Difference between revisions of "High Performance Firewall"

From ArchWiki

Revision as of 19:34, 11 October 2007

High Performance Firewall/NAT with iptables, VLANs and iproute2

Introduction

Hi, this is my first attempt at writing a wiki document, so be warned: it may contain some errors or misunderstandings.

Imagine this: you have more than two networks separated by the IEEE 802.1Q VLAN protocol (virtual LANs), delivered to you by a managed switch over a single 10/100/1000 Mbit/s half- or full-duplex trunk line (naturally 1000 Mbit/s full duplex is best).

You have to share internet access with a really BIG number of hosts while maintaining good performance. The first choice is to split the networks over an equal number of ports, and perhaps over an even larger number of firewall machines. That is not really cost effective, but it works.

The second option is what I did. The history of how this began is related to an emergency: a group of Cisco PIXes burned out/crashed/went down. I will not go deeper into that.

The facts:

I have about 4 networks with a /21 mask, i.e. 8 class C networks each!!! That is a lot of MAC addresses and, even more dangerous, a really large amount of BROADCAST traffic. This is insane, but it is the way my company works.
They gave me 30 public IP addresses in 3 groups.
And a machine, a little one, nothing special, just for testing. Later (after about 8 months) we changed the PC and put in a real monster.
Later we added a class C network with a lot of routed, growing subnets behind it.... PLUS!!!!

The work

VLAN support

The first thing we have to do is give the kernel 802.1Q VLAN tagging support. This is done by loading the 8021q module (it has nothing to do with jumbo frames: the 802.1Q tag adds only 4 bytes to a frame, so the trunk NIC merely has to accept 1522-byte tagged frames, which VLAN-capable drivers do)

# modprobe 8021q

and/or add it to the MODULES array in /etc/rc.conf so that it is loaded at boot.

Next we have to create the virtual NICs with the vconfig command (vconfig has since been replaced by iproute2's ip link add ... type vlan id N; both create the same ethX.N interfaces). Let's suppose we have VLANs 20, 30, 40 and 50 working in our core network.

# vconfig add ethX 20
# vconfig add ethX 30
...
# vconfig add ethX 50

Where ethX is the trunk NIC. Now if we want to see the interfaces, just run ifconfig -a and we will get the list.

So.... next, assign the private addresses as you want. For example (using eth1 as the trunk):

# ifconfig eth1.20 192.168.0.1 netmask 255.255.248.0
# ifconfig eth1.30 192.168.8.1 netmask 255.255.248.0
...
 etc.

I will not explain the number of hosts nor the mask....
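The same steps done with iproute2 (the tool the title mentions, and the replacement for the deprecated vconfig), as an added example that is not part of the original article: the trunk name eth1, the VLAN ids and the one-/21-per-VLAN address plan are taken from the text above, everything else is an assumption. Commands are printed unless APPLY=1 is set, so the result can be inspected before a live trunk is touched:

```shell
#!/bin/sh
# Added example (not from the article): bring up 802.1Q sub-interfaces on a
# trunk with iproute2 instead of vconfig/ifconfig. eth1, VLAN ids 20..50 and
# the 192.168.0.0/21-per-VLAN plan follow the text; treat them as assumptions.
# Commands are printed unless APPLY=1 is set (then they run, as root).
set -eu

run() {
    if [ -n "${APPLY:-}" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# vlan_subnet_gw INDEX -> gateway address of the INDEX-th VLAN.
# Each VLAN gets a /21 (8 class C's), so the third octet advances by 8:
# INDEX 0 -> 192.168.0.1/21, INDEX 1 -> 192.168.8.1/21, ...
vlan_subnet_gw() {
    printf '192.168.%d.1/21\n' $(( $1 * 8 ))
}

# vlan_up TRUNK VID ADDR -> create TRUNK.VID tagged with VID, assign ADDR, bring it up
vlan_up() {
    trunk=$1; vid=$2; addr=$3
    run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
    run ip addr add "$addr" dev "$trunk.$vid"
    run ip link set dev "$trunk.$vid" up
}

# vlan_setup TRUNK VID... -> load 8021q, bring the trunk up, then create one
# sub-interface per VID in the order given, each with the next /21
vlan_setup() {
    trunk=$1; shift
    run modprobe 8021q
    run ip link set dev "$trunk" up
    i=0
    for vid in "$@"; do
        vlan_up "$trunk" "$vid" "$(vlan_subnet_gw "$i")"
        i=$(( i + 1 ))
    done
}

# Usage with the text's numbers: eth1 is the trunk, VLANs 20,30,40,50 in the core
vlan_setup eth1 20 30 40 50
```

With APPLY=1 the script needs root; afterwards ip -d link show eth1.20 confirms the tag id, and ip addr show the assigned /21, which is the check vconfig/ifconfig did not give you in one place.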


The Firewall

It is really easy to make a firewall/NAT with iptables; there is a lot of information about it out there...

Just keep in mind that you will be handling a lot of traffic, which means a lot of CPU usage, so keep your rule set small, just what is necessary. Accept everything by default: this box is only there to do NAT, nothing more.... It may also be worth accelerating some ports (80, 443, 25, 110, 21, 20, 53, etc.). Remember, every packet passing through our firewall is tested against every rule until it matches one or falls through to the default policy. The single rule that accelerates the most is therefore an ACCEPT of packets belonging to already-tracked connections (-m conntrack --ctstate ESTABLISHED,RELATED) at the top of the chain: those are the vast majority whatever the port, and any per-port rules belong after it, ordered by how much traffic they match. One caveat on the accept-everything policy: with empty INPUT and FORWARD chains the firewall box itself is open to the internet, and the private networks are only as hidden as the upstream router's routing table makes them, so dropping NEW connections that arrive on the WAN interface is one extra rule well spent, not a CPU cost.
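What "tiny" looks like in practice, as an added example and not the article's own ruleset: ACCEPT policies as the text prescribes, one conntrack fast-path rule at the top of FORWARD, one SNAT per private /21, plus (the editor's addition, not the text's) a single rule per chain dropping new connections from the WAN side. eth0 as the WAN interface and the private networks are assumptions; 200.aaa.bbb.4 is the text's own placeholder and must be replaced by the real address. Commands are printed unless APPLY=1 is set:

```shell
#!/bin/sh
# Added example (not from the article): a minimal NAT ruleset for the box
# described in the text. eth0 (WAN) and the 192.168.x.0/21 networks are
# assumptions; 200.aaa.bbb.4 is the text's placeholder, substitute it.
# Commands are printed unless APPLY=1 is set (then they run, as root).
set -eu

run() {
    if [ -n "${APPLY:-}" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# nat_rules WAN_IF PUBLIC_IP NET... -> emit (or apply) the whole ruleset
nat_rules() {
    wan=$1; pub=$2; shift 2
    run sysctl -w net.ipv4.ip_forward=1
    # clean slate: empty chains, zeroed counters
    run iptables -F
    run iptables -t nat -F
    run iptables -Z
    # the text's choice: accept by default, the box only does NAT
    for chain in INPUT FORWARD OUTPUT; do
        run iptables -P "$chain" ACCEPT
    done
    # fast path: packets of already-tracked flows (the vast majority, whatever
    # the port) hit the first rule and never walk the rest of the chain.
    # Any per-port rules go BELOW this one.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # editor's addition: one rule per chain so that neither the box nor the
    # private networks accept connections initiated from the WAN side
    # (adjust if the box must be administered from outside)
    for chain in INPUT FORWARD; do
        run iptables -A "$chain" -i "$wan" -m conntrack --ctstate NEW -j DROP
    done
    # SNAT with a fixed address is cheaper than MASQUERADE, which looks up the
    # outgoing interface's address again for every new connection
    for net in "$@"; do
        run iptables -t nat -A POSTROUTING -s "$net" -o "$wan" -j SNAT --to-source "$pub"
    done
}

# show_counters -> per-rule packet/byte counters: the check that the fast-path
# rule really takes most of the traffic and that the order is right
show_counters() {
    run iptables -L FORWARD -v -n --line-numbers
    run iptables -t nat -L POSTROUTING -v -n --line-numbers
}

# Usage with the text's numbers: one /21 per VLAN, eth0 faces the gateway
nat_rules eth0 200.aaa.bbb.4 192.168.0.0/21 192.168.8.0/21 192.168.16.0/21 192.168.24.0/21
show_counters
```

After a few minutes of production traffic the counters printed by show_counters should show nearly all FORWARD packets on rule 1; if a per-port rule added below it ever accumulates more than the rule above it, the order is wrong and the whole chain is being walked for nothing.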

The round robin NAT

Let's suppose we have one IP, 200.aaa.bbb.4, and our gateway is 200.aaa.bbb.1