[Firehol-support] SNAT behaviour

Brian Snipes Brian at hwnn.com
Wed Jul 20 17:34:32 BST 2005

I am passing traffic back to an internal serversuccessfully with this type of config: 
nat to-destination ${int_groupwise_ip} inface ${ext_groupwise_if} proto tcp dport 80 dst ${ext_groupwise_ip} 
nat to-source ${ext_groupwise_ip} outface ${ext_groupwise_if} proto tcp sport 80 src ${int_groupwise_ip} 
interface ${ext_groupwise_if} ext_groupwise dst ${ext_groupwise_ip} 
        policy reject 
        protection      strong 
        server icmp     accept 
        server ident    reject with tcp-reset 
router i2groupwise inface ${ext_groupwise_if} outface ${int_if} 
        route gwim      accept 
        route gwclient  accept 
        route http      accept 
        route https     accept 
        client all      accept 

>>>Daniel L. Miller <dmiller at amfes.com> 07/19/05 5:40 pm >>>
Sure enough - using device aliases results in error messages.  That's
not the answer.

Daniel L. Miller wrote:

>I'm not finding that example.  In my case, I already defined eth1 -
>eth1:6 for various addresses.
>For some reason, I didn't think firehol would work with device aliases
>- that I had to use the base device name.  I'm trying the aliases now
>to see what changes.
>Rick Marshall wrote:
>>this is an excellent howto on this - i think in the firehol examples.
>>it centres around creating secondary interfaces eth1:0 etc in your
>>case. i followed it for a setup and it worked very well.
>>Daniel L. Miller wrote:
>>>I'm puzzled by the behaviour I'm experiencing with SNAT.  I have a
>>>group of static external IP's, that I'm trying to utilize for
>>>different purposes.  I'd like to keep the IP(s) I use for external
>>>access from my LAN separate from the IP's I use for outside access
>>>to my internal services.  So . . .
>>>version 5
>>># provide Internet access for lan
>>>snat to ${PROXY_IP} outface ${PROXY_IF} src ${AMFESLAN_LAN}
>>># provide web services
>>>dnat to ${BASTION_IP} inface ${AMFESEXT_IF} dst ${AMFESEXT_IP}
>>>proto tcp dport 993 log forwarding imaps
>>>dnat to ${BASTION_IP} inface ${AMFESEXT_IF} dst ${AMFESEXT_IP}
>>>proto tcp dport 80 log forwarding http
>>># bittorrent re-direct to one workstation
>>>dnat to ${DANIEL_IP} inface ${PROXY_IF} dst ${PROXY_IP} proto
>>>tcp dport 6881:6889 log forwarding bittorrent
>>>dnat to ${DANIEL_IP} inface ${AMFESEXT_IF} dst ${AMFESEXT_IP}
>>>proto tcp dport 6881:6889 log forwarding bittorrent
>>># redirect for external addresses from internal network - this
>>>allows laptops to use the published imap address in and outside the lan
>>>snat to ${ROUTER_IP} outface ${AMFESLAN_IF} src
>>>${AMFESLAN_LAN} dst ${BASTION_IP} proto tcp dport 143 log src
>>>dnat to ${BASTION_IP} inface ${AMFESLAN_IF} dst ${AMFESEXT_IP}
>>>proto tcp dport 143 log dst internal re-dir
>>>snat to ${ROUTER_IP} outface ${AMFESLAN_IF} src
>>>${AMFESLAN_LAN} dst ${BASTION_IP} proto tcp dport 993 log src
>>>dnat to ${BASTION_IP} inface ${AMFESLAN_IF} dst ${AMFESEXT_IP}
>>>proto tcp dport 993 log dst internal re-dir
>>>server_bittorrent_ports=tcp/6881 tcp/6882 tcp/6883 tcp/6884
>>>tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889
>>>client_bittorrent_ports=default 6881 6882 6883 6884 6885 6886 6887
>>>6888 6889
>>>interface ${AMFESLAN_IF} lan src ${AMFESLAN_LAN}
>>>       policy accept
>>>interface ${AMFESEXT_IF} internet src not ${UNROUTABLE_IPS}
>>>       protection strong 100/sec 50
>>>#       server ident reject with tcp-reset
>>>       server smtp accept
>>>       server smtps accept
>>>       server submission accept
>>>       server dcc accept log DCC server
>>>       server ssh accept log ssh
>>>       server ntp accept
>>>       server ping accept
>>>       client all accept
>>>interface ${PROXY_IF} proxy src not ${UNROUTABLE_IPS}
>>>       protection strong 100/sec 50
>>>       client all accept
>>>router lan2amfesext inface ${AMFESLAN_IF} outface ${AMFESEXT_IF}
>>>src ${AMFESLAN_LAN} dst not ${UNROUTABLE_IPS}
>>>       route all accept
>>>router lan2proxy inface ${AMFESLAN_IF} outface ${PROXY_IF} src
>>>       route all accept
>>>router proxy2lan inface ${PROXY_IF} outface ${AMFESLAN_IF}
>>>       route bittorrent accept
>>>router internet2lan inface ${AMFESEXT_IF} outface ${AMFESLAN_IF}
>>>       protection strong 100/sec 50
>>>#       route ident reject with tcp-reset
>>>       route http accept
>>>       route imaps accept
>>>       route bittorrent accept
>>>       route fpadmin accept
>>>       route webmin accept
>>>       route firebird accept
>>>The problem I'm having is that any client that connects to the
>>>Internet, appears to be connecting from my ${AMFESEXT_IP} address,
>>>instead of the ${PROXY_IP} address.  Since the only SNAT line that
>>>references the Internet uses the proxy address - I'm a little puzzled.

SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click

Firehol-support mailing list
Firehol-support at lists.sourceforge.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20050720/7332fd7a/attachment-0003.html>

More information about the Firehol-support mailing list