[Firehol-support] Looking for tutorials or help with NAT.
Guy
wyldfury at gmail.com
Thu Aug 21 15:36:32 BST 2008
Hi Costa,
That was a big help, thanks. The server I'm using as a firewall is also
a mail gateway; here's the firehol.conf I've come up with after
looking at the examples you gave.
[code]
version 5

# custom services: zabbix agent, amavis, policyd and the proprietary box's port
server_zabbixagent_ports="tcp/10050"
client_zabbixagent_ports="default"
server_amavis_ports="tcp/10024"
client_amavis_ports="default"
server_policyd_ports="tcp/10031"
client_policyd_ports="default"
server_bhttp1_ports="tcp/8000"
client_bhttp1_ports="default"

# hosts allowed to ssh in and to monitor the gateway
office="x0.domain.org"
remote="x1.domain.org"
monitor="x2.domain.org"

# LAN machines leave with the public address of eth1; ports 8000 and 80
# arriving on eth1 are forwarded to the proprietary box on the LAN
masquerade eth1
dnat to 10.0.8.190:8000 proto tcp dport 8000 inface eth1
dnat to 10.0.8.190:80 proto tcp dport 80 inface eth1

interface eth0 LAN
    policy accept

interface eth1 WAN
    server ssh accept src "$office $remote $monitor"
    server ping accept
    server smtp accept
    server amavis accept
    server policyd accept
    server zabbixagent accept src "$monitor"
    server ident drop
    client all accept

# let the dnat'd traffic flow from the WAN to the box on the LAN
router internet2lan inface eth1 outface eth0
    server bhttp1 accept dst 10.0.8.190
    server http accept dst 10.0.8.190
    client all accept
[/code]
The machine with firehol on it is actually a mail gateway, and I'm just
using it to get web access to one proprietary box on the LAN.
I was hoping you or whoever could give the conf a quick look before I
ask our hosting company to point the proprietary box at the
firehol server as its gateway, as they charge us for any work done on it.
In my case eth0 is the LAN interface and eth1 is the public interface.
If I want port 8000 and port 80 to go back out from the box on the
LAN, do I just use snat and another router going from lan2internet?
Thanks
Guy
2008/8/14 Costa Tsaousis <costa at tsaousis.gr>:
> Guy wrote:
>>
>> Hi,
>>
>> I've got a couple of servers using firehol that were set up by a
>> previous admin, so I've been able to look at basic configs, but I'm
>> wanting to do some NAT on a new box and tutorials seem to be few and
>> far between. Are there any good tutorials on NAT?
>>
>> I've got a machine on the LAN that needs to be able to act as if it's
>> on the internet for a few ports (ssh, http and one custom port). Could
>> NAT on the firehol box plus setting the gateway on the LAN box to the
>> IP of the firehol box give me that effect? And if so, either a
>> tutorial or just some help with what the config should look like would
>> be great.
>>
>> Thanks for any help anyone can give.
>> Guy
>>
>
> Hi,
>
> Check the linux 2.4 NAT howto
> (http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html). It is old,
> but you will get the basic idea.
> I also suggest reading the Linux Advanced Routing & Traffic Control Howto
> (lartc.org). It is again somewhat old but still useful.
>
> In firehol things are much simpler.
>
> 1. Make sure your linux router, running firehol, is also the default gateway
> for the machines in your LAN.
> 2. dnat whatever traffic you want to your private machines, using firehol.
> You can find examples at firehol site.
> 3. setup a router in firehol to allow the dnat'd traffic to flow.
>
> Pay a little attention not to allow routed traffic (in step 3) with source
> IPs the ones you have in your LAN.
>
> Example:
> internet interface is eth0 with a dynamic public ip
> lan is eth1 with subnet 10.0.0.0/255.255.255.0
> You want to forward all incoming smtp traffic to your mail server at
> 10.0.0.10
>
> ---
>
> # this will allow all lan machines to reach the internet with the public ip of eth0
> # you can achieve the same with snat, if you have a static public ip.
> masquerade eth0
>
> # send to 10.0.0.10 all smtp traffic coming in from eth0 and going to your public ip
> # the ports need not match (for example, you can dnat tcp/2500 to 10.0.0.10:25)
> dnat to 10.0.0.10:25 proto tcp dport 25 inface eth0
>
> ...
>
> router internet2lan inface eth0 outface eth1 src not 10.0.0.0/255.255.255.0 dst 10.0.0.0/255.255.255.0
> server smtp accept dst 10.0.0.10
> client all accept
>
> ---
>
> I hope that helps...
>
> Costa
>
>
--
Don't just do something...sit there!
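Costa's step 3 warns against letting routed traffic through with LAN source addresses, which his example handles with `src not 10.0.0.0/255.255.255.0` on the router line, while the `router internet2lan` line in the config above has no such clause. The checker below is an added example, not code from this list or from FireHOL itself: it parses the `router` lines of a firehol.conf and flags any WAN-to-LAN router whose `src not` does not cover the LAN subnet. It assumes the LAN behind eth0 is 10.0.8.0/24 and uses a constructed fragment of the config as input.

```python
import ipaddress
import shlex

# Constructed firehol.conf fragment, modelled on the config in the mail above:
# the WAN->LAN router carries no "src not <LAN subnet>" clause.
SAMPLE_CONF = """\
masquerade eth1
dnat to 10.0.8.190:80 proto tcp dport 80 inface eth1
interface eth1 WAN
    server smtp accept
    client all accept
router internet2lan inface eth1 outface eth0
    server http accept dst 10.0.8.190   # forwarded to the LAN box
    client all accept
"""

def parse_routers(conf):
    """Collect every 'router' line as {name, inface, outface, src_not}."""
    routers = []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line.startswith('router '):
            continue
        tok = shlex.split(line)
        r = {'name': tok[1], 'inface': None, 'outface': None, 'src_not': []}
        i = 2
        while i + 1 < len(tok):
            key, negated = tok[i], tok[i + 1] == 'not'
            if negated and i + 2 >= len(tok):
                break  # "src not" with no value: malformed, stop parsing
            value = tok[i + 2] if negated else tok[i + 1]
            if key in ('inface', 'outface'):
                r[key] = value
            elif key == 'src' and negated:
                r['src_not'].extend(value.split())  # quoted lists are space separated
            i += 3 if negated else 2
        routers.append(r)
    return routers

def spoof_check(conf, wan_iface, lan_iface, lan_subnet):
    """Names of WAN->LAN routers that still accept packets with a LAN source."""
    lan = ipaddress.ip_network(lan_subnet)  # assumed LAN subnet, e.g. 10.0.8.0/24
    flagged = []
    for r in parse_routers(conf):
        if (r['inface'], r['outface']) != (wan_iface, lan_iface):
            continue
        excluded = False
        for net in r['src_not']:
            try:  # netmask notation like 10.0.0.0/255.255.255.0 is accepted
                excluded |= lan.subnet_of(ipaddress.ip_network(net))
            except ValueError:  # hostnames or $variables cannot be checked here
                pass
        if not excluded:
            flagged.append(r['name'])
    return flagged
```

Running `spoof_check(SAMPLE_CONF, 'eth1', 'eth0', '10.0.8.0/24')` reports `internet2lan`; adding `src not 10.0.8.0/255.255.255.0` to that router line clears it.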