Some of the basic versions are designed for single-homed firewalls, like KISS, while others have advanced multihomed features. There are a number of these firewall scripts available on the Internet. If you aren't running a Red Hat-based Linux and you don't want to mess with manually configuring NAT/PAT, you might consider running a simple boot-time iptables setup script. This concept is often called port/IP mapping or Port Address Translation (PAT). Likewise, anything destined for a specified IP address can be mangled and sent to a different IP or port under DNAT. This means that anything from a specified IP address can be mangled (rewritten) to appear as if it comes from another location using SNAT. The "nat" table can be configured for SNAT (Source NAT), and DNAT (Destination NAT), packet modifying or mangling. Note that this figure does not indicate actual packet flow, but simply illustrates an idea. Figure 11-6 shows a simplified view of this concept. In this dual-homed routing firewall configuration the layout is somewhat different. See for more information on NAT theory.Įarlier in this chapter, we described iptables as the outer layer of network security, followed by TCP wrappers and then by individual daemon configuration files. Some people refer to this configuration as a type of Transparent TCP Proxy Router. This is a very secure arrangement, as nothing from the untrusted outside interface will be allowed through the firewall unless it has been requested by an IP on the inside or otherwise explicitly permitted via NAT by the firewall. Such devices in the commercial world are usually configured for the enterprise with routable IP ranges on the outside and nonroutable IP address ranges on the inside. Network Address Translation, or NAT, is the technology used on a network gateway, router, or firewall that allows it to translate network addresses and usually also track sessions between networks with SPI. Some people even use Linux NAT firewalls to handle tasks like web/FTP proxying, bandwidth throttling, and Quality of Service (or QoS) controls. Whereas a firewall on a single server accepts and rejects packets for applications on that machine, when you set up a network NAT-based firewall you are basically configuring a type of security-based network router, which performs functions such as Network Address Translation, state tracking, and port/address forwarding. When securing an entire network with iptables instead of just a single server, you need to think in different terms. We focus on the basic configuration of such firewalls, as well as offer some help on troubleshooting existing installations. Entire books have been written on the complexities of this subject, so you'll find enough to get you going.
In this section, we build on the last section's dive into iptables and use it to introduce dual-homed network firewalls.