Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 630 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNAT + packet filter = to much access

si08
This is my network setup:

A computer hosting Astaro with 2 NICs, each connected to different networks.

Definitions:
INTERNAL_pc = the IP of a pc on the internal network
EXTERNAL_nw = the external network
EXTERNAL_nic = the IP of the NIC connected to the external network
theSERVICE = the port configuration that is used for NAT/packet filtering

DNAT setup:
Source: EXTERNAL_nw
Destination: EXTERNAL_nic
Service: theSERVICE
Change destination to: INTERNAL_pc

Packet filter:
Source: EXTERNAL_nw
Service: theSERVICE
Action: Allow
Destination: INTERNAL_pc

The good part:
This pretty much works as intended, at least for the NAT part, i.e. using the IP defined in EXTERNAL_nic and the ports in theSERVICE I get NATed correctly to INTERNAL_pc from a pc in the external network.

The bad part:
Without the packet filter nothing gets through, with it you open a line which makes it possible to connect directly from EXTERNAL_nw to INTERNAL_pc, which is NOT intended.

I've spent the last 2 days trying to figure this one out so any help would be most, most appreciated!!!


This thread was automatically locked due to age.
Parents
  • 0
    I don't understand what you mean here:
    makes it possible to connect directly from EXTERNAL_nw to INTERNAL_pc, which is NOT intended.


    Why don't you start by explaining what traffic you want to allow.

    Barry
  • 0 in reply to BarryG
    I don't understand what you mean here:


    makes it possible to connect directly from EXTERNAL_nw to INTERNAL_pc, which is NOT intended.  


    Why don't you start by explaining what traffic you want to allow.

    Barry


    Ok, I thought labeling was a good idea, but obviously not [:)] 
    Let's say INTERNAL_pc = 192.168.10.10, EXTERNAL_nic = 198.168.200.1 and theSERVICE is port 9999.
    Entering 192.168.200.1:9999 in an application on a host on the external network should get you connected to the INTERNAL_pc through the NAT, but using 192.168.10.10:9999 shouldn't.

    Hope this clear things up...
Reply
  • 0 in reply to BarryG
    I don't understand what you mean here:


    makes it possible to connect directly from EXTERNAL_nw to INTERNAL_pc, which is NOT intended.  


    Why don't you start by explaining what traffic you want to allow.

    Barry


    Ok, I thought labeling was a good idea, but obviously not [:)] 
    Let's say INTERNAL_pc = 192.168.10.10, EXTERNAL_nic = 198.168.200.1 and theSERVICE is port 9999.
    Entering 192.168.200.1:9999 in an application on a host on the external network should get you connected to the INTERNAL_pc through the NAT, but using 192.168.10.10:9999 shouldn't.

    Hope this clear things up...
Children