[Firehol-support] another port forwarding question...
costa at tsaousis.gr
Sat Sep 20 03:22:55 BST 2003
you have two methods to do this, although you can use both of them at the
same time if you like:
1. limiting the DNAT
As with all FireHOL statements, the optional rule parameters (src/dst
inface/outface, proto, sport/dport, etc) are used to limit the traffic to
be matched. This means that:
dnat to 126.96.36.199
will dnat EVERYTHING (...don't do this)
dnat to 188.8.131.52 inface eth1 dst 184.108.40.206
will dnat only the traffic coming from eth1 and targeting 220.127.116.11
dnat to 18.104.22.168 inface eth1 dst 22.214.171.124 proto tcp dport 80 src 126.96.36.199
will dnat only the traffic coming from eth1 AND targeting 188.8.131.52
AND is TCP AND is going to port 80 AND is coming from 184.108.40.206
This is how you can control which traffic to be nated.
2. limiting the routed traffic
As you might already know, even if you dnat something, if you don't allow
it in your packet filtering firewall, the traffic will be blocked. So,
assuming that you have done:
dnat to 220.127.116.11 inface eth1 dst 18.104.22.168 proto tcp dport 80
you can then, in the router, do:
server http accept src 22.214.171.124
The above means that although you will dnat all http traffic, only such
traffic coming from 126.96.36.199 will be allowed to pass. All other will be
dropped at the packet filtering firewall.
Of course, you can use: src "a.host another.host a.third.host" in all
statements, but also:
trusted="a.host another.host a.third.host"
dnat to ... src "$trusted"
server http accept src "$trusted"
which will enable both checks (although there is no point for the extra
Now, about the SNAT:
Although DNAT changes the destination of the packet, SNAT changes the
source. This is useful in situations where the firewall/router box that
will DNAT the traffic is not the gateway for the clients accessing the
service. Here is an example:
Router ------+------ Server
We are sitting on MyBOX (A is its public IP and B its internal).
Our stealth Server has the Router as default gateway. Server and Router
communicate with MyBOX using fake IP addresses.
Some day, you decide that the Internet should use a service on the Server,
but since it is a stealth server there is no way of getting the traffic
there. You think again and you decide to DNAT some traffic on MyBOX using
dnat to Server dst MyBOX.A proto tcp dport 80
Of course you put the relative server statement in a router config of
FireHOL on MyBOX and you try to hit the service.
It does not work. The problem is that although the packet will go to the
Server it cannot come back to the Internet, because the Server has default
gateway the Router and the Router is not connected to the Internet. So the
HTTP reply is lost. Even if the Router was connected to the Internet, the
reply would go back to the sender with a wrong source address (Server)
which would make it drop the reply because it does not match the
To fix this situation, you have to instruct Server to send the reply back
to MyBOX, since MyBOX knows what to do with it. To do this you can place,
after the dnat:
snat to MyBOX.B dst Server proto tcp dport 80
This changes the source of packets to the internal IP of MyBOX, so that
the Server is thinking "hey, MyBOX.B is asking..." and therefore it sends
the reply back to MyBOX. Then MyBOX sees that the reply matches the SNAT
and changes back the source IP address of the original packet, and next it
figures out that it also matches the DNAT, which makes it change back
the original destination too. So the packet goes back to the sender as if
MyBOX.A was replying to it.
In large setups with complex network topologies, SNAT is very helpful
since in combination with DNAT, it allows you to route the traffic in
otherwise unroutable ways.
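Both methods put together for the layout in the question (eth0 towards the Internet, eth1 towards the LAN), as an added FireHOL configuration example that is not from the original thread; every address, host and rule name in it is a made-up placeholder:

```bash
version 5

# Constructed addresses (placeholders, not from the thread):
#   203.0.113.1   public IP of this box on eth0 (MyBOX.A in the reply)
#   10.0.0.1      internal IP of this box on eth1 (MyBOX.B)
#   10.0.0.80     the internal web server, reached through eth1
trusted="198.51.100.10 198.51.100.11"   # the trusted Internet hosts

# Method 1: only DNAT what the trusted hosts send to our public IP on tcp/80.
# Without "src" this would forward port 80 for the whole Internet.
dnat to 10.0.0.80 inface eth0 dst 203.0.113.1 proto tcp dport 80 src "$trusted"

# Only needed when 10.0.0.80 does not use this box as its default gateway
# (the "stealth server" case in the reply): rewrite the source to our
# internal IP so the server's replies come back through this box, where
# conntrack undoes the SNAT and then the DNAT.
snat to 10.0.0.1 dst 10.0.0.80 proto tcp dport 80

interface eth0 internet
    policy drop
    protection strong
    client all accept

interface eth1 lan
    policy drop
    server all accept
    client all accept

# Method 2: the packet filter still has to allow the forwarded traffic.
# The src match drops anything that reached the DNAT from a non-trusted host.
router internet2lan inface eth0 outface eth1
    server http accept src "$trusted"

router lan2internet inface eth1 outface eth0
    route all accept
```

With the snat line in place the web server sees every forwarded connection as coming from 10.0.0.1, so its own logs no longer show the real client address; leave that line out when the server already routes its replies through this box.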
> Hi, I have read the FAQ for port forward issues and have
> found it very helping, but I still have an issue that
> I has not yet been resolved. :(
> I have a firewall/gateway configured this way...
> eth0 => internet
> eth1 => lan
> I would like to dnat http requests coming on eth0, to a
> machine on the lan (I know how to do this), BUT only if it
> comes from some given trusted machines on the internet
> (this I don't know)...
> also, what is SNAT? I believe it to be Source NAT, but I
> can't figure out a concrete example of why I would want to
> do this... unless it is related to what I am trying to do?
> Thanks for any help...
> Oh, btw... firehol is a really great product... hope it
> will not fall into oblivion, because I really don't have
> that much time to spend reading and writing iptables
> scripts... :)
> Alain Bacon - Application Architect
> Mobilair Intégration Inc. 1-800-341-4124
> PGP public key: http://pages.infinit.net/syntek