[Firehol-support] another port forwarding question...

Costa Tsaousis costa at tsaousis.gr
Sat Sep 20 03:22:55 BST 2003

Hi Alan,

you have two methods to do this, although you can use both of them at the
same time if you like:

1. limiting the DNAT

As with all FireHOL statements, the optional rule parameters (src/dst
inface/outface, proto, sport/dport, etc) are used to limit the traffic to
be matched. This means that:

dnat to
   will dnat EVERYTHING (...don't do this)

dnat to inface eth1 dst
   will dnat only the traffic coming from eth1 and targeting

dnat to inface eth1 dst proto tcp dport 80 src
   will dnat only the traffic coming from eth1 AND targeting
      AND is TCP AND is going to port 80 AND is coming from

This is how you can control which traffic to be nated.

2. limiting the routed traffic

As you might already know, even if you dnat something, if you don't allow
it in your packet filtering firewall, the traffic will be blocked. So,
assuming that you have done:

dnat to inface eth1 dst proto tcp dport 80

you can then, in the router, do:

server http accept src

The above means that although you will dnat all http traffic, only such
traffic coming from will be allowed to pass. All other will be
dropped at the packet filtering firewall.

Of course, you can use: src "a.host another.host a.third.host" in all
statements, but also:

trusted="a.host another.host a.third.host"

dnat to ... src "$trusted"


server http accept src "$trusted"

which will enable both checks (although there is no point for the extra

Now, about the SNAT:

Although DNAT changes the destination of the packet, SNAT changes the
source. This is useful in situations where the firewall/router box that
will DNAT the traffic is not the gateway for the clients accessing the
service. Here is an example:

                          | A
                          | B
             Router ------+------ Server

We are sitting on MyBOX (A is its public IP and B its internal).

Our stealth Server has the Router as default gateway. Server and Router
communicate with MyBOX using fake IP addresses.

Some day, you decide that the Internet should use a service on the Server,
but since it is a stealth server there is no way of getting the traffic
there. You think again and you decide to DNAT some traffic on MyBOX using

dnat to Server dst MyBOX.A proto tcp dport 80

Of course you put the relative server statement in a router config of
FireHOL on MyBOX and you try to hit the service.

It does not work. The problem is that although the packet will go to the
Server it cannot come back to the Internet, because the Server has default
gateway the Router and the Router is not connected to the Internet. So the
HTTP reply is lost. Even if the Router was connected to the Internet, the
reply would go back to the sender with a wrong source address (Server)
which would make it drop the reply because it does not match the

To fix this situation, you have to instruct Server to send the reply back
to MyBOX, since MyBOX knows what to do with it. To do this you can place,
after the dnat:

snat to MyBOX.B dst Server proto tcp dport 80

This changes the source of packets to the internal IP of MyBOX, so that
the Server is thinking "hey, MyBOX.B is asking..." and therefore it sends
the reply back to MyBOX. Then MyBOX sees that the reply matches the SNAT
and changes back the source IP address of the original packet, and next it
figures out that it also matches the DNAT, which makes it change back
the original destination too. So the packet goes back to the sender as if
MyBOX.A was replying to it.

In large setups with complex network topologies, SNAT is very helpful
since in combination with DNAT, it allows you to route the traffic in
otherwise unroutable ways.

Costa Tsaousis

> Hi, I have read the FAQ for port forward issues and have
> found it very helpful, but I still have an issue that
> has not yet been resolved.  :(
> I have a firewall/gateway configured this way...
> eth0 => internet
> eth1 => lan
> I would like to dnat http requests coming on eth0, to a
> machine on the lan (I know how to do this), BUT only if it
> comes from some given trusted machines on the internet
> (this I don't know)...
> also, what is SNAT? I believe it to be Source NAT, but I
> can't figure out a concrete example of why I would want to
> do this... unless it is related to what I am trying to do?
> Thanks for any help...
> Oh, btw... firehol is a really great product... hope it
> will not fall into oblivion, because I really don't have
> that much time to spend reading and writing iptables
> scripts... :)
> =====
> ______________________________________________________
> Alain Bacon - Application Architect
> Mobilair Intégration Inc. 1-800-341-4124
> PGP public key: http://pages.infinit.net/syntek
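The two methods from Costa's reply and the SNAT case, put together in one FireHOL configuration for the box Alain describes (eth0 towards the Internet, eth1 towards the LAN). This is an added example, not configuration from the list post or from the FireHOL project; every IP address is a constructed placeholder, the `version 5` line is assumed (adjust it to the FireHOL release in use), and the `protection`, `policy` and `route` statements are ordinary FireHOL keywords added for completeness.

```firehol
# Added example (not from the list post): a FireHOL config combining
# Costa's two methods. eth0 = internet, eth1 = lan, as in Alain's setup.
# All addresses below are constructed placeholders.
version 5          # config-version line; adjust to your FireHOL release

trusted="203.0.113.10 203.0.113.11 203.0.113.12"  # trusted Internet hosts (constructed)
public_ip="198.51.100.5"                          # MyBOX.A, our public address (constructed)
lan_ip="192.168.1.1"                              # MyBOX.B, our LAN address (constructed)
web_server="192.168.1.80"                         # the LAN machine serving HTTP (constructed)

# Method 1: limit the DNAT itself. Only TCP/80 arriving on eth0, addressed to
# our public IP and coming from a trusted host, is redirected to the web server.
# Without "src", "inface" and "dst" the dnat would match far more than intended.
dnat to "$web_server" inface eth0 dst "$public_ip" proto tcp dport 80 src "$trusted"

# SNAT, for Costa's "stealth server" case: if the web server's default gateway
# is NOT this box, rewrite the source to MyBOX.B so its replies come back
# through us and the DNAT can be reversed. Drop this line when the web server
# already routes through MyBOX; it is not needed then.
snat to "$lan_ip" dst "$web_server" proto tcp dport 80

interface eth0 internet
    protection strong
    client all accept
    server ssh accept src "$trusted"

interface eth1 lan
    policy accept

# Outbound LAN traffic is routed freely.
router lan2internet inface eth1 outface eth0
    route all accept

# Method 2: limit the routed traffic. A DNATed packet still has to be accepted
# by the packet filter; "src $trusted" drops anything else here even if the
# dnat line above were ever loosened.
router internet2lan inface eth0 outface eth1
    server http accept src "$trusted"
```

Two things to keep in mind when running this: with the `snat` line in place the web server sees every connection as coming from MyBOX.B, so its access logs no longer record the real client address and any per-client logging or rate limiting has to happen on MyBOX instead; and because both the `dnat` and the `router` rule carry `src "$trusted"`, a change to the trusted list has to be made in the single `trusted=` variable rather than in two places, which is exactly why Costa suggests the variable.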
