[Firehol-support] ip masquerading problem
Tamer Higazi
th982a at googlemail.com
Fri Mar 19 10:47:33 GMT 2010
Hi people!
I don't know how to program firehol far enough to realize
IP masquerading, so that clients in my network can easily enter the internet
through the server.
Hardware:
1 CPU (server) with 2 NICs:
eth0 Protokoll:Ethernet Hardware Adresse 00:18:f3:c1:db:b5
inet Adresse:192.168.1.2 Bcast:192.168.1.255 Maske:255.255.255.0
inet6 Adresse: fe80::218:f3ff:fec1:dbb5/64
Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:204804 errors:0 dropped:0 overruns:0 frame:0
TX packets:117558 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:289213484 (275.8 MiB) TX bytes:12145846 (11.5 MiB)
Interrupt:27 Basisadresse:0xe000
eth3 Protokoll:Ethernet Hardware Adresse 00:e0:4c:48:d6:f3
inet6 Adresse: fe80::2e0:4cff:fe48:d6f3/64
Gültigkeitsbereich:Verbindung
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:30 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:1800 (1.7 KiB) TX bytes:4066 (3.9 KiB)
Interrupt:21 Basisadresse:0xec00
lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:34303 errors:0 dropped:0 overruns:0 frame:0
TX packets:34303 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:6206766 (5.9 MiB) TX bytes:6206766 (5.9 MiB)
ppp0 Protokoll:Punkt-zu-Punkt Verbindung
inet Adresse:85.xxx.xxx.xxx P-z-P:213.191.64.102
Maske:255.255.255.255
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:203406 errors:0 dropped:0 overruns:0 frame:0
TX packets:115898 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:3
RX bytes:284349569 (271.1 MiB) TX bytes:9126141 (8.7 MiB)
eth3 is the other NIC in the server, to which the other CPU is connected.
The other CPU's config is:
IP: 192.168.1.10
Gateway: 192.168.1.2
DNS: 192.168.1.2
I would be thankful for any support from your side.
Here is my firehol.conf:
server_skypeserv_ports="tcp/9082 udp/9082 tcp/23399 udp/23399"
client_skypeserv_ports="default 23399"
server_torrent_ports="tcp/6881 udp/6881 tcp/6882 udp/6882"
client_torrent_ports="default 4662"

interface eth0 interface1 src "192.168.1.0/24" dst 192.168.1.2
    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind eth0 (net "192.168.1.0/24"),
    # add something like this.
    # > protection strong

    # Here are the services listening on eth0.
    # TODO: Normally, you will have to remove those not needed.
    server all accept
    client all accept

# INFO: Processing interface 'eth3'
interface ppp0 interface2 src not "${UNROUTABLE_IPS}" dst 85.xxx.xxx.xxx
    # The default policy is DROP. You can be more polite with REJECT.
    # Prefer to be polite on your own clients to prevent timeouts.
    policy drop

    # If you don't trust the clients behind ppp0 (net not "${UNROUTABLE_IPS}"),
    # add something like this.
    # > protection strong

    # Here are the services listening on ppp0.
    # TODO: Normally, you will have to remove those not needed.
    server jabberd accept
    server skypeserv accept
    server torrent accept
    server http accept
    server iax2 accept
    server ICMP accept
    server sip accept
    client all accept

router router1 inface eth0 outface ppp0 src "192.168.1.0/24" dst not "${UNROUTABLE_IPS}"
    # NAT the LAN clients behind the ppp0 address. Note: the keyword stands alone.
    # firehol.conf is parsed by bash, so a line reading "> masquerade" is an
    # output redirection into a file called "masquerade", not the masquerade command.
    masquerade
    route all accept

router router2 inface ppp0 outface eth0 src not "${UNROUTABLE_IPS}" dst "192.168.1.0/24"
    # This masquerades on eth0 as well, so connections coming in from the
    # internet reach the LAN with 192.168.1.2 as their source address; for
    # LAN-to-internet masquerading only router1 needs the keyword.
    masquerade
    # "route all accept" here lets any new connection from the internet into the LAN;
    # restrict it to the services that are actually needed.
    route all accept
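Added here as an example, not part of the original mail and not FireHOL's own code: a small POSIX shell script that checks the three things a working masquerade router has to leave behind on the server (IP forwarding switched on, a MASQUERADE rule leaving the WAN interface in the nat table, and an IPv4 address on the LAN-side NIC the client is cabled to). The `iptables-save` and `ip -4 -o addr` outputs embedded below are constructed samples; the address sample mirrors the ifconfig listing above, where eth3 has no inet address, so the third check flags it. Interface names ppp0/eth3 are taken from the mail; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post and not part of FireHOL: checks for
# the three things a working "masquerade" router must leave behind on the server.
# All sample command outputs below are constructed for offline use.

# Constructed sample of `iptables-save -t nat` after router1 ran "masquerade":
# FireHOL installs a MASQUERADE target in POSTROUTING for the router's outface.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# Constructed sample of `ip -4 -o addr`: eth3 (the NIC the client is cabled to)
# carries no IPv4 address, just like the ifconfig listing in the mail.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0'

# The kernel must forward between interfaces; $1 is the content of
# /proc/sys/net/ipv4/ip_forward (FireHOL normally switches it on when the
# configuration defines a router).
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Does the nat dump ($1) contain a MASQUERADE rule leaving the WAN interface ($2)?
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING .*-o $2( .*)? -j MASQUERADE$"
}

# Does the `ip -4 -o addr` output ($1) list an IPv4 address on interface $2?
# A LAN NIC without one cannot be the clients' 192.168.1.2 gateway.
iface_has_ipv4() {
    printf '%s\n' "$1" | grep -Eq -- "^[0-9]+: $2 +inet "
}

# Live check (hypothetical helper): run as root with WAN and LAN interface names,
#   check_masquerade_setup ppp0 eth3
# Prints one line per check and returns non-zero if any check fails.
check_masquerade_setup() {
    wan=$1
    lan=$2
    rc=0
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)
    nat=$(iptables-save -t nat 2>/dev/null)
    addr=$(ip -4 -o addr 2>/dev/null)

    if forwarding_enabled "$fwd"; then echo "ok:   ip_forward=1"
    else echo "FAIL: ip_forward is '$fwd', routing between NICs is off"; rc=1; fi

    if has_masquerade "$nat" "$wan"; then echo "ok:   MASQUERADE on $wan"
    else echo "FAIL: no MASQUERADE rule leaving $wan in the nat table"; rc=1; fi

    if iface_has_ipv4 "$addr" "$lan"; then echo "ok:   $lan has an IPv4 address"
    else echo "FAIL: $lan has no IPv4 address, clients cannot use a gateway on it"; rc=1; fi

    return $rc
}
```

Source the file and call `check_masquerade_setup ppp0 eth3` on the server after `firehol start`; if the second check fails, the masquerade keyword never reached iptables, and if the third fails, the clients' gateway address 192.168.1.2 is not on the NIC they are connected to, regardless of what the firewall does.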