[Firehol-support] SNAT behaviour

Rick Marshall rjm at zenucom.com
Tue Jul 19 07:05:37 BST 2005


This is an excellent howto on this - I think in the FireHOL examples. It 
centres around creating secondary interfaces eth1:0 etc. in your case. I 
followed it for a setup and it worked very well.

rick

Daniel L. Miller wrote:

> I'm puzzled by the behaviour I'm experiencing with SNAT.  I have a 
> group of static external IPs that I'm trying to utilize for 
> different purposes.  I'd like to keep the IP(s) I use for external 
> access from my LAN separate from the IPs I use for outside access to 
> my internal services.  So . . .
>
> version 5
> FIREHOL_LOG_MODE="ULOG"
>
> AMFESLAN_IF="eth0"
> AMFESLAN_LAN="192.168.0.0/24"
> AMFESLAN_IP="192.168.0.1"
> AMFESLAN_BCAST="192.168.0.255"
>
> AMFESEXT_IF="eth1"
> AMFESEXT_LAN="67.106.235.97/27"
> AMFESEXT_IP="67.106.235.126"
> AMFESEXT_BCAST="67.106.235.127"
>
> PROXY_IF="eth1"
> PROXY_LAN="67.106.235.124/27"
> PROXY_IP="67.106.235.124"
> PROXY_BCAST="67.106.235.127"
>
> BASTION_IP="192.168.0.2"
> ROUTER_IP="192.168.0.1"
>
> # provide Internet access for lan
> snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
>
> # provide web services
> dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" 
> proto tcp dport 993 log "forwarding imaps"
> dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" 
> proto tcp dport 80 log "forwarding http"
>
> # bittorrent re-direct to one workstation
> dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto 
> tcp dport 6881:6889 log "forwarding bittorrent"
> dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" 
> proto tcp dport 6881:6889 log "forwarding bittorrent"
>
> # redirect for external addresses from internal network - this allows 
> laptops to use the published imap address in and outside the lan
> snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" 
> dst "${BASTION_IP}" proto tcp dport 143 log "src internal"
> dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" 
> proto tcp dport 143 log "dst internal re-dir"
> snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" 
> dst "${BASTION_IP}" proto tcp dport 993 log "src internal"
> dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" 
> proto tcp dport 993 log "dst internal re-dir"
>
> server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884 tcp/6885 
> tcp/6886 tcp/6887 tcp/6888 tcp/6889"
> client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887 
> 6888 6889"
>
> interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
>        policy accept
>
> interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS} 
> ${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>        protection strong 100/sec 50
> #       server ident reject with tcp-reset
>        server smtp accept
>        server smtps accept
>        server submission accept
>        server dcc accept log "DCC server"
>        server ssh accept log "ssh"
>        server ntp accept
>        server ping accept
>        client all accept
>
> interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS} 
> ${AMFESLAN_LAN}" dst "${PROXY_IP}"
>        protection strong 100/sec 50
>        client all accept
>
> router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}" 
> src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>        route all accept
>
> router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src 
> "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>        route all accept
>
> router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"
>        route bittorrent accept
>
> router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>        protection strong 100/sec 50
> #       route ident reject with tcp-reset
>        route http accept
>        route imaps accept
>        route bittorrent accept
>        route fpadmin accept
>        route webmin accept
>        route firebird accept
>
> The problem I'm having is that any client that connects to the 
> Internet, appears to be connecting from my "${AMFESEXT_IP}" address, 
> instead of the "${PROXY_IP}" address.  Since the only SNAT line that 
> references the Internet uses the proxy address - I'm a little puzzled.
>
> Daniel
>
>
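A way to check the symptom described in the thread, as an added example that is not from the list or the FireHOL project: the kernel treats an alias such as eth1:0 as just another address on eth1, so `-o eth1` matches packets leaving via either address, and the source address the outside world sees is decided by the first matching rule in the nat POSTROUTING chain. The script parses `iptables-save -t nat` text and reports which rule a LAN packet hits; the sample table, its rule order (including the MASQUERADE rule) and the PRIMARY_IP map are constructed assumptions, not taken from the post.

```python
import ipaddress
import shlex

# Constructed `iptables-save -t nat` output: addresses are the post's, the rule
# order is an assumption (an earlier MASQUERADE on the same device wins).
SAMPLE_NAT = """\
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 67.106.235.124
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.2/32 -o eth0 -p tcp -m tcp --dport 143 -j SNAT --to-source 192.168.0.1
COMMIT
"""
PRIMARY_IP = {"eth1": "67.106.235.126", "eth0": "192.168.0.1"}  # assumed; MASQUERADE uses these
OPTS = ("-s", "-d", "-o", "-p", "--dport", "-j", "--to-source")

def parse_postrouting(save_text):
    """POSTROUTING rules in table order, each a dict option -> (value, negated)."""
    rules = []
    for line in save_text.splitlines():
        if line.startswith("-A POSTROUTING "):
            toks, rule, neg = shlex.split(line)[2:], {}, False
            for j, t in enumerate(toks):
                if t == "!":
                    neg = True
                elif t in OPTS:  # other options, e.g. "-m tcp", do not affect the address
                    rule[t], neg = (toks[j + 1], neg), False
            rules.append(rule)
    return rules

def _ok(rule, key, test):
    # True if the rule has no match on key, else the match result with a leading "!" honoured
    return key not in rule or test(rule[key][0]) != rule[key][1]
def _in_net(want, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(want, strict=False)
def _in_ports(spec, port):
    lo, _, hi = spec.partition(":")  # single port or lo:hi range
    return port is not None and int(lo) <= port <= int(hi or lo)

def effective_source(rules, pkt, primary_ip=PRIMARY_IP):
    """(index, target, source address on the wire) of the first rule that NATs pkt, else None."""
    for idx, r in enumerate(rules):
        if (_ok(r, "-s", lambda w: _in_net(w, pkt["src"])) and
            _ok(r, "-d", lambda w: _in_net(w, pkt["dst"])) and
            _ok(r, "-o", lambda w: w == pkt["out"]) and
            _ok(r, "-p", lambda w: w == pkt.get("proto")) and
            _ok(r, "--dport", lambda w: _in_ports(w, pkt.get("dport")))):
            target = r.get("-j", ("",))[0]
            if target == "SNAT":
                return idx, target, r["--to-source"][0]
            if target == "MASQUERADE":
                return idx, target, primary_ip[pkt["out"]]
    return None  # jumps into user-defined chains are not followed here
```

On a real box, feed the output of `iptables-save -t nat` to parse_postrouting and fill PRIMARY_IP from `ip -4 addr show`.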