Using DNAT to publish services from a Private LAN

Let's say you have an internal private network (192.168.1.0/24) protected by a Linux firewall which runs firehol and has a single connection to the internet.

Now let's say your internal mail server at 192.168.1.1 has a webmail application running under httpd, and users want to be able to reach it from outside.

We can use DNAT on the firewall to publish this service, forwarding the connections to the internal server.

First, the port you forward is effectively taken on the firewall's public address. Packets arriving on the external link for that port are rewritten to the internal server before any service listening on the firewall itself ever sees them. So if you DNAT port 80 to the internal httpd, an Apache on the firewall bound to port 80 would be unreachable from outside on that address: keep the forwarded port free of firewall-local services, or at least do not expect them to answer there.

DNAT is applied in the PREROUTING stage, that is before the packet is routed and before your interface and router rules are evaluated. From that point on the packet is addressed to the internal server, so everything that follows must match on the internal address rather than on the public one.

In other words: set up your DNAT rule first, then add your router rule, and reference the internal IP address in the router rule.

In /etc/firehol/firehol.conf, add a dnat entry before any interface or router commands. Variables keep the addresses in one place (ADSL is the firewall's own public address on the ppp+ link, MAILSERVER is the internal host from above):

    # vi /etc/firehol/firehol.conf

    MAILSERVER=192.168.1.1
    ADSL=222.222.222.222

    dnat to $MAILSERVER inface ppp+ dst $ADSL proto tcp dport 443
Then, further down, after your interface rules, add the router rule. It matches on $MAILSERVER (the destination after rewriting), and server https accept opens exactly TCP port 443 to it:

    # Remote Access to Webmail
    router webmail inface ppp+ outface eth0 dst $MAILSERVER
        server https accept
Save and quit the file, then have firehol save the new rule set:

    # service firehol save

If you are working over a remote session, firehol try is the safer way to activate a changed configuration: it loads the new rules and rolls them back automatically unless you confirm within a short time, so a mistake in the router rule cannot lock you out.
What have we just done?

We used DNAT on the firewall to give external access to an internal web server listening on port 443 at a private address.

Two things to keep in mind. Only traffic arriving on ppp+ for $ADSL:443 is rewritten; clients on the LAN that connect to the public address are not covered by this rule, so point them at $MAILSERVER directly (or via internal DNS). And the webmail host is now reachable by anyone on the internet: if only known networks need it, add a src restriction to both the dnat and the router rule, and keep httpd and the webmail application patched.
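As an added example (not code from the original page or from the firehol project), here is a small POSIX shell script that shows what the dnat/router pair above amounts to in raw iptables terms, and adds two checks worth running before you save the config: that every dnat line precedes the first interface or router line, and that nothing on the firewall itself already listens on the port you are about to forward. The interface names ppp0/eth0, the function names and the ss -ltn sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original page or from the firehol project.
# Helpers around the dnat + router pair described in the text:
#   equivalent_iptables  prints the minimal raw iptables rules the pair amounts to
#   check_dnat_order     reads a firehol.conf on stdin, succeeds only if every dnat
#                        line comes before the first interface/router line
#   listener_on_port     reads 'ss -ltn' output on stdin, succeeds if something on
#                        the firewall already listens on the given port
# Assumed (not in the original): interface names ppp0/eth0, the SS_SAMPLE below.

# Minimal hand-written equivalent of
#   dnat to $target inface $ext_if dst $ext_ip proto tcp dport $port
#   router x inface $ext_if outface $int_if dst $target ; server <svc> accept
# Nothing is applied, it only prints. Do not feed this into a firehol-managed box.
equivalent_iptables() {
    ext_if=$1 ext_ip=$2 int_if=$3 target=$4 port=$5
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# nat/PREROUTING runs before routing and before filter/FORWARD, so the
# destination is rewritten first and every later rule sees $target.
iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $target:$port
# filter/FORWARD matches the already rewritten packet: the INTERNAL address.
iptables -A FORWARD -i $ext_if -o $int_if -d $target -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_if -o $ext_if -s $target -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# The text's ordering rule: dnat entries must precede any interface or router
# command. Comments and blank lines are ignored. Exit 0 = ok, 1 = misordered.
check_dnat_order() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/            { next }
        $1 == "interface" || $1 == "router" { if (!first) first = NR }
        $1 == "dnat" && first               { bad = 1 }
        END                                 { exit (bad ? 1 : 0) }
    '
}

# A service already listening on the DNAT port on the firewall itself would be
# shadowed on the external address once the dnat rule is active. Exit 0 = found.
listener_on_port() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END            { exit (found ? 0 : 1) }
    '
}

# Constructed 'ss -ltn' sample for the demo below (not captured from a real host).
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     *:443                *:*'

MAILSERVER=192.168.1.1
ADSL=222.222.222.222

equivalent_iptables ppp0 "$ADSL" eth0 "$MAILSERVER" 443

# Same check you would run as: check_dnat_order < /etc/firehol/firehol.conf
printf 'dnat to %s inface ppp+ dst %s proto tcp dport 443\nrouter webmail inface ppp+ outface eth0 dst %s\n  server https accept\n' \
    "$MAILSERVER" "$ADSL" "$MAILSERVER" | check_dnat_order \
    && echo "dnat ordering: ok" || echo "dnat ordering: dnat after interface/router"

# Same check you would run as: ss -ltn | listener_on_port 443
printf '%s\n' "$SS_SAMPLE" | listener_on_port 443 \
    && echo "warning: the firewall itself listens on 443; it will be shadowed by the DNAT"
```

The printed rules are the bare minimum and deliberately leave out everything firehol adds around them (its own chains, logging, the drop policy). Their point is the ordering: the DNAT rule lives in nat/PREROUTING, the accept rules in filter/FORWARD match the already rewritten destination, which is why the router rule in firehol.conf refers to $MAILSERVER and not to $ADSL.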


Other Firewall Tips...