[Firehol-support] SNAT behaviour

Daniel L. Miller dmiller at amfes.com
Mon Jul 25 16:00:32 BST 2005


Thanx for the reply.

It's still not working for me - I'm wondering if it's the order of the 
SNAT/DNAT lines in my file.  Could one of those first NAT lines be 
conflicting with the re-directs?

On another note, should I be using the external interface for this, or 
should I possibly use NAT to re-write to the loopback address?

Brian Snipes wrote:

> I am passing traffic back to an internal server successfully with this 
> type of config:
>  
> ...
> nat to-destination ${int_groupwise_ip} inface 
> ${ext_groupwise_if} proto tcp dport 80 dst ${ext_groupwise_ip}
> nat to-source ${ext_groupwise_ip} outface ${ext_groupwise_if} proto 
> tcp sport 80 src ${int_groupwise_ip}
> ...
> interface ${ext_groupwise_if} ext_groupwise dst ${ext_groupwise_ip}
>         policy reject
>         protection      strong
>         server icmp     accept
>         server ident    reject with tcp-reset
>  
> router i2groupwise inface ${ext_groupwise_if} outface ${int_if}
>         route gwim      accept
>         route gwclient  accept
>         route http      accept
>         route https     accept
>         client all      accept
>  
> Brian
>  
>
> >>>"Daniel L. Miller" <dmiller at amfes.com> 07/19/05 5:40 pm >>>
> Sure enough - using device aliases results in error messages.  That's
> not the answer.
>
> Daniel L. Miller wrote:
>
> >I'm not finding that example.  In my case, I already defined eth1 -
> >eth1:6 for various addresses.
> >
> >For some reason, I didn't think firehol would work with device aliases
> >- that I had to use the base device name.  I'm trying the aliases now
> >to see what changes.
> >
> >Rick Marshall wrote:
> >
> >>this is an excellent howto on this - i think in the firehol examples.
> >>it centres around creating secondary interfaces eth1:0 etc in your
> >>case. i followed it for a setup and it worked very well.
> >>
> >>rick
> >>
> >>Daniel L. Miller wrote:
> >>
> >>>I'm puzzled by the behaviour I'm experiencing with SNAT.  I have a
> >>>group of static external IP's, that I'm trying to utilize for
> >>>different purposes.  I'd like to keep the IP(s) I use for external
> >>>access from my LAN separate from the IP's I use for outside access
> >>>to my internal services.  So . . .
> >>>
> >>>version 5
> >>>FIREHOL_LOG_MODE="ULOG"
> >>>
> >>>AMFESLAN_IF="eth0"
> >>>AMFESLAN_LAN="192.168.0.0/24"
> >>>AMFESLAN_IP="192.168.0.1"
> >>>AMFESLAN_BCAST="192.168.0.255"
> >>>
> >>>AMFESEXT_IF="eth1"
> >>>AMFESEXT_LAN="67.106.235.97/27"
> >>>AMFESEXT_IP="67.106.235.126"
> >>>AMFESEXT_BCAST="67.106.235.127"
> >>>
> >>>PROXY_IF="eth1"
> >>>PROXY_LAN="67.106.235.124/27"
> >>>PROXY_IP="67.106.235.124"
> >>>PROXY_BCAST="67.106.235.127"
> >>>
> >>>BASTION_IP="192.168.0.2"
> >>>ROUTER_IP="192.168.0.1"
> >>>
> >>># provide Internet access for lan
> >>>snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
> >>>
> >>># provide web services
> >>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 993 log "forwarding imaps"
> >>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 80 log "forwarding http"
> >>>
> >>># bittorrent re-direct to one workstation
> >>>dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto
> >>>tcp dport 6881:6889 log "forwarding bittorrent"
> >>>dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 6881:6889 log "forwarding bittorrent"
> >>>
> >>># redirect for external addresses from internal network - this
> >>>allows laptops to use the published imap address in and outside the lan
> >>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src
> >>>"${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 143 log "src
> >>>internal"
> >>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 143 log "dst internal re-dir"
> >>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src
> >>>"${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 993 log "src
> >>>internal"
> >>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}"
> >>>proto tcp dport 993 log "dst internal re-dir"
> >>>
> >>>server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884
> >>>tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889"
> >>>client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887
> >>>6888 6889"
> >>>
> >>>interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
> >>>       policy accept
> >>>
> >>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}
> >>>${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
> >>>       protection strong 100/sec 50
> >>>#       server ident reject with tcp-reset
> >>>       server smtp accept
> >>>       server smtps accept
> >>>       server submission accept
> >>>       server dcc accept log "DCC server"
> >>>       server ssh accept log "ssh"
> >>>       server ntp accept
> >>>       server ping accept
> >>>       client all accept
> >>>
> >>>interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS}
> >>>${AMFESLAN_LAN}" dst "${PROXY_IP}"
> >>>       protection strong 100/sec 50
> >>>       client all accept
> >>>
> >>>router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}"
> >>>src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
> >>>       route all accept
> >>>
> >>>router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src
> >>>"${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
> >>>       route all accept
> >>>
> >>>router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"
> >>>       route bittorrent accept
> >>>
> >>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
> >>>       protection strong 100/sec 50
> >>>#       route ident reject with tcp-reset
> >>>       route http accept
> >>>       route imaps accept
> >>>       route bittorrent accept
> >>>       route fpadmin accept
> >>>       route webmin accept
> >>>       route firebird accept
> >>>
> >>>The problem I'm having is that any client that connects to the
> >>>Internet, appears to be connecting from my "${AMFESEXT_IP}" address,
> >>>instead of the "${PROXY_IP}" address.  Since the only SNAT line that
> >>>references the Internet uses the proxy address - I'm a little puzzled.
> >>>
> >>>Daniel
> >>
>
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
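
The thread turns on rule order in the nat table: FireHOL emits each `dnat` line into PREROUTING and each `snat` line into POSTROUTING in file order, and netfilter stops at the first matching SNAT/DNAT rule. The following model is an added example (not FireHOL's code, and not from anyone in the thread) that replays the snat/dnat lines quoted above with first-match semantics, so the expected source address for a LAN client and the LAN-side IMAP hairpin can be checked offline. It assumes: `DANIEL_IP` is a placeholder because the post never defines it; the client and Internet addresses are constructed; and the outgoing interface is supplied with the packet rather than derived from a routing decision.

```python
"""First-match model of the nat-table rules quoted in the thread.
Added example; not FireHOL code.  DANIEL_IP and the client/Internet
addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Values quoted in the post (DANIEL_IP is a placeholder; the post omits it).
AMFESLAN_IF, AMFESEXT_IF, PROXY_IF = "eth0", "eth1", "eth1"
AMFESLAN_LAN = "192.168.0.0/24"
AMFESEXT_IP = "67.106.235.126"
PROXY_IP = "67.106.235.124"
BASTION_IP = "192.168.0.2"
ROUTER_IP = "192.168.0.1"
DANIEL_IP = "192.168.0.50"   # placeholder, not defined in the thread


@dataclass
class Packet:
    src: str
    dst: str
    inface: str
    outface: str      # given here; real routing decides this after DNAT
    proto: str = "tcp"
    dport: int = 80


@dataclass
class Rule:
    """One nat-table rule as a FireHOL snat/dnat line would produce it."""
    target: str                       # "SNAT" or "DNAT"
    to: str
    inface: Optional[str] = None
    outface: Optional[str] = None
    src: Optional[str] = None         # CIDR or single host
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None   # inclusive port range

    def matches(self, p: Packet) -> bool:
        if self.inface and p.inface != self.inface:
            return False
        if self.outface and p.outface != self.outface:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        return True

    def apply(self, p: Packet) -> Packet:
        return replace(p, src=self.to) if self.target == "SNAT" else replace(p, dst=self.to)


# dnat lines -> PREROUTING, snat lines -> POSTROUTING, both in file order.
PREROUTING: List[Rule] = [
    Rule("DNAT", BASTION_IP, inface=AMFESEXT_IF, dst=AMFESEXT_IP, proto="tcp", dport=(993, 993)),
    Rule("DNAT", BASTION_IP, inface=AMFESEXT_IF, dst=AMFESEXT_IP, proto="tcp", dport=(80, 80)),
    Rule("DNAT", DANIEL_IP, inface=PROXY_IF, dst=PROXY_IP, proto="tcp", dport=(6881, 6889)),
    Rule("DNAT", DANIEL_IP, inface=AMFESEXT_IF, dst=AMFESEXT_IP, proto="tcp", dport=(6881, 6889)),
    Rule("DNAT", BASTION_IP, inface=AMFESLAN_IF, dst=AMFESEXT_IP, proto="tcp", dport=(143, 143)),
    Rule("DNAT", BASTION_IP, inface=AMFESLAN_IF, dst=AMFESEXT_IP, proto="tcp", dport=(993, 993)),
]
POSTROUTING: List[Rule] = [
    Rule("SNAT", PROXY_IP, outface=PROXY_IF, src=AMFESLAN_LAN),
    Rule("SNAT", ROUTER_IP, outface=AMFESLAN_IF, src=AMFESLAN_LAN, dst=BASTION_IP, proto="tcp", dport=(143, 143)),
    Rule("SNAT", ROUTER_IP, outface=AMFESLAN_IF, src=AMFESLAN_LAN, dst=BASTION_IP, proto="tcp", dport=(993, 993)),
]


def first_match(chain: List[Rule], p: Packet) -> Tuple[Optional[int], Packet]:
    """Netfilter semantics: the first matching SNAT/DNAT rule ends the chain."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return i, rule.apply(p)
    return None, p


def nat_path(p: Packet) -> Tuple[Optional[int], Optional[int], Packet]:
    """PREROUTING (DNAT) first, then POSTROUTING (SNAT); returns rule indexes hit."""
    d_idx, p = first_match(PREROUTING, p)
    s_idx, p = first_match(POSTROUTING, p)
    return d_idx, s_idx, p


def lan_client_to_internet(dport: int = 80) -> Tuple[Optional[int], str]:
    """A LAN host browsing the Internet should leave as PROXY_IP via SNAT rule 0."""
    _, s_idx, out = nat_path(Packet("192.168.0.10", "198.51.100.7", AMFESLAN_IF, AMFESEXT_IF, dport=dport))
    return s_idx, out.src


def lan_client_to_published_imap(dport: int = 143) -> Tuple[str, str]:
    """Hairpin: LAN host uses the published address; DNAT to the bastion, SNAT to the router."""
    _, _, out = nat_path(Packet("192.168.0.10", AMFESEXT_IP, AMFESLAN_IF, AMFESLAN_IF, dport=dport))
    return out.src, out.dst


if __name__ == "__main__":
    print("LAN -> Internet (snat rule, source):", lan_client_to_internet())
    print("LAN -> published IMAP (source, destination):", lan_client_to_published_imap())
```

In this model the file order already yields `PROXY_IP` for outbound LAN traffic, so the address mismatch reported in the thread is not explained by the order of the quoted lines alone; on the live firewall, the packet counters from `iptables -t nat -vnL POSTROUTING --line-numbers` show which SNAT rule (if any) the outbound connections actually hit, which is the quickest way to tell a rule-order problem from a rule that never matches.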
