[Firehol-support] Re: Can't get DNAT to port forward SSH

Costa Tsaousis costa at tsaousis.gr
Thu Jan 8 19:02:39 CET 2004


Hi,

Case 1: Aliases
---------------
As far as iptables (and FireHOL) is concerned aliases do not exist. eth0,
eth0:1, eth0:5 and eth0:123 are all eth0.

To differentiate interfaces, routers or individual rules for each alias,
you use the src/dst parameters. Example:

interface eth0 lan1 src 10.0.0.0/8 dst 10.0.0.1
...

interface eth0 lan2 src 192.168.0.0/16 dst 192.168.1.1
...

router inface eth0 outface eth0 src 10.0.0.0/8 dst 192.168.0.0/16
...

etc.
So, forget the aliases. Think of the real interface only.


Case 2: dnat
------------
Simplify your life. There are two points that control what will get to the
internal machines: NAT and FILTERING. Don't use both. It is a waste of
effort.

I suggest you NAT everything and then use FILTERING to control what gets
passed. Also, I suggest you remember that firehol.conf is a BASH script too.
Use it as such:


fullnat() {
   # $1 is the internal IP
   # $2 is the public IP

   # Incoming traffic
   dnat to "$1" inface eth0 dst "$2"

   # Outgoing traffic
   snat to "$2" outface eth0 src "$1"
}

fullnat 10.0.0.3 200.xxx.xxx.69 # Mercurio
fullnat 10.0.0.2 200.xxx.xxx.66 # Zeus
fullnat 10.0.0.5 200.xxx.xxx.68 # Protheus
...

As you understand, this will DNAT everything sent to the public IP. There
will be no selection/filtering here. Also, this will SNAT the internal IP
to the public one, so that the internal machine can go out using its own
IP.

Of course, if the internal machine does not have this linux host as its
default gateway, you will need another SNAT in the incoming direction to
force it to reply back to the linux host. I assume you know this...

Then, it comes to FILTERING. You have two options here: 1) one router with
all the rules for all machines or 2) multiple routers, one for each
machine. I choose the second for clarity:

router mercurio inface eth0 outface eth1 \
      src not "${UNROUTABLE_IPS}" dst 10.0.0.3

   # protection strong

   server http accept
   server https accept

   client all accept


router zeus inface eth0 outface eth1 \
      src not "${UNROUTABLE_IPS}" dst 10.0.0.2

   # protection strong

   server http accept
   server https accept
   server ftp accept

   client all accept

etc.

So simple...

Costa
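As an added example (not from this post or from FireHOL itself): a small shell helper that reads a firehol.conf written in the style above and lists every internal IP that fullnat forwards but that no router restricts. Because "dnat to $1 inface eth0 dst $2" forwards the whole public IP, such a host is reachable on every port. The config embedded in the script is constructed, with hypothetical addresses.

```shell
#!/bin/sh
# Added example, not from the list post or the FireHOL project. Assumes a
# firehol.conf where "fullnat INTERNAL PUBLIC" (or a bare "dnat to INTERNAL")
# forwards a whole public IP, and one "router NAME ... dst INTERNAL" per
# machine does the filtering. Internal IPs that are NATed but never appear
# as a router's dst are listed, since nothing limits what reaches them.

# Constructed sample config (hypothetical addresses) in the thread's layout.
SAMPLE_CONF='
fullnat() {
   dnat to "$1" inface eth0 dst "$2"
   snat to "$2" outface eth0 src "$1"
}
fullnat 10.0.0.3 203.0.113.69 # Mercurio
fullnat 10.0.0.2 203.0.113.66 # Zeus
fullnat 10.0.0.5 203.0.113.68 # Protheus: NATed, but no router below

router mercurio inface eth0 outface eth1 \
      src not "${UNROUTABLE_IPS}" dst 10.0.0.3
   server "http https" accept
   client all accept

router zeus inface eth0 outface eth1 \
      src not "${UNROUTABLE_IPS}" dst 10.0.0.2
   server "http https ftp" accept
   client all accept
'

# Reads a firehol.conf on stdin; prints, one per line, the internal IPs that
# are NAT targets but are not the dst of any router.
unfiltered_dnat_targets() {
    awk '
        # Join backslash-continued lines so a router and its "dst X"
        # continuation are handled as one record.
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
        { $0 = buf $0; buf = "" }
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "fullnat" { nat[$2] = 1 }
        $1 == "dnat" && $2 == "to" {
            t = $3; gsub(/"/, "", t)
            if (t !~ /^\$/) nat[t] = 1      # skip the "$1" inside fullnat()
        }
        $1 == "router" {
            for (i = 2; i < NF; i++) if ($i == "dst") {
                t = $(i + 1); gsub(/"/, "", t); filtered[t] = 1
            }
        }
        END { for (ip in nat) if (!(ip in filtered)) print ip }
    ' | sort
}

printf "%s\n" "$SAMPLE_CONF" | unfiltered_dnat_targets
```

Run it against the real firehol.conf with `unfiltered_dnat_targets < /etc/firehol/firehol.conf`; an empty result means every NATed host has a filtering router.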

> I can't get DNAT to forward ssh to an internal host
>
> here is my firehol.conf
>
> Thanks for any clues. Actually, because of aliases I am a bit lost here.
>
> I also would like to have some examples for dnat.
>
> I tried
>
> nat to-destination 10.0.0.73 inface eth0 dst 200.xxx.xxx.73
> nat to-source 200.xxx.xxx.73 outface eth0
>
> also tried to specify the alias like eth0:73, looks like:
> nat to-destination 10.0.0.73 inface eth0:73 dst 200.xxx.xxx.73
> nat to-source 200.xxx.xxx.73 outface eth0:73
>
> but it seems to have no effect.
>
> TIA
>
> Moacyr
>
>
>
>> public_ip="200.xxx.xxx.67 200.xxx.xxx.66 200.xxx.xxx.68 200.xxx.xxx.69 200.xxx.xxx.70 200.xxx.xxx.71 200.xxx.xxx.72 200.xxx.xxx.73"
>>
>> dmz_ip="192.168.0.0/24"
>>
>> lan_ip="10.0.0.0/16"
>>
>>
>> #BLACKLIST
>> #blacklist full 11.11.11.11 12.12.12.12
>>
>>
>> # NAT rules
>>
>> # NAT
>> # set up SNAT/DNAT instead of MASQUERADE
>> #nat to-source "${public_ip}" outface eth0+
>> nat to-source 200.xxx.xxx.67 outface eth0
>>
>> # NAT Mercurio
>> nat to-destination 10.0.0.3 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.69
>> nat to-destination 10.0.0.3 inface eth0 proto tcp dport 443 dst 200.xxx.xxx.69
>>
>> # NAT Zeus
>> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.66
>> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 20 dst 200.xxx.xxx.66
>> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 21 dst 200.xxx.xxx.66
>> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 443 dst 200.xxx.xxx.66
>>
>> # NAT Protheus
>> nat to-destination 10.0.0.5 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.68
>>
>> # NAT SNMPC
>> nat to-destination 10.0.0.70 inface eth0 proto tcp dport http     dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto tcp dport https    dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto tcp dport ftp      dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto tcp dport snmp     dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto udp dport snmp     dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto udp dport snmptrap dst 200.xxx.xxx.70
>>
>> # NAT citosina
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport http     dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport https    dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ftp      dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ntp      dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ssh      dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport daytime  dst 200.xxx.xxx.71
>>
>> # NAT Vision
>> nat to-destination 10.0.0.73 inface eth0 proto tcp dport http     dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto tcp dport https    dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto tcp dport ftp      dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto tcp dport snmp     dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto udp dport snmp     dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto udp dport snmptrap dst 200.xxx.xxx.73
>>
>> # firewall rules
>>
>> # internet
>> interface eth0+ internet src not "${UNROUTABLE_IPS}" dst "${public_ip}"
>>
>>         policy drop
>>         protection strong 10/sec 10
>>         server ident reject with tcp-reset
>>
>>         server http     accept
>>         server https    accept
>>         server dns      accept
>>         server smtp     accept
>>         server pop3 accept
>>         server ping accept dst "200.xxx.xxx.71"
>>         server imap accept
>>
>>         server "webcache ssh" accept src "200.207.50.175"
>>
>>         client all accept
>>
>>
>>
>> interface eth1 lan
>>
>>         policy drop
>>         protection strong 10/sec 10
>>         server ident reject with tcp-reset
>>
>>         server http accept
>>         server https    accept
>>         server ping accept
>>         server dns      accept
>>         server smtp     accept
>>         server pop3     accept
>>         server imap     accept
>>         server webcache accept
>>
>>         client all accept
>>
>>
>>
>> interface eth2 dmz
>>
>>         policy drop
>>         protection strong 10/sec 10
>>         server ident reject with tcp-reset
>>
>>         server http     accept
>>         server https    accept
>>         server dns      accept
>>         server smtp     accept
>>         server pop3     accept
>>         server imap     accept
>>
>>         client all accept
>>
>>
>>
>>
>>
>> ## INTERNET
>>
>> router internet2dmz inface eth0+ outface eth2
>>
>>         server ident reject with tcp-reset
>>         server "dns http https ftp" accept
>>
>>
>>
>> router internet2lan inface eth0+ outface eth1
>>
>>         server ident reject with tcp-reset
>>         server "http https ftp" accept
>>         server "daytime ftp ICMP icmp ping ntp ssh" accept dst "200.xxx.xxx.71"
>>         server "snmp snmptrap" accept dst "200.xxx.xxx.70 200.xxx.xxx.73"
>>
>>
>>
>> ## LAN
>>
>> router lan2internet inface eth1 outface eth0+
>>
>>         server ident reject with tcp-reset
>>         server "ping dns" accept
>>         server "daytime ftp smtp ICMP icmp ping ntp ssh" accept src "10.0.0.71"
>>         server "snmp snmptrap" accept src "10.0.0.70 10.0.0.73"
>>
>>
>>
>>
>> router lan2dmz inface eth1 outface eth2
>>
>>         server ident reject with tcp-reset
>>         server "dns http https ftp" accept
>>
>>
>>
>>
>> ## DMZ
>>
>> router dmz2lan inface eth2 outface eth1
>>
>>         server ident reject with tcp-reset
>>         server "ping dns http https ftp" accept
>>
>>
>> router dmz2internet inface eth2 outface eth0+
>>
>>         server ident reject with tcp-reset
>>         server "ping dns http https ftp" accept
>>