[Firehol-support] Can't get DNAT to port forward SSH

Moacyr Leite da Silva moacyrs at akadnyx.com.br
Wed Jan 7 22:56:33 GMT 2004


I can't get DNAT to forward ssh to an internal host.

Here is my firehol.conf.

Thanks for any clues. Actually, because of aliases I am a bit lost here.

I would also like to have some examples for DNAT.

I tried

nat to-destination 10.0.0.73 inface eth0 dst 200.xxx.xxx.73
nat to-source 200.xxx.xxx.73 outface eth0

I also tried to specify the alias like eth0:73, which looks like:
nat to-destination 10.0.0.73 inface eth0:73 dst 200.xxx.xxx.73
nat to-source 200.xxx.xxx.73 outface eth0:73

but it seems to have no effect.

TIA

Moacyr



> public_ip="200.xxx.xxx.67 200.xxx.xxx.66 200.xxx.xxx.68 200.xxx.xxx.69 200.xxx.xxx.70 200.xxx.xxx.71 200.xxx.xxx.72 200.xxx.xxx.73"
>
> dmz_ip="192.168.0.0/24"
>
> lan_ip="10.0.0.0/16"
>
>
> #BLACKLIST
> #blacklist full 11.11.11.11 12.12.12.12
>
>
> # NAT rules
>
> # NAT
> # set up SNAT/DNAT instead of MASQUERADE
> #nat to-source "${public_ip}" outface eth0+
> nat to-source 200.xxx.xxx.67 outface eth0
>
> # NAT Mercurio
> nat to-destination 10.0.0.3 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.69
> nat to-destination 10.0.0.3 inface eth0 proto tcp dport 443 dst 200.xxx.xxx.69
>
> # NAT Zeus
> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.66
> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 20 dst 200.xxx.xxx.66
> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 21 dst 200.xxx.xxx.66
> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 443 dst 200.xxx.xxx.66
>
> # NAT Protheus
> nat to-destination 10.0.0.5 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.68
>
> # NAT SNMPC
> nat to-destination 10.0.0.70 inface eth0 proto tcp dport http     dst 200.xxx.xxx.70
> nat to-destination 10.0.0.70 inface eth0 proto tcp dport https    dst 200.xxx.xxx.70
> nat to-destination 10.0.0.70 inface eth0 proto tcp dport ftp      dst 200.xxx.xxx.70
> nat to-destination 10.0.0.70 inface eth0 proto tcp dport snmp     dst 200.xxx.xxx.70
> nat to-destination 10.0.0.70 inface eth0 proto udp dport snmp     dst 200.xxx.xxx.70
> nat to-destination 10.0.0.70 inface eth0 proto udp dport snmptrap dst 200.xxx.xxx.70
>
> # NAT citosina
> nat to-destination 10.0.0.71 inface eth0 proto tcp dport http     dst 200.xxx.xxx.71
> nat to-destination 10.0.0.71 inface eth0 proto tcp dport https    dst 200.xxx.xxx.71
> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ftp      dst 200.xxx.xxx.71
> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ntp      dst 200.xxx.xxx.71
> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ssh      dst 200.xxx.xxx.71
> nat to-destination 10.0.0.71 inface eth0 proto tcp dport daytime  dst 200.xxx.xxx.71
>
> # NAT Vision
> nat to-destination 10.0.0.73 inface eth0 proto tcp dport http     dst 200.xxx.xxx.73
> nat to-destination 10.0.0.73 inface eth0 proto tcp dport https    dst 200.xxx.xxx.73
> nat to-destination 10.0.0.73 inface eth0 proto tcp dport ftp      dst 200.xxx.xxx.73
> nat to-destination 10.0.0.73 inface eth0 proto tcp dport snmp     dst 200.xxx.xxx.73
> nat to-destination 10.0.0.73 inface eth0 proto udp dport snmp     dst 200.xxx.xxx.73
> nat to-destination 10.0.0.73 inface eth0 proto udp dport snmptrap dst 200.xxx.xxx.73
>
> # firewall rules
>
> # internet
> interface eth0+ internet src not "${UNROUTABLE_IPS}" dst "${public_ip}"
>
>         policy drop
>         protection strong 10/sec 10
>         server ident reject with tcp-reset
>
>         server http     accept
>         server https    accept
>         server dns      accept
>         server smtp     accept
>         server pop3     accept
>         server ping     accept dst "200.xxx.xxx.71"
>         server imap     accept
>
>         server "webcache ssh" accept src "200.207.50.175"
>
>         client all accept
>
>
>
> interface eth1 lan
>
>         policy drop
>         protection strong 10/sec 10
>         server ident reject with tcp-reset
>
>         server http accept
>         server https    accept
>         server ping accept
>         server dns      accept
>         server smtp     accept
>         server pop3     accept
>         server imap     accept
>         server webcache accept
>
>         client all accept
>
>
>
> interface eth2 dmz
>
>         policy drop
>         protection strong 10/sec 10
>         server ident reject with tcp-reset
>
>         server http     accept
>         server https    accept
>         server dns      accept
>         server smtp     accept
>         server pop3     accept
>         server imap     accept
>
>         client all accept
>
>
>
>
>
> ## INTERNET
>
> router internet2dmz inface eth0+ outface eth2
>
>         server ident reject with tcp-reset
>         server "dns http https ftp" accept
>
>
>
> router internet2lan inface eth0+ outface eth1
>
>         server ident reject with tcp-reset
>         server "http https ftp" accept
>         server "daytime ftp ICMP icmp ping ntp ssh" accept dst
"200.xxx.xxx.71"
>         server "snmp snmptrap" accept dst "200.xxx.xxx.70 200.xxx.xxx.73"
>
>
>
> ## LAN
>
> router lan2internet inface eth1 outface eth0+
>
>         server ident reject with tcp-reset
>         server "ping dns" accept
>         server "daytime ftp smtp ICMP icmp ping ntp ssh" accept src
"10.0.0.71"
>         server "snmp snmptrap" accept src "10.0.0.70 10.0.0.73"
>
>
>
>
> router lan2dmz inface eth1 outface eth2
>
>         server ident reject with tcp-reset
>         server "dns http https ftp" accept
>
>
>
>
> ## DMZ
>
> router dmz2lan inface eth2 outface eth1
>
>         server ident reject with tcp-reset
>         server "ping dns http https ftp" accept
>
>
> router dmz2internet inface eth2 outface eth0+
>
>         server ident reject with tcp-reset
>         server "ping dns http https ftp" accept
>
>
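
An added example, not from the original post or from the FireHOL project, of how the ssh forward to the Vision host could be written using the addresses from the quoted firehol.conf (the placeholder 200.xxx.xxx.73 is kept as posted). Two points drive it. First, iptables matches the physical device, so an alias such as eth0:73 is not an interface it can see; `inface eth0` together with `dst <alias address>` is the way to select traffic for that alias. Second, `nat to-destination` only rewrites the address in the nat PREROUTING chain, which runs before FORWARD, so the `router` rule sees the translated destination 10.0.0.73 and must accept ssh for that address rather than for the public one. The `router` block repeats the two lines already present in the posted internet2lan router so that the fragment is complete on its own.

```firehol
# Added example; addresses taken from the quoted firehol.conf.
# Both nat lines must appear before the catch-all
#   nat to-source 200.xxx.xxx.67 outface eth0
# because DNAT/SNAT are terminating targets: the first matching rule wins.

# TCP port 22 arriving on eth0 for the address of alias eth0:73 is rewritten
# to the internal host. Restricting to "proto tcp dport ssh" avoids
# redirecting every protocol addressed to 200.xxx.xxx.73 (a bare
# "nat to-destination ... dst 200.xxx.xxx.73" would do exactly that).
nat to-destination 10.0.0.73 inface eth0 proto tcp dport ssh dst 200.xxx.xxx.73

# New outbound connections from 10.0.0.73 leave as 200.xxx.xxx.73. Without
# "src 10.0.0.73" this line would apply to all traffic leaving eth0 and,
# placed after the .67 rule, would never match at all. Replies to the DNATed
# ssh session need no rule here; connection tracking reverses them.
nat to-source 200.xxx.xxx.73 outface eth0 src 10.0.0.73

# FORWARD sees the destination after DNAT, so the router must accept ssh to
# the internal address, not to 200.xxx.xxx.73.
router internet2lan inface eth0+ outface eth1
        server ident reject with tcp-reset
        server "http https ftp" accept
        server ssh accept dst 10.0.0.73
```

After `firehol start`, `iptables -t nat -nvL PREROUTING` should list the DNAT rule and its packet counter should move on each connection to 200.xxx.xxx.73:22 from outside. If the counter moves but the session still fails, the DNAT is fine and the drop is happening in FORWARD (`iptables -nvL` shows the FireHOL chains), which points at the router rule rather than the nat rule.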
