Redeeman l33t
Joined: 25 Sep 2003 Posts: 958 Location: Portugal
Posted: Fri Sep 09, 2005 9:09 pm Post subject: firehol firewall help
Hello.. this is how my setup is:
I have three interfaces:
ppp0: my internet, via PPPoE (my IP: 80.196.156.209)
eth0: NIC, with a direct connection to my workstation (1 Gbit for speed) (192.168.0.0/24)
eth1: NIC, connected to a switch, for the rest of the LAN (192.168.0.1/24)
What I need:
I need internet on both eth0 and eth1, therefore I believe I need NAT from ppp0 to both eth0 and eth1.
Now about that NAT: I saw that masquerade is expensive, and in my current firewall I am using SNAT, so I guess I would like that here too.
I also need to be able to have traffic between eth0 and eth1, so that my workstation can connect to the other PCs on my LAN, and for this part I am not sure, since I think that by doing:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
it will forward traffic between interfaces, and then it might work, but as I said, I am not sure.. I would like your advice on how to do that; for now, it should just accept all traffic between the two interfaces.
And now for the part I am most unsure about, port forwarding.. I need to forward ports from the ppp0 interface (internet) to both my workstation and PCs on the LAN. I would like suggestions from you on how to do this. If there are several ways I would like to see them all.
This is what I have so far; it's without port forwarding though, and without (unless nothing is needed) support for traffic between workstation and LAN:
Code:
interface ppp0 internet
    protection strong
    server "http https smtp ftp ssh dns" accept
    client "ftp ssh http https irc" accept

interface eth0 redeeman
    policy accept

interface eth1 lan
    protection strong
    server "http https ssh ftp smtp imaps pop3s samba" accept

router redeeman2internet inface eth0 outface ppp0
    snat to 80.196.156.209 outface ppp0 src 192.168.0.0/24
    route all accept

router lan2internet inface eth1 outface ppp0
    snat to 80.196.156.209 outface ppp0 src 192.168.0.1/24
    route all accept
Now a note:
In the routers, in the snat statements, I saw I was supposed to give a dst too, but I don't know what; in my current firewall I do:
Code:
iptables -t nat -A POSTROUTING -s $INT_SUBNET -o $EXT_IFACE -j SNAT --to $EXT_IP
Any help here would be appreciated.
A few questions:
In the services, for example pop3, server ports are tcp/110 and client ports are default; does default in client ports mean the ports in server ports, just for outgoing traffic?
For services, I see ntp listens on the same port number, on UDP and TCP, for server ports.... on client ports it just allows outgoing traffic on port 123, and default. What does this mean?
If I have a router from LAN to internet, where I route all, will PCs on the LAN be limited by the client statements in my ppp0 (internet) interface?
-----
Thanks for all your help! I greatly appreciate it
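Added example, not written by anyone in this thread: a FireHOL 1.x configuration (the same "version 5" syntax used by the configs posted here) covering the three things asked for above: SNAT for both LAN segments, forwarding between eth0 and eth1, and an inbound port forward. It assumes eth1 gets its own subnet, 192.168.1.0/24, because a router between two interfaces needs two distinct subnets, and it uses 192.168.0.10 as a hypothetical workstation address for the forwarded port; the public address is the one quoted in the question.

```firehol
# Added example configuration (not from the thread). Assumed addressing:
# eth0 = 192.168.0.0/24 (workstation), eth1 = 192.168.1.0/24 (rest of the LAN),
# 192.168.0.10 = hypothetical workstation receiving the port forward.
version 5

# NAT helpers are top-level commands, not statements inside a router.
# Inbound port forward: packets arriving on ppp0 for tcp/80 are rewritten to
# the workstation; the router internet2lan below must then accept them.
dnat to 192.168.0.10 inface ppp0 proto tcp dport 80

# Source NAT for both LAN segments. No dst is needed: anything leaving via
# ppp0 from these sources is rewritten to the public address.
snat to 80.196.156.209 outface ppp0 src 192.168.0.0/24
snat to 80.196.156.209 outface ppp0 src 192.168.1.0/24

# An interface block only governs traffic to and from the firewall host
# itself; forwarded traffic is governed by the routers below, so these
# client statements do not limit the LAN machines.
interface ppp0 internet
    protection strong
    server "http https smtp ftp ssh dns" accept
    client "ftp ssh http https irc" accept

# Both LAN-facing NICs are trusted for traffic to the firewall host itself.
interface "eth0 eth1" lan
    policy accept

# LAN to internet for both segments. FireHOL turns on ip_forward itself
# once a router is defined, so no manual echo into /proc is required.
router lan2internet inface "eth0 eth1" outface ppp0
    route all accept

# Accept the DNATed http packets on their way to the workstation.
router internet2lan inface ppp0 outface eth0
    server http accept

# Traffic between the workstation and the rest of the LAN, both directions.
router lan2lan inface eth0 outface eth1
    route all accept
```

Regarding the "default" client ports asked about: in a FireHOL service definition the server ports (for example tcp/110 for pop3) are the ports the server listens on, and "default" client ports are the unprivileged ephemeral range a client normally uses for its end of the connection, so the client side is not restricted to the server's port numbers.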
Redeeman l33t
Joined: 25 Sep 2003 Posts: 958 Location: Portugal
Posted: Sat Sep 10, 2005 8:16 pm
Come on, someone must know it..
Redeeman l33t
Joined: 25 Sep 2003 Posts: 958 Location: Portugal
Posted: Sun Sep 11, 2005 11:33 pm
hmmmm
Redeeman l33t
Joined: 25 Sep 2003 Posts: 958 Location: Portugal
Posted: Mon Sep 12, 2005 2:31 pm
Can it really be that no one uses FireHOL?
Steven Robertson Tux's lil' helper
Joined: 26 Mar 2003 Posts: 140 Location: Tampa, FL
Posted: Wed Sep 14, 2005 2:47 am
Here's my firehol.conf.
Code:
version 5

# The variable NAT_FORWARD_IP tells firehol to forward a specific port to a specific
# host. The variable is stored in the format "host-port,port:range;[host...]".
# Port ranges use ":" (e.g. 4600:4699). The original had "5400-6000", which the
# grep below splits into the two single ports 5400 and 6000, so it is written
# as 5400:6000 here.
NAT_FORWARD_IP="192.168.0.9-4600:4699,3632,3664,37500,5400:6000;192.168.0.7-4700:4799;"

# Set up DNAT for every host/port entry in NAT_FORWARD_IP.
for IP_PORT in $(echo $NAT_FORWARD_IP | tr ";" " ")
do
    # Everything before the first "-" is the host address.
    IP=$(echo $IP_PORT | grep -o "^[1234567890.]\{7,15\}-" | tr -d "-")
    # Each port or port:range is introduced by "-" or ",".
    for PORT in $(echo $IP_PORT | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
    do
        dnat to $IP proto tcp dport $PORT
        dnat to $IP proto udp dport $PORT
    done
done

interface eth0 local
    server all accept
    client all accept

interface eth1 inet
    protection strong 10/sec 10
    server "ssh telnet smtp http https pop3 pop3s ping ftp ident" accept
    # A custom service takes a name, the server ports and the client ports;
    # the names below were added here, the original lines had none.
    server custom svc8575 "tcp/8575" default accept
    server custom ftpdata "tcp/20" default accept
    for PORT in $(echo $NAT_FORWARD_IP | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
    do
        server custom forward "tcp/$PORT udp/$PORT" default accept
    done
    server custom highports "tcp/25000:26000" default accept
    # server ident reject with tcp-reset
    client all accept

router inet2local inface eth1 outface eth0
    masquerade reverse
    server ident reject with tcp-reset
    # Let the DNATed packets through to the LAN hosts.
    for PORT in $(echo $NAT_FORWARD_IP | grep -o "[-,][1234567890:]*" | tr -d -- "-,")
    do
        route custom forward "tcp/$PORT udp/$PORT" default accept
    done
    client all accept
It should be more or less self-explanatory. Really, the for loops are all you need to copy.
WRT the eth0/eth1 deal: I'm not sure. Bridging might be the solution you intend, or there may be a firehol directive hiding somewhere for it. I haven't looked at my firewall in a while, so I'm still kind of hazy, but Verizon FiOS (15 mb/s down, 2 up) should be arriving soon, so I'm going to migrate my firewall and router from my 166 MHz server (getting retired!) to my desktop. (I'm replacing the server with a nice Via Epia box; I'm off to college in a year, and I want a BitTorrent proxy of sorts in case the campus's download policy is too restrictive.) If I run into anything resembling a solution, I'll let you know.
Steve