[Firehol-support] access from WAN to LAN

Tsaousis, Costa costa at tsaousis.gr
Wed Aug 3 16:34:55 CEST 2016


Your router is reversed. You should allow the request to go in and firehol
will take care of the reply.
Also use variables when possible, like this:

version 6

wan="ens160"
lan="ens192"

# custom FireHOL service "nas": the NAS listens on tcp/5000 and tcp/5001
server_nas_ports="tcp/5000,5001"
client_nas_ports="any"

ipv4 masquerade "${wan}"
# the bash substitutions split "tcp/5000,5001" into proto "tcp" and dport "5000,5001"
ipv4 dnat to 192.168.111.100 inface "${wan}" proto "${server_nas_ports/\/*/}" dport "${server_nas_ports/*\//}" # log "DNAT TO NAS"

ipv4 interface "${wan}" wan src not "${UNROUTABLE_IPS}"
        policy drop
        protection strong 10/sec 10
        server ident reject with tcp-reset
        ipv4 server "http ssh" accept src "$HOME"
        client all accept

ipv4 interface "${lan}" lan
        policy drop
        protection strong 10/sec 10
        ipv4 server ident reject with tcp-reset
        client all accept

# the request enters on the WAN and leaves on the LAN, so the router is inface wan, outface lan;
# "server nas" matches the already-DNATed destination and conntrack lets the replies back out
ipv4 router wan2lan inface "${wan}" outface "${lan}" src not "${UNROUTABLE_IPS}"
        server nas accept # log "ALLOW NAS WAN2LAN"
        # traffic initiated from the LAN towards the WAN is not covered by this router as
        # written; a "client all accept" line here would allow it (as the old lan-to-wan router did)


To verify it works, uncomment the log parts (i.e. remove the '#'), apply the
firewall and check the kernel logs.

Costa
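
The rules behind the reply above, as an added example that is not code from this thread or from FireHOL: a POSIX shell script that prints the iptables rules equivalent to "dnat ... inface wan", "router wan2lan ... server nas accept" and "masquerade wan" (written here by hand, assumed equivalent), plus a small matcher that is run over the kernel log line Tony quoted. The interface names, NAS address and ports are the ones from the thread; the matcher only checks the IN/OUT/DST/DPT fields and does not model FireHOL itself. It shows why the lan-to-wan router (inface ens192, outface ens160) never sees the DNATed SYN, which arrives with IN=ens160 OUT=ens192, while a wan2lan router does.

```sh
#!/bin/sh
# Added example, not code from the thread or from FireHOL. It prints the
# netfilter (iptables) rules a "DNAT from WAN to a LAN host" setup needs and
# contains a small matcher that shows, on the kernel log line quoted in the
# thread, why the router must be written WAN->LAN.
# Interface names, NAS address and ports are the ones given in the thread.

WAN="ens160"
LAN="ens192"
NAS="192.168.111.100"
NAS_PORTS="5000,5001"

# The four rules behind "dnat ... inface wan" + "router wan2lan ... server nas
# accept" + "masquerade wan" (assumed equivalent, written here by hand):
#  1. nat/PREROUTING rewrites the destination BEFORE routing, so
#  2. filter/FORWARD sees the packet with in=WAN, out=LAN, dst=NAS: the accept
#     rule must be written in that direction and match the post-DNAT address;
#  3. replies travel LAN->WAN inside the same conntrack entry (ESTABLISHED),
#     which is what "firehol will take care of the reply" means in netfilter
#     terms: no reverse rule and no SNAT are needed for them;
#  4. nat/POSTROUTING masquerades LAN-originated traffic leaving on the WAN.
nas_forward_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN -p tcp -m multiport --dports $NAS_PORTS -j DNAT --to-destination $NAS
iptables -A FORWARD -i $WAN -o $LAN -d $NAS -p tcp -m multiport --dports $NAS_PORTS -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Extract one KEY=value field from a netfilter log line ("IN=ens160 OUT=ens192 ...").
log_field() {
  printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# Would a router declared "inface $1 outface $2" see the packet in log line $3?
# Exit status 0 = yes, 1 = no.
router_matches() {
  [ "$(log_field IN "$3")" = "$1" ] && [ "$(log_field OUT "$3")" = "$2" ]
}

# Would "server nas accept" match log line $1: destination is the NAS and the
# destination port is one of the nas service ports.
nas_rule_matches() {
  local dpt
  [ "$(log_field DST "$1")" = "$NAS" ] || return 1
  dpt=$(log_field DPT "$1")
  case ",$NAS_PORTS," in
    *",$dpt,"*) return 0 ;;
  esac
  return 1
}

# The first log line quoted in the thread (SRC left as the poster masked it).
SAMPLE_LOG='PASS-unknown:IN=ens160 OUT=ens192 MAC=00:0c:29:81:73:a9:00:30:48:42:58:a3:08:00 SRC=my.ip.public.home DST=192.168.111.100 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=59457 DF PROTO=TCP SPT=42356 DPT=5000 WINDOW=29200 RES=0x00 SYN URGP=0'

nas_forward_rules
if router_matches "$LAN" "$WAN" "$SAMPLE_LOG"; then
  echo "router inface $LAN outface $WAN sees the DNATed SYN"
else
  echo "router inface $LAN outface $WAN never sees the DNATed SYN (IN=$WAN OUT=$LAN): it is unmatched and dropped"
fi
if router_matches "$WAN" "$LAN" "$SAMPLE_LOG" && nas_rule_matches "$SAMPLE_LOG"; then
  echo "router inface $WAN outface $LAN plus 'server nas accept': matched"
fi
```

Run it with `sh nas_rules.sh`; the printed rule set is the equivalent of the config above, and the FORWARD rule is the one the original lan-to-wan router could never produce because it was declared in the opposite direction.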



On Wed, Aug 3, 2016 at 4:34 PM, Tony Peña <emperor.cu at gmail.com> wrote:

> Hi Costa,
>
> I still can't hit the NAS on the LAN with the DNAT/SNAT. Maybe I was wrong,
> but I can see the logs ("logical literally ok") but it does not work. Maybe I am
> missing something.
> The log output:
>
> Aug  3 15:28:22 server kernel: [23867.655752] PASS-unknown:IN=ens160 OUT=ens192 MAC=00:0c:29:81:73:a9:00:30:48:42:58:a3:08:00 SRC=my.ip.public.home DST=192.168.111.100 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=59457 DF PROTO=TCP SPT=42356 DPT=5000 WINDOW=29200 RES=0x00 SYN URGP=0
>
> Aug  3 15:28:22 server kernel: [23867.655752] PASS-unknown:IN=ens160 OUT=ens192 MAC=00:0c:29:81:73:a9:00:30:48:42:58:a3:08:00 SRC=my.ip.public.home DST=192.168.111.100 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=59457 DF PROTO=TCP SPT=42356 DPT=5001 WINDOW=29200 RES=0x00 SYN URGP=0
>
> These are my interface settings:
>
> ens160  my.ip.public
>
> ens192    Link encap:Ethernet  HWaddr 00:0c:29:81:73:b3
>           inet addr:192.168.111.120  Bcast:192.168.111.255  Mask:255.255.255.0
>           inet6 addr: fe80::20c:29ff:fe81:73b3/64 Scope:Link
>
>
> The NAS is 192.168.111.100, open on ports 5000-5001.
> The gateway of the NAS is .120 (the LAN IP of the server), and from the NAS I
> can update and upgrade the firmware, so I can reach the internet fine from the
> NAS, by routing in the firehol config.
>
> And the firewall is:
>
> version 6
> ipv4 dnat to 192.168.111.100 inface any proto tcp dport "5000 5001"
>
> interface ens160 wan src not "$UNROUTABLE_IPS"
>         policy drop
>         protection strong 10/sec 10
>         server ident reject with tcp-reset
>         ipv4 server "http ssh" accept src "$HOME"
>         client all accept
>
> interface ens192 lan
>         policy drop
>         protection strong 10/sec 10
>         ipv4 server ident reject with tcp-reset
>         client all accept
>
> router lan-to-wan inface ens192 outface ens160
>         masquerade
>         route all accept
>
> thanks
>
> 2016-07-28 21:00 GMT+02:00 Tsaousis, Costa <costa at tsaousis.gr>:
>
>> Hi Tony,
>>
>> You need to DNAT traffic coming from the internet to the NAS box.
>> The replies will work automatically.
>>
>> Keep in mind you also need to allow the traffic to flow in a router.
>>
>> Costa
>>
>>
>> On Thu, Jul 28, 2016 at 7:28 PM, Tony Peña <emperor.cu at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> How can I get to a NAS on the LAN from the internet?
>>>
>>> An SNAT rule?
>>>
>>> I tested
>>>
>>> snat to the.ip.public inface eth0 src any outface eth1 dst 192.168.111.100 proto tcp dport 5001
>>>
>>> but it does not work. :/
>>>
>>> Any idea how to fix the rule?
>>> I'm still using firehol 1.297-1.
>>>
>>> It is an old server... I know it must be upgraded, but I need to fix this first
>>> and migrate in another step afterwards.
>>>
>>> Thanks
>>> --
>>> perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'
>>>
>>> Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
>>> <https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
>>> Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
>>> _______________________________________________
>>> Firehol-support mailing list
>>> Firehol-support at lists.firehol.org
>>> http://lists.firehol.org/mailman/listinfo/firehol-support
>>
>>
>>
>
>
>

