[Firehol-support] DNAT with port redirection.

Grigory Fateyev greg at anastasia.ru
Fri Nov 5 13:11:57 GMT 2004


Hello, Costa!
04 Ноября 2004г. в 22:02 You wrote:

I undestand that you wrote. But my network looks like:
       
	    Public ip 81.18...
		|	
	MAIN server 192.168.0.100
		|
	      HUB
	/	|	\
SECOND   Some IPS from $lan_network
server 
192.168.0.111


version 5

server_dns_port="udp/53"
server_pop3_port="tcp/110"
server_imap_port="tcp/143"

lan_network="192.168.0.0/24"

LAN_IF="eth1"
MAIN_IF="eth0"
MAIN_IP="81.18..."

# Local IP and port of main serever
LAN_IP_SAMBA_SSH="192.168.0.111"
LAN_PORT_SAMBA_SSH="33678"

TRUST_IPS=""

# If necessary add for reserved channel
transparent_squid 3128 proxy inface ${MAIN_IF} src ${lan_network}

#iptables -t nat -A PREROUTING -p tcp -d ${MAIN_IP} --dport
${LAN_PORT_SAMBA_SSH} -j DNAT --to-destination ${LAN_IP_SAMBA_SSH}:22

dnat to 192.168.0.111:22 inface eth0 dst ${MAIN_IP} proto tcp dport
33333

# Trusted network
interface ${LAN_IF} lan src ${lan_network} #not ${UNROUTABLE_IPS}
    policy reject
    server dns accept
    server smtp accept
    server http accept
    server ftp accept src "${LAN_IP}"
    server samba accept
    server pop3 accept
    server imap accept
    server icmp accept
    server squid accept
    server jabberd accept

    client smtp accept
    client samba accept
    client icmp accept
    client squid accept
    client ssh accept
    client ftp accept
    client jabber accept

# Main Internet channel
interface ${MAIN_IF} maininet #src not ${lan_network}
    protection strong 10/sec 10
    server smtp accept
    server ssh accept src "${TRUST_IPS}"
    server ident reject with tcp-reset
    client all accept

# Routing. If we have not any rules for routing, can rem them.
router lan2maininet inface ${LAN_IF} outface ${MAIN_IF}
    masquerade
    route all accept
    client all accept

router maininet2lan inface ${MAIN_IF} outface ${LAN_IF}\
        src not "$UNROUTABLE_IPS" dst "$lan_network"
    masquerade reverse
    server ident reject with tcp-reset
    server ssh accept
    client all accept
    #blacklist all  #absense of quotas

> 
> Grigory,
> 
> I am confused. With this setup:
> 
> 
> client --- MAIN --- SECOND
> 
> >From the client, you want to:
> 
> ssh MAIN -p 33333
> 
> to actually ssh SECOND.
> 
> To do the above, your dnat statement should be given to FireHOL at
> MAIN, and also have a router definition (at MAIN again) that allows
> ssh from the client to SECOND (not from MAIN to SECOND). The fact that
> you can ssh from MAIN to SECOND is irrelevant (even if you actually
> ssh to the public IP of MAIN, because Linux knows that you are talking
> about itself and never routes this traffic through the FORWARD chain
> of iptables).
> 
> Costa
> 
> 
> 
> > Hello, Costa!
> > 03 ____�_ 2004_. _ 21:21 You wrote:
> >
> > Yes firewall allow to SECOND server via ssh. I	come in to MAIN
> > server ssh 81.18... than can come in to SECOND ssh 192.168.0.111.
> >
> >> Hi Grigory,
> >>
> >> dnat is one thing, packet filtering is another. Does the firewall
> >> (i.e. a route or server statement in a router definition) allow the
> >> ssh service to 192.168.0.111?
> >>
> >> Costa
> >>
> >>
> >> > Hello!
> >> >
> >> > Can you help me with DNAT and port redirection?
> >> > I have to servers MAIN and SECOND. MAIN real IP 81.18... and
> >> > interface eth1 and I can enter ssh 81.18... But to the SECOND
> >server> > have lan IP 192.168.0.111 and i want to enter on it through
> >not> > standart port
> >> >
> >> > dnat to 192.168.0.111:22 inface eth1 dst ${MAIN_IP} proto tcp
> >dport> > 33333
> >> >
> >> > but I can not enter ssh 81.18... -p 33333. Why?
> >> >
> >
> >
> > --
> > ÷____ __________!
> > greg at anastasia.ru _�___�__.
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by:
> > Sybase ASE Linux Express Edition - download now for FREE
> > LinuxWorld Reader's Choice Award Winner for best database on Linux.
> > http://ads.osdn.com/?ad_idU88&alloc_id065&op=click
> > _______________________________________________
> > Firehol-support mailing list
> > Firehol-support at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/firehol-support
> >
> 
> 


-- 
Всего наилучшего!
greg at anastasia.ru Григорий.





More information about the Firehol-support mailing list