[Firehol-support] firehol and snat

Costa Tsaousis costa at tsaousis.gr
Wed Oct 3 21:09:03 CEST 2007


rich at thevillas.eclipse.co.uk wrote:
> I think I should be able to simply rewrite the source address in (b) 
> to the internal
> address of my firewall so that all replies from the webserver come
> back via the firewall and can be correctly de-mangled. In other words
> all communication between LAN clients and my webserver will be
> dog-legged via the firewall.
>
That's right.
> BUT, this doesn't work with my current firehol config.
> Please please could someone point out where my config is wrong?
> I have spent hours and hours on this but can't figure it out
>
I don't see an snat for this purpose in your config.

You need:

snat to "${HOME_MYIP}"                 \
        outface "${HOME_MYIF}"            \
        src "${HOME_LAN}" dst "192.168.0.11"

which means: for all packets coming from HOME_LAN and going to 
192.168.0.11 via my HOME_MYIF, change their source to HOME_MYIP.

Remember that snat is applied when a packet goes out, and dnat when it 
comes in.
This means that dnat rules are always applied before the snat ones for 
any given packet.

Costa

PS: Once you solve the problem, please update the forum thread you 
started, so that others will find the answer too. Thanks!
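A small model of the round trip described above, added here as an illustration; it is not part of this thread and not FireHOL's own code. Only 192.168.0.11 comes from the thread: the firewall's LAN address (HOME_MYIP), its public address, the HOME_LAN range and the client address are constructed placeholders. It shows why the reply only gets back through the firewall with the snat in place, and why that snat can only match because dnat has already rewritten the destination.

```python
from dataclasses import dataclass, replace

# Constructed addresses; only 192.168.0.11 is taken from the thread.
HOME_MYIP = "192.168.0.1"    # firewall's LAN-side address (assumed)
PUBLIC_IP = "203.0.113.5"    # firewall's public address (assumed)
WEBSERVER = "192.168.0.11"   # the internal web server from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_home_lan(ip: str) -> bool:
    """Stand-in for the HOME_LAN match (assumed to be 192.168.0.0/24)."""
    return ip.startswith("192.168.0.")


def firewall_forward(pkt: Packet, hairpin_snat: bool) -> Packet:
    """NAT the firewall applies to a LAN client's request.
    dnat runs on the way in (PREROUTING) and snat on the way out
    (POSTROUTING), so for any one packet dnat is always applied first."""
    # dnat: connections to the public address are sent to the web server
    if pkt.dst == PUBLIC_IP:
        pkt = replace(pkt, dst=WEBSERVER)
    # the snat from the reply: it only matches because dnat already
    # changed dst to 192.168.0.11
    if hairpin_snat and in_home_lan(pkt.src) and pkt.dst == WEBSERVER:
        pkt = replace(pkt, src=HOME_MYIP)
    return pkt


def reply_as_seen_by_client(client: str, hairpin_snat: bool) -> Packet:
    """Follow one request/reply round trip and return the reply packet
    that finally arrives at the client."""
    seen = firewall_forward(Packet(client, PUBLIC_IP), hairpin_snat)
    reply = Packet(src=seen.dst, dst=seen.src)   # server answers who it saw
    if reply.dst == HOME_MYIP:
        # Addressed to the firewall, so conntrack undoes both translations
        # and the client sees an answer from PUBLIC_IP.
        return Packet(src=PUBLIC_IP, dst=client)
    # Otherwise the server answers the client directly on the LAN; the
    # firewall never sees the reply and cannot de-mangle it.
    return reply


def client_accepts(client: str, hairpin_snat: bool) -> bool:
    """The client only matches a reply from the address it connected to."""
    return reply_as_seen_by_client(client, hairpin_snat).src == PUBLIC_IP
```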
