[Firehol-support] Looking for tutorials or help with NAT.
wyldfury at gmail.com
Thu Aug 21 15:36:32 BST 2008
That was a big help thanks. The server I'm using as a firewall is also
a mail gateway, here's the firehol.conf I've come up with after
looking at the examples you gave.
dnat to 10.0.8.190:8000 proto tcp dport 8000 inface eth1
dnat to 10.0.8.190:80 proto tcp dport 80 inface eth1
interface eth0 LAN
interface eth1 WAN
server ssh accept src "$office $remote $monitor"
server ping accept
server smtp accept
server amavis accept
server policyd accept
server zabbixagent accept src "$monitor"
server ident drop
client all accept
router internet2lan inface eth1 outface eth0
server bhttp1 accept dst 10.0.8.190
server http accept dst 10.0.8.190
client all accept
The machine with firehol on is actually a mail gateway and I'm just
using it to get web access to one proprietary box on the LAN.
I was hoping you or whoever could give the conf a quick look before I
ask our hosting company to point the proprietary box to use the
firehol server as gateway as they charge us for any work done on it.
In my case eth0 is the LAN interface and eth1 is the public interface.
If I want port 8000 and port 80 to go back out from the box on the
LAN, do I just use snat and another router going from lan2internet?
2008/8/14 Costa Tsaousis <costa at tsaousis.gr>:
> O/H Guy ??????:
>> I've got a couple of servers using firehol that was set up by a
>> previous admin so I've been able to look at basic configs, but I'm
>> wanting to do some NAT on a new box and tutorials seem to be few and
>> far between. Are there any good tutorials on NAT?
>> I've got a machine on the LAN that needs to be able to act as if it's
>> on the internet for a few ports (ssh, http and one custom port). Could
>> NAT on the firehol box plus setting the gateway on the LAN box to the
>> IP of the firehol box give me that effect? And if so, either a
>> tutorial or just some help with what the config should look like would
>> be great.
>> Thanks for any help anyone can give.
> Check the linux 2.4 NAT howto
> (http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html). It is old,
> but you will get the basic idea.
> I also suggest reading the Linux Advanced Routing & Traffic Control Howto
> (lartc.org). It is again somewhat old but still useful.
> In firehol things are much simpler.
> 1. Make sure your linux router, running firehol, is also the default gateway
> for the machines in your LAN.
> 2. dnat whatever traffic you want to your private machines, using firehol.
> You can find examples at firehol site.
> 3. setup a router in firehol to allow the dnat'd traffic to flow.
> Pay a little attention not to allow routed traffic (in step 3) with source
> IPs the ones you have in you LAN.
> internet interface is eth0 with a dynamic public ip
> lan is eth1 with subnet 10.0.0.0/255.255.255.0
> You want to forward all incoming smtp traffic to your mail server at
> # this will allow all lan machines to reach the internet with the public ip
> of eth0
> # you can achieve the same with snat, if you have a static public ip.
> masquerade eth0
> # send to 10.0.0.10 all smtp traffic comming in from eth0 and going to your
> public ip
> # the ports need not to match (for example, you can dnat tcp/2500 to
> dnat to 10.0.0.10:25 proto tcp dport 25 inface eth0
> router internet2lan inface eth0 outface eth1 src not 10.0.0.0/255.255.255.0
> dst 10.0.0.0/255.255.255.0
> server smtp accept dst 10.0.0.10
> client all accept
> I hope that helps...
Don't just do something...sit there!
More information about the Firehol-support