[Firehol-support] SNAT behaviour

Daniel L. Miller dmiller at amfes.com
Tue Jul 19 23:40:39 BST 2005


Sure enough - using device aliases results in error messages.  That's 
not the answer.

Daniel L. Miller wrote:

> I'm not finding that example.  In my case, I already defined eth1 - 
> eth1:6 for various addresses.
>
> For some reason, I didn't think firehol would work with device aliases 
> - that I had to use the base device name.  I'm trying the aliases now 
> to see what changes.
>
> Rick Marshall wrote:
>
>> This is an excellent howto on this - I think in the firehol examples. 
>> It centres around creating secondary interfaces eth1:0 etc. in your 
>> case. I followed it for a setup and it worked very well.
>>
>> rick
>>
>> Daniel L. Miller wrote:
>>
>>> I'm puzzled by the behaviour I'm experiencing with SNAT.  I have a 
>>> group of static external IP's, that I'm trying to utilize for 
>>> different purposes.  I'd like to keep the IP(s) I use for external 
>>> access from my LAN separate from the IP's I use for outside access 
>>> to my internal services.  So . . .
>>>
>>> version 5
>>> FIREHOL_LOG_MODE="ULOG"
>>>
>>> AMFESLAN_IF="eth0"
>>> AMFESLAN_LAN="192.168.0.0/24"
>>> AMFESLAN_IP="192.168.0.1"
>>> AMFESLAN_BCAST="192.168.0.255"
>>>
>>> AMFESEXT_IF="eth1"
>>> AMFESEXT_LAN="67.106.235.97/27"
>>> AMFESEXT_IP="67.106.235.126"
>>> AMFESEXT_BCAST="67.106.235.127"
>>>
>>> PROXY_IF="eth1"
>>> PROXY_LAN="67.106.235.124/27"
>>> PROXY_IP="67.106.235.124"
>>> PROXY_BCAST="67.106.235.127"
>>>
>>> BASTION_IP="192.168.0.2"
>>> ROUTER_IP="192.168.0.1"
>>>
>>> # provide Internet access for lan
>>> snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
>>>
>>> # provide web services
>>> dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "forwarding imaps"
>>> dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"
>>>
>>> # bittorrent re-direct to one workstation (DANIEL_IP is not defined in this excerpt)
>>> dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto tcp dport 6881:6889 log "forwarding bittorrent"
>>> dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 6881:6889 log "forwarding bittorrent"
>>>
>>> # redirect for external addresses from internal network - this allows laptops to use the published imap address in and outside the lan
>>> # (dnat rewrites the destination in PREROUTING; the matching snat then rewrites the source in POSTROUTING, so it matches on the post-dnat dst)
>>> snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 143 log "src internal"
>>> dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" proto tcp dport 143 log "dst internal re-dir"
>>> snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 993 log "src internal"
>>> dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "dst internal re-dir"
>>>
>>> server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884 tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889"
>>> client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887 6888 6889"
>>>
>>> interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
>>>        policy accept
>>>
>>> interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>>>        protection strong 100/sec 50
>>> #       server ident reject with tcp-reset
>>>        server smtp accept
>>>        server smtps accept
>>>        server submission accept
>>>        server dcc accept log "DCC server"
>>>        server ssh accept log "ssh"
>>>        server ntp accept
>>>        server ping accept
>>>        client all accept
>>>
>>> interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${PROXY_IP}"
>>>        protection strong 100/sec 50
>>>        client all accept
>>>
>>> router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}" src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>>>        route all accept
>>>
>>> router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>>>        route all accept
>>>
>>> router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"
>>>        route bittorrent accept
>>>
>>> router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>>>        protection strong 100/sec 50
>>> #       route ident reject with tcp-reset
>>>        route http accept
>>>        route imaps accept
>>>        route bittorrent accept
>>>        route fpadmin accept
>>>        route webmin accept
>>>        route firebird accept
>>>
>>> The problem I'm having is that any client that connects to the 
>>> Internet, appears to be connecting from my "${AMFESEXT_IP}" address, 
>>> instead of the "${PROXY_IP}" address.  Since the only SNAT line that 
>>> references the Internet uses the proxy address - I'm a little puzzled.
>>>
>>> Daniel
>>
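The thread does not say what finally caused the LAN clients to leave with the AMFESEXT address, but the two mechanisms that produce exactly that symptom are rule order in the nat POSTROUTING chain (first match wins, and a MASQUERADE rule uses the interface's primary address, so anything matching before the `snat to "${PROXY_IP}"` rule shadows it) and conntrack (the source mapping is chosen once per flow and kept until the entry expires or is flushed, so editing the rule does not change connections already open). The model below is an added example written for this page, not FireHOL code and not part of the original thread; it reuses the thread's addresses and assumes that 67.106.235.126 is the primary address of eth1 and 67.106.235.124 an alias. On the real box the things to compare against it are `iptables -t nat -L POSTROUTING -v -n` (rule order and hit counters) and the conntrack table.

```python
"""Toy model of netfilter nat/POSTROUTING source selection: first matching
rule decides, and conntrack caches that decision for the life of the flow.
Constructed example for this thread; addresses are the ones posted above."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class NatRule:
    target: str                               # "SNAT" or "MASQUERADE"
    out_iface: Optional[str] = None           # -o
    src: Optional[str] = None                 # -s CIDR
    dst: Optional[str] = None                 # -d CIDR
    proto: Optional[str] = None               # -p
    dport: Optional[Tuple[int, int]] = None   # --dport lo:hi
    to_source: Optional[str] = None           # --to-source (SNAT only)


@dataclass(frozen=True)
class Flow:
    """The tuple conntrack keys on for an outbound connection."""
    src: str
    dst: str
    out_iface: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def rule_matches(rule: NatRule, f: Flow) -> bool:
    """Every match that is set must hold; unset matches are wildcards."""
    if rule.out_iface and rule.out_iface != f.out_iface:
        return False
    if rule.src and ip_address(f.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dst and ip_address(f.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.proto and rule.proto != f.proto:
        return False
    if rule.dport and not (rule.dport[0] <= f.dport <= rule.dport[1]):
        return False
    return True


def postrouting_source(rules: List[NatRule], f: Flow,
                       iface_primary: Dict[str, str]) -> str:
    """Walk the chain top to bottom; the first match fixes the source.
    MASQUERADE picks the outgoing interface's primary address, so an earlier
    MASQUERADE (or a broader SNAT) silently overrides a later, more specific
    'snat to' rule."""
    for r in rules:
        if rule_matches(r, f):
            if r.target == "SNAT":
                return r.to_source
            if r.target == "MASQUERADE":
                return iface_primary[f.out_iface]
    return f.src  # nothing matched: the packet leaves unchanged


class Conntrack:
    """NAT is evaluated only for the first packet of a flow; later rule
    changes do not touch an existing entry until it expires or is flushed."""

    def __init__(self) -> None:
        self.table: Dict[Flow, str] = {}

    def source_for(self, rules: List[NatRule], f: Flow,
                   iface_primary: Dict[str, str]) -> str:
        if f not in self.table:
            self.table[f] = postrouting_source(rules, f, iface_primary)
        return self.table[f]

    def flush(self) -> None:
        self.table.clear()


# Addresses from the thread; the primary/alias split is an assumption.
AMFESLAN_LAN = "192.168.0.0/24"
AMFESEXT_IP = "67.106.235.126"   # assumed primary address of eth1
PROXY_IP = "67.106.235.124"      # assumed alias on eth1
IFACE_PRIMARY = {"eth1": AMFESEXT_IP}

# What the posted 'snat to "${PROXY_IP}" outface eth1 src LAN' line intends.
INTENDED_RULES = [NatRule("SNAT", out_iface="eth1", src=AMFESLAN_LAN,
                          to_source=PROXY_IP)]
# Same rule with a catch-all MASQUERADE ahead of it: the symptom in the thread.
SHADOWED_RULES = [NatRule("MASQUERADE", out_iface="eth1")] + INTENDED_RULES


if __name__ == "__main__":
    f = Flow("192.168.0.10", "198.51.100.7", "eth1", "tcp", 40000, 443)
    print("intended:", postrouting_source(INTENDED_RULES, f, IFACE_PRIMARY))
    print("shadowed:", postrouting_source(SHADOWED_RULES, f, IFACE_PRIMARY))
    ct = Conntrack()
    ct.source_for(SHADOWED_RULES, f, IFACE_PRIMARY)
    print("after fixing rules, same flow:", ct.source_for(INTENDED_RULES, f, IFACE_PRIMARY))
    ct.flush()
    print("after flushing conntrack:", ct.source_for(INTENDED_RULES, f, IFACE_PRIMARY))
```

The second and third printed lines are the diagnostic point: with a catch-all rule ahead of the specific one the LAN leaves as the primary address, and a flow that was already mapped keeps its old source even after the chain is corrected, which is why a rule fix should be verified with a new connection (or after flushing conntrack) rather than by watching an existing one.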