[Firehol-support] firehol and snat
Rick Marshall
rjm at zenucom.com
Sat Oct 6 01:28:29 CEST 2007
Hi Rich
I put considerable work into the snat option before realising that it
was going to be too difficult. iptables seems t get confused when you
are trying to do too much with the same subnet. I don't know why, but it
just didn't work.
More importantly, we host a number of sites on different back end
servers and then have to provide site statistics to all of them.
This is where the reverse proxy really came into its own. (Using apache
of course ;) - IIS can't do it :( ) The proxy knows the URL that has
been requested and so the a combination of named virtual hosts and
reverse proxy can redirect almost anything reliably to the internal
servers. Including internal traffic. However this does mean that all
internal traffic also goes through the firewall - on sites with high
internal volumes you really don't want this - hence servers with dual
interfaces. The internal servers think the traffic comes from the
firewall so you need to set up site statistics against logs on the
firewall, not the actual servers.
Google etc for apache reverse proxy - plenty of online help and discussion.
Here is a snippet from one of our apache setups:
<VirtualHost *:80>
ServerName www.rmkshoes.com.au
ServerAlias rmkshoes.com.au www.rmkshoes.com rmkshoes.com
ServerAdmin root at cadetshoes.com.au
ErrorLog logs/rmkshoes.com.au-error_log
CustomLog logs/rmkshoes.com.au-access_log combined
ProxyPreserveHost On
<Location / >
ProxyPass http://192.168.1.153/
ProxyPassReverse http://192.168.1.153/
</Location>
</VirtualHost>
Also please note that this does not solve the problem for mail servers
on the same internal subnet.
Option b) as I said is to overload the ip address on an interface card.
To do this set the ip address on the web/mail server to a different
subnet eg 192.168.1.0/24. Then in firehol on the firewall add the ip
commands to add addresses to an interface (in addition to the default
address present when the firewall starts):
eg
ip addr add 192.168.1.1 dev eth0
ip route add 192.168.1.0/24 dev eth0
You can have 2 interface definitions for the same interface ! and then
redirect traffic accordingly. This is an effective strategy. Here is the
firehol.conf from one of my smaller sites:
In this case I have made sure that the intranet comes up correctly and
then overlay the internet onto the (single) ethernet adapter. Physically
there is a satellite link connected to my switch along with the
server/firewall and a wireless switch.
We're now using this in small shop setups too so that we can use
standard IBM POS units with multiple subregisters.
Anyway I hope this helps you and others.
Regards
Rick
#
# $Id: office.conf,v 1.4 2002/12/31 15:44:34 ktsaou Exp $
#
# CASE:
# Firewall for a host with only one Ethernet interface connected to
# a LAN where the traffic coming in is:
#
# source 10.0.0.0/16 intranet traffic
# any other source internet traffic
#
# The host can reach the internet via a gateway that SNATs the fake
# address this host has to its Ethernet interface to a real one.
# We assume that this NAT is bi-directional, meaning that the
# gateway will DNAT requests sent from the internet to the real IP
# of our host in order to enter the intranet and reach our server.
#
# If this NAT is not bi-directional (only SNAT but no DNAT), then
# the 'internet' and 'trusted' services bellow will simply not
# work (FireHOL will not complain).
#
# SOLUTION:
# The following FireHOL configuration script assumes there are a few
# network zones with different roles:
#
# intranet our company's intranet
# department our department within the intranet
# personal our PCs within the company
# internet the whole internet
# trusted computers on the internet we need to provide
# services to
#
# For each of the above, there are two definitions:
# 1. The IP addresses or address space
# 2. The services they can access on this host.
#
# If you want to disable something, simply comment out or empty the
# variables defined for this.
#
# Other notes:
# - idents are rejected
# - our host is also a workstation that can run any client
# - our host does not route any traffic
version 5
# ----------------------------------------------------------------------
# Definitions
# ----------------------------------------------------------------------
# The network the company's intranet is using
ip addr add 61.88.230.142 dev eth0
ip route add 61.88.230.140/30 dev eth0
ip route add default via 61.88.230.141
intranet="192.168.12.0/24"
intranet_servers="icmp http smtp dns dhcp cups ssh samba"
# The rest of the traffic is internet.
# Define here the servers for the internet traffic, if any
internet="61.88.230.142"
internet_if="eth0"
internet_servers="icmp smtp ssh dns"
# How many requests per second should we allow?
intranet_requests="50/sec"
internet_requests="10/sec"
# New servers
server_drop_ports="tcp/135 udp/1025:65535 tcp/1025:65535"
client_drop_ports="default"
# NAT
snat to "${internet}" outface "${internet_if}" src "${intranet}" dst not
"${UNROUTABLE_IPS}"
# TCPMSS
tcpmss 256
# TRANSPARENT PROXY
#proxy_port=""
# Setup a transparent proxy on this host.
#if [ ! -z "${proxy_port}" ]
#then
# iptables -t nat -A PREROUTING -s ${intranet} -p tcp --dport 80
-j REDIRECT --to-port ${proxy_port}
#fi
# ----------------------------------------------------------------------
# Normally, you don't have to do anything bellow this point.
# ----------------------------------------------------------------------
# The intranet
interface eth0 intranet src "${intranet}"
policy reject # be friendly to the intranet to prevent timeouts
protection strong ${intranet_requests}
# Servers for the company's intranet
if [ ! -z "${intranet_servers}" ]
then
server "${intranet_servers}" accept
fi
# Prevent ident from timing out
server ident reject with tcp-reset
# This is an Intranet workstation
client all accept # To have good accounting, this should
be last.
# The internet
interface eth0 internet src not "${intranet} ${UNROUTABLE_IPS}"
policy drop # this is also the default
protection strong ${internet_requests}
# Public internet servers
if [ ! -z "${internet_servers}" ]
then
server "${internet_servers}" accept
fi
# Servers for our trusted PCs
if [ ! -z "${trusted}" -a ! -z "${trusted_servers}" ]
then
server "${trusted_servers}" accept src "${trusted}"
fi
# Prevent ident from timing out
server ident reject with tcp-reset
# Get rid of other crap
server "drop" drop
server "samba" drop
# This is an Internet workstation too
client all accept # To have good accounting, this should
be last.
#
----------------------------------------------------------------------------
# PROTECT ROUTING
#
----------------------------------------------------------------------------
# Protect the LAN...
# Route traffic for the clients on the LAN
router internet2lan inface "${internet_if}" outface "eth0" src not
"${UNROUTABLE_IPS}" dst "${intranet}"
# route all client traffic
client all accept
router lan2internet inface "eth0" outface "${internet_if}"
route all accept
rich at thevillas.eclipse.co.uk wrote:
>
>
>
> Thanks Rick, great help. I think the reverse proxy sounds like a great
> idea and looks simple to implement. I need the webserver to be on the
> same subnet as the lan.
>
> Did you attempt the snat option or did you just go straight for one of
> the 3 below? I'm puzzled as to why it won't work for me.
>
> cheers
>
> Rich
>
> *On Wed Oct 3 21:10 , Rick Marshall sent:
>
> *
>
> Hi Rich
>
> Minor note - your LAN is 192.168.0.0/24 - but this doesn't affect the
> rest of your problem.
>
> I have this scenario working well, but I have done it using one of
> three
> tricks.
>
> 1. Extra address. Put the web server on a different subnet - say
> 192.168.1.... You can overload the IP addresses on the firewall to
> access the web server through the same interface card.
>
> 2. Run a copy of apache on the firewall and use ReverseProxy to
> access
> the internal web server. If you do this you need to run your web site
> stats program on the firewall.
>
> 3. More complex setup for a busy office puts the web server in a DMZ
> with 2 interface cards, run a second name server to give internal
> addresses to internal machines which are on the internal lan and
> run a
> third interface card on the firewall to keep the traffic separated.
>
> Regards
> Rick
>
> rich at thevillas.eclipse.co.uk
> <javascript:top.opencompose('rich at thevillas.eclipse.co.uk','','','')>
> wrote:
> >
> > Hi,
> > I have a LAN that accesses the internet through a single firewall
> > machine which has 2 network cards.
> > I use SNAT to give all of my LAN machines the static external IP of
> > this firewall machine when they venture out.
> > For internet traffic coming in to the firewall i use DNAT to
> forward
> > it to my webserver on the LAN.
> >
> > So, assuming that:
> >
> > 1) my LAN has private addresses:
> > 192.168.0.0/16
> > 2) my firewall has the external internet-visible address:
> > x.x.x.x
> > 3) my firewall has the internal LAN-visible address:
> > 192.168.0.18
> > 4) my webserver has my LAN private address:
> > 192.168.0.11
> >
> > I have an iptables DNAT (destination nat) rule to redirect
> traffic thus:
> > tcp x.x.x.x:80 -> 192.168.0.11:80
> >
> > However whilst this is lovely for external clients, it doesn't
> work for
> > my LAN because:
> > a) LAN client 192.168.0.Y contacts x.x.x.x via the default
> > route (the firewall).
> > b) firewall DNATs the connection to LAN webserver destination
> > 192.168.1.110 but leaves the source address unchanged as 192.168.0.Y
> > c) LAN webserver 192.168.0.11 replies direct to LAN client
> > 192.168.0.Y because it is on the same network, but LAN client wasn't
> > talking to 192.168.0.11 when it started the connection and therefore
> > ignores these packets.
> >
> > I think I should be able to simply rewrite the source address in
> (b)
> > to the internal
> > address of my firewall so that all replies from the webserver come
> > back via the firewall and can be correctly de-mangled. In other
> words
> > all communiction between LAN clients and my webserver will be
> > dog-legged via the firewall.
> >
> > BUT, this doesn't work with my current firehol config.
> > Please please could someone point out where my config is wrong?
> > I have spent hours and hours one this but can't figure it out
> >
> > Thanks in advance
> > #####################CONFIG BELOW######################
> >
> >
> > # The definition of our HOME LAN.
> > HOME_MYIP="192.168.0.18" # The IP on our HOME LAN
> > HOME_MYIF="eth1" # The HOME LAN interface
> > HOME_BCAST="192.168.1.255" # The HOME LAN broadcast
> > HOME_LAN="192.168.1.0/255.255.255.0" # The HOME LAN
> > HOME_SERVICES="all"
> >
> > HOME_DHCP=0 # Set to 0 to disable
> >
> >
> > # --- PUBLIC ---
> >
> > # The definition of our PUBLIC interface.
> > PUBLIC_MYIP="x.x.x.x" # Leave empty for dynamic IP
> > PUBLIC_MYIF="eth0" # The public interface
> > PUBLIC_SERVICES="ssh http https"
> >
> > # Is the PPP interface a DIAL-ON-DEMAND?
> > DIAL_ON_DEMAND=0 # Set to 0 to disable
> >
> >
> > # --- TRUSTED ---
> >
> > # Hosts in the internet I trust for accessing private services
> > # Empty these to disable.
> > TRUSTED_IPS=""
> > TRUSTED_SERVICES=""
> >
> >
> >
> > # --- BLACKLIST ---
> >
> > # A space-separated list of IPs to be blocked.
> > blacklist=""
> >
> >
> > #
> >
> ----------------------------------------------------------------------------
> > # HELPERS
> > #
> >
> ----------------------------------------------------------------------------
> >
> > # Block all traffic from/to certain IPs
> > if [ ! -z "${blacklist}" ]
> > then
> > blacklist full "${blacklist}"
> > fi
> >
> >
> >
> > #
> >
> ----------------------------------------------------------------------------
> > # NETWORK ADDRESS TRANSLATION
> > #
> >
> ----------------------------------------------------------------------------
> > # Change the source/destination of packets...
> >
> > # Should we do SNAT or MASQUERADE?
> > # If there is a PUBLIC_MYIP defined, we should do SNAT,
> otherwise MASQ.
> > #
> > if [ ! -z "${PUBLIC_MYIP}" ]
> > then
> >
> > snat to "${PUBLIC_MYIP}" \
> > outface "${PUBLIC_MYIF}" \
> > src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
> >
> > snat to "${HOME_MYIP}" \
> > outface "${HOME_MYIF}" \
> > src "${HOME_LAN}" dst "${PUBLIC_MYIP}"
> >
> > else
> > masquerade "${PUBLIC_MYIF}"
> > fi
> >
> >
> > # To have some public service hit an internal machine, do this:
> >
> > dnat to 192.168.0.11:80 \
> > inface "${PUBLIC_MYIF}" \
> > src not "${HOME_LAN} ${UNROUTABLE_IPS}" \
> > proto tcp dport 80
> >
> >
> >
> > #
> >
> ----------------------------------------------------------------------------
> > # PROTECT SELF
> > #
> >
> ----------------------------------------------------------------------------
> > # Protect the firewall host...
> >
> > # --- HOME ---
> >
> > # Protect us from the HOME LAN
> > interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP}
> > ${HOME_BCAST}"
> > policy reject
> >
> > server "${HOME_SERVICES}" accept
> >
> > client all accept
> >
> >
> > # DHCP needs 0.0.0.0/255.255.255.255 access.
> > if [ ${HOME_DHCP} -eq 1 ]
> > then
> > interface "${HOME_MYIF}" dhcp
> > server dhcp accept
> > fi
> >
> >
> > # --- PUBLIC ---
> >
> > # Protect us from the PUBLIC
> > interface "${PUBLIC_MYIF}" internet \
> > src not "${UNROUTABLE_IPS}" \
> > `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`
> >
> > protection strong
> > policy drop
> >
> > # Are there any trusted PCs/services?
> > if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
> > then
> > server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
> > fi
> >
> > server "${PUBLIC_SERVICES}" accept
> >
> > client all accept
> >
> > # DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.
> > if [ ${DIAL_ON_DEMAND} -eq 1 ]
> > then
> > interface "${PUBLIC_MYIF}" dialup
> > client all accept
> > fi
> >
> >
> > #
> >
> ----------------------------------------------------------------------------
> > # PROTECT ROUTING
> > #
> >
> ----------------------------------------------------------------------------
> > # Protect the LAN...
> >
> > # Route traffic for the clients on the LAN
> > router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \
> > src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"
> >
> > # route all client traffic
> > client all accept
> >
> > # For the dnat example above, this is needed:
> > server http accept dst 192.168.0.11
> >
> >
> >
> ------------------------------------------------------------------------
> >
> >
> -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Splunk Inc.
> > Still grepping through log files to find problems? Stop.
> > Now Search log events and configuration files using AJAX and a
> browser.
> > Download your FREE copy of Splunk now >> http://get.splunk.com/
> <parse.pl?redirect=http%3A%2F%2Fget.splunk.com%2F>
> >
> ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Firehol-support mailing list
> > Firehol-support at lists.sourceforge.net
> <javascript:top.opencompose('Firehol-support at lists.sourceforge.net','','','')>
> > https://lists.sourceforge.net/lists/listinfo/firehol-support
> <parse.pl?redirect=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Ffirehol-support>
> >
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> ------------------------------------------------------------------------
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>
More information about the Firehol-support
mailing list