[Firehol-support] SNAT behaviour

Daniel L. Miller dmiller at amfes.com
Tue Jul 19 05:55:41 BST 2005


I'm puzzled by the behaviour I'm experiencing with SNAT.  I have a group 
of static external IP's, that I'm trying to utilize for different 
purposes.  I'd like to keep the IP(s) I use for external access from my 
LAN separate from the IP's I use for outside access to my internal 
services.  So . . .

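version 5
FIREHOL_LOG_MODE="ULOG"

# ---- Address book ---------------------------------------------------------
# LAN side (eth0).
AMFESLAN_IF="eth0"
AMFESLAN_LAN="192.168.0.0/24"
AMFESLAN_IP="192.168.0.1"
AMFESLAN_BCAST="192.168.0.255"

# Public side. Both public addresses live on the SAME physical interface
# (eth1), so "inface"/"outface" alone can never tell them apart; only the
# src/dst address in a rule does.
AMFESEXT_IF="eth1"
AMFESEXT_LAN="67.106.235.97/27"
AMFESEXT_IP="67.106.235.126"
AMFESEXT_BCAST="67.106.235.127"

PROXY_IF="eth1"
# NOTE(review): the two *_LAN values above and below are written with host
# bits set (the /27 they fall in is .96/27), and neither *_LAN nor *_BCAST
# is referenced by any rule in this file, so they have no effect as posted.
PROXY_LAN="67.106.235.124/27"
PROXY_IP="67.106.235.124"
PROXY_BCAST="67.106.235.127"

BASTION_IP="192.168.0.2"
ROUTER_IP="192.168.0.1"

# DANIEL_IP is used by the bittorrent dnat rules but is never assigned in
# this file; with it empty the rule becomes 'dnat to ""', i.e. a broken
# --to-destination. Fail loudly at load time instead of installing that.
DANIEL_IP="${DANIEL_IP:?DANIEL_IP (bittorrent workstation address) must be set}"

# ---- NAT ------------------------------------------------------------------
# Internet access for the LAN: outbound LAN traffic leaves as the proxy
# address, not the primary public address.
# NOTE(review): this is the only SNAT toward the Internet in the file. If LAN
# clients still show up as AMFESEXT_IP, first confirm this rule is installed
# and its packet counter moves (iptables -t nat -L POSTROUTING -nv) before
# looking elsewhere - TODO confirm.
snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"

# Published services on the primary public address, forwarded to the bastion.
dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "forwarding imaps"
dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"

# bittorrent: inbound on either public address is sent to one workstation.
dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto tcp dport 6881:6889 log "forwarding bittorrent"
dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 6881:6889 log "forwarding bittorrent"

# Hairpin for LAN clients that use the published IMAP address from inside the
# LAN: the dnat sends the public address back to the bastion, and the snat
# rewrites the LAN source to the router (presumably so the bastion's replies
# come back through the firewall rather than directly to the client).
# The "src internal" log labels were missing their closing quote, which
# would make bash swallow the following line; they are closed here.
snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 143 log "src internal"
dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" proto tcp dport 143 log "dst internal re-dir"
snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 993 log "src internal"
dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "dst internal re-dir"

# ---- Custom service: bittorrent (tcp 6881-6889) ---------------------------
server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884 tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889"
client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887 6888 6889"

# ---- Interfaces -----------------------------------------------------------
interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
        policy accept

# Primary public address: a handful of servers exposed, everything outbound.
interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
        protection strong 100/sec 50
#       server ident reject with tcp-reset
        server smtp accept
        server smtps accept
        server submission accept
        server dcc accept log "DCC server"
        server ssh accept log "ssh"
        server ntp accept
        server ping accept
        client all accept

# Proxy address: no servers, outbound only.
interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${PROXY_IP}"
        protection strong 100/sec 50
        client all accept

# ---- Routers --------------------------------------------------------------
# NOTE(review): lan2amfesext and lan2proxy match exactly the same interfaces,
# source and destination (eth0 -> eth1, LAN -> routable), because PROXY_IF
# and AMFESEXT_IF are both eth1; the second router is a duplicate of the
# first as far as the generated rules go.
router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}" src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
        route all accept

router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
        route all accept

router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"
        route bittorrent accept

# Internet -> LAN. Only http, imaps and bittorrent have a matching dnat above;
# fpadmin, webmin and firebird are accepted here but nothing in this file
# forwards them, so as posted they are dormant allows that would go live the
# moment a dnat for them is added - keep the list aligned with the dnat rules
# so the exposure stays explicit.
router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
        protection strong 100/sec 50
#       route ident reject with tcp-reset
        route http accept
        route imaps accept
        route bittorrent accept
        route fpadmin accept
        route webmin accept
        route firebird accept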

The problem I'm having is that any client that connects to the Internet, 
appears to be connecting from my "${AMFESEXT_IP}" address, instead of 
the "${PROXY_IP}" address.  Since the only SNAT line that references the 
Internet uses the proxy address - I'm a little puzzled.

Daniel



