[Firehol-support] Re: [Firehol-support] Can't get DNAT to port forward SSH
Costa Tsaousis
costa at tsaousis.gr
Thu Jan 8 18:02:39 GMT 2004
Hi,
Case 1: Aliases
---------------
As far as iptables (and FireHOL) is concerned aliases do not exist. eth0,
eth0:1, eth0:5 and eth0:123 are all eth0.
To differentiate interfaces, routers or individual rules for each alias,
you use the src/dst parameters. Example:
interface eth0 lan1 src 10.0.0.0/8 dst 10.0.0.1
...
interface eth0 lan2 src 192.168.0.0/16 dst 192.168.1.1
...
router inface eth0 outface eth0 src 10.0.0.0/8 dst 192.168.0.0/16
...
etc.
So, forget the aliases. Think of the real interface only.
Case 2: dnat
------------
Simplify your life. There are two points that control what will get to the
internal machines: NAT and FILTERING. Don't use both. It is a waste of
effort.
I suggest NATing everything and then using FILTERING to control what gets
passed. Also, remember that firehol.conf is a BASH script too.
Use it as such:
fullnat() {
    # $1 is the internal IP
    # $2 is the public IP
    # Incoming traffic
    dnat to "$1" inface eth0 dst "$2"
    # Outgoing traffic
    snat to "$2" outface eth0 src "$1"
}
fullnat 10.0.0.3 200.xxx.xxx.69 # Mercurio
fullnat 10.0.0.2 200.xxx.xxx.66 # Zeus
fullnat 10.0.0.5 200.xxx.xxx.68 # Protheus
...
As you understand, this will DNAT everything sent to the public IP. There
will be no selection/filtering here. Also, this will SNAT the internal IP
to the public one, so that the internal machine can go out using its own
IP.
Of course, if the internal machine does not have this linux host as its
default gateway, you will need another SNAT in the incoming direction to
force it to reply back to the linux host. I assume you know this...
Then it comes to FILTERING. You have two options here: 1) one router with
all the rules for all machines or 2) multiple routers, one for each
machine. I choose the second for clarity:
router mercurio inface eth0 outface eth1 \
    src not "${UNROUTABLE_IPS}" dst 10.0.0.3
    # protection strong
    server http accept
    server https accept
    client all accept
router zeus inface eth0 outface eth1 \
    src not "${UNROUTABLE_IPS}" dst 10.0.0.2
    # protection strong
    server http accept
    server https accept
    server ftp accept
    client all accept
etc.
So simple...
Costa
> I can't get DNAT to forward ssh to an internal host
>
> here my firehol.conf
>
> Thanks for any clues. Actually, because of aliases I am a bit lost here.
>
> I also would like to have some examples for dnat.
>
> I tried
>
> nat to-destination 10.0.0.73 inface eth0 dst 200.xxx.xxx.73
> nat to-source 200.xxx.xxx.73 outface eth0
>
> also tried to specify the alias like eth0:73, looks like:
> nat to-destination 10.0.0.73 inface eth0:73 dst 200.xxx.xxx.73
> nat to-source 200.xxx.xxx.73 outface eth0:73
>
> but seems to have no effect.
>
> TIA
>
> Moacyr
>
>
>
>> public_ip="200.xxx.xxx.67 200.xxx.xxx.66 200.xxx.xxx.68 200.xxx.xxx.69 200.xxx.xxx.70 200.xxx.xxx.71 200.xxx.xxx.72 200.xxx.xxx.73"
>>
>> dmz_ip="192.168.0.0/24"
>>
>> lan_ip="10.0.0.0/16"
>>
>>
>> #BLACKLIST
>> #blacklist full 11.11.11.11 12.12.12.12
>>
>>
>> # NAT rules
>>
>> # NAT
>> # set up SNAT/DNAT instead of MASQUERADE
>> #nat to-source "${public_ip}" outface eth0+
>> nat to-source 200.xxx.xxx.67 outface eth0
>>
>> # NAT Mercurio
>> nat to-destination 10.0.0.3 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.69
>> nat to-destination 10.0.0.3 inface eth0 proto tcp dport 443 dst 200.xxx.xxx.69
>>
>> # NAT Zeus
>> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.66
>> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 20 dst 200.xxx.xxx.66
>> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 21 dst 200.xxx.xxx.66
>> nat to-destination 192.168.0.2 inface eth0 proto tcp dport 443 dst 200.xxx.xxx.66
>>
>> # NAT Protheus
>> nat to-destination 10.0.0.5 inface eth0 proto tcp dport 80 dst 200.xxx.xxx.68
>>
>> # NAT SNMPC
>> nat to-destination 10.0.0.70 inface eth0 proto tcp dport http dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto tcp dport https dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto tcp dport ftp dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto tcp dport snmp dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto udp dport snmp dst 200.xxx.xxx.70
>> nat to-destination 10.0.0.70 inface eth0 proto udp dport snmptrap dst 200.xxx.xxx.70
>>
>> # NAT citosina
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport http dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport https dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ftp dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ntp dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport ssh dst 200.xxx.xxx.71
>> nat to-destination 10.0.0.71 inface eth0 proto tcp dport daytime dst 200.xxx.xxx.71
>>
>> # NAT Vision
>> nat to-destination 10.0.0.73 inface eth0 proto tcp dport http dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto tcp dport https dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto tcp dport ftp dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto tcp dport snmp dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto udp dport snmp dst 200.xxx.xxx.73
>> nat to-destination 10.0.0.73 inface eth0 proto udp dport snmptrap dst 200.xxx.xxx.73
>>
>> # firewall rules
>>
>> # internet
>> interface eth0+ internet src not "${UNROUTABLE_IPS}" dst "${public_ip}"
>>
>> policy drop
>> protection strong 10/sec 10
>> server ident reject with tcp-reset
>>
>> server http accept
>> server https accept
>> server dns accept
>> server smtp accept
>> server pop3 accept
>> server ping accept dst "200.xxx.xxx.71"
>> server imap accept
>>
>> server "webcache ssh" accept src "200.207.50.175"
>>
>> client all accept
>>
>>
>>
>> interface eth1 lan
>>
>> policy drop
>> protection strong 10/sec 10
>> server ident reject with tcp-reset
>>
>> server http accept
>> server https accept
>> server ping accept
>> server dns accept
>> server smtp accept
>> server pop3 accept
>> server imap accept
>> server webcache accept
>>
>> client all accept
>>
>>
>>
>> interface eth2 dmz
>>
>> policy drop
>> protection strong 10/sec 10
>> server ident reject with tcp-reset
>>
>> server http accept
>> server https accept
>> server dns accept
>> server smtp accept
>> server pop3 accept
>> server imap accept
>>
>> client all accept
>>
>>
>>
>>
>>
>> ## INTERNET
>>
>> router internet2dmz inface eth0+ outface eth2
>>
>> server ident reject with tcp-reset
>> server "dns http https ftp" accept
>>
>>
>>
>> router internet2lan inface eth0+ outface eth1
>>
>> server ident reject with tcp-reset
>> server "http https ftp" accept
>> server "daytime ftp ICMP icmp ping ntp ssh" accept dst "200.xxx.xxx.71"
>> server "snmp snmptrap" accept dst "200.xxx.xxx.70 200.xxx.xxx.73"
>>
>>
>>
>> ## LAN
>>
>> router lan2internet inface eth1 outface eth0+
>>
>> server ident reject with tcp-reset
>> server "ping dns" accept
>> server "daytime ftp smtp ICMP icmp ping ntp ssh" accept src "10.0.0.71"
>> server "snmp snmptrap" accept src "10.0.0.70 10.0.0.73"
>>
>>
>>
>>
>> router lan2dmz inface eth1 outface eth2
>>
>> server ident reject with tcp-reset
>> server "dns http https ftp" accept
>>
>>
>>
>>
>> ## DMZ
>>
>> router dmz2lan inface eth2 outface eth1
>>
>> server ident reject with tcp-reset
>> server "ping dns http https ftp" accept
>>
>>
>> router dmz2internet inface eth2 outface eth0+
>>
>> server ident reject with tcp-reset
>> server "ping dns http https ftp" accept
>>
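The "NAT everything, then filter with one router per host" layout from Costa's reply, plus the Case 1 point that eth0:73 is just eth0, worked through as an added example. This is not code from the FireHOL project or from either poster: it is a small generator that emits a firehol.conf fragment in that style, and two checks of my own on top of it: that no public or internal IP is mapped twice (the first dnat/snat rule would win and the second host would silently be wrong), and that every DNAT target has a filtering router selecting it, since once every port is forwarded the router is the only thing doing per-host filtering. Host names, addresses (200.xxx.xxx.* placeholders as in the thread) and service lists are constructed sample data; eth0 as the public and eth1 as the LAN interface are assumptions.

```python
"""Generate a firehol.conf fragment in the 'NAT everything, filter per host'
style and check it for gaps.

Added example, not code from the FireHOL project or the mailing-list post.
Host names, addresses and service lists below are constructed sample data;
the 200.xxx.xxx.* public addresses are placeholders, as in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample data: name -> (internal IP, public IP, services it may serve).
HOSTS: Dict[str, Tuple[str, str, List[str]]] = {
    "mercurio": ("10.0.0.3", "200.xxx.xxx.69", ["http", "https"]),
    "zeus": ("10.0.0.2", "200.xxx.xxx.66", ["http", "https", "ftp"]),
    "protheus": ("10.0.0.5", "200.xxx.xxx.68", ["http"]),
}


def real_interface(name: str) -> str:
    """Case 1 of the reply: an alias such as eth0:73 is just eth0 to iptables."""
    return name.split(":", 1)[0]


def fullnat_lines(internal: str, public: str, wan: str = "eth0") -> List[str]:
    """Same two rules as the reply's fullnat() helper: DNAT inbound, SNAT outbound."""
    wan = real_interface(wan)
    return [
        f'dnat to "{internal}" inface {wan} dst "{public}"',
        f'snat to "{public}" outface {wan} src "{internal}"',
    ]


def router_lines(name: str, internal: str, services: List[str],
                 wan: str = "eth0", lan: str = "eth1") -> List[str]:
    """One filtering router per host, as in the reply's mercurio/zeus routers."""
    lines = [
        f"router {name} inface {real_interface(wan)} outface {real_interface(lan)} \\",
        f'    src not "${{UNROUTABLE_IPS}}" dst {internal}',
        "    protection strong",
    ]
    lines += [f"    server {svc} accept" for svc in services]
    lines.append("    client all accept")
    return lines


def validate(hosts: Dict[str, Tuple[str, str, List[str]]]) -> List[str]:
    """Consistency check (my addition): report any public or internal IP that
    is mapped by more than one host; the first dnat/snat rule would win."""
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for name, (internal, public, _services) in hosts.items():
        for label, ip in (("public", public), ("internal", internal)):
            key = f"{label}:{ip}"
            if key in seen:
                problems.append(f"{name}: {label} IP {ip} already used by {seen[key]}")
            seen[key] = name
    return problems


def render(hosts: Dict[str, Tuple[str, str, List[str]]]) -> str:
    """Full fragment: all NAT first, then the per-host filtering routers."""
    out: List[str] = ["# NAT everything; selection happens in the routers below"]
    for name, (internal, public, _services) in hosts.items():
        out += [f"# {name}"] + fullnat_lines(internal, public)
    out.append("")
    for name, (internal, _public, services) in hosts.items():
        out += router_lines(name, internal, services) + [""]
    return "\n".join(out)


# A dnat target, and a router's dst (allowing the backslash-continued form).
DNAT_RE = re.compile(r'^\s*dnat\s+to\s+"?([\d.]+)"?', re.M)
ROUTER_DST_RE = re.compile(r'^\s*router\b[^\n]*?(?:\\\n[^\n]*)?\bdst\s+"?([\d.]+)"?', re.M)


def unfiltered_dnat_targets(config_text: str) -> List[str]:
    """Gap check (my addition): DNAT targets that no router selects by dst.
    With every port forwarded, such a host gets no per-host filtering at all."""
    targets = DNAT_RE.findall(config_text)
    filtered = set(ROUTER_DST_RE.findall(config_text))
    return [ip for ip in targets if ip not in filtered]


if __name__ == "__main__":
    for problem in validate(HOSTS):
        print("WARNING:", problem)
    conf = render(HOSTS)
    print(conf)
    print("DNAT targets without a router:", unfiltered_dnat_targets(conf))
```

Run it as a plain Python script; the printed fragment can be pasted into firehol.conf (which, as the reply notes, is itself a bash script), and the two checks are worth running again on the real file whenever a host is added.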