[Firehol-support] ip masquerading problem

Tamer Higazi th982a at googlemail.com
Fri Mar 19 11:47:33 CET 2010


Hi people!
I don't know how to program firehol far enough to realize
IP masquerading, so that clients in my network can easily reach the internet
through the server.

Hardware:
1 CPU (server) with 2 NICs:

eth0      Protokoll:Ethernet  Hardware Adresse 00:18:f3:c1:db:b5 
          inet Adresse:192.168.1.2  Bcast:192.168.1.255  Maske:255.255.255.0
          inet6 Adresse: fe80::218:f3ff:fec1:dbb5/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:204804 errors:0 dropped:0 overruns:0 frame:0
          TX packets:117558 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:289213484 (275.8 MiB)  TX bytes:12145846 (11.5 MiB)
          Interrupt:27 Basisadresse:0xe000

eth3      Protokoll:Ethernet  Hardware Adresse 00:e0:4c:48:d6:f3 
          inet6 Adresse: fe80::2e0:4cff:fe48:d6f3/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:1800 (1.7 KiB)  TX bytes:4066 (3.9 KiB)
          Interrupt:21 Basisadresse:0xec00

lo        Protokoll:Lokale Schleife 
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:34303 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34303 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:6206766 (5.9 MiB)  TX bytes:6206766 (5.9 MiB)

ppp0      Protokoll:Punkt-zu-Punkt Verbindung 
          inet Adresse:85.xxx.xxx.xxx  P-z-P:213.191.64.102  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:203406 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115898 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:3
          RX bytes:284349569 (271.1 MiB)  TX bytes:9126141 (8.7 MiB)


eth3 is the other NIC in the server, to which the other CPU is connected.

The other CPU's config is:

IP: 192.168.1.10
Gateway: 192.168.1.2
DNS: 192.168.1.2


I would be grateful for any support from your side.

Here is my firehol.conf:



server_skypeserv_ports="tcp/9082 udp/9082 tcp/23399 udp/23399"
client_skypeserv_ports="default 23399"

server_torrent_ports="tcp/6881 udp/6881 tcp/6882 udp/6882"
client_torrent_ports="default 4662"


interface eth0 interface1 src "192.168.1.0/24" dst 192.168.1.2

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind eth0 (net "192.168.1.0/24"),
    # add something like this.
    # > protection strong

    # Here are the services listening on eth0.
    # TODO: Normally, you will have to remove those not needed.
    server all accept
    client all accept

# INFO: Processing interface 'eth3'

interface ppp0 interface2 src not "${UNROUTABLE_IPS} " dst 85.xxx.xxx.xxx

    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind ppp0 (net not "${UNROUTABLE_IPS} "),
    # add something like this.
    # > protection strong

    # Here are the services listening on ppp0.
    # TODO: Normally, you will have to remove those not needed.
    server jabberd accept
    server skypeserv accept
    server torrent accept
    server http accept
    server iax2 accept
    server ICMP accept
    server sip accept
   
    client all accept



router router1 inface eth0 outface ppp0 src "192.168.1.0/24" dst not "${UNROUTABLE_IPS} "
    # masquerade has to be a line inside the router definition; firehol.conf
    # is read by the shell, so a trailing "> masquerade" on the router line
    # only redirects output to a file named "masquerade" and creates no NAT rule.
    # Inside a router, masquerade applies to the router's outface (ppp0 here).
    masquerade
    route all accept

router router2 inface ppp0 outface eth0 src not "${UNROUTABLE_IPS} " dst "192.168.1.0/24"
    # no masquerade here: it would apply to this router's outface, eth0 (the LAN side)
    route all accept
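The same problem seen from the server side: the following diagnostic script is an added example, not part of the original post or of FireHOL, and the command outputs it parses are constructed samples. It takes the text of /proc/sys/net/ipv4/ip_forward and of `iptables -t nat -S POSTROUTING` and reports whether forwarding is on and whether a MASQUERADE rule leaving via ppp0 actually exists, which is exactly what a misplaced `masquerade` line fails to produce.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post or from FireHOL).
# Interface name and LAN prefix are the ones from the post; the sample
# command outputs below are constructed to look like a working setup.

WAN_IF="ppp0"
LAN_NET="192.168.1.0/24"

# Constructed samples: contents of /proc/sys/net/ipv4/ip_forward and
# output of `iptables -t nat -S POSTROUTING` on a correctly masquerading box.
SAMPLE_FORWARD="1"
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE'

# Returns 0 when the kernel forwards IPv4 (the file must contain exactly 1).
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Returns 0 when the given POSTROUTING listing has a MASQUERADE rule whose
# outgoing interface is $WAN_IF (both parts must be on the same rule line).
has_masquerade_rule() {
    printf '%s\n' "$1" | grep -e "-o ${WAN_IF} " | grep -q -e "-j MASQUERADE"
}

# Prints a short diagnosis; returns 0 only if both prerequisites are met.
check_masquerade() {
    fwd="$1"; rules="$2"; rc=0
    if forwarding_enabled "$fwd"; then
        echo "ok: net.ipv4.ip_forward=1"
    else
        echo "FAIL: ip_forward is '$fwd'; FireHOL normally enables it, check the kernel"; rc=1
    fi
    if has_masquerade_rule "$rules"; then
        echo "ok: MASQUERADE rule via ${WAN_IF} present for ${LAN_NET}"
    else
        echo "FAIL: no MASQUERADE rule via ${WAN_IF}; the masquerade line never took effect"; rc=1
    fi
    return $rc
}

# Live use on the server (as root):
#   check_masquerade "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S POSTROUTING)"
# Offline run on the constructed samples:
check_masquerade "$SAMPLE_FORWARD" "$SAMPLE_NAT_RULES"
```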
