Koozali.org: home of the SME Server

Firewall Dilemma

p-jones
Firewall Dilemma
« on: March 22, 2012, 09:56:07 AM »
Hi,

I have a situation to address regarding Port Forwarding and restricted access that I cannot find (or recognise) a solution to.

I have spent the last few evenings searching the forum and reading the howtos etc., and whilst I have found a number of posts, most relate to email and none relate to my specific scenario, that I can find (or understand).

I have an SME in Server-Gateway mode which acts as a gateway FROM the outside world. I also have a Microsoft server sitting inside the network.

I need to forward some specific ports for just 1 or maybe 2 specific IPs on the outside to the M$ server inside the network. Port 8080 would be one of the ports.

As far as I can work out, adding the IPs as local networks will only get me as far as the SME box. There is no option to attach specific IPs to a port forward rule, and any port forwarding rule would be global. It seems I will need to create a custom iptables rule to achieve the goal.

I am very unclear / confused as to where to add this rule so it survives a reboot. I am even less clear at this time as to what this rule (or rules) will be.

Any pointers, the more concise the better, would be greatly appreciated.

Peter

Stefano
Re: Firewall Dilemma
« Reply #1 on: March 22, 2012, 10:22:18 AM »
In such a case, I usually put a real firewall (pfSense, m0n0wall, Endian, whatever) in front of my LAN and then use its port forward.

SME is not aimed to be a "real" firewall and has some limitations, IMVHO.

p-jones
Re: Firewall Dilemma
« Reply #2 on: March 22, 2012, 10:29:47 AM »
Stefano

Thank you for your quick response. It is an option I am very seriously considering.

I am not a fan of "hacking" strategically engineered compilations such as SME. Experience has taught me that whilst it may be clever or smart at the time, invariably it will come back to haunt someone - usually me!!

P

mmccarn
Re: Firewall Dilemma
« Reply #3 on: March 22, 2012, 12:32:36 PM »
From your original post, I can't tell which of the following scenarios you are trying to achieve:

1. Multiple internal targets for the same port number depending on the originating IP address
- Port 1080 traffic from IPs a, b, c goes to internal host 1
- Port 1080 traffic from IPs d, e, f goes to internal host 2
- etc.

2. A single internal target for incoming traffic that only works from a restricted set of remote IPs
- Port 1080 traffic is forwarded to internal host 1
- Traffic on port 1080 that is not from IPs a, b, or c is blocked

Scenario 2:
This is easily achievable on your SME server using the db setting 'AllowHosts', as described here:
http://wiki.contribs.org/DB_Variables_Configuration#Additional_information_on_customizing_iptables

Scenario 1:
I think this will work too - you would need to create multiple custom services that use the same port but have different (non-overlapping) "AllowHosts" settings (if you define overlapping AllowHosts ranges, the first one encountered in /etc/init.d/masq will trigger, and override any other settings).

If the port in question is serving http content, you should be able to create a solution using ProxyPass with a 'ValidFrom' setting.
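The rule set that "scenario 2" boils down to, as an added example that is not from this thread or from SME Server: a POSIX shell function that takes a port, the internal host and a comma-separated list of permitted external addresses and prints the iptables commands which DNAT the port only for those sources and drop anything else aimed at it. On SME the equivalent is expressed through the AllowHosts db setting and generated into /etc/init.d/masq by the templates, so hand-applying these rules there is not the supported route; the function only prints them, and every address and port below is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or SME Server): print iptables rules that
# forward one TCP port to an internal host only for a comma-separated list of
# external source addresses. All addresses and ports are constructed placeholders.

# Usage: gen_restricted_forward PORT INTERNAL_HOST "SRC1,SRC2,..."
# Prints one iptables command per line; nothing is applied to the running kernel.
gen_restricted_forward() {
    port="$1"
    target="$2"
    allowed="$3"
    # Split the comma-separated list into the function's positional parameters.
    old_ifs="$IFS"
    IFS=','
    set -- $allowed
    IFS="$old_ifs"
    for src in "$@"; do
        # Only a listed source ever matches a DNAT rule; an unlisted source matches
        # none, so its packets are never rewritten towards the internal host.
        printf 'iptables -t nat -A PREROUTING -p tcp -s %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$src" "$port" "$target" "$port"
        # Let the forwarded connection through the FORWARD chain for that source.
        printf 'iptables -A FORWARD -p tcp -s %s -d %s --dport %s -j ACCEPT\n' \
            "$src" "$target" "$port"
    done
    # Belt and braces: anything else aimed at that port on the internal host is dropped,
    # so a later, broader DNAT rule cannot quietly widen access.
    printf 'iptables -A FORWARD -p tcp -d %s --dport %s -j DROP\n' "$target" "$port"
}

# Number of rules generated: two per permitted source plus the closing DROP.
count_rules() {
    gen_restricted_forward "$@" | wc -l | tr -d ' '
}

# Two permitted external hosts, port 8080 forwarded to the internal server.
gen_restricted_forward 8080 192.0.2.10 "203.0.113.5,198.51.100.7"
```

The order matters: the per-source ACCEPT rules are emitted before the final DROP, which is the same first-match behaviour mmccarn describes for overlapping AllowHosts entries in /etc/init.d/masq. Because the DNAT itself is keyed on the source address, an address that is not listed never reaches the internal host at all, which is the property the original question asks for.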

p-jones
Re: Firewall Dilemma
« Reply #4 on: March 23, 2012, 04:55:09 AM »
Thanks mmccarn. If I can achieve scenario 2 I will be a very happy chappy. If I can achieve scenario 2 for 2 external IPs I will be even more happy.

I believe I saw a post on how to do that.

The link is definitely the jump start I was looking for. I had been through much of that document but clearly not far enough, and I did not recognise the significance of those settings in the pursuit of my goal. My bad! Thanks

P

janet
Re: Firewall Dilemma
« Reply #5 on: March 23, 2012, 05:46:01 AM »
p-jones

Quote
.... I did not recognise the significance of those settings in the pursuit of my goal.

Perhaps this will help, i.e. the FAQ:
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

p-jones
Re: Firewall Dilemma [SOLVED]
« Reply #6 on: March 25, 2012, 12:30:33 AM »
Well, I guess we all live and learn!! To cut a longer story short, it seems an option was introduced into the V7.5.1 release to do EXACTLY what I wanted directly from the Server-Manager port forwarding panel. Multiple hosts may be specified, each separated by a comma (,).

It is certainly not covered in the online manual; searching produces a number of command line hacks which are all rather confusing to one who is not an iptables guru. A few more obscure searches produce a one line reference to its inclusion in release 7.5.1.

Anyway, a good outcome, and thanks to those who offered assistance.
P

janet
Re: Firewall Dilemma [SOLVED]
« Reply #7 on: March 25, 2012, 12:39:46 AM »
p-jones

Quote
....an option was introduced into the V7.5.1 release to do EXACTLY what I wanted directly from the Server-Manager port forwarding panel. Multiple hosts may be specified, each separated by a comma (,) ..... A few more obscure searches produce a one line reference to its inclusion in release 7.5.1

For reference purposes, are you referring to this:
http://forums.contribs.org/index.php/topic,46218.0.html
- Add option to limit port forwarding by source ip address.