Public IP behind a firewall



#1 pr0n (Member, 114 posts)
If you don't need details skip first paragraph to get the gist of it.

I have a webserver that requires a public IP for licensing purpose it's on a CentOS server and I'm currently using iptables for a firewall. I've been getting UDP DDoS floods recently that although they are filtered by iptables (very top rule) they are raping my dual Xeon CPUs. Granted the CPUs are already doing a lot of work but still that's a TON of packets. Enough so that the services become inaccessible for a few minutes. So I want to put a separate firewall in front of this web server. I plan to use Untangle which is a linux based firewall OS.


But my question is how do I configure a firewall to have a public IP behind it? NAT won't work for this because the software on the server checks the IP on the NIC and verifies it with an outside licensing database. I haven't tried anything yet because this service can't be down except in the middle of the night so I would like to have a solid plan before I start messing around.


//I'm a DBA but networking isn't my forte, any help would be appreciated.

Thanks in advance!

-Preston




In case it helps:

_______
|Modem\|
| Router |
-----|-----
-----|-----
|Proposed|
| Firewall |
-----|-----
-----|-----
|Server|

//Q&D ASCI ART FTW

Edited by pr0n, 15 April 2010 - 02:41 PM.



#2 DaffyKantReed (Member, 485 posts)
This should give you an idea.

http://www.freebsdon...t/view/454/470/

#3 pr0n (Topic Starter, Member, 114 posts)
I read through that article (which strangely enough Google didn't bring to me after searching for the article's headline for an hour) and it appears that according to what the author said the actual server's NIC has a private IP address.
Unfortunately that won't work for me because my software will send 10.0.0.x (private IP the network card is attached to) to the software manufacturer, to which the software manufacturer will say that doesn't match 173.18.x.x (public), your license is void, and remotely shut me down.

The server requires a public IP it will not function at all if it is assigned a private ip address no matter how you route it.

Correct me if I'm completely missing something in the article.

-Preston

#4 diabillic (Member 1K, 1,370 posts)
I would first contact your ISP about enabling more filtering on their end first before worrying about configuring an additional firewall on your end.

You can configure the firewall to pass on the public IP but it will pretty much make the firewall completely translucent. Best security practices teach that nothing on your internal network should ever have a public IP address as that exposes it to the wonders and thrills of the internet, which is probably why it's getting hit with UDP floods. That's what NAT is for. It's pretty much like putting your server in a DMZ. I would also try to ping dsenette as well and get his input, his networking knowledge is quite extensive as well.

Edited by diabillic, 16 April 2010 - 09:44 AM.


#5 dsenette (Community Leader, MVP, 26,047 posts; title: Je suis Napoléon!)

The server requires a public IP it will not function at all if it is assigned a private ip address no matter how you route it.

what you're wanting to do won't work.

the only way to have something behind a firewall is for it to be privately addressed, then you'd have to NAT that internal IP out to a public IP. have you contacted the software vendor to see what their solution is? i can't imagine any software on a web server that can't handle NAT translations and is actually secure. anything that's plugged directly to the internet is going to get attacked relentlessly. the proper method would be to have the server behind a firewall, and have it NAT out to the outside world and ONLY open the ports that are required for it to work (i.e. port 80)
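The two points raised so far, the flood burning CPU even though the top iptables rule already drops it (post #1) and "only open the ports that are required" (post #5), can be put into one ruleset. The following script is an added example and is not from the thread, from DirectAdmin, or from Untangle. It assumes things the thread does not state: the public NIC is eth0, the host serves nothing over UDP itself (set SERVE_DNS=1 if BIND also runs there), two constructed resolver addresses, a constructed admin network for SSH, and an iptables build that has the raw table and the hashlimit match. The idea it demonstrates is that a DROP in raw/PREROUTING runs before connection tracking, so each flood packet costs one rule evaluation instead of a conntrack lookup, which is where a plain INPUT rule spends its CPU. It does not make the packets disappear from the wire, which is why the ISP conversation later in the thread still matters.

```shell
#!/bin/sh
# Added example, not from the thread or from DirectAdmin/Untangle: a minimal
# iptables ruleset for a CentOS web server that keeps its public IP and is
# hit by UDP floods. Assumptions (not confirmed by the thread): public NIC is
# eth0, the box serves no UDP itself, the resolver and admin addresses below
# are constructed, and iptables has the raw table and the hashlimit match.
# DRY_RUN=1 prints the commands instead of running them.

DRY_RUN="${DRY_RUN:-0}"
WAN_IF="${WAN_IF:-eth0}"                        # assumed interface name
RESOLVERS="${RESOLVERS:-192.0.2.53 192.0.2.54}" # constructed resolver IPs
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"          # constructed admin network
SERVE_DNS="${SERVE_DNS:-0}"                     # 1 if BIND also runs here

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -t raw -F PREROUTING
    ipt -F INPUT

    # --- raw table: evaluated before connection tracking -----------------
    # A DROP at the top of INPUT still costs a conntrack lookup per packet;
    # here the flood is discarded before that work is done. ACCEPT in the
    # raw table only ends raw processing; the filter table still decides.
    # Replies from our own resolvers are let through, capped per source so
    # a spoofed "reply" flood cannot ride in on the same rule.
    for r in $RESOLVERS; do
        ipt -t raw -A PREROUTING -i "$WAN_IF" -p udp -s "$r" --sport 53 \
            -m hashlimit --hashlimit-upto 500/sec --hashlimit-burst 1000 \
            --hashlimit-mode srcip --hashlimit-name dnsreply -j ACCEPT
    done
    if [ "$SERVE_DNS" = "1" ]; then
        # Per-source cap on inbound queries. A flood from many spoofed
        # sources stays under a per-source limit, so this is containment,
        # not a DDoS fix.
        ipt -t raw -A PREROUTING -i "$WAN_IF" -p udp --dport 53 \
            -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 200 \
            --hashlimit-mode srcip --hashlimit-name dnsquery -j ACCEPT
    fi
    # Everything else UDP arriving from the outside is dropped untracked.
    ipt -t raw -A PREROUTING -i "$WAN_IF" -p udp -j DROP

    # --- filter table: only the ports the service needs ------------------
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
    # Default deny goes last so a typo above cannot lock out SSH half-way.
    ipt -P INPUT DROP
}

# Run as "sh udp-flood-rules.sh apply" on the server; anything else prints.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    DRY_RUN=1
    apply_rules
fi
```

Run it without arguments first and read the printed rules; the SSH allow from ADMIN_NET must match the address you are actually connecting from before you run it with "apply", otherwise the final default-deny cuts the session.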

#6 pr0n (Topic Starter, Member, 114 posts)
I was pretty sure when I started this thread that these would be the only responses I would get; I had little hope of there being a real solution, but thanks for the help. The software in question, if you're curious, is DirectAdmin... yeah it's fairly ridiculous. What you're saying dsenette is basically the argument I've been having with their less than fantastic tech support via email for the last 3 or 4 days. If worst comes to worst then we will switch to cPanel for lots more $$$.

Thanks for the help guys.

#7 diabillic (Member 1K, 1,370 posts)
I figured as much, no real way to do that. It would be incredibly insecure, as dsenette said. If you're having any other issues, please follow up.

#8 pr0n (Topic Starter, Member, 114 posts)
Funny you ask, I had planned on closing this chapter here but I talked to my ISP. I'm going to provide them with some packet sniffing captures, but really all they can do is send nasty letters to other ISPs; they have no filtering capability.

So here are my options, I'd like to know what you guys think:
1: change statics
---con: pain in the [bleep]
---con: probably won't work with the amount of FQDNs that are tied to this IP; they wouldn't have trouble finding us again
2: spend some ridiculous amount of money on a modem with a built-in firewall that can handle this kind of traffic
---con: I'm not sure if this exists in cable modem form. I haven't done any research on it. Aside from that I already have a fairly new Motorola DOCSIS 3.0 modem that at times dies from the flood and requires a reboot.

Doing estimated math in my head, with an average packet size of 128 bytes and judging by the fact that my packet sniffer is dropping a lot of the packets and many of them are getting dropped at the modem, we're probably getting about 50-100 million or more packets pushed to us over the course of less than a minute. I'm not sure NASA has a computer that can handle this. But in reality I'd just like to know if there's a way to fix this without spending 2-3 grand on a Cisco cable modem which would not even be DOCSIS 3.

Edited by pr0n, 18 April 2010 - 01:23 AM.

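The poster plans to hand packet captures to the ISP. An abuse desk acts faster on a ranked summary (source, packet count, bytes) than on a raw dump, and the summary also shows whether the traffic is a few sources or spoofed everywhere. The script below is an added example, not from the thread; it assumes the default text layout of tcpdump -n ("<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>") and runs against a constructed five-line capture embedded in the script.

```shell
#!/bin/sh
# Added example (not from the thread): rank UDP sources in a `tcpdump -n`
# text capture. Assumes the default tcpdump -n line layout; a real capture
# is fed in with:  tcpdump -n -i eth0 udp | summarize_udp_sources

# Constructed sample capture: three packets from one source, one from
# another, plus a TCP SYN line that must be ignored. Addresses are the
# documentation ranges, not real hosts.
SAMPLE_CAPTURE='12:00:01.000010 IP 203.0.113.5.40000 > 198.51.100.10.53: UDP, length 128
12:00:01.000020 IP 203.0.113.5.40001 > 198.51.100.10.53: UDP, length 128
12:00:01.000030 IP 203.0.113.9.1024 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000040 IP 203.0.113.7.5555 > 198.51.100.10.53: UDP, length 64
12:00:01.000050 IP 203.0.113.5.40002 > 198.51.100.10.53: UDP, length 128'

# Reads tcpdump -n lines on stdin; prints "<packets> <bytes> <source>" per
# source address, busiest source first.
summarize_udp_sources() {
    awk '$2 == "IP" && $6 == "UDP," {
            src = $3
            sub(/\.[0-9]+$/, "", src)      # strip the trailing source port
            pkts[src]++
            bytes[src] += $NF              # "length N": N is the last field
        }
        END { for (s in pkts) print pkts[s], bytes[s], s }' | sort -rn
}

# Convenience wrapper that runs the summary over the constructed sample.
summarize_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | summarize_udp_sources
}

summarize_sample
```

With a capture that spans a known number of seconds, dividing the packet column by that span gives the packets-per-second figure the ISP will ask for; if the list is thousands of sources with one or two packets each, the addresses are almost certainly spoofed and per-source blocking on your side will not help, which is exactly the case where upstream filtering is the only fix.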

#9 diabillic (Member 1K, 1,370 posts)
Even Cisco equipment wouldn't help you unless it's configured properly. A suggestion would be to change ISPs if they can't get anywhere; at least all the DDoS traffic will be hitting the wrong IP then :)