[Firehol-support] Can't get DNAT to port forward SSH
Moacyr Leite da Silva
moacyrs at akadnyx.com.br
Thu Jan 8 14:21:57 GMT 2004
I changed the firehol.conf and now its working but this is not ok for me!
its running ok
router internet2lan inface eth0+ outface eth1
server ident reject with tcp-reset
# add entry ssh here allows to access ssh internal host
server "http https ftp ssh" accept
server "daytime ftp ICMP icmp ping ntp ssh" accept dst
"200.xxx.xxx.71"
server "snmp snmptrap" accept dst "200.xxx.xxx.70 200.xxx.xxx.73"
it is not working
router internet2lan inface eth0+ outface eth1
server ident reject with tcp-reset
# remove entry ssh here deny access ssh internal host
server "http https ftp" accept
# this entry is supposed to allow ssh to internal host
server "daytime ftp ICMP icmp ping ntp ssh" accept dst
"200.xxx.xxx.71"
server "snmp snmptrap" accept dst "200.xxx.xxx.70 200.xxx.xxx.73"
Some tip?
Thanks
Moacyr
***
public_ip="200.xxx.xxx.67 200.xxx.xxx.66 200.xxx.xxx.68 200.xxx.xxx.69
200.xxx.xxx.70 200.xxx.xxx.71 200.xxx.xxx.72 200.xxx.xxx.73"
dmz_ip="192.168.0.0/24"
lan_ip="10.0.0.0/16"
#BLACKLIST
#blacklist full 11.11.11.11 12.12.12.12
# regras de NAT
# NAT
# set up SNAT/DNAT instead of MASQUERADE
#nat to-source "${public_ip}" outface eth0+
nat to-source 200.xxx.xxx.67 outface eth0
# NAT Mercurio
dnat to 10.0.0.3 proto tcp dst 200.xxx.xxx.69 dport "http https"
# NAT Zeus
dnat to 192.168.0.2 proto tcp dst 200.xxx.xxx.66 dport "http https ftp"
# NAT Protheus
dnat to 10.0.0.5 proto tcp dst 200.xxx.xxx.68 dport "http"
# NAT SNMPC
dnat to 10.0.0.70 proto tcp dst 200.xxx.xxx.70 dport "http https ftp snmp"
dnat to 10.0.0.70 proto udp dst 200.xxx.xxx.70 dport "snmp snmptrap"
# NAT citosina
dnat to 10.0.0.71 proto tcp dst 200.xxx.xxx.71 dport "http https ftp ntp
daytime ssh"
dnat to 10.0.0.71 proto udp dst 200.xxx.xxx.71 dport "ssh"
# NAT Vision
dnat to 10.0.0.73 proto tcp dst 200.xxx.xxx.73 dport "http https ftp snmp"
dnat to 10.0.0.73 proto udp dst 200.xxx.xxx.73 dport "snmp snmptrap"
# regras de firewall
# internet
#interface eth0 internet src not "${UNROUTABLE_IPS}" dst "${public_ip}"
interface eth0+ internet dst "${public_ip}"
policy drop
protection strong 10/sec 10
server ident reject with tcp-reset
server http accept
server https accept
server dns accept
server smtp accept
server pop3 accept
server ping accept dst "200.xxx.xxx.71"
server imap accept
server "webcache ssh" accept src "200.207.50.175"
client all accept
interface eth1 lan
policy drop
protection strong 10/sec 10
server ident reject with tcp-reset
server http accept
server https accept
server ping accept
server dns accept
server smtp accept
server pop3 accept
server imap accept
server webcache accept
client all accept
interface eth2 dmz
policy drop
protection strong 10/sec 10
server ident reject with tcp-reset
server http accept
server https accept
server dns accept
server smtp accept
server pop3 accept
server imap accept
client all accept
## INTERNET
router internet2dmz inface eth0+ outface eth2
server ident reject with tcp-reset
server "dns http https ftp" accept
router internet2lan inface eth0+ outface eth1
server ident reject with tcp-reset
server "http https ftp ssh" accept
server "daytime ftp ICMP icmp ping ntp ssh" accept dst "200.xxx.xxx.71"
server "snmp snmptrap" accept dst "200.xxx.xxx.70 200.xxx.xxx.73"
## LAN
router lan2internet inface eth1 outface eth0+
server ident reject with tcp-reset
server "ping dns" accept
server "daytime ftp smtp ICMP icmp ping ntp ssh" accept src "10.0.0.71"
server "snmp snmptrap" accept src "10.0.0.70 10.0.0.73"
router lan2dmz inface eth1 outface eth2
server ident reject with tcp-reset
server "dns http https ftp" accept
## DMZ
router dmz2lan inface eth2 outface eth1
server ident reject with tcp-reset
server "ping dns http https ftp" accept
router dmz2internet inface eth2 outface eth0+
server ident reject with tcp-reset
server "ping dns http https ftp" accept
More information about the Firehol-support
mailing list