[Firehol-support] Problem with two interface firewall with web servers behind NAT

Phil Whineray phil at firehol.org
Tue Mar 22 06:56:48 GMT 2016


Hi Kenny

On Tue, Mar 22, 2016 at 07:40:44AM +0100, Kenny Colliander Nordin wrote:
> Setup:
> 
> eth0 = Internet
> eth1 = LAN with 192.168.127.0/24 network
> 192.168.127.20 = Web server
> 
> I want all incoming eth0 traffic on port 80 and 443 to be forwarded to the
> web server at 192.168.127.20 with the correlating port numbers.

Seems reasonable

> version 5
> 
> dnat to 192.168.127.20 inface eth0 proto tcp dport 80
> dnat to 192.168.127.20 inface eth0 proto tcp dport 443
> 
> interface eth1 lan src "192.168.127.0/24"
>     policy accept
> 
> interface eth0 internet
>     server http accept
>     server https accept
>     client all accept
> 
> router internet2web inface eth0
>    server http accept dst 192.168.127.20
>    server https accept dst 192.168.127.20
>    client all accept
>    route all accept
> 
> router lan2internet inface eth1 outface eth0
>     masquerade
>     client all accept
>     route all accept

OK, so you shouldn't need the server statements on the interface
since you are using dnat to ensure such traffic will be routed
instead - go ahead and remove those.

Likewise the "client all accept" and "route all accept" should
not be needed in internet2web to achieve what you are talking about.
The "client all accept" in lan2internet will also try to permit
all traffic from outside onto the LAN. I suggest removing all of
these now - I guess you added them to try to get things to work.

The remaining commands look OK, frankly. You need to initiate a
connection with the firewall started and capture the logs [1].
If you are struggling to see what is wrong, show them here and
we can help.

Cheers
Phil

[1] http://firehol.org/guides/firehol-troubleshooting/
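For reference, here is the configuration with Phil's suggested removals applied. This is an added example assembled from the quoted config and the advice in this reply; it is not a config Phil or Kenny posted. The interface names and the 192.168.127.20 address are taken from the original post.

```firehol
version 5

# Redirect inbound HTTP/HTTPS arriving on the Internet interface to the web server.
# These rules alone decide that the traffic is forwarded, so the interface
# definition below does not need matching "server" statements.
dnat to 192.168.127.20 inface eth0 proto tcp dport 80
dnat to 192.168.127.20 inface eth0 proto tcp dport 443

interface eth1 lan src "192.168.127.0/24"
    policy accept

interface eth0 internet
    # "server http accept" / "server https accept" removed: the dnat rules
    # above route that traffic, it never terminates on the firewall itself.
    client all accept

# Only the forwarded web traffic is allowed through here. The earlier
# "client all accept" and "route all accept" were broader than needed.
router internet2web inface eth0
    server http accept dst 192.168.127.20
    server https accept dst 192.168.127.20

router lan2internet inface eth1 outface eth0
    masquerade
    # "client all accept" removed: in a router it matches requests entering
    # from the outface (eth0), so it would have opened the LAN to the Internet.
    route all accept
```

After loading this, initiate a connection from outside the firewall and capture the logs as described in the troubleshooting guide [1]; with the extra accept rules gone, any remaining drops in the log point at the actual problem rather than being masked.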



More information about the Firehol-support mailing list