[Firehol-support] Reaching public ip of firewall/gateway from lan

Mirko Buffoni firehol at synthesys.it
Tue Nov 6 17:37:46 GMT 2007


Hi all,

I have setup a linux box doing firewall/gateway plus giving some service.
I have 2 NICs, eth0 is used for public networks, eth1 is used for private lan.

I can route internal PCs through the linux box to internet.
I can reach linux box services from internet.
The 2 networks are physically separated.
I can reach linux box services from lan through firewall LAN IP.
I cannot reach linux box services from lan through firewall WAN IP.


Relevant part of config

LAN_IF="eth1"
LAN_IP="192.168.0.7"
LAN_NET="192.168.0.0/16"
LAN_SERVICES="all"

WAN_IF="eth0"
WAN_IP="62.94.x.x"
WAN_NET="62.94.x.x/28"
WAN_SERVICES="http icmp"

snat to "${WAN_IP}" outface "${WAN_IF}" src "${LAN_NET}" dst not "${UNROUTABLE_IPS}"

interface "${LAN_IF}" lan src "${LAN_NET}" dst "${LAN_NET}"
	policy reject
	server "${LAN_SERVICES}" accept
	client all accept

interface "${WAN_IF}" wan src not "${UNROUTABLE_IPS}"
	policy drop
	protection strong
	server "${WAN_SERVICES}" accept
	server ident    reject with tcp-reset
	client all      accept

router wan2lan inface "${WAN_IF}" outface "${LAN_IF}" src not "${UNROUTABLE_IPS}"
	server ident reject with tcp-reset
	client all accept


From the logs I can see it cannot find WAN_NET in input chain. So I added

interface "${LAN_IF}" lanwan src "${LAN_NET}" dst "${WAN_NET}"
	server "${LAN_SERVICES}" accept
	client all accept

If I PING for example WAN_IP, the packet passes the input chain, but the icmp-reply
comes back from eth0, which doesn't match the reverse part of the previous
interface definition.

How can I ping or reach WAN services from the LAN network with this 
configuration?

Thanks for your help

Mirko
