[Firehol-support] Looking for tutorials or help with NAT.
Costa Tsaousis
costa at tsaousis.gr
Thu Aug 14 23:54:46 BST 2008
Guy wrote:
> Hi,
>
> I've got a couple of servers using firehol that was set up by a
> previous admin so I've been able to look at basic configs, but I'm
> wanting to do some NAT on a new box and tutorials seem to be few and
> far between. Are there any good tutorials on NAT?
>
> I've got a machine on the LAN that needs to be able to act as if it's
> on the internet for a few ports (ssh, http and one custom port). Could
> NAT on the firehol box plus setting the gateway on the LAN box to the
> IP of the firehol box give me that effect? And if so, either a
> tutorial or just some help with what the config should look like would
> be great.
>
> Thanks for any help anyone can give.
> Guy
>
Hi,
Check the linux 2.4 NAT howto
(http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html). It is
old, but you will get the basic idea.
I also suggest reading the Linux Advanced Routing & Traffic Control
Howto (lartc.org). It is again somewhat old but still useful.
In firehol things are much simpler.
1. Make sure your linux router, running firehol, is also the default
gateway for the machines in your LAN.
2. dnat whatever traffic you want to your private machines, using
firehol. You can find examples at firehol site.
3. setup a router in firehol to allow the dnat'd traffic to flow.
Pay a little attention not to allow routed traffic (in step 3) with
source IPs the ones you have in your LAN.
Example:
internet interface is eth0 with a dynamic public ip
lan is eth1 with subnet 10.0.0.0/255.255.255.0
You want to forward all incoming smtp traffic to your mail server at
10.0.0.10
---
# this will allow all lan machines to reach the internet with the public ip of eth0
# you can achieve the same with snat, if you have a static public ip.
masquerade eth0

# send to 10.0.0.10 all smtp traffic coming in from eth0 and going to your public ip
# the ports need not match (for example, you can dnat tcp/2500 to 10.0.0.10:25)
dnat to 10.0.0.10:25 proto tcp dport 25 inface eth0

...

router internet2lan inface eth0 outface eth1 src not 10.0.0.0/255.255.255.0 dst 10.0.0.0/255.255.255.0
    server smtp accept dst 10.0.0.10
    client all accept
---
I hope that helps...
Costa
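The three steps above (default gateway, dnat, router with an anti-spoofing source match), written out as a complete firehol.conf for the case Guy asked about (ssh, http and one custom port forwarded to a single LAN host). This is an added example, not Costa's config and not taken from the FireHOL site; the interface names, the 10.0.0.0/24 network, the host address 10.0.0.20, the custom port tcp/5000 and the service name "guyservice" are constructed values, and the `version 5` line assumes a FireHOL 1.x release of the period (newer releases expect `version 6`).

```firehol
version 5

# Constructed values for this example (adjust to your own network):
# eth0 faces the internet, eth1 faces the LAN, the LAN is 10.0.0.0/24,
# the internal host is 10.0.0.20 and its custom service listens on tcp/5000.
public_if="eth0"
lan_if="eth1"
lan_net="10.0.0.0/24"
box="10.0.0.20"

# Step 1 is done on the LAN hosts (their default gateway must be this box);
# masquerade then rewrites their source address to the public IP of eth0.
masquerade "${public_if}"

# Step 2: port-forward the three services to the internal host.
# dnat happens before routing, so the router below already sees
# packets addressed to ${box}, not to the public IP.
dnat to "${box}:22"   proto tcp dport 22   inface "${public_if}"
dnat to "${box}:80"   proto tcp dport 80   inface "${public_if}"
dnat to "${box}:5000" proto tcp dport 5000 inface "${public_if}"

# Traffic to and from the firewall host itself.
interface "${lan_if}" lan
    policy reject
    server ssh accept
    client all accept

interface "${public_if}" internet
    policy drop
    protection strong
    client all accept

# Step 3: the forwarded traffic. "src not ${lan_net}" on the internet side
# refuses packets that arrive on eth0 claiming a LAN source address
# (the spoofing case Costa warns about); "dst ${lan_net}" keeps the
# router from forwarding anything that dnat did not point at the LAN.
router internet2lan inface "${public_if}" outface "${lan_if}" src not "${lan_net}" dst "${lan_net}"
    protection strong
    server ssh  accept dst "${box}"
    server http accept dst "${box}"
    # custom service: name, server ports, client ports, action
    server custom guyservice tcp/5000 default accept dst "${box}"
    # replies and LAN-initiated connections going out through eth0
    client all accept
```

Only the forwarded services are accepted on the router, and each one is further restricted with `dst "${box}"`, so a dnat rule added later for another host does not silently become reachable. To apply it without locking yourself out, load it with `firehol try`, which reverts to the previous ruleset unless you confirm within the timeout.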