Skeptical
05-25-2001, 05:24 AM
I'm having tons of problems with configuring IP Chains to firewall my entire subnet.
Basically I want my firewall to act as a gateway for all outgoing and incoming traffic. It seems like it can do so if there were only 1 external IP address. However, I need to do this for all of my internal servers that have many public IP addresses.
The problem with IP Chains is that it doesn't seem to do 1-to-1 NATing.
Can someone help?
cperciva
05-25-2001, 06:34 AM
Err, why are you using NAT at all? NAT = Network Address Translation... if you have a public IP address for each machine I don't see why you need any translation.
Or am I missing something?
Skeptical
05-25-2001, 07:22 AM
OK, here's the thing with IP Chains. It seems to be geared toward home users that have one public IP on the outside and many computers using private IPs (192.168.0.xxx) on the inside who want to share internet connectivity for all their inside computers.
I mean, put it this way. I want this:
Internet <----> Firewall <----> Webservers (8 of them with 8 ips)
Does this mean my firewall would have to have all 8 IPs as its aliases? If so, wouldn't the internal webservers have to have different IPs? In this case private ones? Thus the following translations would take place:
1.1.1.1 (public) <-------> 192.168.0.1
1.1.1.2 (public) <-------> 192.168.0.2
1.1.1.3 (public) <-------> 192.168.0.3
1.1.1.4 (public) <-------> 192.168.0.4
... and so on
But it seems IP Chains can't do this readily.
Or is my setup wrong and there's another way to go about this? Do people place firewalls on every single one of their webservers?
Mike the newbie
05-25-2001, 07:10 PM
Take a peek at OpenBSD and ipfilter. The bridging capability of ipfilter may be your ticket.
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_48
Mike the newbie
05-25-2001, 07:17 PM
... or maybe one-to-one mapping. Put in one bimap command for each host.
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_32
:)
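Mike's one-bimap-per-host suggestion, applied to the public/private table Skeptical posted above, as an added example that is not code from any poster in this thread: a POSIX shell script that emits IPFilter ipnat.conf bimap rules plus a default-deny ipf.conf that exposes only TCP/80 on each server. The external interface name fxp0 and the mapping table are assumptions.

```shell
#!/bin/sh
# Generate IPFilter rules for a 1-to-1 (bimap) firewall in front of several
# web servers. EXT_IF and the address table are assumptions for this example;
# the public/private pairs are the ones from the thread.
EXT_IF="fxp0"

# Constructed mapping table: "<public> <private>", one host per line.
MAPPINGS="1.1.1.1 192.168.0.1
1.1.1.2 192.168.0.2
1.1.1.3 192.168.0.3
1.1.1.4 192.168.0.4"

# Fail if any public or private address appears twice: a duplicate would
# silently leave one server unreachable behind the wrong mapping.
check_unique() {
    for col in 1 2; do
        dups=$(printf '%s\n' "$MAPPINGS" | awk -v c="$col" 'NF { print $c }' | sort | uniq -d)
        if [ -n "$dups" ]; then
            echo "duplicate address in column $col: $dups" >&2
            return 1
        fi
    done
    return 0
}

# /etc/ipnat.conf: one bimap rule per host (bidirectional 1-to-1 mapping).
gen_ipnat_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        printf 'bimap %s %s/32 -> %s/32\n' "$EXT_IF" "$priv" "$pub"
    done
}

# /etc/ipf.conf: default deny on the external interface, then allow only
# TCP/80 to each server. IPFilter applies NAT to inbound packets before the
# filter sees them, so inbound rules name the private address.
gen_ipf_rules() {
    printf 'block in log on %s all\n' "$EXT_IF"
    printf 'block out log on %s all\n' "$EXT_IF"
    printf '%s\n' "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        printf 'pass in quick on %s proto tcp from any to %s/32 port = 80 flags S keep state\n' \
            "$EXT_IF" "$priv"
    done
}
```

Source the file and run `check_unique && gen_ipnat_rules > ipnat.conf && gen_ipf_rules > ipf.conf`; the servers' own outbound connections stay blocked by the default-deny rule, so add explicit pass-out rules for anything they legitimately need.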
cperciva
05-25-2001, 07:20 PM
I fail to understand why you want to use ipchains. It isn't designed to do what you want to do, so why not use a tool which is?
In particular, I would give each of your webservers their public IP address (i.e. don't use the non-routable addresses at all) and set up a machine running OpenBSD with ipfw as a router/firewall. If you want to be really elegant, you could make it a transparent router/firewall, but that isn't really necessary.
Skeptical
05-31-2001, 10:29 AM
So to pull this off I'd need a dedicated OpenBSD box? Is there anything available for Red Hat boxes?
And where does IP Chains fit in all of this?
Sorry, I'm new at this.