Firehol - NAT

Sometimes masquerading is just not enough, especially if you are attempting VoIP using SIP or Microsoft Messenger. If a small public network has been allocated to you, use these FireHOL rules to map internal IPs one-to-one to external IPs. Below are lines copied from a /etc/firehol rule file. The snat/dnat rules must come before any interface or router directives. You still need router rules; they are written relative to the REAL (internal) IP.

I have not tested this yet, but using a "masquerade" rule on outbound packets on, say, ppp0 may interfere with your SNAT'ed packets. In this, my first successful implementation, if a PC needs to access the outside, I have configured another spare public IP and used SNAT (Source Network Address Translation).

version 5
# quiet
FIREHOL_LOG_LEVEL="info"

EDIPC=10.4.4.195
VIDEO=10.4.4.163
GEORGEPC=10.4.4.155
OURNET=10.4.4.0/24

#######################################################
# Specific IP Address translations
# We do not use masquerading but rather specific maps
# Addresses 203.11.251.193-206 are available for allocation

snat to 203.11.251.193 outface ppp1 src $VIDEO
dnat to $VIDEO         inface  ppp1 dst 203.11.251.193

snat to 203.11.251.194 outface ppp1 src $EDIPC
dnat to $EDIPC         inface  ppp1 dst 203.11.251.194

snat to 203.11.251.195 outface ppp1 src $GEORGEPC
dnat to $GEORGEPC      inface  ppp1 dst 203.11.251.195

########################################################
interface ppp+ extif src not $OURNET
        protection strong
        server smtp accept
        server ssh  accept
        server pptp accept
        server ntp accept
        #server http accept
        #server ftp  accept
        #server pop3 accept
        #server imap accept
        server ident reject with tcp-reset
        client all accept

interface eth0 intif src $OURNET dst $OURNET
        policy accept

#########################
# Routing rules
router vpns src $OURNET dst $OURNET
        route all accept

#########################
# Routing rules for SNAT'ed IP's
router video-out src $VIDEO
        server all accept
        client vnc accept

router edipc src $EDIPC
        server all accept

router georgepc src $GEORGEPC
        server pptp accept
        server ssh accept
        server vnc accept
        server echo accept
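The snat/dnat pairs above are easy to get wrong by hand: a dnat line can be forgotten, or the same public address given to two hosts. The script below is an added example, not part of the original configuration; it generates the pairs in FireHOL syntax from a host list built from the page's three hosts and rejects public addresses outside the allocated 203.11.251.193-206 block or used twice. The host list format and the ppp1 interface argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build FireHOL 1:1 NAT rule
# pairs from a host list and check the public addresses against the
# allocated block (203.11.251.193-206 on the page) before they are used.

# Constructed input, one "VARNAME internal public" triple per line,
# using the three hosts from the page.
HOSTS='VIDEO 10.4.4.163 203.11.251.193
EDIPC 10.4.4.195 203.11.251.194
GEORGEPC 10.4.4.155 203.11.251.195'

# Emit the snat/dnat pair for every host. Both directions are required:
# snat rewrites the source on the way out, dnat the destination on the
# way in, so each public address behaves exactly like its internal host.
render_nat() {
    # $1 = host list, $2 = external interface (ppp1 on the page)
    printf '%s\n' "$1" | while read -r name internal public; do
        [ -n "$name" ] || continue
        printf 'snat to %s outface %s src $%s\n' "$public" "$2" "$name"
        printf 'dnat to $%s inface %s dst %s\n' "$name" "$2" "$public"
    done
}

# Report public addresses outside 203.11.251.193-206 or mapped twice.
# Prints one line per problem; returns 1 if anything was found.
check_nat() {
    problems=$(printf '%s\n' "$1" | awk '
        NF == 3 {
            n = split($3, o, ".")
            if (n != 4 || o[1] "." o[2] "." o[3] != "203.11.251" ||
                o[4] + 0 < 193 || o[4] + 0 > 206)
                print "outside allocated block: " $1 " -> " $3
            if ($3 in used)
                print "public IP reused: " $1 " and " used[$3]
            used[$3] = $1
        }')
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Stand-alone run: validate first, then print the rules.
check_nat "$HOSTS" && render_nat "$HOSTS" ppp1
```

Paste the printed lines into firehol.conf ahead of the interface and router directives, as the page requires.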
