[Firehol-support] redirecting ports

Costa Tsaousis costa at tsaousis.gr
Tue Sep 9 01:00:44 CEST 2003


Hi,

here it is:


--- snip ---


# --- DEFINITIONS ---
# This section will make the configuration
# more readable.

PUBLIC_IF="eth0"
PUBLIC_IP="140.232.1.1"    # fix this

HOME_IF="eth1"
HOME_IP="192.168.0.1"
HOME_LAN="192.168.0.0/24"  # fix this
HOME_BCAST="192.168.0.255" # fix this

HOME_HTTP_IP="192.168.0.2"
HOME_IRC_IP="192.168.0.2"


# --- CUSTOM SERVICE DEFINITIONS ---
# empty if you don't need any


# --- NAT ---

# Change destination for port tcp/80
dnat to "$HOME_HTTP_IP" \
      inface "$PUBLIC_IF" dst "$PUBLIC_IP" proto tcp dport 80

# Change destination for port tcp/6667
dnat to "$HOME_IRC_IP" \
      inface "$PUBLIC_IF" dst "$PUBLIC_IP" proto tcp dport 6667


# --- FIREWALL ---

interface "$HOME_IF" home \
      src "$HOME_LAN" dst "$HOME_IP $HOME_BCAST"

   policy reject

   server ssh accept
   server icmp accept
   server http accept
   server dhcp accept
   server cvspserver accept

   client ssh accept
   client cvspserver accept
   client http accept

# NOTE: your home is very tight.
# This is very nice for production systems, but
# if this is your HOME, it might be a source of problems.


interface "$PUBLIC_IF" internet \
      src not "$UNROUTABLE_IPS" dst "$PUBLIC_IP"

   # always protect yourself from bad things
   protection strong 1000/sec 1000

   server http accept
   server cvspserver accept
   server ssh accept

   client all accept


router internet2home \
      inface "$PUBLIC_IF" outface "$HOME_IF" \
      src not "$UNROUTABLE_IPS" dst "$HOME_LAN"

   masquerade reverse

   protection strong 1000/sec 1000

   client all   accept

   server ident reject # with tcp-reset is also the default

   # The following are needed for satisfying your
   # DNATs. If omitted, your DNAT will work, but
   # your firewall will block them.
   server http accept dst "$HOME_HTTP_IP"
   server irc  accept dst "$HOME_IRC_IP"


--- snip ---


DNAT = change the destination IP to X
       for all traffic matching the parameters.

You use DNAT to forward incoming traffic to some other host.


SNAT = change the source IP to X
       for all traffic matching the parameters.

You use SNAT to make the destination host reply to you instead of
the sender.


You would need both DNAT and SNAT if the destination host had a
different default gateway (not the host that made the DNAT).
Using SNAT you force the destination host to send the reply back
to you, which you can then send back to the original sender,
since you have all the information needed (you made both DNAT
and SNAT).


REDIRECT = DNAT to 127.0.0.1
       for all traffic matching the parameters.

You use REDIRECT to catch the traffic and send it to a locally
running application (commonly used in transparent caches).


In all cases, your firewall rules (packet filtering) must allow
the traffic.

NOTE: IRC needs a kernel module for it to be NATed. Although FireHOL will
try to load it, make sure it exists (you will get a warning if it is not
there).


I hope these will help...

-- 
Costa Tsaousis


> Hi, I just started using Firehol on my firewall and I'm kinda confused.
> My Firewall/Gateway is 192.168.0.1(int)/140.232.x.x(ext) and I have some
> servers running behind that; 192.168.0.2 hosts a webserver and an IRC
> server, for example. Now I want to know what the best way is to redirect
> ports 80 and 6667 on the gateway to 192.168.0.2:80 and 192.168.0.2:6667
> respectively. I'm not sure whether to use dnat, snat, redirect or
> whatever.
> Thanks a lot.
> So far I'm really liking how FireHol is running on my system. I will
> post my firehol.conf below.
>
> Jule
>
> note: I still have to add the rules for the IRC server
> --conf--
>> version 5
>>
>> interface eth1 home
>>         server ssh accept
>>         server icmp accept
>>         server http accept
>>         server dhcp accept
>>         server cvspserver accept
>>
>>         client ssh accept
>>         client cvspserver accept
>>         client http accept
>>
>> interface eth0 internet
>>         server http accept
>>         server cvspserver accept
>>         server ssh accept
>>
>>         client all accept
>>
>> router internet2home inface eth0 outface eth1
>>         masquerade reverse
>>         client all   accept
>>         server ident reject with tcp-reset
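The three translations described in the reply above (DNAT, SNAT for the
different-default-gateway case, REDIRECT for a local transparent cache),
spelled out as the raw iptables rules they correspond to, each paired with
the packet-filter rule that must accept the translated traffic. This is an
added example written for this page; it is not FireHOL's own code and was
not part of the thread. Addresses and interfaces are carried over from the
config above (the "fix this" public IP included); the cache port 3128 and
the use of "-m conntrack" in place of the older "-m state" are assumptions.
By default the script only prints the iptables commands; set APPLY=1 and
run it as root to actually install them.

```shell
#!/bin/sh
# Added example: iptables equivalents of FireHOL's dnat / snat / redirect
# statements plus the filter rules they need. Not FireHOL code.

PUBLIC_IF="eth0"
PUBLIC_IP="140.232.1.1"     # assumed, as in the config in the thread
HOME_IF="eth1"
HOME_IP="192.168.0.1"
HOME_HTTP_IP="192.168.0.2"
PROXY_PORT="3128"           # assumed: a transparent cache on the firewall

# Dry run by default: print each rule instead of applying it.
# APPLY=1 (as root) executes the commands for real.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# DNAT: rewrite the destination of packets that arrive on the public
# interface for PUBLIC_IP:80 so they go to the internal web server.
# The FORWARD rules are the "your firewall rules must allow the traffic"
# part: without them the translation happens and the packet is then
# dropped by the filter. Replies still carry the server's real source
# address in FORWARD (un-DNAT happens later, in POSTROUTING), so the
# reverse rule matches on -s HOME_HTTP_IP.
dnat_http() {
    run iptables -t nat -A PREROUTING -i "$PUBLIC_IF" -d "$PUBLIC_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$HOME_HTTP_IP:80"
    run iptables -A FORWARD -i "$PUBLIC_IF" -o "$HOME_IF" -d "$HOME_HTTP_IP" \
        -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$HOME_IF" -o "$PUBLIC_IF" -s "$HOME_HTTP_IP" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# SNAT: only needed when the web server's default gateway is NOT this
# firewall. Rewriting the source to HOME_IP forces the server to reply to
# the firewall, which undoes both translations via conntrack and forwards
# the reply to the real client. Side effect worth knowing: the server's
# logs now show HOME_IP instead of the real client address.
snat_http_reply_path() {
    run iptables -t nat -A POSTROUTING -o "$HOME_IF" -d "$HOME_HTTP_IP" \
        -p tcp --dport 80 -j SNAT --to-source "$HOME_IP"
}

# REDIRECT: a DNAT to the firewall's own address on the interface the
# packet came in on, used here to push LAN web traffic into a local
# transparent cache. Locally delivered packets traverse INPUT rather
# than FORWARD, so INPUT is the chain that must accept them.
redirect_lan_http_to_proxy() {
    run iptables -t nat -A PREROUTING -i "$HOME_IF" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    run iptables -A INPUT -i "$HOME_IF" -p tcp --dport "$PROXY_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Forwarding between interfaces is off unless the kernel is told otherwise.
if [ "${APPLY:-0}" = "1" ]; then
    sysctl -w net.ipv4.ip_forward=1
fi
dnat_http
snat_http_reply_path
redirect_lan_http_to_proxy
```

Each function pairs the nat-table rule with the filter rule it depends on,
which is the practical content of the "in all cases your firewall rules
must allow the traffic" remark above. The SNAT function is the iptables
form of a FireHOL statement like
snat to "$HOME_IP" outface "$HOME_IF" dst "$HOME_HTTP_IP" proto tcp dport 80
(the analogue of the dnat lines in the config), and is only worth adding
when 192.168.0.2 does not route its replies back through the firewall.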




