[Firehol-support] SNAT behaviour
Daniel L. Miller
dmiller at amfes.com
Mon Jul 25 16:00:32 BST 2005
Thanx for the reply.
It's still not working for me - I'm wondering if it's the order of the
SNAT/DNAT lines in my file. Could on of those first NAT lines be
conflicting with the re-directs?
On another note, should I be using the external interface for this, or
should I possibly use NAT to re-write to the loopback address?
Brian Snipes wrote:
> I am passing traffic back to an internal serversuccessfully with this
> type of config:
>
> ...
> nat to-destination ${int_groupwise_ip} inface
> ${ext_groupwise_if} proto tcp dport 80 dst ${ext_groupwise_ip}
> nat to-source ${ext_groupwise_ip} outface ${ext_groupwise_if} proto
> tcp sport 80 src ${int_groupwise_ip}
> ...
> interface ${ext_groupwise_if} ext_groupwise dst ${ext_groupwise_ip}
> policy reject
> protection strong
> server icmp accept
> server ident reject with tcp-reset
>
> router i2groupwise inface ${ext_groupwise_if} outface ${int_if}
> route gwim accept
> route gwclient accept
> route http accept
> route https accept
> client all accept
>
> Brian
>
>
> >>>"Daniel L. Miller" <dmiller at amfes.com> 07/19/05 5:40 pm >>>
> Sure enough - using device aliases results in error messages. That's
> not the answer.
>
> Daniel L. Miller wrote:
>
> >I'm not finding that example. In my case, I already defined eth1 -
> >eth1:6 for various addresses.
> >
> >For some reason, I didn't think firehol would work with device aliases
> >- that I had to use the base device name. I'm trying the aliases now
> >to see what changes.
> >
> >Rick Marshall wrote:
> >
> >>this is an excellent howto on this - i think in the firehol examples.
> >>it centres around creating secondary interfaces eth1:0 etc in your
> >>case. i followed it for a setup and it worked very well.
> >>
> >>rick
> >>
> >>Daniel L. Miller wrote:
> >>
> >>>I'm puzzled by the behaviour I'm experiencing with SNAT. I have a
> >>>group of static external IP's, that I'm trying to utilize for
> >>>different purposes. I'd like to keep the IP(s) I use for external
> >>>access from my LAN separate from the IP's I use for outside access
> >>>to my internal services. So . . .
> >>>
> >>>version 5
> >>>FIREHOL_LOG_MODE="ULOG"
> >>>
> >>>AMFESLAN_IF="eth0"
> >>>AMFESLAN_LAN="192.168.0.0/24"
> >>>AMFESLAN_IP="192.168.0.1"
> >>>AMFESLAN_BCAST="192.168.0.255"
> >>>
> >>>AMFESEXT_IF="eth1"
> >>>AMFESEXT_LAN="67.106.235.97/27"
> >>>AMFESEXT_IP="67.106.235.126"
> >>>AMFESEXT_BCAST="67.106.235.127"
> >>>
> >>>PROXY_IF="eth1"
> >>>PROXY_LAN="67.106.235.124/27"
> >>>PROXY_IP="67.106.235.124"
> >>>PROXY_BCAST="67.106.235.127"
> >>>
> >>>BASTION_IP="192.168.0.2"
> >>>ROUTER_IP="192.168.0.1"
> >>>
> >>># provide Internet access for lan
> >>>snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
> >>>
> >>># provide web services
> >>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 993 log "forwarding imaps"
> >>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 80 log "forwarding http"
> >>>
> >>># bittorrent re-direct to one workstation
> >>>dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto
> >>>tcp dport 6881:6889 log "forwarding bittorrent"
> >>>dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 6881:6889 log "forwarding bittorrent"
> >>>
> >>># redirect for external addresses from internal network - this
> >>>allows laptops to use the published imap address in and outside the lan
> >>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src
> >>>"${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 143 log "src
> >>>internal
> >>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 143 log "dst internal re-dir"
> >>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src
> >>>"${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 993 log "src
> >>>internal
> >>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 993 log "dst internal re-dir"
> >>>
> >>>server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884
> >>>tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889"
> >>>client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887
> >>>6888 6889"
> >>>
> >>>interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
> >>> policy accept
> >>>
> >>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}
> >>>${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
> >>> protection strong 100/sec 50
> >>># server ident reject with tcp-reset
> >>> server smtp accept
> >>> server smtps accept
> >>> server submission accept
> >>> server dcc accept log "DCC server"
> >>> server ssh accept log "ssh"
> >>> server ntp accept
> >>> server ping accept
> >>> client all accept
> >>>
> >>>interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS}
> >>>${AMFESLAN_LAN}" dst "${PROXY_IP}"
> >>> protection strong 100/sec 50
> >>> client all accept
> >>>
> >>>router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}"
> >>>src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
> >>> route all accept
> >>>
> >>>router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src
> >>>"${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
> >>> route all accept
> >>>
> >>>router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"
> >>> route bittorrent accept
> >>>
> >>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
> >>> protection strong 100/sec 50
> >>># route ident reject with tcp-reset
> >>> route http accept
> >>> route imaps accept
> >>> route bittorrent accept
> >>> route fpadmin accept
> >>> route webmin accept
> >>> route firebird accept
> >>>
> >>>The problem I'm having is that any client that connects to the
> >>>Internet, appears to be connecting from my "${AMFESEXT_IP}" address,
> >>>instead of the "${PROXY_IP}" address. Since the only SNAT line that
> >>>references the Internet uses the proxy address - I'm a little puzzled.
> >>>
> >>>Daniel
> >>
>
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
>
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
More information about the Firehol-support
mailing list