[Firehol-support] Can't get DNAT to port forward SSH

Moacyr Leite da Silva moacyrs at akadnyx.com.br
Thu Jan 8 14:21:57 GMT 2004


I changed firehol.conf and now it's working, but this is not OK for me!


This is running OK:

router internet2lan inface eth0+ outface eth1

        server ident reject with tcp-reset
# adding ssh to this entry allows access to ssh on the internal host
# (it carries no dst restriction, so it also matches packets whose destination
# has already been rewritten by the dnat rules to the internal 10.0.0.x address)
        server "http https ftp ssh" accept
# NOTE(review): "dst" and its address appear on two lines here, presumably a
# mail-client line wrap; in the real config they must be on one line
        server "daytime ftp ICMP icmp ping ntp ssh" accept dst
"200.xxx.xxx.71"
        server "snmp snmptrap" accept dst "200.xxx.xxx.70 200.xxx.xxx.73"


This is not working:
router internet2lan inface eth0+ outface eth1

        server ident reject with tcp-reset
# removing ssh from this entry denies ssh access to the internal host
        server "http https ftp" accept
# this entry is supposed to allow ssh to the internal host
# NOTE(review): it can never match -- dnat rewrites the destination in the nat
# PREROUTING chain, before this router's FORWARD rules run, so the packets
# arrive here with dst 10.0.0.71 (the dnat target), not 200.xxx.xxx.71.
# Match the internal address instead: dst "10.0.0.71"
# (same issue for the snmp rule below: dst should be "10.0.0.70 10.0.0.73").
# "dst" and its address on two lines is presumably a mail-client line wrap.
        server "daytime ftp ICMP icmp ping ntp ssh" accept dst
"200.xxx.xxx.71"
        server "snmp snmptrap" accept dst "200.xxx.xxx.70 200.xxx.xxx.73"


Any tips?

Thanks
Moacyr






***

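# Address groups used by the NAT and filtering rules below.
public_ip="200.xxx.xxx.67 200.xxx.xxx.66 200.xxx.xxx.68 200.xxx.xxx.69
200.xxx.xxx.70 200.xxx.xxx.71 200.xxx.xxx.72 200.xxx.xxx.73"

dmz_ip="192.168.0.0/24"

lan_ip="10.0.0.0/16"

#BLACKLIST
#blacklist full 11.11.11.11 12.12.12.12


# NAT rules

# NAT
# set up SNAT/DNAT instead of MASQUERADE
#nat to-source "${public_ip}" outface eth0+
nat to-source 200.xxx.xxx.67 outface eth0

# NOTE(review): dnat rewrites the destination address in the nat PREROUTING
# chain, i.e. before the routers further down see the packet in FORWARD.
# A router rule that restricts a DNATed service with "dst" therefore has to
# name the *internal* address (10.0.0.x), never the public one.  Only the
# tcp/udp services listed in these dnat rules are translated; ICMP sent to
# the public addresses is not.

# NAT Mercurio
dnat to 10.0.0.3 proto tcp dst 200.xxx.xxx.69  dport "http https"


# NAT Zeus
dnat to 192.168.0.2 proto tcp dst 200.xxx.xxx.66 dport "http https ftp"


# NAT Protheus
dnat to 10.0.0.5 proto tcp dst 200.xxx.xxx.68  dport "http"


# NAT SNMPC
dnat to 10.0.0.70 proto tcp dst 200.xxx.xxx.70 dport "http https ftp snmp"
dnat to 10.0.0.70 proto udp dst 200.xxx.xxx.70 dport "snmp snmptrap"


# NAT citosina
dnat to 10.0.0.71 proto tcp dst 200.xxx.xxx.71 dport "http https ftp ntp
daytime ssh"
# NOTE(review): ssh is a TCP service, so this udp rule presumably never
# carries any traffic; harmless, but it can probably be dropped.
dnat to 10.0.0.71 proto udp dst 200.xxx.xxx.71 dport "ssh"


# NAT Vision
dnat to 10.0.0.73 proto tcp dst 200.xxx.xxx.73 dport "http https ftp snmp"
dnat to 10.0.0.73 proto udp dst 200.xxx.xxx.73 dport "snmp snmptrap"

# firewall rules

# internet
# Traffic to/from the firewall host itself on the Internet side.
# NOTE(review): the commented-out form additionally rejected packets whose
# source is an unroutable/private range (basic anti-spoofing); consider
# re-enabling that "src not" match.
#interface eth0 internet src not "${UNROUTABLE_IPS}" dst "${public_ip}"
interface eth0+ internet dst "${public_ip}"

        policy drop
        protection strong 10/sec 10
        server ident reject with tcp-reset

        # services the firewall host itself offers to the Internet
        server http     accept
        server https    accept
        # NOTE(review): DNS is reachable from the whole Internet -- confirm
        # this server is authoritative-only / does not recurse for anyone.
        server dns      accept
        server smtp     accept
        server pop3     accept
        # ICMP is not covered by the dnat rules, so pings to 200.xxx.xxx.71
        # reach the firewall's own INPUT chain here rather than 10.0.0.71
        # (presumably intended -- verify that address is held by the firewall)
        server ping     accept dst "200.xxx.xxx.71"
        server imap     accept

        # administrative access (proxy + ssh) limited to a single source host
        server "webcache ssh" accept src "200.207.50.175"

        # the firewall host may open any outbound connection to the Internet
        client all accept



# Traffic to/from the firewall host itself on the LAN side.
interface eth1 lan

        policy drop
        protection strong 10/sec 10
        server ident reject with tcp-reset

        server http     accept
        server https    accept
        server ping     accept
        server dns      accept
        server smtp     accept
        server pop3     accept
        server imap     accept
        server webcache accept

        client all accept



# Traffic to/from the firewall host itself on the DMZ side.
interface eth2 dmz

        policy drop
        protection strong 10/sec 10
        server ident reject with tcp-reset

        server http     accept
        server https    accept
        server dns      accept
        server smtp     accept
        server pop3     accept
        server imap     accept

        client all accept





## INTERNET

# Forwarded traffic: Internet clients -> DMZ servers.
router internet2dmz inface eth0+ outface eth2

        server ident reject with tcp-reset
        server "dns http https ftp" accept



# Forwarded traffic: Internet clients -> LAN servers (all of them DNATed above).
router internet2lan inface eth0+ outface eth1

        server ident reject with tcp-reset
        # FIX: ssh dropped from the unrestricted rule; it is granted per host
        # below, so the blanket entry would have allowed ssh to any DNATed host.
        server "http https ftp" accept
        # FIX: these dst values were the public addresses (200.xxx.xxx.71,
        # .70 and .73).  Packets reach this router after DNAT, carrying the
        # internal destination, so the public addresses never matched and
        # both rules were dead.  Match the internal hosts instead.
        server "daytime ftp ICMP icmp ping ntp ssh" accept dst "10.0.0.71"
        server "snmp snmptrap" accept dst "10.0.0.70 10.0.0.73"



## LAN

# Forwarded traffic: LAN clients -> Internet.  SNAT (to-source) happens in
# POSTROUTING, after this router, so "src" still sees the 10.0.0.x address.
router lan2internet inface eth1 outface eth0+

        server ident reject with tcp-reset
        server "ping dns" accept
        server "daytime ftp smtp ICMP icmp ping ntp ssh" accept src "10.0.0.71"
        server "snmp snmptrap" accept src "10.0.0.70 10.0.0.73"




# Forwarded traffic: LAN clients -> DMZ servers.
router lan2dmz inface eth1 outface eth2

        server ident reject with tcp-reset
        server "dns http https ftp" accept




## DMZ

# Forwarded traffic: DMZ clients -> LAN servers.
router dmz2lan inface eth2 outface eth1

        server ident reject with tcp-reset
        server "ping dns http https ftp" accept


# Forwarded traffic: DMZ clients -> Internet.
router dmz2internet inface eth2 outface eth0+

        server ident reject with tcp-reset
        server "ping dns http https ftp" accept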





