Need recommendation on an application proxy/firewall

I've been tasked with migrating our company internet connection where we are unable to retain our existing public IP subnet. The last time I did this it was a bit of a mess as we were moving buildings too, and ended up having to run duplicates of our servers at both sites for a short period until DNS propagation was pretty much complete (a few annoying ISPs appear to ignore TTL settings and fix their caching, so reducing the TTL down to something like 30 mins and then switching everything doesn't always result in smooth migration).

What I was hoping to do this time around was something a little more elegant - move everything to the new connection (which luckily this time shouldn't be too hard as most of it is NAT'd through a PIX, so it should be reasonably easy to just reconfigure the PIX mappings and external IP) but leave a server connected to the old line running an application proxy/firewall for incoming DNS, HTTP, HTTPS, and SMTP.

What I'm after is recommendations on a proxy/firewall that can do this without needing much in the way of hardware (although I can probably commandeer an XP2400 with 512MB DDR for the job, most of the spare PCs here are Celeron 300 with 160MB SDR), simple to configure, and unfortunately above all it has to be free (or at least extremely cheap) as my department budget is already gone and as this is a temporary requirement (at most probably to run for 2 weeks) my boss is reluctant to provide funding (despite the migration resulting in savings of £5k per annum). I guess I'm looking at a Linux based solution that's pretty much already rolled together, and just requires the public and private IPs configuring for each service to be proxied, even though I'm a Win admin I'm happy to turn my hand to messing around in Linux from time to time but I'm a complete novice.

So, any recommendations?

Dan

Reply to
Spack

I just had a thought - am I being over complicated with my requirements? Can I do this with a simple Linux router setup? The PIX only allows 1 external IP and 1 gateway address to be configured, but if the packets are coming from this router then the responses should go back to it, shouldn't they? If that's the case I should just be able to set up a simple router config that maps the old public IPs to the new public IPs, and slap it between the existing ISP router and my PIX. Anyone got any comments on whether this will work or not?

Dan

Reply to
Spack

I am not sure I fully understand you, but...

There's a way that works and there is a way that doesn't work.

DNAT doesn't work. It's well supported in Linux, and could be set up by a simple command such as the following:

    iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j DNAT \
        --to-destination 13.23.35.45:81

This will forward all traffic to port 80 on this box to port 81 on some other box (you'll most likely not need the :81 section, just leave it off to forward to port 80). The source IP is not altered, so you'll probably get something like this:

    Client ----> Forwarder (old IP) ----> Firewall
                                          New host
      ^                                      |
      |                                      |
      \--------------------------------------/

The client now sees a different source address than the one it sent to. This confuses the heck out of it. (Removing the firewall doesn't help, either - the routing tables will still tell the server to send it directly). Configuring the server/firewall to use the forwarder as a gateway solves this problem, but causes exactly the same problem for clients connecting to the new IP.

I am fairly sure that with a little networking magic, you can get this all done in an elegant way (you could mark the packets coming through the forwarder in some way, and base your routing decisions on that, or maybe using two forwarders, the first using DNAT and the second using SNAT, would work). The easy, Windows-friendly solution would be the following, though:

- Get yourself one more NIC. Put this NIC in the server.
- Connect the firewall to the old NIC, configure as appropriate.
- Give the new NIC your old IP. Put the Linux box in front of it to act as a router/firewall if desired. (This would entail giving it some IP, which doesn't really matter, and specifying:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -P FORWARD DROP
    iptables -I FORWARD 1 --destination your.shiny.new.ip --jump ACCEPT
    iptables -I FORWARD 1 --source your.shiny.new.ip --jump ACCEPT

)

Of course, this isn't a very good firewall; a much more effective solution would be to use specific allow directives instead of a blanket one, such as

    iptables -I FORWARD 1 --destination your.shiny.new.ip --protocol tcp \
        --destination-port 80 --jump ACCEPT

Most Linux distributions will support this, I presume. I'm not sure, though - I've been running custom kernels since long before I cared for such complex networking stuff.

Joachim

Reply to
Joachim Schipper
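
Added example (not part of the original posts): one way to realise the DNAT-plus-SNAT idea mentioned in the reply above, here with both rewrites on a single forwarder that keeps the old IP, which is an assumption beyond what the post describes. The script only prints the iptables commands for the four services from the question so they can be reviewed before being run as root; the addresses are constructed documentation-range samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prints iptables commands for a DNAT+SNAT forwarder so they
# can be reviewed before being run as root. Addresses are constructed samples
# from the RFC 5737 documentation ranges, not values from the thread.
OLD_IP="192.0.2.10"     # old public IP, kept on the forwarder (assumption)
NEW_IP="203.0.113.10"   # new public IP mapped on the PIX (assumption)
SERVICES="udp:53 tcp:53 tcp:80 tcp:443 tcp:25"   # DNS, HTTP, HTTPS, SMTP

# valid_service PROTO PORT: succeed only for tcp/udp and a port in 1..65535.
valid_service() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# gen_rules "proto:port ...": emit the rule set, or fail on a bad entry.
gen_rules() {
    for svc in $1; do
        valid_service "${svc%%:*}" "${svc##*:}" || {
            echo "bad service: $svc" >&2; return 1; }
    done
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -P FORWARD DROP"
    # Replies to forwarded connections are matched by connection tracking.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for svc in $1; do
        proto=${svc%%:*}; port=${svc##*:}
        m="-p $proto --dport $port"
        # DNAT: traffic for the old IP is redirected to the new IP.
        echo "iptables -t nat -A PREROUTING -d $OLD_IP $m -j DNAT --to-destination $NEW_IP"
        # SNAT: the server sees the forwarder as source, so it replies to the
        # forwarder instead of answering the client directly.
        echo "iptables -t nat -A POSTROUTING -d $NEW_IP $m -j SNAT --to-source $OLD_IP"
        # Allow only the forwarded services, not a blanket ACCEPT.
        echo "iptables -A FORWARD -d $NEW_IP $m -j ACCEPT"
    done
}

gen_rules "$SERVICES"
```

Because of the SNAT rule, the servers see every forwarded connection as coming from the forwarder's address, so logs and any IP-based mail or access controls no longer see the real client while the forwarder is in use.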
