
14.3.2. Using the Address of "wrong" Interface for Source Address Translation

Normally, a generated iptables SNAT rule includes a "-o <interface>" clause to make it more specific and only translate packets that really leave the network. Firewall Builder guesses which interface to put in the "-o" parameter by looking at the object in the Translated Source of the NAT rule. If this object is the firewall's interface or an address of one of its interfaces, then it uses that interface for the "-o" parameter. There is one configuration, though, where the interface in the "-o" parameter must differ from the interface that owns the address used for SNAT translation. This configuration is useful when you have a small block of publicly routable addresses and want to host a server in the DMZ, but the block is so small that subnetting it does not make sense.

Figure 14.80. 


Firewall object fw-1-1 has 4 interfaces:

Table 14.1. 

Interface   Network zone         Address
eth0        external interface   dynamic
eth1        internal interface   172.16.22.1/24
eth2        DMZ                  192.0.2.1/29
lo          loopback             127.0.0.1

Here the publicly routable address block is very small: it is just a /29 (6 usable addresses). It is assigned to the DMZ interface eth2, and the firewall's address on it is 192.0.2.1. The outside interface eth0 can be either dynamic or have a private address. In fact, this is a rather typical configuration when your firewall is behind a DSL router and the segment between the firewall and the router uses private addresses such as 192.168.1.0. It is more useful to keep that segment private and allocate all routable addresses to the DMZ instead of trying to subnet the routable block. The problem now is that the source address translation rule should use an address that belongs to the DMZ interface eth2, but the "-o" parameter should name interface eth0 or be omitted altogether. "-o eth2" would not work at all, because the translated packets leave through eth0, not eth2.

To do this in Firewall Builder, create an address object with an IP address equal to the one you want to use for source NAT. Since in this example we want to use the address 192.0.2.1, which belongs to the firewall, we call this new address object "like fw-1-1:eth2:ip". This is just a regular IPv4 address object; there is nothing special about it:

Figure 14.81. 


Now we use it in the NAT rule:

Figure 14.82. 


Here is what Firewall Builder generates for iptables for this rule:

# Rule 0 (NAT)
#
$IPTABLES -t nat -A POSTROUTING -o eth+  -s 172.16.22.0/24 -j SNAT --to-source 192.0.2.1

The compiler added the "-o eth+" parameter, which matches any outbound interface (the trailing "+" is the iptables prefix wildcard, so "eth+" covers eth0, eth1 and eth2), and used the address 192.0.2.1 in the SNAT target as required.
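As an added example (not Firewall Builder's own code), here is a small Python model of the heuristic described above: a firewall interface used as Translated Source pins the rule to that interface, while a stand-alone address object produces the "-o eth+" wildcard. The Interface and Address classes, the FW_1_1 list built from Table 14.1 and the rule_applies_on check are constructed for this illustration; the check shows why a rule pinned to "-o eth2" never matches traffic leaving through eth0.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional, Union

# Constructed model of fw-1-1 from Table 14.1; a stand-in for Firewall
# Builder's object model, just enough to reproduce the "-o" heuristic.
@dataclass(frozen=True)
class Interface:
    name: str
    address: Optional[IPv4Interface]  # None stands for a dynamic address

@dataclass(frozen=True)
class Address:
    """A plain IPv4 address object, like "like fw-1-1:eth2:ip" in the text."""
    ip: IPv4Address

FW_1_1 = [
    Interface("eth0", None),
    Interface("eth1", IPv4Interface("172.16.22.1/24")),
    Interface("eth2", IPv4Interface("192.0.2.1/29")),
    Interface("lo", IPv4Interface("127.0.0.1/8")),
]
LIKE_FW_1_1_ETH2_IP = Address(IPv4Address("192.0.2.1"))

def out_interface(translated_src: Union[Interface, Address]) -> str:
    """Heuristic described above: a firewall interface as Translated Source
    pins the rule to that interface; a plain address object yields 'eth+'."""
    if isinstance(translated_src, Interface):
        return translated_src.name
    return "eth+"

def snat_rule(internal_net: str, translated_src: Union[Interface, Address]) -> str:
    """Render the POSTROUTING SNAT rule for traffic from internal_net."""
    if isinstance(translated_src, Interface):
        if translated_src.address is None:
            raise ValueError(f"{translated_src.name} is dynamic: no fixed SNAT address")
        to_source = translated_src.address.ip
    else:
        to_source = translated_src.ip
    return (f"$IPTABLES -t nat -A POSTROUTING -o {out_interface(translated_src)} "
            f"-s {internal_net} -j SNAT --to-source {to_source}")

def rule_applies_on(rule: str, egress_if: str) -> bool:
    """Does the rule's '-o' clause match packets leaving via egress_if?
    A trailing '+' is the iptables prefix wildcard."""
    out_if = rule.split(" -o ", 1)[1].split()[0]
    if out_if.endswith("+"):
        return egress_if.startswith(out_if[:-1])
    return out_if == egress_if
```

Compare snat_rule("172.16.22.0/24", FW_1_1[2]) with snat_rule("172.16.22.0/24", LIKE_FW_1_1_ETH2_IP): both translate to 192.0.2.1, but only the second one passes rule_applies_on(rule, "eth0").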

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.