[Firehol-support] Reaching public ip of firewall/gateway from lan
Mirko Buffoni
firehol at synthesys.it
Tue Nov 6 17:37:46 GMT 2007
Hi all,
I have setup a linux box doing firewall/gateway plus giving some service.
I have 2 NICs, eth0 is used for public networks, eth1 is used for private lan.
I can route internal PCs through the linux box to internet.
I can reach linux box services from internet.
The 2 networks are physically separated.
I can reach linux box services from lan through firewall LAN IP.
I cannot reach linux box services from lan through firewall WAN IP.
Relevant part of config
LAN_IF="eth1"
LAN_IP="192.168.0.7"
LAN_NET="192.168.0.0/16"
LAN_SERVICES="all"
WAN_IF="eth0"
WAN_IP="62.94.x.x"
WAN_NET="62.94.x.x/28"
WAN_SERVICES="http icmp"
snat to "${WAN_IP}" outface "${WAN_IF}" src "${LAN_NET}" dst not "${UNROUTABLE_IPS}"
interface "${LAN_IF}" lan src "${LAN_NET}" dst "${LAN_NET}"
policy reject
server "${LAN_SERVICES}" accept
client all accept
interface "${WAN_IF}" wan src not "${UNROUTABLE_IPS}"
policy drop
protection strong
server "${WAN_SERVICES}" accept
server ident reject with tcp-reset
client all accept
router wan2lan inface "${WAN_IF}" outface "${LAN_IF}" src not "${UNROUTABLE_IPS}"
server ident reject with tcp-reset
client all accept
From the logs I can see it cannot find WAN_NET in input chain. So I added
interface "${LAN_IF}" lanwan src "${LAN_NET}" dst "${WAN_NET}"
server "${LAN_SERVICES}" accept
client all accept
If I PING for example WAN_IP, the packet passes the input chain, but the icmp-reply
comes back from eth0, which doesn't match the reverse part of the previous
interface definition.
How can I ping or reach WAN services from the LAN network with this
configuration?
Thanks for your help
Mirko
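One way to express the LAN-side rules so that both of the firewall's own addresses are covered by a single interface definition, as an added example that is not part of the original post. It reuses the poster's variable names and assumes, as the routing table dictates, that replies to LAN hosts leave via eth1 so that FireHOL's reverse rules for this same definition match them; 62.94.x.x is kept as quoted in the post and is not a usable address.

```firehol
# Added example, not the original poster's configuration.
# LAN_IF, LAN_IP, LAN_NET, LAN_SERVICES and WAN_IP are the poster's variables;
# 62.94.x.x is the masked value from the post and must be replaced with the
# real public address before this is loaded.
LAN_IF="eth1"
LAN_IP="192.168.0.7"
LAN_NET="192.168.0.0/16"
LAN_SERVICES="all"
WAN_IP="62.94.x.x"

# One definition for everything arriving on the LAN NIC from the LAN.
# dst lists both addresses the box answers on, so a LAN host talking to WAN_IP
# matches here on the way in, and the reply (src WAN_IP, outface eth1, dst in
# LAN_NET) matches the reverse rules FireHOL derives from this same definition.
# Listing the two host addresses, rather than dropping dst altogether, keeps LAN
# hosts from reaching any other address the box may hold (least privilege).
interface "${LAN_IF}" lan src "${LAN_NET}" dst "${LAN_IP} ${WAN_IP}"
    policy reject
    server "${LAN_SERVICES}" accept
    client all accept
```

Running `firehol debug` prints the iptables rules FireHOL would generate without applying them, which makes it possible to confirm that the reverse (output) rules for this interface carry the expected source addresses and outface before touching the live firewall.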