How to NAT several public addresses

[HarshaB]

In my workplace, internet access has been established. The router has been established. At our expense (and therefore my office) wants to set up a firewall. I have 8 public IP addresses. So 6 are really usable (2 ip are for the network and broadcast).

Knowing Ipcop 1.4.21, I decided to put one up.
Network Setup GREEN / RED (static public IP).

Scheme:
Ian ---- GREEN (@ internal IP) ---- Ipcop ---- RED (@ public IP 1) ---- ROUTER (@ public IP 2) ---- Internet / WAN.

The internet is carried out correctly (I am writing this post from this web access).

I have a web server for now in the GREEN network (considering that the ISP's DNS have linked the IP address in my domain "www.domain.com").

Two other servers will have to be available soon from the Internet.

How do I NAT traffic from my public IP address No. 3 to the web server? What procedure do I follow?

[Wguy2008]

Have you created aliases for the different ip addresses? Then depending on the type of services you will put in place.

Turning to the things that annoy, ipcop 1.4.x is not at all suited to addressing this need (multiple public ip). I've played, they work very well but this is not a healthy situation manageable. I've since abandoned.

A possible solution is pfsense.

Then if your need is to have multiple Web servers, there are at least five reasons that argue for a different solution.

1. Virtual servers can solve the problem with a single public ip avoiding waste of resources (machines and ip).

2. Connecting to the Internet Web server behind a firewall even still dangerous. It has become virtually indispensable to establish a firewall application. That is a reverse proxy (not Vulture example) providing URL filtering to the web server. Most intrusions are made by exploiting application vulnerabilities. A site with php code was not designed to withstand is vulnerable to all sorts of injections. The reverse is also known to serve several web servers.

3. The result is a necessary division of the network with two dmz (at least). The reverse proxy and firewall can not be in the same area. Incidentally a question: you have no client in your network? Web servers have no place in the County (Green).

4. Ipcop does not develop as it should this type of architecture.

5. If your servers are not coming from web servers, but servers initiating outbound connections, you'll be missing functionality with Ipcop. It can not handle anything other than the nat all ip behind the RED ip.

[HarshaB]

I forgot to say that indeed I had completed the Network -> Alias:
(Rule set):
IP Alias Name
www.mydomain.com ----- public ip address 3

Regarding Port forwarding:
TCP DEFAULT IP: 80 (HTTP) => aa.bb.cc.84: 80 (HTTP)
Access permitted since: xx.yy.zz.108

xx.yy.zz.108 is the public ip 3.

This virtual server web hosting 2 websites.

The other 2 servers will be an SSH server so that teachers can access an application hosted on a server "administrative". And a mail server/mailing list nice guy.

If Ipcop knows correctly handle multiple dynamic IP, it can surely handle multiple translations leading to different IP LAN from a single public IP.

For the rest of your very precise answer to everything you say, and without taking a tour, I'm dropped. The reason is that I learned and still learning the system and network administration on the job (I do not think it more). You will therefore understand that I am not a level engineer. I'm going to find out about all the technologies you mentioned (I hope I have time).

I still have another question: what then is the real function of ALIAS in IPCop? It is mentioned being able to "manage" several public ip.

[Wguy2008]

At first your port forwarding is correct except for the field "who has authorized access must be empty in your case? It is used to restrict the source IP can use port forwarding. Here you put the ip destination.

And a mail server/mailing list nice guy.

This server will be a problem. When sending emails it will use the ip of red, not a alias ip. With ipcop you should manually edit the conf file.

what then is the real function of ALIAS in IPCop? It is mentioned being able to "manage" several public ip.

The function provides a minimalist management of multiple IP on red. I believe that management is scheduled to complete the V2 which is on the gas.

On this project you are taking risks if you do not fundamentally reconsider your architecture.

[Kirt]

* Myth on multiple addresses:

I have several servers set up in DMZ => so I need multiple addresses.

NO, in fact, there is no need for multiple addresses, one for each server.
This is the case that IF the servers use the same protocol (for instance = https 443/tcp).

For http (80/tcp =) you can host multiple websites or on a single machine or on multiple servers accessing through a machine that will sort the traffic and return on common server.

Same for smtp (25/tcp =).

* Perverse effects of multiple addresses:

If there are multiple servers, one per address, and that they should advise initiate another trade, they should avoid using a different address for this other traffic: this is called doing source nat.

IPCOP is not made for these gymnastics: is it really suitable for 1 external address and item. Because manually edit the rc.firewall script to enable source NAT goes with aliases, I do not call it "expected"!

[HarshaB]

So to summarize, we can NAT all from one public address as the servers behind not using the same port (http, ftp, smtp, ssh ...). What makes sense and is the first feature of the address translation?

The analogy is what it is but it's closer to setup NAT on the box they have at home.

And too bad for the other addresses that do not serve.

I return to my experience with the NAT on IPCop
Reminder: Public ip 1 -> the router, public ip 2 -> ipcop, public ip 3 -> NAT on web server

I modified my previous setup this way:
I still have my ALIAS
www.mydomain.com --- public ip 3

but the port forwarding:
in box ALIAS IP I did not selected DEFAULT IP but my alias was created previously.

ALIAS IP IP DESTINATION
Aa.bb.cc.dd TCP 80 (HTTP) => 10.8.20.84: 80 (HTTP)

It works when I enter the public IP, I fall on my website. I can not go more because I have a DNS issue between my domain and public ip address (I'll contact my ISP).