The firewall can use IPTables to forward packets between the Internet and the internal network. IPTables is the interface for configuring the netfilter firewall built into the Linux kernel. We'll also use IPTables to forward SSH requests for the firewall to the head node, making the firewall transparent. (Users of the cluster should interact with the head node, not the firewall.)
For my example (see Network Topology), this means that users will see something like the following. They specify the address of my firewall, eyrie, but then are deposited onto gyrfalcon, my head node. 
kwanous@cassowary:~$ ssh's password:

Linux gyrfalcon 2.6.18-4-486 #1 Wed May 9 22:23:40 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Most newer versions of Debian (etch, sid, lenny) come with iptables installed. However, to make sure iptables is installed and at the latest version, run:

apt-get install iptables

Configuring IPTables

IPTables is generally configured from the command line; it isn't read from a file. To make changes that "stick" after a reboot, a bash script run at startup can be used to enter all the configuration commands. We've already created a script for you - IPTables Script. Download this, save it as local, place it in /etc/init.d/, then make it executable (chmod +x local). Next, the file needs to be symlinked to a place where it will be loaded as the firewall starts up. Debian stores the scripts run at boot in /etc/rc*.d, where * is the runlevel: 0, 1, 2, 3, 4, 5, 6, or S. In Debian, run level 2 is the normal run level. /etc/rcS.d stores the scripts that are run regardless of the run level. Within a given run level directory, the scripts are run in order from lowest to highest number. Symlinks that start with S are executed with the argument start; those that start with K (for kill) are executed with stop.
To be the most secure and not allow any slips while the server is started up, the local script needs to be executed before the networking script. Networking is S40networking, so S39 will do. Symlink the file with
ln -s /etc/init.d/local /etc/rcS.d/S39local
or to /etc/rc2.d/S39local if you prefer. 

Source Network Address Translation (SNAT)

The first iptables command does the SNAT - translating packets generated by computers on the internal interface to go out to the Internet. Any machines seeing packets on the Internet from the cluster will see them as coming from the firewall, and they will respond to the firewall. Rather than accepting the packets itself, the firewall then forwards them to the inside of the network.
iptables -t nat -A POSTROUTING -d ! ${LOCALNET} -j SNAT --to ${EXTERNIP}
  • -t nat selects the nat table, which holds the network address translation (NAT) rules, aka IP masquerading
  • -A POSTROUTING appends a rule to the POSTROUTING chain, meaning it will be processed after all the other possible processing has been done
  • -d ! ${LOCALNET} means any packets destined for an IP not within ${LOCALNET}
  • -j SNAT means to jump to the SNAT target
  • --to ${EXTERNIP} specifies that any packets leaving will assume the IP ${EXTERNIP}
All together in English, this rule says to take any packets not destined for addresses within the internal network and send them out to their destination on the outside network after changing the source IP address to the firewall's IP.

Destination Network Address Translation (DNAT)

This rule does just the opposite. It takes SSH packets coming in from the Internet and sends them along to the head node. 
iptables -t nat -A PREROUTING --dst ${EXTERNIP} -p tcp --dport 22 -j DNAT --to-destination ${SSHHOST}
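
A check that both NAT rules above are actually loaded and that port 22 is redirected only to the head node. This is an added example, not part of the original article or its IPTables Script. The helper name check_nat, the SAMPLE_RULES text and all addresses are constructed for illustration; the sample uses the CIDR form in which newer iptables-save prints rules.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output; every address is made up.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.200
-A POSTROUTING ! -d 192.168.1.0/24 -j SNAT --to-source 203.0.113.10
COMMIT'

# check_nat RULES LOCALNET EXTERNIP SSHHOST   (hypothetical helper)
# Prints one line per finding. Returns 0 only when the SNAT rule and the SSH
# DNAT rule are both loaded and no other rule redirects port 22.
check_nat() {
    printf '%s\n' "$1" | awk -v net="$2" -v ext="$3" -v headnode="$4" '
    $1 == "-A" {
        dst = ""; neg = 0; port = ""; tgt = ""; to = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-d") {
                if ($(i-1) == "!") neg = 1               # newer form: ! -d net
                if ($(i+1) == "!") { neg = 1; i++ }      # older form: -d ! net
                dst = $(i+1); sub(/\/32$/, "", dst)      # host addresses print as /32
            }
            else if ($i == "--dport") port = $(i+1)
            else if ($i == "-j") tgt = $(i+1)
            else if ($i ~ /^--to-(source|destination)$/) to = $(i+1)
        }
        sub(/:.*/, "", to)                               # drop an optional :port
        if ($2 == "POSTROUTING" && tgt == "SNAT" && neg && dst == net && to == ext)
            snat = 1
        else if ($2 == "PREROUTING" && tgt == "DNAT" && port == "22") {
            if (dst == ext && to == headnode) dnat = 1
            else { stray = 1; print "UNEXPECTED: " $0 }
        }
    }
    END {
        if (!snat) print "MISSING: SNAT for traffic leaving " net
        if (!dnat) print "MISSING: DNAT of port 22 to head node"
        exit ((snat && dnat && !stray) ? 0 : 1)
    }'
}

# On the firewall itself: check_nat "$(iptables-save -t nat)" with your own values.
check_nat "$SAMPLE_RULES" 192.168.1.0/24 203.0.113.10 192.168.1.200 &&
    echo "NAT rules match the intended configuration"
```

Note that iptables-save prints --to as --to-source, which is why the check looks for the long option rather than the abbreviation used in the command above.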
Created by d'za
