Our networks are currently protected by an IPCop machine with Copfilter.
Inside the IPCop DMZ we have a mail server and 3 web/application servers. Inbound traffic hits the correct targets because it arrives at IPCop on a unique port for each machine and port forwarding passes it through to the correct server.
Similarly there are some application servers in green that provide web interfaces to external users and again inbound traffic finds them because it reaches IPCop on unique ports and can be forwarded to the correct destination machine.
Recently, in a big spam storm, our IPCop box with Copfilter (Red+Green+Orange) found itself struggling to cope with the load. The crisis is past now, but it was a big learning experience and I would prefer not to go through it again.
As well as upgrading the IPCop hardware, I'm thinking of putting the IPCop/Copfilter machine inside a second IPCop machine with Red + Green interfaces.
That way, as well as taking the brunt of the internet noise away from the original Copfilter machine, the new outside machine could be configured to assist with the filtering (say, to deal with virus filtering, leaving the second inside box to deal only with spam filtering).
I've built a test environment and now I'm stuck. The forwarding isn't working. Outbound traffic from machines inside the inner green zone works normally. However inbound traffic is another story.
I'm not an expert in this by any means, so here is what I have done - so far without success. I wonder if anyone else has done this and can tell me the way forward.
1) On the outside IPCop I created static routes pointing to the networks behind the inside IPCop and giving the red interface of the inside IPCop as the gateway to them.
On the outside IPCop I set up port forwarding pointing to the actual ports and IP addresses of the servers in the networks behind the second IPCop.
2) When that didn't work I removed the static routes and simply forwarded inbound traffic hitting the outside IPCop to the same ports on the red interface of the inside IPCop. That hasn't worked either.
Obviously there's something in the logic of this I'm missing. Can someone set me right?
Welcome to firewall.cx, phonecian. I assume the inside IPCOP will perform all the functions of the original lone IPCOP. In that case you still have the servers in its ORANGE (DMZ) and GREEN zones. I'm also assuming that forwarding is not working for servers in either zone.
To open access to machines behind the inside IPCOP, all you need to do is forward the ports twice, i.e. first at the outside IPCOP and then at the inside IPCOP. No need to set up static routes as long as none of the ports are shared.
You seem to have done the above according to your post, so you will need to check for errors, e.g. wrong protocol, port numbers, IP addresses. Have you checked the firewall logs to see how far the packets are getting?
A couple of hours later .....
I've been crawling through many other threads here.
Am I correct that I need to make some configuration to iptables on IPCop 2 to allow the port forwarding to work on IPCop 1? That is, to allow specified inbound traffic through the red interface on IPCop 2?
OK ... all done and working now. Problems were a mixed bag of things: I'd forgotten to reset the default gateway on Cop2, the ISP silently went down for a lengthy upgrade & maintenance, and for some reason green could not talk to orange any more in Cop2. But all fixed now and working using two IPCops: cop1 forwarding all necessary ports to the red interface on cop2, and cop2 forwarding to the machine addresses inside orange and green.
Thanks for sorting me out, DaLight.
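For anyone reproducing the two-IPCop layout the thread ends up with, the script below is an added example, not code from the thread or from IPCop itself. It generates the raw iptables equivalent of what the IPCop port-forwarding page writes on each box: cop1 DNATs every published port to the same port on cop2's RED address, and cop2 DNATs a second time to the real server in ORANGE or GREEN, with the matching FORWARD accept on each hop. It also refuses to emit rules when two services share the same external protocol/port, which is the condition DaLight's "as long as none of the ports are shared" depends on. All addresses, interface names and the service list are assumed values for illustration; cop2's default gateway still has to point at cop1's GREEN address so return traffic takes the same path back.

```bash
#!/bin/sh
# Added example (not from the thread): emit the iptables rules for a chained
# pair of IPCop boxes. Every address and service here is assumed/constructed.
#
# Assumed topology:
#   internet -> cop1 RED 203.0.113.10 -> cop1 GREEN 10.0.0.0/24
#            -> cop2 RED 10.0.0.2      -> cop2 ORANGE 192.168.2.0/24
#                                      -> cop2 GREEN  192.168.1.0/24
# cop2's default gateway must be cop1's GREEN address (10.0.0.1 assumed) so the
# replies from the servers go back through cop1, where conntrack un-DNATs them.

COP1_RED=203.0.113.10   # outer box public address (documentation range)
COP2_RED=10.0.0.2       # inner box RED interface, lives in cop1's GREEN

# One service per line: proto external_port final_ip final_port (constructed list)
SERVICES='
tcp 25 192.168.2.10 25
tcp 80 192.168.2.11 80
tcp 8080 192.168.2.12 80
tcp 8443 192.168.1.20 443
'

# The outer box can only tell services apart by proto/port, so two services
# sharing an external port cannot both be forwarded. Fail loudly instead.
check_unique_ports() {
    dups=$(printf '%s\n' "$SERVICES" | awk 'NF==4 {print $1"/"$2}' | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate external port(s): $dups" >&2; return 1; }
}

# cop1 (outer): first hop. DNAT to the same port on cop2's RED, and let the
# rewritten packet through FORWARD towards cop2.
outer_rules() {
    printf '%s\n' "$SERVICES" | awk -v red="$COP1_RED" -v inner="$COP2_RED" 'NF==4 {
        printf "iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n", red, $1, $2, inner, $2
        printf "iptables -A FORWARD -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n", inner, $1, $2
    }'
}

# cop2 (inner): second hop. DNAT from its RED address to the real server and
# port, and allow that into ORANGE/GREEN. This is the "iptables on IPCop 2"
# piece that makes the forward on IPCop 1 actually reach a server.
inner_rules() {
    printf '%s\n' "$SERVICES" | awk -v red="$COP2_RED" 'NF==4 {
        printf "iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n", red, $1, $2, $3, $4
        printf "iptables -A FORWARD -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n", $3, $1, $4
    }'
}

# Usage: review the output, then run the cop1 section on cop1 and the cop2
# section on cop2 as root (e.g. pipe each section into sh).
check_unique_ports && { echo "# cop1 rules"; outer_rules; echo "# cop2 rules"; inner_rules; }
```

On a stock IPCop you would normally enter these forwards through the web interface rather than hand-edit iptables; the point of the generated output is to show both hops side by side, so a missing rule on either box (the usual cause of "forwarding isn't working") is obvious when you compare it with `iptables -t nat -L PREROUTING -n` on each machine.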