Rory:
Background:
As a small software development company, we host many of the applications that we develop in our lab on in-house servers. Many of these applications require large databases and high bandwidth that would make off-site hosting or colocation cost prohibitive. Recently we bought five additional static IP addresses from our Internet Service Provider to host our growing number of websites / applications.
We knew that we could use those five IP addresses to host other applications and websites, but for now, we want to host all of the websites on one server. This post will outline the ins and outs of setting up this type of system.
The Modem: At this point we have five IP addresses and one Ethernet wire coming out of the modem.

The Router / Firewall: We need a device that will be able to route all of the IPs to a single location. We want to serve five websites (all on port 80) and protect our server from the internet.

The Server: Our web server has a single network card and is running Windows 2003 server.
Starting out, we thought we needed an off-the-shelf router, but we knew that the cheap Linksys router we were currently using would only allow us to assign it one external IP address. After hours of searching we figured out that the ability to assign multiple external IP addresses to a router is called multi-NAT. After more searching and a few calls we also figured out that it was virtually impossible to tell whether a router was capable of multi-NAT. Since a commercial router would break our equipment budget, we started evaluating Smoothwall Linux. Smoothwall is a Linux-based firewall that is fully configurable (including multi-NAT).
Setup:
1. Configure the Windows Ethernet card with your five corresponding internal IPs.
(Network - Local Area Network Connection - TCP/IP - Properties) I will assign two addresses for the following example.

2. Install 3 NIC cards into the PC that will become the Smoothwall firewall.
3. Burn Smoothwall installation to a CD and install on the firewall PC.
4. Boot the firewall and log in as root to set up forwarding of the red interface packets coming in on port 80 to the correct internal IP of the server. Edit /etc/rc.d/firewall.up to forward the correct packets. Assuming that I want to forward web server requests coming into the firewall's red interface to the green interface, add the following lines to the end of the firewall.up file:
```sh
# Add external IPs to the red interface (eth2)
/sbin/ifconfig eth2:19 128.49.41.19 broadcast 128.49.41.255 netmask 255.255.255.0
/sbin/ifconfig eth2:20 128.49.41.20 broadcast 128.49.41.255 netmask 255.255.255.0
# Route RED to GREEN
/sbin/iptables -I PREROUTING -t nat -d 128.49.41.19 -j DNAT --to-destination 192.168.1.19
/sbin/iptables -I PREROUTING -t nat -d 128.49.41.20 -j DNAT --to-destination 192.168.1.20
# Change all web server responses from GREEN to RED
/sbin/iptables -I POSTROUTING -t nat -o $RED_DEV -p tcp -s 192.168.1.19 -j SNAT --to-source 128.49.41.19
/sbin/iptables -I POSTROUTING -t nat -o $RED_DEV -p tcp -s 192.168.1.20 -j SNAT --to-source 128.49.41.20
# Allow port 80 traffic to pass through firewall
/sbin/iptables -I FORWARD -d 192.168.1.19 -i $RED_DEV -o $GREEN_DEV -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I FORWARD -d 192.168.1.20 -i $RED_DEV -o $GREEN_DEV -p tcp --dport 80 -j ACCEPT
```
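Added example (not from the original post): a shell generator that prints the same four kinds of firewall.up lines for any number of external=internal pairs, rejecting malformed addresses before anything is emitted for that pair. It differs from the lines above in one respect: the DNAT rule is scoped to TCP port 80, so only web traffic is translated. The function names and the `PORT` and `NETMASK` variables are assumptions; the `eth2` alias naming and the /24 broadcast follow the two-address example.

```sh
#!/bin/sh
# Added example: print firewall.up lines for review; nothing is executed here.
PORT=80                   # assumed: every site is served on port 80, as in the post
NETMASK=255.255.255.0     # assumed: the /24 used in the post's ifconfig lines

# is_ipv4 ADDR -> succeeds only for a dotted quad with each octet in 0..255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split on dots into this function's own arguments
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules EXT=INT ... -> alias, DNAT, SNAT and FORWARD lines for each pair
gen_rules() {
    for pair in "$@"; do
        ext=${pair%%=*}
        int=${pair#*=}
        if ! is_ipv4 "$ext" || ! is_ipv4 "$int"; then
            echo "invalid pair, stopping: $pair" >&2
            return 1
        fi
        n=${ext##*.}              # last octet names the eth2 alias, as in the post
        bcast=${ext%.*}.255
        echo "/sbin/ifconfig eth2:$n $ext broadcast $bcast netmask $NETMASK"
        # Narrower than the post's rule: translate only TCP/$PORT
        echo "/sbin/iptables -I PREROUTING -t nat -p tcp -d $ext --dport $PORT -j DNAT --to-destination $int"
        echo "/sbin/iptables -I POSTROUTING -t nat -o \$RED_DEV -p tcp -s $int -j SNAT --to-source $ext"
        echo "/sbin/iptables -I FORWARD -d $int -i \$RED_DEV -o \$GREEN_DEV -p tcp --dport $PORT -j ACCEPT"
    done
}

# The two pairs from the post; extend the list to cover all five addresses.
gen_rules 128.49.41.19=192.168.1.19 128.49.41.20=192.168.1.20
```

Review the printed lines before appending them to /etc/rc.d/firewall.up.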
Conclusion:
After many attempts to configure the firewall through the web admin, even after adding the MODS for Full Firewall Control and Multiple IP Addresses, I found that configuring the firewall manually was the simplest way to get it working.


