[Firehol-support] Aliased external interface
Daniel L. Miller
dmiller at amfes.com
Tue Jul 13 21:56:10 BST 2004
I'm showing my current config below - I've made quite a few changes.
Any further insights would be appreciated.
It took me some time to get SNAT working for me. One major problem I
had was performing SNAT and DNAT on the same external IP - perhaps it's
not allowed, or I just wasn't doing it right. Since I had spare IP
addresses, I simply dedicated one of them for SNAT use. Getting Squid
to work was particularly touchy - I'm using an automatic proxy config
script in my LAN - and when I had SNAT on the same IP I was DNAT'ing on
- particularly http - it didn't work. I WOULD like to understand this
better . . .
My external IPs have been masked to protect the guilty.
version 5

# FireHOL 1.x configuration (bash syntax). One LAN interface (eth0) and
# three addresses on the single external interface (eth1); the external
# values are masked.
FIREHOL_LOG_MODE="ULOG"

AMFESLAN_IF="eth0"
AMFESLAN_LAN="192.168.0.0/24"
AMFESLAN_IP="192.168.0.1"
AMFESLAN_BCAST="192.168.0.255"

AMFESEXT_IF="eth1"
AMFESEXT_LAN="x.x.x.97/27"
AMFESEXT_IP="x.x.x.126"
AMFESEXT_BCAST="x.x.x.127"

AMFESUS_IF="eth1"
AMFESUS_LAN="x.x.x.97/27"
AMFESUS_IP="x.x.x.125"
AMFESUS_BCAST="x.x.x.127"

PROXY_IF="eth1"
PROXY_LAN="x.x.x.124/27"
PROXY_IP="x.x.x.124"
PROXY_BCAST="x.x.x.127"

BASTION_IP="192.168.0.2"

# NAT. "nat to-destination" adds DNAT rules to PREROUTING; "nat to-source"
# and "snat to" both add SNAT rules to POSTROUTING. Within a chain the first
# matching rule wins, so the two SNAT rules below (same outface and src)
# are tried in this order.
nat to-destination $BASTION_IP inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "forwarding imaps"
nat to-source $AMFESEXT_IP outface "${AMFESEXT_IF}" src "${AMFESLAN_LAN}"
snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
nat to-destination $BASTION_IP inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"

# Traffic to and from the firewall itself, LAN side.
interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
	policy accept

# Traffic to and from the firewall itself on the primary external address.
# UNROUTABLE_IPS is FireHOL's built-in list of private/reserved ranges.
interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
	protection strong 100/sec 50
	server dcc accept log "DCC server"
	server smtp accept
	server ssh accept log "ssh"
	# IPsec: NAT-T (UDP 4500) as a custom service, plus ISAKMP, ESP and AH.
	server custom s_ipnat udp/4500 any accept log "IPSEC_NAT inbound"
	server isakmp accept log "ISAKMP inbound"
	server ESP accept log "ESP inbound"
	server AH accept log "AH inbound"
	server ident reject with tcp-reset
	client all accept

# Traffic to and from the firewall itself on the second external address.
interface "${AMFESUS_IF}" amfes-us src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${AMFESUS_IP}"
	protection strong 100/sec 50
	server dns accept log "dns server - amfes.us"
	server http accept
	server ssh accept
	server smtp accept
	server imap accept
	server ident reject with tcp-reset
	client dns accept log "dns client - amfes.us"
	client all accept

# Third external address, used only as the SNAT source: outbound only.
interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${PROXY_IP}"
	protection strong 100/sec 50
	client all accept

# Forwarded traffic: LAN out to the Internet.
router lan2internet inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}" src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
	route all accept

# Forwarded traffic: Internet in to the LAN (the DNATed services above).
router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
	protection strong 100/sec 50
	server http accept
	server imaps accept
	route ident reject with tcp-reset
Daniel
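An added check, not the poster's configuration and not part of FireHOL, that parses the nat helper lines from the config above (variable values taken from it, masked x.x.x.* addresses kept as placeholders) and reports which external address carries both a DNAT and a SNAT rule, and which SNAT rule an earlier one with the same outface/src shadows:

```python
"""Added lint for FireHOL 1.x nat helpers: addresses used as both a DNAT
destination and a SNAT source, and SNAT rules shadowed by an earlier rule."""
import re
import shlex
# Constructed sample mirroring the post's nat lines; x.x.x.* are masked placeholders.
VARS = {"BASTION_IP": "192.168.0.2", "AMFESEXT_IF": "eth1", "PROXY_IF": "eth1",
        "AMFESEXT_IP": "x.x.x.126", "PROXY_IP": "x.x.x.124", "AMFESLAN_LAN": "192.168.0.0/24"}
SAMPLE = '''
nat to-destination $BASTION_IP inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "forwarding imaps"
nat to-source $AMFESEXT_IP outface "${AMFESEXT_IF}" src "${AMFESLAN_LAN}"
snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
nat to-destination $BASTION_IP inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"
'''

def expand(text, variables):
    """Substitute $VAR and ${VAR} as the shell does when FireHOL sources the config."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: variables.get(m.group(1), m.group(0)), text)

def parse_nat(text, variables):
    """Return (kind, target, params) per nat/snat/dnat line; kind is 'snat' or 'dnat'."""
    rules = []
    for line in expand(text, variables).splitlines():
        w = shlex.split(line)
        if len(w) >= 3 and w[0] == "nat" and w[1] in ("to-source", "to-destination"):
            kind, target, rest = ("snat" if w[1] == "to-source" else "dnat"), w[2], w[3:]
        elif len(w) >= 3 and w[0] in ("snat", "dnat") and w[1] == "to":
            kind, target, rest = w[0], w[2], w[3:]
        else:
            continue
        # Rule parameters are keyword/value pairs (inface, dst, proto, dport, log ...).
        params = dict(zip(rest[0::2], rest[1::2]))
        rules.append((kind, target, params))
    return rules

def shared_ips(rules):
    """Addresses that are both a DNAT dst and a SNAT to-source target."""
    dnat_dst = {p.get("dst") for k, _, p in rules if k == "dnat"}
    snat_src = {t for k, t, _ in rules if k == "snat"}
    return sorted(dnat_dst & snat_src)

def shadowed_snat(rules):
    """SNAT targets never reached: an earlier SNAT already matches the same outface/src."""
    seen, shadowed = set(), []
    for kind, target, p in rules:
        if kind == "snat":
            key = (p.get("outface"), p.get("src"))
            if key in seen:  # first matching POSTROUTING rule wins
                shadowed.append(target)
            seen.add(key)
    return shadowed
```

On the sample it reports x.x.x.126 as both DNAT destination and SNAT source, and x.x.x.124 as a SNAT target shadowed by the to-source rule before it.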