[Firehol-support] firehol and snat

Rick Marshall rjm at zenucom.com
Wed Oct 3 22:10:29 BST 2007


Hi Rich

Minor note - your LAN is 192.168.0.0/24 - but this doesn't affect the 
rest of your problem.

I have this scenario working well, but I have done it using one of three 
tricks.

1. Extra address. Put the web server on a different subnet - say 
192.168.1.... You can overload the IP addresses on the firewall to 
access the web server through the same interface card.

2. Run a copy of apache on the firewall and use ReverseProxy to access 
the internal web server. If you do this you need to run your web site 
stats program on the firewall.

3. A more complex setup for a busy office puts the web server in a DMZ 
with 2 interface cards, runs a second name server to give internal 
addresses to internal machines which are on the internal LAN, and runs a 
third interface card on the firewall to keep the traffic separated.

Regards
Rick

rich at thevillas.eclipse.co.uk wrote:
>
> Hi,
> I have a LAN that accesses the internet through a single firewall 
> machine which has 2 network cards.
> I use SNAT to give all of my LAN machines the static external IP of 
> this firewall machine when they venture out.
> For internet traffic coming in to the firewall I use DNAT to forward 
> it to my webserver on the LAN.
>
> So, assuming that:
>
>   1) my LAN has private addresses:
>      192.168.0.0/16
>   2) my firewall has the external internet-visible address:
>      x.x.x.x
>   3) my firewall has the internal LAN-visible address:
>      192.168.0.18
>   4) my webserver has my LAN private address:
>      192.168.0.11
>
> I have an iptables DNAT (destination nat) rule to redirect traffic thus:
>    tcp x.x.x.x:80 -> 192.168.0.11:80
>
> However whilst this is lovely for external clients, it doesn't work for
> my LAN because:
>   a) LAN client 192.168.0.Y contacts x.x.x.x via the default
> route (the firewall).
>   b) firewall DNATs the connection to LAN webserver destination
> 192.168.1.110 but leaves the source address unchanged as 192.168.0.Y
>   c) LAN webserver 192.168.0.11 replies direct to LAN client
> 192.168.0.Y because it is on the same network, but LAN client wasn't
> talking to 192.168.0.11 when it started the connection and therefore
> ignores these packets.
>
> I think I should be able to simply rewrite the source address in (b) 
> to the internal
> address of my firewall so that all replies from the webserver come
> back via the firewall and can be correctly de-mangled. In other words
> all communication between LAN clients and my webserver will be
> dog-legged via the firewall.
>
> BUT, this doesn't work with my current firehol config.
> Please please could someone point out where my config is wrong?
> I have spent hours and hours on this but can't figure it out.
>
> Thanks in advance
> #####################CONFIG BELOW######################
>
>
> # The definition of our HOME LAN.
> HOME_MYIP="192.168.0.18"    # The IP on our HOME LAN
> HOME_MYIF="eth1"        # The HOME LAN interface
> HOME_BCAST="192.168.1.255"    # The HOME LAN broadcast
> HOME_LAN="192.168.1.0/255.255.255.0"        # The HOME LAN
> HOME_SERVICES="all"
>
> HOME_DHCP=0            # Set to 0 to disable
>
>
> # --- PUBLIC ---
>
> # The definition of our PUBLIC interface.
> PUBLIC_MYIP="x.x.x.x"            # Leave empty for dynamic IP
> PUBLIC_MYIF="eth0"        # The public interface
> PUBLIC_SERVICES="ssh http https"
>
> # Is the PPP interface a DIAL-ON-DEMAND?
> DIAL_ON_DEMAND=0        # Set to 0 to disable
>
>
> # --- TRUSTED ---
>
> # Hosts in the internet I trust for accessing private services
> # Empty these to disable.
> TRUSTED_IPS=""
> TRUSTED_SERVICES=""
>
>
>
> # --- BLACKLIST ---
>
> # A space-separated list of IPs to be blocked.
> blacklist=""
>
>
> # ----------------------------------------------------------------------------
> # HELPERS
> # ----------------------------------------------------------------------------
>
> # Block all traffic from/to certain IPs
> if [ ! -z "${blacklist}" ]
> then
>     blacklist full "${blacklist}"
> fi
>
>
>
> # ----------------------------------------------------------------------------
> # NETWORK ADDRESS TRANSLATION
> # ----------------------------------------------------------------------------
> # Change the source/destination of packets...
>
> # Should we do SNAT or MASQUERADE?
> # If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.
> #
> if [ ! -z "${PUBLIC_MYIP}" ]
> then
>
>     snat to "${PUBLIC_MYIP}"                 \
>         outface "${PUBLIC_MYIF}"             \
>         src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
>
>     snat to "${HOME_MYIP}"                 \
>         outface "${HOME_MYIF}"            \
>         src "${HOME_LAN}" dst "${PUBLIC_MYIP}"
>
> else
>     masquerade "${PUBLIC_MYIF}"
> fi
>
>
> # To have some public service hit an internal machine, do this:
>
> dnat to 192.168.0.11:80                        \
>     inface "${PUBLIC_MYIF}"                    \
>     src not "${HOME_LAN} ${UNROUTABLE_IPS}"            \
>     proto tcp dport 80
>     
>
>
> # ----------------------------------------------------------------------------
> # PROTECT SELF
> # ----------------------------------------------------------------------------
> # Protect the firewall host...
>
> # --- HOME ---
>
> # Protect us from the HOME LAN
> interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP} ${HOME_BCAST}"
>     policy reject
>    
>     server "${HOME_SERVICES}" accept
>    
>     client all accept
>
>    
> # DHCP needs 0.0.0.0/255.255.255.255 access.
> if [ ${HOME_DHCP} -eq 1 ]
> then
>     interface "${HOME_MYIF}" dhcp
>         server dhcp accept
> fi
>
>
> # --- PUBLIC ---
>
> # Protect us from the PUBLIC
> interface "${PUBLIC_MYIF}" internet                \
>     src not "${UNROUTABLE_IPS}"                \
>     `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`
>    
>     protection strong
>     policy drop
>    
>     # Are there any trusted PCs/services?
>     if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
>     then
>         server "${TRUSTED_SERVICES}" accept src "${TRUSTED_PCS}"
>     fi
>    
>     server "${PUBLIC_SERVICES}" accept
>    
>     client all accept
>
> # DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.
> if [ ${DIAL_ON_DEMAND} -eq 1 ]
> then
>     interface "${PUBLIC_MYIF}" dialup
>         client all accept
> fi
>
>
> # ----------------------------------------------------------------------------
> # PROTECT ROUTING
> # ----------------------------------------------------------------------------
> # Protect the LAN...
>
> # Route traffic for the clients on the LAN
> router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}"    \
>     src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"
>    
>     # route all client traffic
>     client all accept
>    
>     # For the dnat example above, this is needed:
>     server http accept dst 192.168.0.11
>
>  
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
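The hairpin (NAT loopback) failure described in steps (a)-(c) above, as an added example that is not part of the original thread or of firehol: a small Python model of the nat table using the thread's addresses. It assumes a single LAN client and models only the first packet and its reply; the `snat_dst` parameter is the `dst` that the hairpin snat rule matches on, and because POSTROUTING runs after DNAT that address is the post-DNAT one.

```python
from dataclasses import dataclass, replace as dc_replace

# Addresses from the thread; "x.x.x.x" is the poster's placeholder for PUBLIC_MYIP.
PUBLIC_IP = "x.x.x.x"
FW_LAN_IP = "192.168.0.18"   # HOME_MYIP
WEB_IP = "192.168.0.11"      # dnat target
LAN_PREFIX = "192.168.0."    # stands in for a 192.168.0.0/24 match


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def firewall_forward(pkt: Packet, snat_dst, conntrack: dict) -> Packet:
    """Toy model of the nat table: DNAT in PREROUTING, then SNAT in POSTROUTING.

    snat_dst is the 'dst' the hairpin snat rule matches on (None = no such rule).
    """
    out = pkt
    if out.dst == PUBLIC_IP and out.dport == 80:      # dnat to 192.168.0.11:80
        out = dc_replace(out, dst=WEB_IP)
    # POSTROUTING sees the packet after DNAT, so 'dst' is already the LAN address.
    if snat_dst is not None and on_lan(pkt.src) and out.dst == snat_dst:
        out = dc_replace(out, src=FW_LAN_IP)          # snat to HOME_MYIP
    # conntrack keeps original <-> translated so a returning reply can be reversed
    conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
    return out


def lan_client_fetch(client_ip: str, snat_dst) -> bool:
    """True if a LAN client talking to x.x.x.x:80 gets a reply it will accept."""
    conntrack = {}
    req = Packet(client_ip, PUBLIC_IP, 40000, 80)
    fwd = firewall_forward(req, snat_dst, conntrack)
    reply = Packet(fwd.dst, fwd.src, 80, fwd.sport)   # server answers the src it saw
    if reply.dst != FW_LAN_IP:
        delivered = reply           # same subnet: goes straight to the client (step c)
    else:
        orig = conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        delivered = Packet(orig.dst, orig.src, 80, orig.sport)  # un-DNAT, un-SNAT
    # the client only accepts a reply from the address:port it connected to
    return delivered.src == PUBLIC_IP and delivered.dst == client_ip
```

With no hairpin snat rule the reply bypasses the firewall and is ignored; a rule matching `dst` on the public address never fires in POSTROUTING, while one matching the web server's LAN address makes the reply return through the firewall and get de-translated.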