[Firehol-support] DNAT with port redirection.
Grigory Fateyev
greg at anastasia.ru
Fri Nov 5 13:11:57 GMT 2004
Hello, Costa!
04 November 2004 at 22:02 You wrote:
I understand what you wrote. But my network looks like:
Public ip 81.18...
         |
MAIN server 192.168.0.100
         |
        HUB
       / | \
SECOND    Some IPs from $lan_network
server
192.168.0.111
version 5

server_dns_port="udp/53"
server_pop3_port="tcp/110"
server_imap_port="tcp/143"

lan_network="192.168.0.0/24"
LAN_IF="eth1"
MAIN_IF="eth0"
MAIN_IP="81.18..."

# Local IP and port of main server
LAN_IP_SAMBA_SSH="192.168.0.111"
LAN_PORT_SAMBA_SSH="33678"
TRUST_IPS=""

# If necessary add for reserved channel
transparent_squid 3128 proxy inface ${MAIN_IF} src ${lan_network}

# Raw iptables equivalent of the dnat below, kept commented out
#iptables -t nat -A PREROUTING -p tcp -d ${MAIN_IP} --dport ${LAN_PORT_SAMBA_SSH} -j DNAT --to-destination ${LAN_IP_SAMBA_SSH}:22
# Note: LAN_PORT_SAMBA_SSH is set to 33678 above, but this dnat uses the literal port 33333
dnat to 192.168.0.111:22 inface eth0 dst ${MAIN_IP} proto tcp dport 33333

# Trusted network
interface ${LAN_IF} lan src ${lan_network} #not ${UNROUTABLE_IPS}
    policy reject
    server dns accept
    server smtp accept
    server http accept
    server ftp accept src "${LAN_IP}"   # LAN_IP is not defined anywhere above
    server samba accept
    server pop3 accept
    server imap accept
    server icmp accept
    server squid accept
    server jabberd accept
    client smtp accept
    client samba accept
    client icmp accept
    client squid accept
    client ssh accept
    client ftp accept
    client jabber accept

# Main Internet channel
interface ${MAIN_IF} maininet #src not ${lan_network}
    protection strong 10/sec 10
    server smtp accept
    server ssh accept src "${TRUST_IPS}"   # TRUST_IPS is empty above
    server ident reject with tcp-reset
    client all accept

# Routing. If we do not have any rules for routing, these can be commented out.
router lan2maininet inface ${LAN_IF} outface ${MAIN_IF}
    masquerade
    route all accept
    client all accept

router maininet2lan inface ${MAIN_IF} outface ${LAN_IF} \
        src not "$UNROUTABLE_IPS" dst "$lan_network"
    masquerade reverse
    server ident reject with tcp-reset
    server ssh accept   # matches the DNAT'ed destination 192.168.0.111:22 in FORWARD
    client all accept

#blacklist all #absence of quotas
>
> Grigory,
>
> I am confused. With this setup:
>
>
> client --- MAIN --- SECOND
>
> From the client, you want to:
>
> ssh MAIN -p 33333
>
> to actually ssh SECOND.
>
> To do the above, your dnat statement should be given to FireHOL at
> MAIN, and also have a router definition (at MAIN again) that allows
> ssh from the client to SECOND (not from MAIN to SECOND). The fact that
> you can ssh from MAIN to SECOND is irrelevant (even if you actually
> ssh to the public IP of MAIN, because Linux knows that you are talking
> about itself and never routes this traffic through the FORWARD chain
> of iptables).
>
> Costa
>
>
>
> > Hello, Costa!
> > 03 November 2004 at 21:21 You wrote:
> >
> > Yes, the firewall allows access to the SECOND server via ssh. I log in to the MAIN
> > server with ssh 81.18..., then I can log in to SECOND with ssh 192.168.0.111.
> >
> >> Hi Grigory,
> >>
> >> dnat is one thing, packet filtering is another. Does the firewall
> >> (i.e. a route or server statement in a router definition) allow the
> >> ssh service to 192.168.0.111?
> >>
> >> Costa
> >>
> >>
> >> > Hello!
> >> >
> >> > Can you help me with DNAT and port redirection?
> >> > I have two servers, MAIN and SECOND. MAIN has a real IP 81.18... on
> >> > interface eth1 and I can enter with ssh 81.18... But the SECOND server
> >> > has LAN IP 192.168.0.111 and I want to enter it through a
> >> > non-standard port
> >> >
> >> > dnat to 192.168.0.111:22 inface eth1 dst ${MAIN_IP} proto tcp dport 33333
> >> >
> >> > but I cannot enter with ssh 81.18... -p 33333. Why?
> >> >
> >
> >
> > --
> > All the best!
> > greg at anastasia.ru Grigory.
> >
> >
> >
> > _______________________________________________
> > Firehol-support mailing list
> > Firehol-support at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/firehol-support
> >
>
>
--
All the best!
greg at anastasia.ru Grigory.
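The traversal Costa describes (DNAT in nat PREROUTING, then the routing decision, then either INPUT for MAIN itself or FORWARD towards SECOND), as an added example that is not part of the original thread and is not FireHOL's own code: a small Python model of MAIN's netfilter path built from the statements in Grigory's configuration. The thread's 192.168.0.111, 192.168.0.100 and 192.168.0.0/24 are used as given; 192.0.2.10 is an assumed stand-in for the elided public IP 81.18... and 198.51.100.7 an assumed Internet client (both documentation ranges). The model shows why the filter rule must match the post-DNAT destination 192.168.0.111:22 from the client's source, and why a successful ssh from MAIN to SECOND proves nothing about FORWARD.

```python
"""Model of the path a DNAT'ed ssh SYN takes through MAIN's netfilter hooks.

Added example, not FireHOL code. Addresses marked 'assumed' are placeholders.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

MAIN_PUBLIC = "192.0.2.10"      # assumed stand-in for MAIN's elided public IP 81.18...
MAIN_LAN = "192.168.0.100"      # from the thread's diagram
SECOND = "192.168.0.111"        # from the thread
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
LOCAL_ADDRS = frozenset({MAIN_PUBLIC, MAIN_LAN, "127.0.0.1"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    inface: Optional[str]  # None means the packet was generated on MAIN itself


def prerouting_dnat(pkt: Packet) -> Packet:
    """nat PREROUTING: dnat to 192.168.0.111:22 inface eth0 dst MAIN_IP proto tcp dport 33333."""
    if pkt.inface == "eth0" and pkt.dst == MAIN_PUBLIC and pkt.dport == 33333:
        return replace(pkt, dst=SECOND, dport=22)
    return pkt


def route(pkt: Packet) -> str:
    """The routing decision is taken after DNAT, on the rewritten destination."""
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"


def input_allows(pkt: Packet, trust_ips: frozenset) -> bool:
    """filter INPUT on eth0: 'server ssh accept src "${TRUST_IPS}"', everything else rejected here."""
    return pkt.inface == "eth0" and pkt.dport == 22 and pkt.src in trust_ips


def forward_allows(pkt: Packet, ssh_src: Optional[frozenset]) -> bool:
    """filter FORWARD: router maininet2lan inface eth0 outface eth1 dst lan_network, 'server ssh accept'.

    ssh_src=None models an unrestricted 'server ssh accept'; a set models a 'src' restriction,
    e.g. a rule that only allows ssh from MAIN's own LAN address (which never helps the client).
    """
    if pkt.inface != "eth0" or pkt.dport != 22:
        return False
    if ipaddress.ip_address(pkt.dst) not in LAN_NET:
        return False
    return ssh_src is None or pkt.src in ssh_src


def deliver(pkt: Packet, trust_ips: frozenset = frozenset(), ssh_src: Optional[frozenset] = None):
    """Return (chain, verdict, final_destination) for one TCP SYN seen by MAIN."""
    if pkt.inface is None:
        # Locally generated: nat OUTPUT -> filter OUTPUT ('client all accept'); FORWARD is never consulted.
        return ("OUTPUT", "ACCEPT", f"{pkt.dst}:{pkt.dport}")
    pkt = prerouting_dnat(pkt)
    chain = route(pkt)
    ok = input_allows(pkt, trust_ips) if chain == "INPUT" else forward_allows(pkt, ssh_src)
    return (chain, "ACCEPT" if ok else "REJECT", f"{pkt.dst}:{pkt.dport}")


if __name__ == "__main__":
    client = "198.51.100.7"  # assumed Internet client
    # ssh MAIN -p 33333 from the client: DNAT'ed, then filtered in FORWARD as client -> SECOND:22
    print(deliver(Packet(client, MAIN_PUBLIC, 33333, "eth0")))   # ('FORWARD', 'ACCEPT', '192.168.0.111:22')
    # ssh MAIN -p 22 from the client: local destination, INPUT, rejected because TRUST_IPS is empty
    print(deliver(Packet(client, MAIN_PUBLIC, 22, "eth0")))      # ('INPUT', 'REJECT', '192.0.2.10:22')
    # ssh from MAIN to SECOND: OUTPUT path, says nothing about the FORWARD rules
    print(deliver(Packet(MAIN_LAN, SECOND, 22, None)))           # ('OUTPUT', 'ACCEPT', '192.168.0.111:22')
    # A FORWARD rule that only allows ssh from MAIN's address leaves the client's DNAT'ed SYN rejected
    print(deliver(Packet(client, MAIN_PUBLIC, 33333, "eth0"), ssh_src=frozenset({MAIN_LAN})))
```

The model deliberately stops at the SYN: in the real kernel the DNAT mapping is recorded in conntrack and reply packets are de-NATed automatically, so only the first packet of the connection has to pass the FORWARD rule. The last scenario is the one Costa warns about: a router definition that allows ssh only from MAIN (or a test done from MAIN) never exercises the path the client actually takes.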