<html>
<head>
<style type="text/css">
<!--
body { margin-right: 4px; font-variant: normal; margin-bottom: 1px; margin-top: 4px; margin-left: 4px; line-height: normal }
-->
</style>
</head>
<body style="margin-right: 4px; margin-bottom: 1px; margin-top: 4px; margin-left: 4px">
<DIV> I am passing traffic back to an internal server successfully with this type of config:
</DIV>
<DIV> </DIV>
<DIV>...
</DIV>
<DIV>nat to-destination ${int_groupwise_ip} inface ${ext_groupwise_if} proto tcp dport 80 dst ${ext_groupwise_ip}
</DIV>
<DIV>nat to-source ${ext_groupwise_ip} outface ${ext_groupwise_if} proto tcp sport 80 src ${int_groupwise_ip}
</DIV>
<DIV>...<br>interface ${ext_groupwise_if} ext_groupwise dst ${ext_groupwise_ip}
</DIV>
<DIV> policy reject
</DIV>
<DIV> protection strong
</DIV>
<DIV> server icmp accept
</DIV>
<DIV> server ident reject with tcp-reset
</DIV>
<DIV> </DIV>
<DIV>router i2groupwise inface ${ext_groupwise_if} outface ${int_if}
</DIV>
<DIV> route gwim accept
</DIV>
<DIV> route gwclient accept
</DIV>
<DIV> route http accept
</DIV>
<DIV> route https accept
</DIV>
<DIV> client all accept
</DIV>
<DIV> </DIV>
<DIV>Brian
</DIV>
<DIV> </DIV>
<DIV><br>>>>"Daniel L. Miller" <dmiller@amfes.com> 07/19/05 5:40 pm >>><br>Sure enough - using device aliases results in error messages. That's<br>not the answer.<br><br>Daniel L. Miller wrote:<br><br>>I'm not finding that example. In my case, I already defined eth1 -<br>>eth1:6 for various addresses.<br>><br>>For some reason, I didn't think firehol would work with device aliases<br>>- that I had to use the base device name. I'm trying the aliases now<br>>to see what changes.<br>><br>>Rick Marshall wrote:<br>><br>>>this is an excellent howto on this - i think in the firehol examples.<br>>>it centres around creating secondary interfaces eth1:0 etc in your<br>>>case. i followed it for a setup and it worked very well.<br>>><br>>>rick<br>>><br>>>Daniel L. Miller wrote:<br>>><br>>>>I'm puzzled by the behaviour I'm experiencing with SNAT. I have a<br>>>>group of static external IP's, that I'm trying to utilize for<br>>>>different purposes. I'd like to keep the IP(s) I use for external<br>>>>access from my LAN separate from the IP's I use for outside access<br>>>>to my internal services. So . . 
.<br>>>><br>>>>version 5<br>>>>FIREHOL_LOG_MODE="ULOG"<br>>>><br>>>>AMFESLAN_IF="eth0"<br>>>>AMFESLAN_LAN="192.168.0.0/24"<br>>>>AMFESLAN_IP="192.168.0.1"<br>>>>AMFESLAN_BCAST="192.168.0.255"<br>>>><br>>>>AMFESEXT_IF="eth1"<br>>>>AMFESEXT_LAN="67.106.235.97/27"<br>>>>AMFESEXT_IP="67.106.235.126"<br>>>>AMFESEXT_BCAST="67.106.235.127"<br>>>><br>>>>PROXY_IF="eth1"<br>>>>PROXY_LAN="67.106.235.124/27"<br>>>>PROXY_IP="67.106.235.124"<br>>>>PROXY_BCAST="67.106.235.127"<br>>>><br>>>>BASTION_IP="192.168.0.2"<br>>>>ROUTER_IP="192.168.0.1"<br>>>><br>>>># provide Internet access for lan<br>>>>snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"<br>>>><br>>>># provide web services<br>>>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"<br>>>>proto tcp dport 993 log "forwarding imaps"<br>>>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"<br>>>>proto tcp dport 80 log "forwarding http"<br>>>><br>>>># bittorrent re-direct to one workstation<br>>>>dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto<br>>>>tcp dport 6881:6889 log "forwarding bittorrent"<br>>>>dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"<br>>>>proto tcp dport 6881:6889 log "forwarding bittorrent"<br>>>><br>>>># redirect for external addresses from internal network - this<br>>>>allows laptops to use the published imap address in and outside the lan<br>>>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src<br>>>>"${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 143 log "src<br>>>>internal<br>>>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}"<br>>>>proto tcp dport 143 log "dst internal re-dir"<br>>>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src<br>>>>"${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 993 log "src<br>>>>internal<br>>>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}"<br>>>>proto tcp dport 993 log "dst internal re-dir"<br>>>><br>>>>server_bittorrent_ports="tcp/6881 
tcp/6882 tcp/6883 tcp/6884<br>>>>tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889"<br>>>>client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887<br>>>>6888 6889"<br>>>><br>>>>interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"<br>>>> policy accept<br>>>><br>>>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}<br>>>>${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"<br>>>> protection strong 100/sec 50<br>>>># server ident reject with tcp-reset<br>>>> server smtp accept<br>>>> server smtps accept<br>>>> server submission accept<br>>>> server dcc accept log "DCC server"<br>>>> server ssh accept log "ssh"<br>>>> server ntp accept<br>>>> server ping accept<br>>>> client all accept<br>>>><br>>>>interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS}<br>>>>${AMFESLAN_LAN}" dst "${PROXY_IP}"<br>>>> protection strong 100/sec 50<br>>>> client all accept<br>>>><br>>>>router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}"<br>>>>src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"<br>>>> route all accept<br>>>><br>>>>router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src<br>>>>"${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"<br>>>> route all accept<br>>>><br>>>>router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"<br>>>> route bittorrent accept<br>>>><br>>>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"<br>>>> protection strong 100/sec 50<br>>>># route ident reject with tcp-reset<br>>>> route http accept<br>>>> route imaps accept<br>>>> route bittorrent accept<br>>>> route fpadmin accept<br>>>> route webmin accept<br>>>> route firebird accept<br>>>><br>>>>The problem I'm having is that any client that connects to the<br>>>>Internet, appears to be connecting from my "${AMFESEXT_IP}" address,<br>>>>instead of the "${PROXY_IP}" address. 
Since the only SNAT line that<br>>>>references the Internet uses the proxy address - I'm a little puzzled.<br>>>><br>>>>Daniel<br>>><br><br>-------------------------------------------------------<br>Firehol-support mailing list<br>Firehol-support@lists.sourceforge.net<br>https://lists.sourceforge.net/lists/listinfo/firehol-support<br> </DIV>
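Both Brian's to-destination/to-source pair and Daniel's "why does my LAN traffic leave from the wrong external IP" question come down to the same thing: FireHOL only generates iptables nat-table rules, and inside a nat chain the first rule that matches a connection's first packet wins. The quickest way to settle which SNAT or DNAT actually applies is to dump the table with `iptables-save -t nat` and walk it in order. The following is an added example (not from the thread and not FireHOL's own code) that does that walk offline against a constructed rule dump. The dump is an assumption: it mimics the rule shapes the snat/dnat helpers emit, with a broad SNAT deliberately placed ahead of a more specific one so the second can never match, and the addresses are reused from Daniel's post only as sample values.

```python
# Added example (not from the page and not FireHOL's own code): walk an
# `iptables-save -t nat` dump in kernel order to see which SNAT/DNAT rule a
# packet would hit. First matching rule in a chain wins; rules after it are dead.
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed sample, NOT real FireHOL output. The broad SNAT on line 3 of the
# POSTROUTING chain shadows the proxy-IP rule placed after it.
SHADOWED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 67.106.235.126/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -d 67.106.235.126/32 -i eth1 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 67.106.235.126
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/16 -o eth1 -j SNAT --to-source 67.106.235.124
COMMIT
"""
# Same constructed rules with the specific one first, the order that works.
REORDERED = """\
*nat
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/16 -o eth1 -j SNAT --to-source 67.106.235.124
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 67.106.235.126
COMMIT
"""


@dataclass
class Rule:
    chain: str
    src: Optional[ipaddress.IPv4Network] = None
    src_neg: bool = False
    dst: Optional[ipaddress.IPv4Network] = None
    dst_neg: bool = False
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None
    target: str = ""  # e.g. "SNAT --to-source 67.106.235.124"


def parse_nat_table(text: str) -> List[Rule]:
    """Parse the `-A` lines of an iptables-save dump (subset of options)."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        rule, i, neg = Rule(chain=toks[1]), 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":            # iptables-save writes negation as "! -s net"
                neg, i = True, i + 1
                continue
            if t == "-j":           # target and its arguments end the rule
                rule.target = " ".join(toks[i + 1:])
                break
            val = toks[i + 1]
            if t == "-s":
                rule.src, rule.src_neg = ipaddress.ip_network(val, strict=False), neg
            elif t == "-d":
                rule.dst, rule.dst_neg = ipaddress.ip_network(val, strict=False), neg
            elif t in ("-i", "-o", "-p"):
                setattr(rule, {"-i": "in_iface", "-o": "out_iface", "-p": "proto"}[t], val)
            elif t == "--dport":    # "80" or "6881:6889"
                lo, _, hi = val.partition(":")
                rule.dport = (int(lo), int(hi or lo))
            elif t != "-m":         # -m only loads a match module, nothing to check
                raise ValueError(f"unsupported option {t!r} in: {line}")
            neg, i = False, i + 2
        rules.append(rule)
    return rules


def _net_ok(net, negated: bool, addr: str) -> bool:
    return True if net is None else (ipaddress.ip_address(addr) in net) != negated


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """pkt keys: src, dst, in_iface, out_iface, proto, dport (missing = unset)."""
    if not _net_ok(rule.src, rule.src_neg, pkt["src"]):
        return False
    if not _net_ok(rule.dst, rule.dst_neg, pkt["dst"]):
        return False
    for attr in ("in_iface", "out_iface", "proto"):
        want = getattr(rule, attr)
        if want is not None and want != pkt.get(attr):
            return False
    if rule.dport is not None and not rule.dport[0] <= pkt.get("dport", -1) <= rule.dport[1]:
        return False
    return True


def nat_target(table: str, chain: str, pkt: dict) -> Optional[str]:
    """Target of the first matching rule in `chain`, or None (chain policy applies)."""
    for rule in parse_nat_table(table):
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.target
    return None


if __name__ == "__main__":
    lan_to_internet = {"src": "192.168.0.10", "dst": "198.51.100.7",
                       "out_iface": "eth1", "proto": "tcp", "dport": 443}
    print("shadowed :", nat_target(SHADOWED, "POSTROUTING", lan_to_internet))
    print("reordered:", nat_target(REORDERED, "POSTROUTING", lan_to_internet))
```

Two caveats when using this against a live box: the NAT decision is made on the first packet of a connection and cached in conntrack, so after reordering rules existing connections keep their old mapping until they expire or the conntrack table is flushed; and the `-s`/`-d`/`-i`/`-o`/`-p`/`--dport` subset parsed here is enough for the snat/dnat helpers' output but will raise on other match options, which is deliberate so an unparsed rule is never silently skipped.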
</body>
</html>