[Firehol-support] 4 NIC 2 NAT with firehol

Redeeman redeeman at metanurb.dk
Sun Jan 27 01:20:01 CET 2008


First of all, thanks a lot for your answers, I appreciate it!

This is my test config:
world1_nat_address="192.168.0.4" # my internet connection 1 ip (this is a test ip, on my lan, thats why its local)
world2_net_address="192.168.3.1" # conn 2, same deal (assigned here as world2_net_address, but expanded below as world2_nat_address)
world1_iface="eth0" # conn 1 iface
world2_iface="eth3" # conn 2 iface
lan2_address="192.168.1.0/24" # network of lan2
lan1_address="192.168.2.0/24" # network of lan1

snat to "${world1_nat_address}" outface "${world1_iface}" src "${lan1_address}"
snat to "${world2_nat_address}" outface "${world2_iface}" src "${lan2_address}"

interface eth0 internetone
        policy drop
        protection strong
        server ident reject with tcp-reset
        server "ssh" accept
        client all accept


interface eth1 lanone
        policy accept
        server all accept
        client all accept

interface eth2 lantwo
        policy accept
        server all accept
        client all accept


interface eth3 internettwo
        policy drop
        protection strong
        server ident reject with tcp-reset
        server "ssh" accept
        client all accept

router internetone2lanone inface eth2 outface eth0
        #masquerade reverse
        route all accept
        client all accept

router internettwo2lantwo inface eth1 outface eth3
        #masquerade reverse
        route all accept
        client all accept
-----
This is what I get:
ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 2).
SOURCE  : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t nat -A nat.2 -j SNAT
OUTPUT  :

iptables v1.3.6: You must specify --to-source
Try `iptables -h' or 'iptables --help' for more information.

Stopped: Couldn't activate new firewall.
----
It is Debian stable 4.0, with firehol included, so I guess that's why...
It works fine with masquerading when testing only ONE NAT set (I haven't
done the route thing yet). Any reason why I shouldn't use masq for now?
(And fix snat when routing is working?)
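A firehol config is plain shell, so an snat line that expands a name nothing assigned (the config assigns world2_net_address, but the second snat line expands world2_nat_address) gives firehol an empty "to" address, which matches the SNAT rule shown with no --to-source. As an added example, not part of the original post or of FireHOL itself, here is a POSIX shell check for such references, run over a constructed copy of the posted variable and snat lines:

```shell
#!/bin/sh
# Added example (not from the original post or from FireHOL): report names that a
# firehol config expands as "${name}" but never assigns. An unassigned name gives
# firehol an empty "to" address, so it emits an SNAT rule with no --to-source.

# Print each referenced-but-unassigned variable name, one per line.
firehol_undefined_vars() {
    f="$1"
    # Names assigned anywhere in the file ("name=value" at line start).
    assigned=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$f" | sort -u)
    # Names expanded as ${name} anywhere in the file.
    referenced=$(grep -oE '\$\{[A-Za-z_][A-Za-z0-9_]*\}' "$f" | tr -d '${}' | sort -u)
    for name in $referenced; do
        found=0
        for a in $assigned; do
            [ "$a" = "$name" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$name"
    done
    return 0
}

# Constructed copy of the variable and snat lines from the posted config,
# written to a temporary file whose path is printed.
make_sample_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
world1_nat_address="192.168.0.4"
world2_net_address="192.168.3.1"
world1_iface="eth0"
world2_iface="eth3"
lan2_address="192.168.1.0/24"
lan1_address="192.168.2.0/24"
snat to "${world1_nat_address}" outface "${world1_iface}" src "${lan1_address}"
snat to "${world2_nat_address}" outface "${world2_iface}" src "${lan2_address}"
EOF
    echo "$tmp"
}

# Run the check on the sample; a real run would point it at /etc/firehol/firehol.conf.
conf=$(make_sample_conf)
missing=$(firehol_undefined_vars "$conf")
rm -f "$conf"
if [ -n "$missing" ]; then
    echo "undefined variable(s) in config: $missing"
else
    echo "all variable references resolve"
fi
```

Running the check before `firehol start` catches this class of mistake without iptables having to fail halfway through activation.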

About the routing..
I chose option 2, I think; it seems nicest. I found this:
http://lartc.org/howto/lartc.rpdb.multiple-links.html
I'm however not having the greatest success..
This is my script:
IF1=eth0
IF2=eth3
IF3=eth2
IF4=eth4
IP1=192.168.0.4
IP2=192.168.3.1
IP3=192.168.2.1
IP4=192.168.1.1
P1_NET=192.168.0.0/24
P2_NET=192.168.3.0/24
P1=192.168.0.1
P2=192.168.3.2
P3_NET=192.168.2.0/24
P4_NET=192.168.1.0/24

# T1 and T2 must be listed by name in /etc/iproute2/rt_tables (e.g. "1 T1" and "2 T2"),
# otherwise ip rejects the "table T1" argument.
#gateway default route - like normal, but with tables
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2


#route stuff to neighbor, through that interface
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

# my default route for this system(i hope!!)
ip route add default via $P1

# set ip's with route tables
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

ip route add $P3_NET dev $IF3 table T1
ip route add $P4_NET dev $IF4 table T2
------
I will mess a bit more with it!

hehe




On Sat, 2008-01-26 at 15:54 +0000, Carlos Rodrigues wrote:
> On Jan 26, 2008 3:51 PM, Carlos Rodrigues <carlos.efr at mail.telepac.pt> wrote:
> > For the NAT part, you only have to specify that all traffic going out
> > from each one outside interface gets that interface's address:
> >
> > snat to "${world1_nat_address}" outface "${world1_iface}"
> > snat to "${world2_nat_address}" outface "${world2_iface}"
> >
> 
> BTW, this should have the same behaviour but is nicer looking (as it
> doesn't match the firewall itself -- most useful when you are doing
> NAT to an address meant just for that, and aren't using the firewall's
> address itself):
> 
> snat to "${world1_nat_address}" outface "${world1_iface}" src "${lan1_address}"
> snat to "${world2_nat_address}" outface "${world2_iface}" src "${lan2_address}"
> 
