[Firehol-support] Problem with two interface firewall with web servers behind NAT

Rick Marshall rjm at zenucom.com
Tue Mar 22 08:13:01 CET 2016


I have always done this with Redirect options in Apache. HTTPS in 
particular is difficult to route.

On 22/03/16 17:56, Phil Whineray wrote:
> Hi Kenny
>
> On Tue, Mar 22, 2016 at 07:40:44AM +0100, Kenny Colliander Nordin wrote:
>> Setup:
>>
>> eth0 = Internet
>> eth1 = LAN with 192.168.127.0/24 network
>> 192.168.127.20 = Web server
>>
>> I want all incoming eth0 traffic on port 80 and 443 to be forwarded to the
>> web server at 192.168.127.20 with the correlating port numbers.
> Seems reasonable
>
>> version 5
>>
>> dnat to 192.168.127.20 inface eth0 proto tcp dport 80
>> dnat to 192.168.127.20 inface eth0 proto tcp dport 443
>>
>> interface eth1 lan src "192.168.127.0/24"
>>      policy accept
>>
>> interface eth0 internet
>>      server http accept
>>      server https accept
>>      client all accept
>>
>> router internet2web inface eth0
>>     server http accept dst 192.168.127.20
>>     server https accept dst 192.168.127.20
>>     client all accept
>>     route all accept
>>
>> router lan2internet inface eth1 outface eth0
>>      masquerade
>>      client all accept
>>      route all accept
> OK, so you shouldn't need the server statements on the interface
> since you are using dnat to ensure such traffic will be routed
> instead - go ahead and remove those.
>
> Likewise the "client all accept" and "route all accept" should
> not be needed in internet2web to achieve what you are talking about.
> The "client all accept" in lan2internet will also try to permit
> all traffic from outside onto the LAN. I suggest removing all of
> these now - I guess you added them to try to get things to work.
>
> The remaining commands look OK, frankly. You need to initiate a
> connection with the firewall started and capture the logs [1].
> If you are struggling to see what is wrong, show them here and
> we can help.
>
> Cheers
> Phil
>
> [1] http://firehol.org/guides/firehol-troubleshooting/

-- 
*Rick Marshall*
Director
Zenucom Pty Ltd
+61 411 287530
www.zenucom.com <http://www.zenucom.com>
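For reference, here is Kenny's configuration with the removals Phil suggests applied. This is an added illustration, not a config posted in the thread; it assumes FireHOL's router semantics, where `server` matches requests entering on the inface and `client` matches requests entering on the outface, so the LAN-originated traffic in lan2internet is admitted with `server all accept` instead of the `client all accept` that Phil points out would open the LAN to connections from outside.

```firehol
version 5

# Rewrite inbound web traffic arriving on the Internet interface so it is
# forwarded to the LAN web server; the router below then filters it.
dnat to 192.168.127.20 inface eth0 proto tcp dport 80
dnat to 192.168.127.20 inface eth0 proto tcp dport 443

interface eth1 lan src "192.168.127.0/24"
    policy accept

interface eth0 internet
    # No "server http/https accept" here: after dnat the web traffic is
    # forwarded traffic, not traffic to the firewall host itself.
    client all accept

router internet2web inface eth0
    # Only the NATed web traffic to the web server is allowed in; the
    # "client all accept" and "route all accept" lines are dropped.
    server http accept dst 192.168.127.20
    server https accept dst 192.168.127.20

router lan2internet inface eth1 outface eth0
    masquerade
    # "server" here means requests entering on eth1 (the LAN) and leaving
    # via eth0; "client all accept" would admit Internet-originated
    # connections into the LAN instead.
    server all accept
```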

