[Firehol-support] SNAT behaviour

Daniel L. Miller dmiller at amfes.com
Tue Jul 19 15:41:34 BST 2005


Additionally, does anyone see why my internal-external-internal 
re-directs for imap(s) are not working?  Watching the logs, I can see 
the DNAT rules executing, but not the SNAT rules.

Rick Marshall wrote:

> This is an excellent howto on this - I think in the firehol examples. 
> It centres around creating secondary interfaces eth1:0 etc in your 
> case. I followed it for a setup and it worked very well.
>
> rick
>
> Daniel L. Miller wrote:
>
>> I'm puzzled by the behaviour I'm experiencing with SNAT.  I have a 
>> group of static external IPs that I'm trying to utilize for 
>> different purposes.  I'd like to keep the IP(s) I use for external 
>> access from my LAN separate from the IPs I use for outside access to 
>> my internal services.  So . . .
>>
>> version 5
>> FIREHOL_LOG_MODE="ULOG"
>>
>> AMFESLAN_IF="eth0"
>> AMFESLAN_LAN="192.168.0.0/24"
>> AMFESLAN_IP="192.168.0.1"
>> AMFESLAN_BCAST="192.168.0.255"
>>
>> AMFESEXT_IF="eth1"
>> AMFESEXT_LAN="67.106.235.97/27"
>> AMFESEXT_IP="67.106.235.126"
>> AMFESEXT_BCAST="67.106.235.127"
>>
>> PROXY_IF="eth1"
>> PROXY_LAN="67.106.235.124/27"
>> PROXY_IP="67.106.235.124"
>> PROXY_BCAST="67.106.235.127"
>>
>> BASTION_IP="192.168.0.2"
>> ROUTER_IP="192.168.0.1"
>>
>> # provide Internet access for lan
>> snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
>>
>> # provide web services
>> dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" 
>> proto tcp dport 993 log "forwarding imaps"
>> dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" 
>> proto tcp dport 80 log "forwarding http"
>>
>> # bittorrent re-direct to one workstation
>> dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto 
>> tcp dport 6881:6889 log "forwarding bittorrent"
>> dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" 
>> proto tcp dport 6881:6889 log "forwarding bittorrent"
>>
>> # redirect for external addresses from internal network - this allows 
>> # laptops to use the published imap address in and outside the lan
>> snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" 
>> dst "${BASTION_IP}" proto tcp dport 143 log "src internal"
>> dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" 
>> proto tcp dport 143 log "dst internal re-dir"
>> snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" 
>> dst "${BASTION_IP}" proto tcp dport 993 log "src internal"
>> dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" 
>> proto tcp dport 993 log "dst internal re-dir"
>>
>> server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884 tcp/6885 
>> tcp/6886 tcp/6887 tcp/6888 tcp/6889"
>> client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887 
>> 6888 6889"
>>
>> interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
>>        policy accept
>>
>> interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS} 
>> ${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>>        protection strong 100/sec 50
>> #       server ident reject with tcp-reset
>>        server smtp accept
>>        server smtps accept
>>        server submission accept
>>        server dcc accept log "DCC server"
>>        server ssh accept log "ssh"
>>        server ntp accept
>>        server ping accept
>>        client all accept
>>
>> interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS} 
>> ${AMFESLAN_LAN}" dst "${PROXY_IP}"
>>        protection strong 100/sec 50
>>        client all accept
>>
>> router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}" 
>> src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>>        route all accept
>>
>> router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src 
>> "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>>        route all accept
>>
>> router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"
>>        route bittorrent accept
>>
>> router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>>        protection strong 100/sec 50
>> #       route ident reject with tcp-reset
>>        route http accept
>>        route imaps accept
>>        route bittorrent accept
>>        route fpadmin accept
>>        route webmin accept
>>        route firebird accept
>>
>> The problem I'm having is that any client that connects to the 
>> Internet appears to be connecting from my "${AMFESEXT_IP}" address 
>> instead of the "${PROXY_IP}" address.  Since the only SNAT line that 
>> references the Internet uses the proxy address, I'm a little puzzled.
>>
>> Daniel
>
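As an added illustration (not FireHOL's code and not from the thread): a small Python model of the netfilter nat traversal that the quoted hairpin rules rely on. PREROUTING DNAT runs before the routing decision and POSTROUTING SNAT after it, so an SNAT rule is matched against the already-rewritten destination, which is why the internal re-direct pairs a DNAT on dst AMFESEXT_IP with an SNAT on dst BASTION_IP. Addresses are the ones from the quoted config; the routing table, the rule subset and the sample packet are assumptions.

```python
from ipaddress import IPv4Network, ip_address, ip_network

# Addresses taken from the quoted config; the routing table below is an
# assumption (LAN directly connected on eth0, everything else out eth1).
LAN, LAN_IF, ROUTER_IP = ip_network("192.168.0.0/24"), "eth0", "192.168.0.1"
EXT_IF = "eth1"
EXT_IP, PROXY_IP, BASTION_IP = "67.106.235.126", "67.106.235.124", "192.168.0.2"

def outface(dst):
    """Routing decision made between PREROUTING and POSTROUTING (assumed table)."""
    return LAN_IF if ip_address(dst) in LAN else EXT_IF

# NAT rules in the order the config lists them; the first match in each chain
# wins. A rule is (match dict, address to rewrite to); absent keys match all.
DNAT = [  # PREROUTING: evaluated on the packet exactly as it arrived
    ({"inface": EXT_IF, "dst": EXT_IP, "dport": 993}, BASTION_IP),
    ({"inface": LAN_IF, "dst": EXT_IP, "dport": 143}, BASTION_IP),
    ({"inface": LAN_IF, "dst": EXT_IP, "dport": 993}, BASTION_IP),
]
SNAT = [  # POSTROUTING: evaluated after DNAT and after the routing decision
    ({"outface": EXT_IF, "src": LAN}, PROXY_IP),
    ({"outface": LAN_IF, "src": LAN, "dst": BASTION_IP, "dport": 143}, ROUTER_IP),
    ({"outface": LAN_IF, "src": LAN, "dst": BASTION_IP, "dport": 993}, ROUTER_IP),
]

def matches(rule, pkt):
    for key, want in rule.items():
        if isinstance(want, IPv4Network):       # network match, e.g. src LAN
            if ip_address(pkt[key]) not in want:
                return False
        elif pkt[key] != want:                  # exact interface/address/port
            return False
    return True

def nat(pkt):
    """Return (packet as it leaves the box, names of the rules that fired)."""
    pkt, hits = dict(pkt), []
    for n, (rule, to) in enumerate(DNAT):
        if matches(rule, pkt):
            pkt["dst"], hits = to, hits + [f"dnat{n}"]
            break
    pkt["outface"] = outface(pkt["dst"])        # dst is already the DNAT'd one
    for n, (rule, to) in enumerate(SNAT):
        if matches(rule, pkt):
            pkt["src"], hits = to, hits + [f"snat{n}"]
            break
    return pkt, hits

if __name__ == "__main__":
    # Constructed sample: a LAN laptop opening IMAPS to the published address.
    print(nat({"inface": "eth0", "src": "192.168.0.50", "dst": EXT_IP, "dport": 993}))
```

Comparing which rule the model says a given packet should hit with the live counters from `iptables -t nat -L -v -n` shows where the real traversal diverges from the intended one.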