
Design question with IPCop

18 years 5 months ago #13941 by phonecian
Hello all,

Our networks are currently protected by an IPCop machine with Copfilter.
Inside the IPCop DMZ we have a mail server and 3 web/application servers. Inbound traffic hits the correct targets because it arrives at IPCop on a unique port for each machine and port forwarding passes it through to the correct server.
Similarly there are some application servers in green that provide web interfaces to external users and again inbound traffic finds them because it reaches IPCop on unique ports and can be forwarded to the correct destination machine.

Recently, in a big spam storm, our IPCop box with Copfilter (RED+GREEN+ORANGE) found itself struggling to cope with load. The crisis is past now but it was a big learning experience and I would prefer not to go through it again.

As well as upgrading the IPCop hardware, I'm thinking to put the IPCop/Copfilter machine inside a second IPCop machine with RED + GREEN interfaces.

That way, as well as taking the brunt of the internet noise away from the original Copfilter machine, the new outside machine could be configured to assist with the filtering (say to deal with virus filtering leaving the second inside box to deal only with spam filtering).

I've built a test environment and now I'm stuck. The forwarding isn't working. Outbound traffic from machines inside the inner green zone works normally. However inbound traffic is another story.

I'm not expert in this by any means, so here is what I have done - so far without success. I wonder if anyone else has done this and can tell me the way forward.

1) On the outside IPCop I created static routes pointing to the networks behind the inside IPCop and giving the red interface of the inside IPCop as the gateway to them.
On the outside IPCop I set up port forwarding pointing to the actual ports and IP addresses of the servers in the networks behind the second IPCop.

2) When that didn't work I removed the static routes and simply forwarded inbound traffic hitting the outside IPCop to the same ports on the red interface of the inside IPCop. That hasn't worked either.

Obviously there's something in the logic of this I'm missing. Can someone set me right?
Regards
18 years 5 months ago #13945 by DaLight
Welcome to firewall.cx, phonecian. I assume the inside IPCOP will perform all the functions of the original lone IPCOP. In that case you still have the servers in its ORANGE (DMZ) and GREEN zones. I'm also assuming that forwarding is not working for servers in either zone.

To open access to machines behind the inside IPCOP, all you need to do is forward the ports twice i.e. first at the outside IPCOP and then at the inside IPCOP. No need to setup static routes as long as none of the ports are shared.

You seem to have done the above according to your post, so you will need to check for errors, e.g. wrong protocol, port numbers, IP addresses. Have you checked the firewall logs to see how far the packets are getting?

Let us know how you get on.
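To make DaLight's "forward the ports twice" concrete, here is an added example (not code from the thread or from IPCop itself) that generates the equivalent plain iptables DNAT and FORWARD rules for both hops from a single table, and refuses to continue if the same external port is mapped to two inner machines, since a single DNAT on the outside box can only send one port to one address. The port list is taken from phonecian's later post; the server addresses inside ORANGE (192.168.5.x) and GREEN (192.168.4.x), the interface names (ppp0 on cop1, eth0 on cop2) and the mapping of ports to servers are assumptions for illustration. IPCop's web interface builds its own chains for port forwarding; these rules show the same effect in generic iptables terms.

```shell
#!/bin/sh
# Added example, not from the original thread: emit the double-NAT rules for a
# two-IPCop layout. Nothing is applied here; the output is meant to be reviewed
# and then run on each box.
# Assumed addressing follows the diagram in the thread: cop1 RED = ppp0 (PPPoE),
# cop2 RED = 192.168.2.2 on eth0. Server addresses behind cop2 are hypothetical.

COP2_RED=192.168.2.2

# Constructed forwarding table: "proto external_port target_ip target_port".
# The inner port equals the outer port, as in the thread.
FORWARDS="
tcp 25   192.168.5.10 25
tcp 80   192.168.5.11 80
tcp 6995 192.168.5.11 6995
tcp 7534 192.168.5.12 7534
tcp 8796 192.168.5.13 8796
tcp 4777 192.168.4.20 4777
tcp 4900 192.168.4.20 4900
"

# check_unique_ports: read the table on stdin and fail if any proto/port pair
# appears twice. Two inner servers sharing one external port cannot both be
# reached through a single DNAT on cop1 (DaLight's "none of the ports are shared").
check_unique_ports() {
    dups=$(awk 'NF { print $1 ":" $2 }' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "shared external ports: $dups" >&2
        return 1
    fi
    return 0
}

# rules_cop1 RED_IFACE: first hop. Every listed port is sent to the same place,
# cop2's RED address, keeping the port number unchanged.
rules_cop1() {
    awk -v red="$1" -v cop2="$COP2_RED" 'NF {
        printf "iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n", red, $1, $2, cop2, $2
        printf "iptables -A FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n", red, $1, cop2, $2
    }'
}

# rules_cop2 RED_IFACE: second hop. Traffic arriving on cop2's RED is split out
# to the real servers in ORANGE and GREEN. FORWARD matches the post-DNAT address.
rules_cop2() {
    awk -v red="$1" 'NF {
        printf "iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n", red, $1, $2, $3, $4
        printf "iptables -A FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n", red, $1, $3, $4
    }'
}

# Usage: validate the table, then print the rule set for each box.
printf '%s\n' "$FORWARDS" | check_unique_ports || exit 1
echo "# --- run on cop1 (RED = ppp0) ---"
printf '%s\n' "$FORWARDS" | rules_cop1 ppp0
echo "# --- run on cop2 (RED = eth0) ---"
printf '%s\n' "$FORWARDS" | rules_cop2 eth0
```

To find out how far a packet gets, as DaLight suggests, run `iptables -t nat -L PREROUTING -n -v` on each box and watch the per-rule packet counters while connecting from outside: a counter stuck at zero on cop1 means the packet never reached RED (ISP, PPPoE); a hit on cop1 but zero on cop2 means the first hop points at the wrong address, port or protocol; hits on both with no reply usually means the return path, because the server answers the original Internet source address and that reply only gets back to cop1 if cop2's default gateway is cop1's GREEN address (192.168.2.1 in the diagram).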
18 years 5 months ago #13947 by phonecian
Hi all again,

A couple of hours later .....
I've been crawling through many other threads here.

Am I correct that I need to make some configuration to iptables on IPCop 2 to allow the port forwarding to work on IPCop 1? That is, to allow specified inbound traffic through the red interface on IPCop 2.

Here is what I want to do again

Internet
|
| (PPPoE)
|
|
| IPCOP 1 |
|
|
|(Eth0 192.168.2.1/24)
|
|(Eth1 192.168.2.2/24)
|
|
| IPCOP 2 |
(Eth1 -orange- 192.168.5.1/24)
|
| (need ports 6995, 7534, 8796, 80, 25)
|
(Eth2 - green- 192.168.4.1/24)
(need ports 4777,4900)

Here are the static routes I have added on IPCop1
route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.2.2
route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.2.2

If I have to edit iptables on Cop 2 then I am hampered by phenomenal ignorance and fear. I wonder would there be a guardian angel here to guide me through it step by step?

Cheers
Phonecian
18 years 5 months ago #13948 by phonecian
Thanks DaLight,

My second post crossed with your reply. Cancel the second.

Well, that's good news. I'll go back through it again. Must have some errors somewhere.
Cheers
18 years 5 months ago #13967 by phonecian
Ok ... all done and working now. Problems were a mixed bag of things: I'd forgotten to reset the default gateway on Cop2, the ISP silently went down for a lengthy upgrade & maintenance, and for some reason green could not talk to orange any more in Cop2. But all fixed now and working using two IPCops; cop1 forwarding all necessary ports to the red interface on cop2 and cop2 forwarding to the machine addresses inside orange and green.
Thanks for sorting me out, DaLight.
Best regards
18 years 5 months ago #13974 by DaLight
Excellent! Glad to hear you sorted it out, phonecian.