[Firehol-support] SNAT behaviour
Brian Snipes
Brian at hwnn.com
Wed Jul 20 17:34:32 BST 2005
I am passing traffic back to an internal server successfully with this type of config:
...
nat to-destination ${int_groupwise_ip} inface ${ext_groupwise_if} proto tcp dport 80 dst ${ext_groupwise_ip}
nat to-source ${ext_groupwise_ip} outface ${ext_groupwise_if} proto tcp sport 80 src ${int_groupwise_ip}
...
interface ${ext_groupwise_if} ext_groupwise dst ${ext_groupwise_ip}
    policy reject
    protection strong
    server icmp accept
    server ident reject with tcp-reset

router i2groupwise inface ${ext_groupwise_if} outface ${int_if}
    route gwim accept
    route gwclient accept
    route http accept
    route https accept
    client all accept
Brian
>>>Daniel L. Miller <dmiller at amfes.com> 07/19/05 5:40 pm >>>
Sure enough - using device aliases results in error messages. That's
not the answer.
Daniel L. Miller wrote:
>I'm not finding that example. In my case, I already defined eth1 -
>eth1:6 for various addresses.
>
>For some reason, I didn't think firehol would work with device aliases
>- that I had to use the base device name. I'm trying the aliases now
>to see what changes.
>
>Rick Marshall wrote:
>
>>this is an excellent howto on this - i think in the firehol examples.
>>it centres around creating secondary interfaces eth1:0 etc in your
>>case. i followed it for a setup and it worked very well.
>>
>>rick
>>
>>Daniel L. Miller wrote:
>>
>>>I'm puzzled by the behaviour I'm experiencing with SNAT. I have a
>>>group of static external IP's, that I'm trying to utilize for
>>>different purposes. I'd like to keep the IP(s) I use for external
>>>access from my LAN separate from the IP's I use for outside access
>>>to my internal services. So . . .
>>>
>>>version 5
>>>FIREHOL_LOG_MODE=ULOG
>>>
>>>AMFESLAN_IF=eth0
>>>AMFESLAN_LAN=192.168.0.0/24
>>>AMFESLAN_IP=192.168.0.1
>>>AMFESLAN_BCAST=192.168.0.255
>>>
>>>AMFESEXT_IF=eth1
>>>AMFESEXT_LAN=67.106.235.97/27
>>>AMFESEXT_IP=67.106.235.126
>>>AMFESEXT_BCAST=67.106.235.127
>>>
>>>PROXY_IF=eth1
>>>PROXY_LAN=67.106.235.124/27
>>>PROXY_IP=67.106.235.124
>>>PROXY_BCAST=67.106.235.127
>>>
>>>BASTION_IP=192.168.0.2
>>>ROUTER_IP=192.168.0.1
>>>
>>># provide Internet access for lan
>>>snat to ${PROXY_IP} outface ${PROXY_IF} src ${AMFESLAN_LAN}
>>>
>>># provide web services
>>>dnat to ${BASTION_IP} inface ${AMFESEXT_IF} dst ${AMFESEXT_IP} proto tcp dport 993 log forwarding imaps
>>>dnat to ${BASTION_IP} inface ${AMFESEXT_IF} dst ${AMFESEXT_IP} proto tcp dport 80 log forwarding http
>>>
>>># bittorrent re-direct to one workstation
>>>dnat to ${DANIEL_IP} inface ${PROXY_IF} dst ${PROXY_IP} proto tcp dport 6881:6889 log forwarding bittorrent
>>>dnat to ${DANIEL_IP} inface ${AMFESEXT_IF} dst ${AMFESEXT_IP} proto tcp dport 6881:6889 log forwarding bittorrent
>>>
>>># redirect for external addresses from internal network - this allows laptops to use the published imap address in and outside the lan
>>>snat to ${ROUTER_IP} outface ${AMFESLAN_IF} src ${AMFESLAN_LAN} dst ${BASTION_IP} proto tcp dport 143 log src internal
>>>dnat to ${BASTION_IP} inface ${AMFESLAN_IF} dst ${AMFESEXT_IP} proto tcp dport 143 log dst internal re-dir
>>>snat to ${ROUTER_IP} outface ${AMFESLAN_IF} src ${AMFESLAN_LAN} dst ${BASTION_IP} proto tcp dport 993 log src internal
>>>dnat to ${BASTION_IP} inface ${AMFESLAN_IF} dst ${AMFESEXT_IP} proto tcp dport 993 log dst internal re-dir
>>>
>>># a firehol config is a shell script, so multi-word port lists must be quoted
>>>server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884 tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889"
>>>client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887 6888 6889"
>>>
>>>interface ${AMFESLAN_IF} lan src ${AMFESLAN_LAN}
>>> policy accept
>>>
>>>interface ${AMFESEXT_IF} internet src not ${UNROUTABLE_IPS} ${AMFESLAN_LAN} dst ${AMFESEXT_IP}
>>> protection strong 100/sec 50
>>># server ident reject with tcp-reset
>>> server smtp accept
>>> server smtps accept
>>> server submission accept
>>> server dcc accept log DCC server
>>> server ssh accept log ssh
>>> server ntp accept
>>> server ping accept
>>> client all accept
>>>
>>>interface ${PROXY_IF} proxy src not ${UNROUTABLE_IPS} ${AMFESLAN_LAN} dst ${PROXY_IP}
>>> protection strong 100/sec 50
>>> client all accept
>>>
>>>router lan2amfesext inface ${AMFESLAN_IF} outface ${AMFESEXT_IF} src ${AMFESLAN_LAN} dst not ${UNROUTABLE_IPS}
>>> route all accept
>>>
>>>router lan2proxy inface ${AMFESLAN_IF} outface ${PROXY_IF} src ${AMFESLAN_LAN} dst not ${UNROUTABLE_IPS}
>>> route all accept
>>>
>>>router proxy2lan inface ${PROXY_IF} outface ${AMFESLAN_IF}
>>> route bittorrent accept
>>>
>>>router internet2lan inface ${AMFESEXT_IF} outface ${AMFESLAN_IF}
>>> protection strong 100/sec 50
>>># route ident reject with tcp-reset
>>> route http accept
>>> route imaps accept
>>> route bittorrent accept
>>> route fpadmin accept
>>> route webmin accept
>>> route firebird accept
>>>
>>>The problem I'm having is that any client that connects to the
>>>Internet, appears to be connecting from my ${AMFESEXT_IP} address,
>>>instead of the ${PROXY_IP} address. Since the only SNAT line that
>>>references the Internet uses the proxy address - I'm a little puzzled.
>>>
>>>Daniel
>>
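Added example, not part of this thread and not firehol's own code: a small Python model of how the iptables nat table that firehol programs is evaluated (each chain is walked top-down and the first matching SNAT/DNAT rule wins; PREROUTING DNAT happens before the routing decision, POSTROUTING SNAT after it), run against a constructed iptables-save dump that mirrors the quoted snat/dnat lines. The addresses are the ones from the quoted config; the sample rule set, the LAN client 192.168.0.10 and the outside host 198.51.100.7 are constructed, and on a real firewall the input would be the output of `iptables-save -t nat`. It answers the question raised in the thread, which rule decides the source address a LAN client leaves with, by reporting the rule that actually fired, and shows that a second SNAT rule appended below an earlier one covering the same source is never reached.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not firehol's real generated output): a nat-table dump in
# iptables-save syntax mirroring the quoted snat/dnat lines. PROXY_IF and
# AMFESEXT_IF are both written as eth1 because iptables matches real devices,
# not eth1:N aliases. Addresses are those from the quoted configuration.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -d 67.106.235.126/32 -p tcp --dport 993 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -i eth1 -d 67.106.235.126/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SNAT --to-source 67.106.235.124
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


@dataclass
class NatRule:
    chain: str
    target: str          # SNAT or DNAT
    to: str              # address after --to-source / --to-destination
    text: str            # original rule line, kept for reporting
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[range] = None

    def matches(self, pkt: dict) -> bool:
        """Every match option present on the rule must hold for the packet."""
        if self.in_iface and pkt.get("in_iface") != self.in_iface:
            return False
        if self.out_iface and pkt.get("out_iface") != self.out_iface:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport and pkt.get("dport") not in self.dport:
            return False
        return True


def parse_nat_rules(dump: str) -> list:
    """Parse the '-A CHAIN ...' lines of an iptables-save nat dump.
    Only option/value pairs are handled; '!' negations and extra match
    modules are outside this small model."""
    rules = []
    for raw in dump.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # *nat, :CHAIN policy lines and COMMIT carry no rules
        chain, rest = m.groups()
        tokens = rest.split()
        opts = dict(zip(tokens[0::2], tokens[1::2]))
        dport = None
        if "--dport" in opts:
            lo, _, hi = opts["--dport"].partition(":")
            dport = range(int(lo), int(hi or lo) + 1)
        rules.append(NatRule(
            chain=chain, target=opts.get("-j", ""),
            to=opts.get("--to-source") or opts.get("--to-destination") or "",
            text=line, in_iface=opts.get("-i"), out_iface=opts.get("-o"),
            src=ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
            dst=ipaddress.ip_network(opts["-d"]) if "-d" in opts else None,
            proto=opts.get("-p"), dport=dport,
        ))
    return rules


def first_match(rules: list, chain: str, pkt: dict) -> Optional[NatRule]:
    """A chain is walked top-down and SNAT/DNAT are terminating targets, so the
    first matching rule decides; later rules that also match are never consulted."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule
    return None


def translate(rules: list, pkt: dict) -> tuple:
    """Apply PREROUTING DNAT (before routing) then POSTROUTING SNAT (after it).
    Routing itself is not modelled: the caller supplies out_iface.
    Returns the translated packet and the list of rule lines that fired."""
    pkt = dict(pkt)
    applied = []
    dnat = first_match(rules, "PREROUTING", pkt)
    if dnat and dnat.target == "DNAT":
        pkt["dst"] = dnat.to
        applied.append(dnat.text)
    snat = first_match(rules, "POSTROUTING", pkt)
    if snat and snat.target == "SNAT":
        pkt["src"] = snat.to
        applied.append(snat.text)
    return pkt, applied


if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_NAT_DUMP)
    lan_client = {"in_iface": "eth0", "out_iface": "eth1", "src": "192.168.0.10",
                  "dst": "198.51.100.7", "proto": "tcp", "dport": 443}
    out, fired = translate(rules, lan_client)
    print("LAN client leaves eth1 as", out["src"], "because of:", *fired, sep="\n  ")
```

Feed it the real `iptables-save -t nat` output and the packet you expect to see, and `translate` names the exact rule that chose the source address; if the list of fired rules is empty, the packet is leaving untranslated, and if a different SNAT rule than expected is listed, an earlier rule in POSTROUTING is catching the traffic first.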
Firehol-support mailing list
Firehol-support at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/firehol-support