[Firehol-support] firehol and snat

Rick Marshall rjm at zenucom.com
Sat Oct 6 00:28:29 BST 2007


Hi Rich

I put considerable work into the snat option before realising that it
was going to be too difficult. iptables seems to get confused when you
are trying to do too much with the same subnet. I don't know why, but it
just didn't work.

More importantly, we host a number of sites on different back end 
servers and then have to provide site statistics to all of them.

This is where the reverse proxy really came into its own. (Using apache
of course ;)  - IIS can't do it :( ) The proxy knows the URL that has
been requested and so a combination of named virtual hosts and
reverse proxy can redirect almost anything reliably to the internal
servers. Including internal traffic. However this does mean that all
internal traffic also goes through the firewall - on sites with high
internal volumes you really don't want this - hence servers with dual
interfaces. The internal servers think the traffic comes from the
firewall so you need to set up site statistics against logs on the
firewall, not the actual servers.

Google etc for apache reverse proxy - plenty of online help and discussion.

Here is a snippet from one of our apache setups:

<VirtualHost *:80>
        ServerName www.rmkshoes.com.au
        ServerAlias rmkshoes.com.au www.rmkshoes.com rmkshoes.com
        ServerAdmin root at cadetshoes.com.au
        ErrorLog logs/rmkshoes.com.au-error_log
        CustomLog logs/rmkshoes.com.au-access_log combined
        ProxyPreserveHost       On
        <Location / >
                ProxyPass               http://192.168.1.153/
                ProxyPassReverse        http://192.168.1.153/
        </Location>
</VirtualHost>

Also please note that this does not solve the problem for mail servers 
on the same internal subnet.

Option b) as I said is to overload the ip address on an interface card.

To do this set the ip address on the web/mail server to a different 
subnet eg 192.168.1.0/24. Then in firehol on the firewall add the ip 
commands to add addresses to an interface (in addition to the default 
address present when the firewall starts):

eg

ip addr add 192.168.1.1 dev eth0
ip route add 192.168.1.0/24 dev eth0

You can have 2 interface definitions for the same interface! and then
redirect traffic accordingly. This is an effective strategy. Here is the
firehol.conf from one of my smaller sites:
In this case I have made sure that the intranet comes up correctly and 
then overlay the internet onto the (single) ethernet adapter. Physically 
there is a satellite link connected to my switch along with the 
server/firewall and a wireless switch.

We're now using this in small shop setups too so that we can use 
standard IBM POS units with multiple subregisters.

Anyway I hope this helps you and others.

Regards
Rick

#
# $Id: office.conf,v 1.4 2002/12/31 15:44:34 ktsaou Exp $
#
# CASE:
# Firewall for a host with only one Ethernet interface connected to
# a LAN where the traffic coming in is:
#
#       source 10.0.0.0/16      intranet traffic
#       any other source        internet traffic
#
# The host can reach the internet via a gateway that SNATs the fake
# address this host has to its Ethernet interface to a real one.
# We assume that this NAT is bi-directional, meaning that the
# gateway will DNAT requests sent from the internet to the real IP
# of our host in order to enter the intranet and reach our server.
#
# If this NAT is not bi-directional (only SNAT but no DNAT), then
# the 'internet' and 'trusted' services below will simply not
# work (FireHOL will not complain).
#
# SOLUTION:
# The following FireHOL configuration script assumes there are a few
# network zones with different roles:
#
#       intranet        our company's intranet
#       department      our department within the intranet
#       personal        our PCs within the company
#       internet        the whole internet
#       trusted         computers on the internet we need to provide
#                       services to
#
# For each of the above, there are two definitions:
#       1. The IP addresses or address space
#       2. The services they can access on this host.
#
# If you want to disable something, simply comment out or empty the
# variables defined for this.
#
# Other notes:
#       - idents are rejected
#       - our host is also a workstation that can run any client
#       - our host does not route any traffic

version 5

# ----------------------------------------------------------------------
# Definitions
# ----------------------------------------------------------------------

# The network the company's intranet is using
ip addr add 61.88.230.142 dev eth0
ip route add 61.88.230.140/30 dev eth0
ip route add default via 61.88.230.141
intranet="192.168.12.0/24"
intranet_servers="icmp http smtp dns dhcp cups ssh samba"

# The rest of the traffic is internet.
# Define here the servers for the internet traffic, if any
internet="61.88.230.142"
internet_if="eth0"
internet_servers="icmp smtp ssh dns"

# How many requests per second should we allow?
intranet_requests="50/sec"
internet_requests="10/sec"

# New servers

server_drop_ports="tcp/135 udp/1025:65535 tcp/1025:65535"
client_drop_ports="default"

# NAT

snat to "${internet}" outface "${internet_if}" src "${intranet}" dst not "${UNROUTABLE_IPS}"

# TCPMSS

tcpmss 256

# TRANSPARENT PROXY

#proxy_port=""

# Setup a transparent proxy on this host.
#if [ ! -z "${proxy_port}" ]
#then
#        iptables -t nat -A PREROUTING -s ${intranet} -p tcp --dport 80 -j REDIRECT --to-port ${proxy_port}
#fi

# ----------------------------------------------------------------------
# Normally, you don't have to do anything below this point.
# ----------------------------------------------------------------------

# The intranet
interface eth0 intranet src "${intranet}"
        policy reject # be friendly to the intranet to prevent timeouts
       
        protection strong ${intranet_requests}

        # Servers for the company's intranet
        if [ ! -z "${intranet_servers}" ]
        then
                server "${intranet_servers}" accept
        fi

        # Prevent ident from timing out
        server ident    reject with tcp-reset

        # This is an Intranet workstation
        client all      accept  # To have good accounting, this should be last.
       
# The internet
interface eth0 internet src not "${intranet} ${UNROUTABLE_IPS}"
        policy drop # this is also the default

        protection strong ${internet_requests}

        # Public internet servers
        if [ ! -z "${internet_servers}" ]
        then
                server "${internet_servers}" accept
        fi

        # Servers for our trusted PCs
        if [ ! -z "${trusted}" -a ! -z "${trusted_servers}" ]
        then
                server "${trusted_servers}" accept src "${trusted}"
        fi

        # Prevent ident from timing out
        server ident    reject with tcp-reset

        # Get rid of other crap
        server "drop" drop
        server "samba" drop

        # This is an Internet workstation too
        client all      accept  # To have good accounting, this should be last.

# ----------------------------------------------------------------------------
# PROTECT ROUTING
# ----------------------------------------------------------------------------
# Protect the LAN...

# Route traffic for the clients on the LAN
router internet2lan inface "${internet_if}" outface "eth0" src not "${UNROUTABLE_IPS}" dst "${intranet}"

        # route all client traffic
        client all accept

router lan2internet inface "eth0" outface "${internet_if}"
        route all accept





rich at thevillas.eclipse.co.uk wrote:
>
>
>
> Thanks Rick, great help. I think the reverse proxy sounds like a great 
> idea and looks simple to implement. I need the webserver to be on the 
> same subnet as the lan.
>
> Did you attempt the snat option or did you just go straight for one of 
> the 3 below? I'm puzzled as to why it won't work for me.
>
> cheers
>
> Rich
>
> *On Wed Oct 3 21:10 , Rick Marshall sent:
>
> *
>
>     Hi Rich
>
>     Minor note - your LAN is 192.168.0.0/24 - but this doesn't affect the
>     rest of your problem.
>
>     I have this scenario working well, but I have done it using one of
>     three
>     tricks.
>
>     1. Extra address. Put the web server on a different subnet - say
>     192.168.1.... You can overload the IP addresses on the firewall to
>     access the web server through the same interface card.
>
>     2. Run a copy of apache on the firewall and use ReverseProxy to
>     access
>     the internal web server. If you do this you need to run your web site
>     stats program on the firewall.
>
>     3. More complex setup for a busy office puts the web server in a DMZ
>     with 2 interface cards, run a second name server to give internal
>     addresses to internal machines which are on the internal lan and
>     run a
>     third interface card on the firewall to keep the traffic separated.
>
>     Regards
>     Rick
>
>     rich at thevillas.eclipse.co.uk
>     wrote:
>     >
>     > Hi,
>     > I have a LAN that accesses the internet through a single firewall
>     > machine which has 2 network cards.
>     > I use SNAT to give all of my LAN machines the static external IP of
>     > this firewall machine when they venture out.
>     > For internet traffic coming in to the firewall i use DNAT to
>     forward
>     > it to my webserver on the LAN.
>     >
>     > So, assuming that:
>     >
>     > 1) my LAN has private addresses:
>     > 192.168.0.0/16
>     > 2) my firewall has the external internet-visible address:
>     > x.x.x.x
>     > 3) my firewall has the internal LAN-visible address:
>     > 192.168.0.18
>     > 4) my webserver has my LAN private address:
>     > 192.168.0.11
>     >
>     > I have an iptables DNAT (destination nat) rule to redirect
>     traffic thus:
>     > tcp x.x.x.x:80 -> 192.168.0.11:80
>     >
>     > However whilst this is lovely for external clients, it doesn't
>     work for
>     > my LAN because:
>     > a) LAN client 192.168.0.Y contacts x.x.x.x via the default
>     > route (the firewall).
>     > b) firewall DNATs the connection to LAN webserver destination
>     > 192.168.1.110 but leaves the source address unchanged as 192.168.0.Y
>     > c) LAN webserver 192.168.0.11 replies direct to LAN client
>     > 192.168.0.Y because it is on the same network, but LAN client wasn't
>     > talking to 192.168.0.11 when it started the connection and therefore
>     > ignores these packets.
>     >
>     > I think I should be able to simply rewrite the source address in
>     (b)
>     > to the internal
>     > address of my firewall so that all replies from the webserver come
>     > back via the firewall and can be correctly de-mangled. In other
>     words
>     > all communication between LAN clients and my webserver will be
>     > dog-legged via the firewall.
>     >
>     > BUT, this doesn't work with my current firehol config.
>     > Please please could someone point out where my config is wrong?
>     > I have spent hours and hours on this but can't figure it out
>     >
>     > Thanks in advance
>     > #####################CONFIG BELOW######################
>     >
>     >
>     > # The definition of our HOME LAN.
>     > HOME_MYIP="192.168.0.18" # The IP on our HOME LAN
>     > HOME_MYIF="eth1" # The HOME LAN interface
>     > HOME_BCAST="192.168.1.255" # The HOME LAN broadcast
>     > HOME_LAN="192.168.1.0/255.255.255.0" # The HOME LAN
>     > HOME_SERVICES="all"
>     >
>     > HOME_DHCP=0 # Set to 0 to disable
>     >
>     >
>     > # --- PUBLIC ---
>     >
>     > # The definition of our PUBLIC interface.
>     > PUBLIC_MYIP="x.x.x.x" # Leave empty for dynamic IP
>     > PUBLIC_MYIF="eth0" # The public interface
>     > PUBLIC_SERVICES="ssh http https"
>     >
>     > # Is the PPP interface a DIAL-ON-DEMAND?
>     > DIAL_ON_DEMAND=0 # Set to 0 to disable
>     >
>     >
>     > # --- TRUSTED ---
>     >
>     > # Hosts in the internet I trust for accessing private services
>     > # Empty these to disable.
>     > TRUSTED_IPS=""
>     > TRUSTED_SERVICES=""
>     >
>     >
>     >
>     > # --- BLACKLIST ---
>     >
>     > # A space-separated list of IPs to be blocked.
>     > blacklist=""
>     >
>     >
>     > # ----------------------------------------------------------------------------
>     > # HELPERS
>     > # ----------------------------------------------------------------------------
>     >
>     > # Block all traffic from/to certain IPs
>     > if [ ! -z "${blacklist}" ]
>     > then
>     > blacklist full "${blacklist}"
>     > fi
>     >
>     >
>     >
>     > # ----------------------------------------------------------------------------
>     > # NETWORK ADDRESS TRANSLATION
>     > # ----------------------------------------------------------------------------
>     > # Change the source/destination of packets...
>     >
>     > # Should we do SNAT or MASQUERADE?
>     > # If there is a PUBLIC_MYIP defined, we should do SNAT,
>     otherwise MASQ.
>     > #
>     > if [ ! -z "${PUBLIC_MYIP}" ]
>     > then
>     >
>     > snat to "${PUBLIC_MYIP}" \
>     > outface "${PUBLIC_MYIF}" \
>     > src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
>     >
>     > snat to "${HOME_MYIP}" \
>     > outface "${HOME_MYIF}" \
>     > src "${HOME_LAN}" dst "${PUBLIC_MYIP}"
>     >
>     > else
>     > masquerade "${PUBLIC_MYIF}"
>     > fi
>     >
>     >
>     > # To have some public service hit an internal machine, do this:
>     >
>     > dnat to 192.168.0.11:80 \
>     > inface "${PUBLIC_MYIF}" \
>     > src not "${HOME_LAN} ${UNROUTABLE_IPS}" \
>     > proto tcp dport 80
>     >
>     >
>     >
>     > # ----------------------------------------------------------------------------
>     > # PROTECT SELF
>     > # ----------------------------------------------------------------------------
>     > # Protect the firewall host...
>     >
>     > # --- HOME ---
>     >
>     > # Protect us from the HOME LAN
>     > interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP}
>     > ${HOME_BCAST}"
>     > policy reject
>     >
>     > server "${HOME_SERVICES}" accept
>     >
>     > client all accept
>     >
>     >
>     > # DHCP needs 0.0.0.0/255.255.255.255 access.
>     > if [ ${HOME_DHCP} -eq 1 ]
>     > then
>     > interface "${HOME_MYIF}" dhcp
>     > server dhcp accept
>     > fi
>     >
>     >
>     > # --- PUBLIC ---
>     >
>     > # Protect us from the PUBLIC
>     > interface "${PUBLIC_MYIF}" internet \
>     > src not "${UNROUTABLE_IPS}" \
>     > `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`
>     >
>     > protection strong
>     > policy drop
>     >
>     > # Are there any trusted PCs/services?
>     > if [ ! -z "${TRUSTED_IPS}" -a ! -z "${TRUSTED_SERVICES}" ]
>     > then
>     > server "${TRUSTED_SERVICES}" accept src "${TRUSTED_IPS}"
>     > fi
>     >
>     > server "${PUBLIC_SERVICES}" accept
>     >
>     > client all accept
>     >
>     > # DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.
>     > if [ ${DIAL_ON_DEMAND} -eq 1 ]
>     > then
>     > interface "${PUBLIC_MYIF}" dialup
>     > client all accept
>     > fi
>     >
>     >
>     > # ----------------------------------------------------------------------------
>     > # PROTECT ROUTING
>     > # ----------------------------------------------------------------------------
>     > # Protect the LAN...
>     >
>     > # Route traffic for the clients on the LAN
>     > router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \
>     > src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"
>     >
>     > # route all client traffic
>     > client all accept
>     >
>     > # For the dnat example above, this is needed:
>     > server http accept dst 192.168.0.11
>     >
>     >
>     >
>     ------------------------------------------------------------------------
>     >
>     >
>     -------------------------------------------------------------------------
>     > This SF.net email is sponsored by: Splunk Inc.
>     > Still grepping through log files to find problems? Stop.
>     > Now Search log events and configuration files using AJAX and a
>     browser.
>     > Download your FREE copy of Splunk now >> http://get.splunk.com/
>     <parse.pl?redirect=http%3A%2F%2Fget.splunk.com%2F>
>     >
>     ------------------------------------------------------------------------
>     >
>     > _______________________________________________
>     > Firehol-support mailing list
>     > Firehol-support at lists.sourceforge.net
>     <javascript:top.opencompose('Firehol-support at lists.sourceforge.net','','','')>
>     > https://lists.sourceforge.net/lists/listinfo/firehol-support
>     <parse.pl?redirect=https%3A%2F%2Flists.sourceforge.net%2Flists%2Flistinfo%2Ffirehol-support>
>     >
>
>


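The failure Rich describes in steps (a) to (c), and the extra source rewrite that fixes it, are easier to see as a packet walk than as rules. The block below is an added example written for this page, not FireHOL's or iptables' code: it models the firewall's PREROUTING DNAT, an optional POSTROUTING SNAT applied only to the hairpinned LAN-to-LAN case, and a conntrack-style table that reverses the translation on replies, then runs a LAN client and an Internet client through it with and without the hairpin SNAT. Addresses are the thread's (192.168.0.18 firewall, 192.168.0.11 web server); 203.0.113.5 stands in for x.x.x.x, and 192.168.0.50 and 198.51.100.7 are invented client addresses. One thing the model makes visible: POSTROUTING runs after PREROUTING has already rewritten the destination, so a source-rewrite rule that matches on the public address as destination (the form used in the quoted `snat to "${HOME_MYIP}" ... dst "${PUBLIC_MYIP}"`) never sees such a packet; by that point the destination is the web server's LAN address.

```python
"""Packet-level model of hairpin NAT: LAN client -> public IP -> DNAT -> LAN server.
Added example for this page, not FireHOL or iptables code. 203.0.113.5 stands in
for the thread's x.x.x.x; 192.168.0.50 and 198.51.100.7 are invented clients."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"   # stand-in for x.x.x.x
FW_LAN_IP = "192.168.0.18"  # firewall's LAN address (from the thread)
WEB_IP = "192.168.0.11"     # web server on the LAN (from the thread)
LAN_PREFIX = "192.168.0."   # 192.168.0.0/24; a prefix test is enough for the model


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Firewall:
    """nat table: PREROUTING DNAT tcp PUBLIC_IP:80 -> WEB_IP:80, optional POSTROUTING
    SNAT of hairpinned LAN->LAN traffic to FW_LAN_IP, and a conntrack-style table
    that undoes the translation on the reply."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.reply_map = {}  # expected reply 4-tuple -> original request packet

    def handle(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.reply_map:                          # reply of a tracked flow
            orig = self.reply_map[key]
            return Packet(orig.dst, orig.dport, orig.src, orig.sport)
        out = pkt
        if pkt.dst == PUBLIC_IP and pkt.dport == 80:       # PREROUTING DNAT
            out = replace(out, dst=WEB_IP)
        # POSTROUTING sees the post-DNAT destination (WEB_IP), never PUBLIC_IP.
        if self.hairpin_snat and in_lan(pkt.src) and out.dst == WEB_IP and out.dst != pkt.dst:
            out = replace(out, src=FW_LAN_IP)              # POSTROUTING SNAT, hairpin only
        self.reply_map[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out


def simulate(client_ip, hairpin_snat):
    """Return what the server saw as source, whom the client heard back from, and
    whether the client's TCP stack would accept that reply as part of its connection."""
    fw = Firewall(hairpin_snat)
    request = Packet(client_ip, 40000, PUBLIC_IP, 80)
    # The public address is never on-link for the client, so the request always
    # reaches the firewall (the LAN's default route) and is translated there.
    at_server = fw.handle(request)
    reply = Packet(WEB_IP, 80, at_server.src, at_server.sport)
    # The server routes its reply: on-link LAN hosts directly, the firewall itself
    # and anything off-subnet through the firewall.
    if reply.dst == FW_LAN_IP or not in_lan(reply.dst):
        reply = fw.handle(reply)
    accepted = (reply.dst == client_ip
                and (reply.src, reply.sport) == (request.dst, request.dport))
    return {"server_saw": at_server.src, "client_heard_from": reply.src, "accepted": accepted}


if __name__ == "__main__":
    for who in ("192.168.0.50", "198.51.100.7"):
        for snat in (False, True):
            print(who, "hairpin_snat=%s" % snat, simulate(who, snat))
```

Without the hairpin SNAT the LAN client hears back from 192.168.0.11, not from the address it connected to, and drops the reply (Rich's step (c)); with it the reply is dog-legged through the firewall and accepted, at the price Rick notes: the web server's logs now show the firewall's address for every internal visitor. Internet clients work either way because their replies already go through the firewall's default route.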

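Rick's reverse-proxy alternative avoids NAT altogether: the proxy on the firewall picks the backend by the requested host name, forwards the request, and is the place where the real client address is still known, which is why the site statistics have to come from its logs. The block below is an added example modelling what the Apache snippet's directives do, written for this page and not taken from Apache or from Rick's setup: `ProxyPass /` forwarding with `ProxyPreserveHost On` (the client's Host header is passed through unchanged), the client address recorded in an `X-Forwarded-For` header as mod_proxy does, `ProxyPassReverse` rewriting of a backend redirect `Location` back to the public name, and a `combined`-format access-log line produced on the proxy. The vhost table is taken from the snippet; 203.0.113.9 is a constructed client address.

```python
"""Model of the Apache reverse-proxy vhost: name-based backend selection,
ProxyPass with ProxyPreserveHost On, X-Forwarded-For, ProxyPassReverse Location
rewriting, and a 'combined' access-log line written at the proxy.
Added example for this page; not Apache's or the thread author's code."""
from datetime import datetime, timezone

# From the snippet: every public name maps to the one internal server.
VHOSTS = {
    "www.rmkshoes.com.au": "http://192.168.1.153/",
    "rmkshoes.com.au": "http://192.168.1.153/",
    "www.rmkshoes.com": "http://192.168.1.153/",
    "rmkshoes.com": "http://192.168.1.153/",
}


def pick_backend(host):
    """Name-based virtual host lookup; a :port suffix and letter case are ignored."""
    name = host.split(":")[0].lower()
    return VHOSTS.get(name)


def forward_request(client_ip, host, path, headers):
    """ProxyPass / with ProxyPreserveHost On: same path, original Host kept,
    client address appended to X-Forwarded-For. None if no vhost matches."""
    backend = pick_backend(host)
    if backend is None:
        return None
    out = dict(headers)
    out["Host"] = host                                   # ProxyPreserveHost On
    prior = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    return {"url": backend.rstrip("/") + path, "headers": out}


def reverse_location(host, backend, location):
    """ProxyPassReverse: a backend redirect that names the backend itself is
    rewritten to the public host so the client never learns the internal address."""
    if location.startswith(backend):
        return "http://" + host + "/" + location[len(backend):]
    return location


def access_log_line(client_ip, request_line, status, size, headers, when=None):
    """Apache 'combined' format, as the proxy's CustomLog would record it. The
    proxy still knows the real client, which the backend's own log would not."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    referer = headers.get("Referer", "-")
    agent = headers.get("User-Agent", "-")
    return f'{client_ip} - - [{stamp}] "{request_line}" {status} {size} "{referer}" "{agent}"'


if __name__ == "__main__":
    hdrs = {"User-Agent": "demo/1.0"}
    fwd = forward_request("203.0.113.9", "www.rmkshoes.com.au", "/shop/index.html", hdrs)
    print(fwd)
    print(reverse_location("www.rmkshoes.com.au", VHOSTS["www.rmkshoes.com.au"],
                           "http://192.168.1.153/shop/"))
    print(access_log_line("203.0.113.9", "GET /shop/index.html HTTP/1.1", 200, 512, hdrs))
```

A request for an unknown host name gets no backend, which is the behaviour to want on a proxy that fronts several sites: nothing is forwarded by default. The log line carries 203.0.113.9, while the backend at 192.168.1.153 would only ever see the proxy's own address as the peer.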
