.255.255.0
        gateway 67.18.208.1



I only have one Linode and one IP so I can't tell you for sure, but it looks like you might be setting the multiple IPs up wrong (eth0 and eth0:1 instead of eth0:0 and eth0:1). Check the wiki entry for known working setup instructions from other people.

Also, have you rebooted since using the IP Failover tool to allow your gateway Linode to bring up the second's IP? This might be necessary. Linode has some fancy firewalling that makes sure you don't bring up IPs that don't belong to you, (and unless something has changed recently) it only updates with new authorizations when you boot.
Author:  geekman [ Fri Apr 04, 2008 8:08 am ]
Post subject: 
Thanks. I realised I rebooted the router but not the other one. I also changed the interface of the new IP to eth0:1 just in case. Now i can see the port 80 requests coming in when I try and get to the new IP, though I can't see the router forwarding that request onto the actual server. On top of this, although I used:
Code:
route add default gw 192.168.130.1xx

Which is the LAN IP of the router (which it can ping), the second Linode can't currently access the internet. Thus, I cannot use TCPDump to see if any traffic is getting through right now.

Here's the output of TCPDump:
Code:
07:55:26.560459 IP dsl-203-33-160-120.NSW.netspace.net.au.3994 > morpheus.www: S 1943587100:1943587100(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
07:55:29.461899 IP dsl-203-33-160-120.NSW.netspace.net.au.3994 > morpheus.www: S 1943587100:1943587100(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
07:55:35.397855 IP dsl-203-33-160-120.NSW.netspace.net.au.3994 > morpheus.www: S 1943587100:1943587100(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>


I'll dig up the output from my server at home which has a somewhat similar setup later.

Thanks.
Author:  geekman [ Fri Apr 04, 2008 8:21 am ]
Post subject: 
Ok. So I got tcpdump installed on the secondary server, and got it listening on eth1 (the LAN interface) while I made a web request. Got the same output as last time from the router; here's the output for the secondary server: - Note 192.168.130.1xx is the LAN IP of the router.

Code:
device eth1 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
08:15:47.978046 arp who-has none.local tell 192.168.130.1xx
08:16:13.077115 arp reply none.local is-at fe:fe:c0:a8:82:96 (oui Unknown)
08:15:47.978794 IP none.local.32774 > 192.168.130.1xx.domain:  65356+ PTR? 150.130.168.192.in-addr.arpa. (46)
08:15:52.977028 arp who-has 192.168.130.1xx tell none.local
08:15:52.977159 IP none.local.32775 > 192.168.130.1xx.domain:  65356+ PTR? 150.130.168.192.in-addr.arpa. (46)
08:15:52.977301 arp reply 192.168.130.1xx is-at fe:fe:c0:a8:82:9b (oui Unknown)
08:15:58.077313 IP none.local.mdns > 224.0.0.251.mdns:  0 PTR? 150.130.168.192.in-addr.arpa. (46)
08:15:58.077420 IP none.local.mdns > 224.0.0.251.mdns:  0*- [0q] 1/0/0 (Cache flush) PTR[|domain]
08:15:58.077738 IP none.local.32776 > 192.168.130.1xx.domain:  6999+ PTR? 1xx.130.168.192.in-addr.arpa. (46)
08:16:03.076581 IP none.local.32778 > 192.168.130.1xx.domain:  6999+ PTR? 1xx.130.168.192.in-addr.arpa. (46)
08:16:08.176752 IP none.local.mdns > 224.0.0.251.mdns:  0 PTR? 1xx.130.168.192.in-addr.arpa. (46)
08:16:09.177623 IP none.local.mdns > 224.0.0.251.mdns:  0 PTR? 1xx.130.168.192.in-addr.arpa. (46)
08:16:11.178307 IP none.local.mdns > 224.0.0.251.mdns:  0 PTR? 1xx.130.168.192.in-addr.arpa. (46)
08:16:13.077426 IP none.local.32779 > 192.168.130.1xx.domain:  60638+ PTR? 251.0.0.224.in-addr.arpa. (42)
08:16:18.076188 arp who-has 192.168.130.1xx tell none.local
08:16:18.076362 IP none.local.32780 > 192.168.130.1xx.domain:  60638+ PTR? 251.0.0.224.in-addr.arpa. (42)
08:16:18.076470 arp reply 192.168.130.1xx is-at fe:fe:c0:a8:82:9b (oui Unknown)
08:16:23.176470 IP none.local.mdns > 224.0.0.251.mdns:  0 PTR? 251.0.0.224.in-addr.arpa. (42)
08:16:24.177330 IP none.local.mdns > 224.0.0.251.mdns:  0 PTR? 251.0.0.224.in-addr.arpa. (42)
08:16:26.178025 IP none.local.mdns > 224.0.0.251.mdns:  0 PTR? 251.0.0.224.in-addr.arpa. (42)


Looks kind of like it's doing a reverse lookup on the LAN IP maybe? I've not seen this before. And I would assume DNS lookups would be OK since I set the primary DNS as the router - though it could all be buggered if my routing is off I guess.

Thanks.
Page 1 of 2 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/