Koozali.org: home of the SME Server

Bridging Firewall on SME

frederikbay
Bridging Firewall on SME
« on: May 10, 2004, 02:35:30 PM »
Hi

I have 2 public IP addresses and would like to have 2 servers attached, one Windows and one SME server.

Is it possible to use the SME server as a "bridging" firewall, so that the SME server has 2 IPs on the external NIC and forwards one to the Windows server?

Thanks

Frederik

briank
Bridging Firewall on SME
« Reply #1 on: May 11, 2004, 07:59:37 AM »
This is old but you may glean something useful here
http://www.tech-geeks.org/article.php?story=20020206234827402
Regards
Brian K

frederikbay
Bridging Firewall on SME
« Reply #2 on: May 11, 2004, 01:55:36 PM »
Thanks, had a look at it and it looks like it uses IPChains and not IPTables.

Anybody else have any suggestions?

Was thinking of trying ProxyPass.

briank
Bridging Firewall on SME
« Reply #3 on: May 12, 2004, 01:10:25 PM »
I think proxypass passes a URL and won't discriminate between your ext IPs. I know Abe's solution uses ipchains but I thought it might be quite simple to modify.
Regards
Brian

frederikbay
Bridging Firewall on SME
« Reply #4 on: May 13, 2004, 11:26:11 AM »
After looking through the link you supplied, I found Abe's Readme and it states:

<snip>

Program Name: 1 To 1 NAT

Developer: Abe Loveless (abe_AT_lovelesscentral.org)
Major Contributor: Chris Watkins

Current Version:    1_to_1-0.1.tar.gz
SME Server Version:   Versions 5.5 and DOWN, ONLY

For version 5.6 and UP, see http://tech-geeks.org/contrib/mdrone/1-to-1/

<snip>

Should be the answer to my problem, I hope  :-D , will be posting any findings.

Thanks for the help Brian.

frederikbay
Bridging Firewall on SME
« Reply #5 on: July 22, 2004, 02:03:04 PM »
Have now gotten it to work; there was a line missing.

Here is a small how-to:

A. Use this link:

http://tech-geeks.org/contrib/mdrone/1-to-1/

B. Log in to the server using PuTTY

C. In the root dir, use the commands

mkdir nat

cd nat

D. Download the contrib

wget http://tech-geeks.org/contrib/mdrone/1-to-1/1-to-1-iptables.tar.gz

Follow the readme in the contrib until you get to 3c.

3d. pico /opt/1_to_1/makefrag.pl

After line 43 - print BEGIN ("    /sbin/iptables -t nat --append CustomNATout -s $data[1] -j SNAT --to $data[0] \n");

insert this line:

print BEGIN ("\n    /sbin/iptables -A FORWARD  -j ACCEPT\n");

Then CTRL-X and save on exit.

Continue following the readme and you are all set.
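The rule set the procedure above ends up producing, as an added example (this is not the contrib's makefrag.pl output and not anything frederikbay posted): a POSIX shell script that validates the two addresses and emits the DNAT/SNAT pair for one public-to-private mapping. Instead of the blanket "/sbin/iptables -A FORWARD -j ACCEPT" added in step 3d, which also lets every other forwarded packet through the box, it emits FORWARD rules scoped to the mapped internal host. The chain names CustomNATin and CustomNATout are the ones quoted from the contrib in this thread; the sample addresses (203.0.113.10, 192.168.0.10) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the 1-to-1 contrib: emit the iptables
# rules for one public-to-private 1-to-1 NAT mapping. Chain names CustomNATin
# and CustomNATout are the ones quoted in the thread; all addresses below are
# constructed for the example (RFC 5737 / RFC 1918 ranges).
set -f   # no globbing is needed anywhere here; keeps the unquoted split below safe

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with each octet 0-255.
is_ipv4() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1                  # split the address on dots into $1..$4
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in
            ''|*[!0-9]*) return 1 ;;   # empty field or non-digit character
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# one_to_one_rules PUBLIC_IP INTERNAL_IP: print the rules for the mapping.
# Returns 1 and prints nothing on stdout if either address is malformed.
one_to_one_rules() {
    _pub=$1
    _int=$2
    if ! is_ipv4 "$_pub" || ! is_ipv4 "$_int"; then
        echo "one_to_one_rules: bad address '$_pub' or '$_int'" >&2
        return 1
    fi
    # Inbound: everything addressed to the public IP is rewritten to the
    # internal host (add "-p tcp --dport N" to narrow it to single ports).
    # Outbound: replies and connections from that host leave as the public IP.
    # FORWARD: only traffic to or from the mapped host is allowed through,
    # and only with connection tracking, rather than accepting all forwarding.
    cat <<EOF
/sbin/iptables -t nat --append CustomNATin -d $_pub -j DNAT --to $_int
/sbin/iptables -t nat --append CustomNATout -s $_int -j SNAT --to $_pub
/sbin/iptables -A FORWARD -d $_int -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -s $_int -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: print the rules for one constructed mapping.
one_to_one_rules 203.0.113.10 192.168.0.10
```

The script only prints the rules; reviewing the generated lines before pasting them into the masq template is the point of keeping generation and application separate.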

Franco
Bridging Firewall on SME
« Reply #6 on: March 05, 2005, 05:46:28 PM »
frederikbay,
works perfectly for me, thank you very much.
How about restricting access to a specified port, such as mysql, only to certain outside IPs?
I would need more than one outside IP accessing certain ports on a specific machine within my LAN, and mixing the 1-to-1 and this rule would be perfect!
Thanks,

frederikbay
Bridging Firewall on SME
« Reply #7 on: March 14, 2005, 07:13:14 PM »
Hi stuntshell

Use pico (or any editor you like) to edit /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/34CustomNAT

Find the entry for MySQL:

    /sbin/iptables -t nat --append CustomNATin -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p tcp --dport 3306 -j DNAT --to iii.iii.iii.iii:3306

Change the xxx's to the IP you want to have the ability to connect to your internal server.

The yyy's are the external IP that you want your server to respond to.

The iii's are the local IP of the server.

The entry should already be there; the only thing you have to do is insert: -s xxx.xxx.xxx.xxx

Then copy the whole line and paste it under the previous one and edit the -s xxx.xxx.xxx.xxx

Do this for each IP that you want to be able to connect to the server.

Remember to restart the masq service:

/etc/rc.d/init.d/masq restart

or simply reboot.

Don't know if it'll work, but hope :roll: it does.

Let me know what you find.

Frederik
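A small POSIX shell companion to the steps above, added here as an example (it is not frederikbay's or the contrib's code): it generates the per-source DNAT lines for one port from a list of allowed source addresses, refuses to emit anything when that list is empty, and audits a 34CustomNAT-style fragment for DNAT rules on a given port that still lack a -s match, which is the slip that quietly leaves the port reachable from any address. The chain name CustomNATin and the rule shape are taken from this thread; the fragment text and all addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the 1-to-1 contrib. Chain name
# CustomNATin and the rule layout are the ones quoted in the thread; the
# addresses and the sample fragment below are constructed (RFC 5737 / RFC 1918).

# restricted_dnat_rules EXT_IP INT_IP PORT SRC_IP...: print one DNAT rule per
# allowed source address, in the same form as the 34CustomNAT fragment.
# Returns 1 and prints nothing when no source addresses are given, so an
# empty allowlist can never turn into an unrestricted rule.
restricted_dnat_rules() {
    _ext=$1
    _int=$2
    _port=$3
    shift 3
    if [ $# -eq 0 ]; then
        echo "restricted_dnat_rules: no source addresses given for port $_port" >&2
        return 1
    fi
    for _src in "$@"; do
        printf '    /sbin/iptables -t nat --append CustomNATin -s %s -d %s -p tcp --dport %s -j DNAT --to %s:%s\n' \
            "$_src" "$_ext" "$_port" "$_int" "$_port"
    done
}

# Constructed fragment: the 3306 rule was never given a -s restriction,
# the port 80 rule was.
SAMPLE_FRAGMENT='    /sbin/iptables -t nat --append CustomNATin -d 203.0.113.10 -p tcp --dport 3306 -j DNAT --to 192.168.0.10:3306
    /sbin/iptables -t nat --append CustomNATin -s 198.51.100.7 -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to 192.168.0.10:80'

# open_dnat_rules FRAGMENT PORT: print every DNAT rule for PORT that carries
# no -s (source) match. Exit status 0 means at least one open rule was found.
open_dnat_rules() {
    printf '%s\n' "$1" | grep -- "--dport $2 " | grep -v -- ' -s '
}

# Usage with the constructed data: two allowed sources for MySQL, then an
# audit of the sample fragment.
restricted_dnat_rules 203.0.113.10 192.168.0.10 3306 198.51.100.7 198.51.100.8
if open_dnat_rules "$SAMPLE_FRAGMENT" 3306; then
    echo "warning: port 3306 is forwarded without a source restriction" >&2
fi
```

Run the audit against the real template fragment after editing it and again after the masq restart has regenerated the rules, since a line left without -s is indistinguishable from a deliberate one at a glance.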

dann

Will this work with Private Server Gateway
« Reply #8 on: March 15, 2005, 04:38:59 AM »
I've been reading this thread and it may solve a problem I've been trying to figure out. A post to the forums did not turn up anything.

I want to be able to access a piece of equipment via TCP/IP connected to the internal private network from the public network in a secure manner. By secure I mean that the internal network is secured from the public network but the piece of equipment is available to the public, one user at a time.

It looks like I could get a second static IP address assigned to my server and route that address to the static internal address of the equipment. I'm not quite sure how to do this but I'd like advice as to whether or not it can be done or if there is a better way to accomplish this task. My SME server is running Private Server Gateway.

Thanks,

frederikbay
Bridging Firewall on SME
« Reply #9 on: March 15, 2005, 12:16:10 PM »
dann,

If you follow the description above you should be able to solve your problem.

What you need is 2 public IP addresses, where you route one to the "piece of equipment" on your private network.

You can route all ports to the "piece of equipment" or just the ones you are going to use (more secure).

Frederik

briank
Bridging Firewall on SME
« Reply #10 on: April 03, 2005, 05:20:16 AM »
Hi - can I use Abe's 1to1NAT to send a specific external IP (I have multiple ext IPs) to a specific internal server by port?
e.g. say 203.xxx.xxx.001 port 80 to 192.168.0.10:80
and    203.xxx.xxx.002 port 80 to 192.168.0.20:80
So the same port gets routed to a particular internal server depending on its external IP.
Cheers
Brian

Franco
Bridging Firewall on SME
« Reply #11 on: April 03, 2005, 01:24:53 PM »
It's precisely what Frederik has explained above! If all you want to do is serve webpages, you could also use the proxypass contrib.

Cheers  :pint:  to Frederik!!!
(BTW, the specific port works as a charm)

mbachmann

Bridging Firewall on SME
« Reply #12 on: April 04, 2005, 10:51:09 AM »
Good work on that, folks. So, would you save your findings for the generation after you and make a nice howto at this page I have prepared for you:

http://no.longer.valid/phpwiki/index.php/How%20to%20have%202%20public%20ip%27s%20on%20external%20NIC%20and%20route%20it%20to%20a%20piece%20of%20hardware%20on%20your%20local%20network

Use the small edit button in the lower right corner.

Your howto will then be visible in the RSS feed for a while.

frederikbay
Bridging Firewall on SME
« Reply #13 on: April 04, 2005, 01:49:00 PM »
Will do.

Frederik

He he, my first how-to  :-D