[Firehol-support] SNAT behaviour

Daniel L. Miller dmiller at amfes.com
Tue Jul 26 00:57:23 BST 2005


I remember having a typo before with 1433 - but I've corrected it 
since.  I've been making changes and testing via "firehol try".  It 
seems that some of the rules for which definitions no longer exist in my 
config file are not being deleted.

Having said that - I thought I'd take another look.  My rule "problem" 
was webmin - the default setup operates on the iptables save file, 
instead of the live ruleset.  My bad - hope this helps someone else.

I'm still trying to figure out the internal DNAT/SNAT setup though - any 
help would be appreciated.

Daniel L. Miller wrote:

> Well, I think I found my apparent external IP problem.  I also use 
> squid, and apparently squid was reporting the IP address of my 
> interface.  Adding the 'tcp_outgoing_address' to my squid.conf took 
> care of that - so now my SNAT has been adjusted to only divulge my 
> 'proxy' address.
>
> I'm still fighting to get my internal DNAT re-direct working.  I've 
> started looking at the actual iptables rules using the webmin firewall 
> tool, and I found something interesting.  In the NAT table, I'm 
> finding a SNAT entry for port 1433 - yet I don't have anything 
> referencing 1433 in my firehol.conf file.  Where is this coming from?
>
> Daniel L. Miller wrote:
>
>> Thanx for the reply.
>>
>> It's still not working for me - I'm wondering if it's the order of 
>> the SNAT/DNAT lines in my file.  Could one of those first NAT lines be 
>> conflicting with the re-directs?
>>
>> On another note, should I be using the external interface for this, 
>> or should I possibly use NAT to re-write to the loopback address?
>>
>> Brian Snipes wrote:
>>
>>> I am passing traffic back to an internal server successfully with 
>>> this type of config:
>>>  
>>> ...
>>> nat to-destination ${int_groupwise_ip} inface ${ext_groupwise_if} 
>>> proto tcp dport 80 dst ${ext_groupwise_ip}
>>> nat to-source ${ext_groupwise_ip} outface ${ext_groupwise_if} proto 
>>> tcp sport 80 src ${int_groupwise_ip}
>>> ...
>>> interface ${ext_groupwise_if} ext_groupwise dst ${ext_groupwise_ip}
>>>         policy reject
>>>         protection      strong
>>>         server icmp     accept
>>>         server ident    reject with tcp-reset
>>>  
>>> router i2groupwise inface ${ext_groupwise_if} outface ${int_if}
>>>         route gwim      accept
>>>         route gwclient  accept
>>>         route http      accept
>>>         route https     accept
>>>         client all      accept
>>>  
>>> Brian
>>>  
>>>
>>> >>>"Daniel L. Miller" <dmiller at amfes.com> 07/19/05 5:40 pm >>>
>>> Sure enough - using device aliases results in error messages.  That's
>>> not the answer.
>>>
>>> Daniel L. Miller wrote:
>>>
>>> >I'm not finding that example.  In my case, I already defined eth1 -
>>> >eth1:6 for various addresses.
>>> >
>>> >For some reason, I didn't think firehol would work with device aliases
>>> >- that I had to use the base device name.  I'm trying the aliases now
>>> >to see what changes.
>>> >
>>> >Rick Marshall wrote:
>>> >
>>> >>This is an excellent howto on this - I think in the firehol examples.
>>> >>It centres around creating secondary interfaces eth1:0 etc in your
>>> >>case. I followed it for a setup and it worked very well.
>>> >>
>>> >>rick
>>> >>
>>> >>Daniel L. Miller wrote:
>>> >>
>>> >>>I'm puzzled by the behaviour I'm experiencing with SNAT.  I have a
>>> >>>group of static external IPs that I'm trying to utilize for
>>> >>>different purposes.  I'd like to keep the IP(s) I use for external
>>> >>>access from my LAN separate from the IPs I use for outside access
>>> >>>to my internal services.  So . . .
>>> >>>
>>> >>>version 5
>>> >>>FIREHOL_LOG_MODE="ULOG"
>>> >>>
>>> >>>AMFESLAN_IF="eth0"
>>> >>>AMFESLAN_LAN="192.168.0.0/24"
>>> >>>AMFESLAN_IP="192.168.0.1"
>>> >>>AMFESLAN_BCAST="192.168.0.255"
>>> >>>
>>> >>>AMFESEXT_IF="eth1"
>>> >>>AMFESEXT_LAN="67.106.235.97/27"
>>> >>>AMFESEXT_IP="67.106.235.126"
>>> >>>AMFESEXT_BCAST="67.106.235.127"
>>> >>>
>>> >>>PROXY_IF="eth1"
>>> >>>PROXY_LAN="67.106.235.124/27"
>>> >>>PROXY_IP="67.106.235.124"
>>> >>>PROXY_BCAST="67.106.235.127"
>>> >>>
>>> >>>BASTION_IP="192.168.0.2"
>>> >>>ROUTER_IP="192.168.0.1"
>>> >>>
>>> >>># provide Internet access for lan
>>> >>>snat to "${PROXY_IP}" outface "${PROXY_IF}" src "${AMFESLAN_LAN}"
>>> >>>
>>> >>># provide web services
>>> >>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
>>> >>>proto tcp dport 993 log "forwarding imaps"
>>> >>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
>>> >>>proto tcp dport 80 log "forwarding http"
>>> >>>
>>> >>># bittorrent re-direct to one workstation
>>> >>>dnat to "${DANIEL_IP}" inface "${PROXY_IF}" dst "${PROXY_IP}" proto
>>> >>>tcp dport 6881:6889 log "forwarding bittorrent"
>>> >>>dnat to "${DANIEL_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
>>> >>>proto tcp dport 6881:6889 log "forwarding bittorrent"
>>> >>>
>>> >>># redirect for external addresses from internal network - this
>>> >>>allows laptops to use the published imap address in and outside the lan
>>> >>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src
>>> >>>"${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 143 log "src internal"
>>> >>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}"
>>> >>>proto tcp dport 143 log "dst internal re-dir"
>>> >>>snat to "${ROUTER_IP}" outface "${AMFESLAN_IF}" src
>>> >>>"${AMFESLAN_LAN}" dst "${BASTION_IP}" proto tcp dport 993 log "src internal"
>>> >>>dnat to "${BASTION_IP}" inface "${AMFESLAN_IF}" dst "${AMFESEXT_IP}"
>>> >>>proto tcp dport 993 log "dst internal re-dir"
>>> >>>
>>> >>>server_bittorrent_ports="tcp/6881 tcp/6882 tcp/6883 tcp/6884
>>> >>>tcp/6885 tcp/6886 tcp/6887 tcp/6888 tcp/6889"
>>> >>>client_bittorrent_ports="default 6881 6882 6883 6884 6885 6886 6887
>>> >>>6888 6889"
>>> >>>
>>> >>>interface "${AMFESLAN_IF}" lan src "${AMFESLAN_LAN}"
>>> >>>       policy accept
>>> >>>
>>> >>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}
>>> >>>${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>>> >>>       protection strong 100/sec 50
>>> >>>#       server ident reject with tcp-reset
>>> >>>       server smtp accept
>>> >>>       server smtps accept
>>> >>>       server submission accept
>>> >>>       server dcc accept log "DCC server"
>>> >>>       server ssh accept log "ssh"
>>> >>>       server ntp accept
>>> >>>       server ping accept
>>> >>>       client all accept
>>> >>>
>>> >>>interface "${PROXY_IF}" proxy src not "${UNROUTABLE_IPS}
>>> >>>${AMFESLAN_LAN}" dst "${PROXY_IP}"
>>> >>>       protection strong 100/sec 50
>>> >>>       client all accept
>>> >>>
>>> >>>router lan2amfesext inface "${AMFESLAN_IF}" outface "${AMFESEXT_IF}"
>>> >>>src "${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>>> >>>       route all accept
>>> >>>
>>> >>>router lan2proxy inface "${AMFESLAN_IF}" outface "${PROXY_IF}" src
>>> >>>"${AMFESLAN_LAN}" dst not "${UNROUTABLE_IPS}"
>>> >>>       route all accept
>>> >>>
>>> >>>router proxy2lan inface "${PROXY_IF}" outface "${AMFESLAN_IF}"
>>> >>>       route bittorrent accept
>>> >>>
>>> >>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>>> >>>       protection strong 100/sec 50
>>> >>>#       route ident reject with tcp-reset
>>> >>>       route http accept
>>> >>>       route imaps accept
>>> >>>       route bittorrent accept
>>> >>>       route fpadmin accept
>>> >>>       route webmin accept
>>> >>>       route firebird accept
>>> >>>
>>> >>>The problem I'm having is that any client that connects to the
>>> >>>Internet, appears to be connecting from my "${AMFESEXT_IP}" address,
>>> >>>instead of the "${PROXY_IP}" address.  Since the only SNAT line that
>>> >>>references the Internet uses the proxy address - I'm a little
>>> >>>puzzled.
>>
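As an added walk-through (not firehol's code and not from anyone in this thread), the Python model below applies the posted snat/dnat rules to the two questions raised: what source address the Internet sees for LAN-originated versus router-originated (e.g. squid) connections, and whether the published-IMAP hairpin works with and without the snat to ROUTER_IP. CLIENT_IP and INTERNET_IP are constructed values; the packet walk (PREROUTING dnat, then POSTROUTING snat, reply accepted only from the dialed address) is a simplification of netfilter, not firehol's own logic.

```python
"""Simplified netfilter NAT walk-through for the firehol.conf quoted above.

Constructed model (not firehol's code): PREROUTING applies the dnat rules,
POSTROUTING applies the snat rules, and a TCP client accepts a reply only
if it comes from the address it dialed.
"""
from dataclasses import dataclass, replace

LAN_IF = "eth0"                      # AMFESLAN_IF from the posted config
ROUTER_IP, BASTION_IP = "192.168.0.1", "192.168.0.2"
AMFESEXT_IP, PROXY_IP = "67.106.235.126", "67.106.235.124"
CLIENT_IP = "192.168.0.50"           # assumed LAN laptop, not in the posted config
INTERNET_IP = "198.51.100.10"        # constructed (TEST-NET-2) remote web server

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    inface: str

def in_lan(ip):
    return ip.startswith("192.168.0.")   # AMFESLAN_LAN = 192.168.0.0/24

def prerouting(p):
    """dnat to BASTION_IP inface eth0 dst AMFESEXT_IP proto tcp dport 143"""
    if p.inface == LAN_IF and p.dst == AMFESEXT_IP and p.dport == 143:
        return replace(p, dst=BASTION_IP)
    return p

def postrouting(p, hairpin_snat=True):
    """snat to PROXY_IP outface eth1 src LAN, then the hairpin snat to ROUTER_IP"""
    if in_lan(p.src) and not in_lan(p.dst):          # leaving via eth1 from the LAN
        return replace(p, src=PROXY_IP)
    if hairpin_snat and in_lan(p.src) and p.dst == BASTION_IP and p.dport == 143:
        return replace(p, src=ROUTER_IP)
    return p                                          # router-originated: no rule matches

def egress_source(src):
    """Source address the Internet sees for a connection leaving via eth1."""
    return postrouting(Pkt(src, INTERNET_IP, 80, "local")).src

def hairpin_trace(hairpin_snat):
    """Return (source the client sees on the reply, whether it accepts it)."""
    orig = Pkt(CLIENT_IP, AMFESEXT_IP, 143, LAN_IF)
    fwd = postrouting(prerouting(orig), hairpin_snat)
    # The bastion answers whoever it saw as the source.  Only if that is the
    # router does the reply pass conntrack, which reverses the dnat so the
    # client sees AMFESEXT_IP; otherwise the reply crosses the LAN directly.
    reply_src_seen = AMFESEXT_IP if fwd.src == ROUTER_IP else BASTION_IP
    return reply_src_seen, reply_src_seen == orig.dst
```

A connection squid opens itself has the router's own address as source, so the `src AMFESLAN_LAN` snat never matches it, which is why the firewall alone cannot rewrite it to PROXY_IP.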
