[Firehol-support] SNAT behaviour

Daniel L. Miller dmiller at amfes.com
Tue Jul 26 00:36:44 BST 2005


Well, I think I found my apparent external IP problem.  I also use 
squid, and apparently squid was reporting the IP address of my 
interface.  Adding the 'tcp_outgoing_address' to my squid.conf took care 
of that - so now my SNAT has been adjusted to only divulge my 'proxy' 
address.

I'm still fighting to get my internal DNAT re-direct working.  I've 
started looking at the actual iptables rules using the webmin firewall 
tool, and I found something interesting.  In the NAT table, I'm finding 
a SNAT entry for port 1433 - yet I don't have anything referencing 1433 
in my firehol.conf file.  Where is this coming from?

Daniel L. Miller wrote:

> Thanx for the reply.
>
> It's still not working for me - I'm wondering if it's the order of the 
> SNAT/DNAT lines in my file.  Could one of those first NAT lines be 
> conflicting with the re-directs?
>
> On another note, should I be using the external interface for this, or 
> should I possibly use NAT to re-write to the loopback address?
>
> Brian Snipes wrote:
>
>> I am passing traffic back to an internal server successfully with this 
>> type of config:
>>  
>> ...
>> nat to-destination ${int_groupwise_ip} inface ${ext_groupwise_if} proto tcp dport 80 dst ${ext_groupwise_ip}
>> nat to-source ${ext_groupwise_ip} outface ${ext_groupwise_if} proto tcp sport 80 src ${int_groupwise_ip}
>> ...
>> interface ${ext_groupwise_if} ext_groupwise dst ${ext_groupwise_ip}
>>         policy reject
>>         protection      strong
>>         server icmp     accept
>>         server ident    reject with tcp-reset
>>  
>> router i2groupwise inface ${ext_groupwise_if} outface ${int_if}
>>         route gwim      accept
>>         route gwclient  accept
>>         route http      accept
>>         route https     accept
>>         client all      accept
>>  
>> Brian
>>  
>>
>> >>>"Daniel L. Miller" <dmiller at amfes.com> 07/19/05 5:40 pm >>>
>> Sure enough - using device aliases results in error messages.  That's
>> not the answer.
>>
>> Daniel L. Miller wrote:
>>
>> >I'm not finding that example.  In my case, I already defined eth1 -
>> >eth1:6 for various addresses.
>> >
>> >For some reason, I didn't think firehol would work with device aliases
>> >- that I had to use the base device name.  I'm trying the aliases now
>> >to see what changes.
>> >
>> >Rick Marshall wrote:
>> >
>> >>this is an excellent howto on this - i think in the firehol examples.
>> >>it centres around creating secondary interfaces eth1:0 etc in your
>> >>case. i followed it for a setup and it worked very well.
>> >>
>> >>rick
>> >>
>> >>Daniel L. Miller wrote:
>> >>
>> >>>I'm puzzled by the behaviour I'm experiencing with SNAT.  I have a
>> >>>group of static external IP's, that I'm trying to utilize for
>> >>>different purposes.  I'd like to keep the IP(s) I use for external
>> >>>access from my LAN separate from the IP's I use for outside access
>> >>>to my internal services.  So . . .
>> >>>
>> >>>version 5
>> >>>FIREHOL_LOG_MODE="ULOG"
>> >>>
>> >>>AMFESLAN_IF="eth0"
>> >>>AMFESLAN_LAN="192.168.0.0/24"
>> >>>AMFESLAN_IP="192.168.0.1"
>> >>>AMFESLAN_BCAST="192.168.0.255"
>> >>>
>> >>>AMFESEXT_IF="eth1"
>> >>>AMFESEXT_LAN="67.106.235.97/27"
>> >>>AMFESEXT_IP="67.106.235.126"
>> >>>AMFESEXT_BCAST="67.106.235.127"
>> >>>
>> >>>PROXY_IF="eth1"
>> >>>PROXY_LAN="67.106.235.124/27"
>> >>>PROXY_IP="67.106.235.124"
>> >>>PROXY_BCAST="67.106.235.127"
>> >>>
>> >>>BASTION_IP="192.168.0.2"
>> >>>ROUTER_IP="192.168.0.1"
>> >>>
>> >>># provide Internet access for lan
>> >>>snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
>> >>>
>> >>># provide web services
>> >>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "forwarding imaps"
>> >>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"
>> >>>
>> >>># bittorrent re-direct to one workstation
>> >>>dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto tcp dport 6881:6889 log "forwarding bittorrent"
>> >>>dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 6881:6889 log "forwarding bittorrent"
>> >>>
>> >>># redirect for external addresses from internal network - this allows laptops to use the published imap address in and outside the lan
>> >>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 143 log "src internal"
>> >>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" proto tcp dport 143 log "dst internal re-dir"
>> >>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src "${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 993 log "src internal"
>> >>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}" proto tcp dport 993 log "dst internal re-dir"
>> >>>
>> >>>server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884
>> >>>tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889"
>> >>>client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887
>> >>>6888 6889"
>> >>>
>> >>>interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
>> >>>       policy accept
>> >>>
>> >>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}
>> >>>${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>> >>>       protection strong 100/sec 50
>> >>>#       server ident reject with tcp-reset
>> >>>       server smtp accept
>> >>>       server smtps accept
>> >>>       server submission accept
>> >>>       server dcc accept log "DCC server"
>> >>>       server ssh accept log "ssh"
>> >>>       server ntp accept
>> >>>       server ping accept
>> >>>       client all accept
>> >>>
>> >>>interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS}
>> >>>${AMFESLAN_LAN}" dst "${PROXY_IP}"
>> >>>       protection strong 100/sec 50
>> >>>       client all accept
>> >>>
>> >>>router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}" src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>> >>>       route all accept
>> >>>
>> >>>router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>> >>>       route all accept
>> >>>
>> >>>router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"
>> >>>       route bittorrent accept
>> >>>
>> >>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>> >>>       protection strong 100/sec 50
>> >>>#       route ident reject with tcp-reset
>> >>>       route http accept
>> >>>       route imaps accept
>> >>>       route bittorrent accept
>> >>>       route fpadmin accept
>> >>>       route webmin accept
>> >>>       route firebird accept
>> >>>
>> >>>The problem I'm having is that any client that connects to the
>> >>>Internet, appears to be connecting from my "${AMFESEXT_IP}" address,
>> >>>instead of the "${PROXY_IP}" address.  Since the only SNAT line that
>> >>>references the Internet uses the proxy address - I'm a little puzzled.
>
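The two questions in this thread (which public address LAN traffic really leaves with, and where an unconfigured NAT entry came from) are both answered by reading the kernel's NAT table in order rather than the firehol.conf that was meant to produce it. The script below is an added example, not code from the thread or from FireHOL: it parses a constructed `iptables-save -t nat` style dump (RFC 5737 addresses and the port 1433 line are illustrative, standing in for the rule the poster found), lists each interface's SNAT rewrites in match order, reports NAT rules on ports the admin did not expect, and resolves which source address a given outbound connection gets under first-match semantics. The function names and the sample table are this example's own.

```python
"""Audit a dumped iptables NAT table for SNAT/DNAT surprises.

Added example, not part of the mailing-list thread or of FireHOL.
SAMPLE_NAT_TABLE is a constructed dump in `iptables-save` form; in real
use feed it the output of `iptables-save -t nat`.
"""
import re
from collections import defaultdict

# Constructed sample. The order matters: iptables evaluates rules top to
# bottom within a chain and the first matching SNAT/DNAT wins.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -d 203.0.113.126/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -i eth1 -d 203.0.113.126/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -i eth0 -d 203.0.113.126/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -o eth0 -s 192.168.0.0/24 -d 192.168.0.2/32 -p tcp -m tcp --dport 143 -j SNAT --to-source 192.168.0.1
-A POSTROUTING -o eth1 -s 192.168.0.0/24 -p tcp -m tcp --dport 1433 -j SNAT --to-source 203.0.113.126
-A POSTROUTING -o eth1 -s 192.168.0.0/24 -j SNAT --to-source 203.0.113.124
COMMIT
"""

NAT_TARGETS = {"SNAT", "DNAT", "MASQUERADE", "REDIRECT"}
RULE_RE = re.compile(r"^-A (\S+)\s+(.*)$")
# Only the match options this audit needs are decoded.
KEYMAP = {"-j": "target", "--to-source": "to", "--to-destination": "to",
          "--dport": "dport", "-s": "src", "-d": "dst", "-i": "in", "-o": "out"}


def parse_nat_rules(table_text):
    """Return the NAT-target rules as dicts, preserving table order."""
    rules = []
    for line in table_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, rest = m.groups()
        rule = {"chain": chain, "target": None, "to": None, "dport": None,
                "src": None, "dst": None, "in": None, "out": None}
        toks = rest.split()
        for i, tok in enumerate(toks[:-1]):
            if tok in KEYMAP:
                rule[KEYMAP[tok]] = toks[i + 1]
        if rule["target"] in NAT_TARGETS:
            rules.append(rule)
    return rules


def unexpected_nat_ports(rules, expected_ports):
    """NAT rules whose --dport is not among the ports the admin's config
    references. Anything listed here came from somewhere other than the
    rules the admin believes are loaded and deserves a look."""
    return [r for r in rules
            if r["dport"] is not None and r["dport"] not in expected_ports]


def snat_sources_by_iface(rules):
    """POSTROUTING SNAT rewrites per outgoing interface, in match order,
    as (dport or 'any', to-source). Read this when clients show up on the
    Internet with a public address other than the one intended."""
    out = defaultdict(list)
    for r in rules:
        if r["chain"] == "POSTROUTING" and r["target"] == "SNAT":
            out[r["out"]].append((r["dport"] or "any", r["to"]))
    return dict(out)


def first_match_snat(rules, out_iface, dport):
    """Source address a new TCP connection leaving out_iface to dport will
    carry under first-match semantics. Source/destination prefix matching
    is deliberately omitted in this example."""
    for r in rules:
        if r["chain"] != "POSTROUTING" or r["target"] != "SNAT":
            continue
        if r["out"] != out_iface:
            continue
        if r["dport"] is None or r["dport"] == dport:
            return r["to"]
    return None


if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_NAT_TABLE)
    expected = {"80", "143", "993"}  # ports the sample config actually mentions
    for r in unexpected_nat_ports(rules, expected):
        print("unexpected NAT rule:", r["chain"], r["target"],
              "dport", r["dport"], "->", r["to"])
    for iface, entries in snat_sources_by_iface(rules).items():
        print(iface, entries)
    print("eth1 egress for dport 443:", first_match_snat(rules, "eth1", "443"))
    print("eth1 egress for dport 1433:", first_match_snat(rules, "eth1", "1433"))
```

On the constructed table the audit flags only the 1433 SNAT, and shows that general traffic on eth1 leaves as .124 while port 1433 alone leaves as .126 because its more specific rule sits earlier in POSTROUTING; that is the kind of ordering effect the thread suspects, and comparing the live dump against the expected port set is the quickest way to spot rules that a proxy, a helper script or a stale load left behind.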
