[Firehol-support] redirecting ports
Costa Tsaousis
costa at tsaousis.gr
Tue Sep 9 00:00:44 BST 2003
Hi,
here it is:
--- snip ---
# --- DEFINITIONS ---
# This section will make the configuration
# more readable.
PUBLIC_IF="eth0"
PUBLIC_IP="140.232.1.1" # fix this
HOME_IF="eth1"
HOME_IP="192.168.0.1"
HOME_LAN="192.168.0.0/24" # fix this
HOME_BCAST="192.168.0.255" # fix this
HOME_HTTP_IP="192.168.0.2"
HOME_IRC_IP="192.168.0.2"
# --- CUSTOM SERVICE DEFINITIONS ---
# empty if you don't need any
# --- NAT ---
# Change destination for port tcp/80
dnat to "$HOME_HTTP_IP" \
inface "$PUBLIC_IF" dst "$PUBLIC_IP" proto tcp dport 80
# Change destination for port tcp/6667
dnat to "$HOME_IRC_IP" \
inface "$PUBLIC_IF" dst "$PUBLIC_IP" proto tcp dport 6667
# --- FIREWALL ---
interface "$HOME_IF" home \
src "$HOME_LAN" dst "$HOME_IP $HOME_BCAST"
policy reject
server ssh accept
server icmp accept
server http accept
server dhcp accept
server cvspserver accept
client ssh accept
client cvspserver accept
client http accept
# NOTE: your home is very tight.
# This is very nice for production systems, but
# if this is your HOME, it might be a source of problems.
interface "$PUBLIC_IF" internet \
src not "$UNROUTABLE_IPS" dst "$PUBLIC_IP"
# always protect yourself from bad things
protection strong 1000/sec 1000
server http accept
server cvspserver accept
server ssh accept
client all accept
router internet2home \
inface "$PUBLIC_IF" outface "$HOME_IF" \
src not "$UNROUTABLE_IPS" dst "$HOME_LAN"
masquerade reverse
protection strong 1000/sec 1000
client all accept
server ident reject # with tcp-reset is also the default
# The following are needed for satisfying your
# DNATs. If omitted, your DNAT will work, but
# your firewall will block them.
server http accept dst "$HOME_HTTP_IP"
server irc accept dst "$HOME_IRC_IP"
--- snip ---
DNAT = change the destination IP to X
for all traffic matching the parameters.
You use DNAT to forward incoming traffic to some other host.
SNAT = change the source IP to X
for all traffic matching the parameters.
You use SNAT to make the destination host reply to you instead of
the sender.
You would need both DNAT and SNAT if the destination host had a
different default gateway (not the host that made the DNAT).
Using SNAT you force the destination host to send the reply back
to you, which you can then send back to the original sender,
since you have all the information needed (you made both DNAT
and SNAT).
REDIRECT = DNAT to 127.0.0.1
for all traffic matching the parameters.
You use REDIRECT to catch the traffic and send it to a locally
running application (commonly used in transparent caches).
In all cases, your firewall rules (packet filtering) must allow
the traffic.
NOTE: IRC needs a kernel module for it to be NATed. Although FireHOL will
try to load it, make sure it exists (you will get a warning if it is not
there).
I hope these will help...
--
Costa Tsaousis
> Hi i just started using Firehol on my firewall and I'm kinda confused.
> My Firewall/Gateway is 192.168.0.1(int)/140.232.x.x(ext) and i have some
> servers running behind that 192.168.0.2 hosts a webserver and a IRC
> server for example, now i want to know what the best way is to redirect
> ports 80 and 6667 on the gateway to 192.168.0.2:80 and 192.168.0.2:6667
> respectively. I'm not sure whether to use dnat, snat, redirect or
> whatever.
> Thanks a lot.
> So far i'm really liking how FireHol is running on my system. I will
> post my firehol.conf below.
>
> Jule
>
> note: i still have to add the rules for the IRC server
> --conf--
>> version 5
>>
>> interface eth1 home
>> server ssh accept
>> server icmp accept
>> server http accept
>> server dhcp accept
>> server cvspserver accept
>>
>> client ssh accept
>> client cvspserver accept
>> client http accept
>>
>> interface eth0 internet
>> server http accept
>> server cvspserver accept
>> server ssh accept
>>
>> client all accept
>>
>> router internet2home inface eth0 outface eth1
>> masquerade reverse
>> client all accept
>> server ident reject with tcp-reset
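The three NAT verbs the reply explains (DNAT, SNAT, REDIRECT), shown as the raw netfilter rules they amount to. This is an added example: it is not FireHOL's generated output and not code from the original post. The interface names and addresses are the ones used in the configuration above; the print-only default, the APPLY variable and the local port 3128 used for the REDIRECT case are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from FireHOL or the original post): the netfilter
# rules behind DNAT, SNAT and REDIRECT port forwarding, written for the
# addresses used above (assumed: eth0 public with 140.232.1.1, eth1 home
# with 192.168.0.1, target host 192.168.0.2).
set -eu

IPT="${IPT:-iptables}"
# Print-only unless APPLY=1, so the generated rules can be reviewed first.
[ "${APPLY:-0}" = 1 ] || IPT="echo $IPT"

# DNAT: rewrite the destination of $proto/$dport arriving on $pub_if for
# $pub_ip to $target. The nat table only rewrites; the FORWARD chain must
# still accept the rewritten flow (the "your firewall will block them"
# point). Matching --ctstate DNAT limits the accept to connections that a
# DNAT rule actually translated, not anything addressed to $target.
dnat_forward() {
  local pub_if=$1 pub_ip=$2 proto=$3 dport=$4 target=$5 home_if=$6
  $IPT -t nat -A PREROUTING -i "$pub_if" -d "$pub_ip" -p "$proto" --dport "$dport" \
    -j DNAT --to-destination "$target"
  $IPT -A FORWARD -i "$pub_if" -o "$home_if" -d "$target" -p "$proto" --dport "$dport" \
    -m conntrack --ctstate DNAT -j ACCEPT
  $IPT -A FORWARD -i "$home_if" -o "$pub_if" -s "$target" -p "$proto" --sport "$dport" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# SNAT on top of DNAT, only for a target whose default gateway is NOT this
# host: its replies would otherwise leave through the other gateway and
# reach the client from the private address, which the client discards.
# Rewriting the source to $home_ip forces the target to answer us, where
# conntrack undoes both translations. Cost: the target logs every client
# as $home_ip, so fixing the target's gateway is preferable when possible.
snat_for_foreign_gateway() {
  local home_if=$1 home_ip=$2 proto=$3 dport=$4 target=$5
  $IPT -t nat -A POSTROUTING -o "$home_if" -d "$target" -p "$proto" --dport "$dport" \
    -j SNAT --to-source "$home_ip"
}

# REDIRECT: hand matching traffic to a port on this host (transparent
# proxy). Netfilter rewrites the destination to the primary address of the
# interface the packet arrived on (127.0.0.1 only for locally generated
# packets), and the INPUT chain must still accept the redirected port.
redirect_local() {
  local in_if=$1 proto=$2 dport=$3 local_port=$4
  $IPT -t nat -A PREROUTING -i "$in_if" -p "$proto" --dport "$dport" \
    -j REDIRECT --to-ports "$local_port"
  $IPT -A INPUT -i "$in_if" -p "$proto" --dport "$local_port" \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# The scenario from the question: public tcp/80 and tcp/6667 to 192.168.0.2.
# IRC DCC additionally needs the conntrack helper loaded (ip_nat_irc on
# 2.4 kernels, nf_nat_irc on current ones); that is left to the caller.
dnat_forward eth0 140.232.1.1 tcp 80   192.168.0.2 eth1
dnat_forward eth0 140.232.1.1 tcp 6667 192.168.0.2 eth1
```

Run it as-is to see the rules; run with APPLY=1 as root to install them. Each forwarded port needs both the nat rule and the FORWARD accept, exactly as the `dnat` line plus the `server ... accept dst` line do in the FireHOL configuration above.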