Filter
Top Products
The two above rules may both be carried out concurrently on the same connection. In this instance,
internal sender addresses will be translated to addresses in pubnet in a 1:1 relationship. In addition,
if anyone tries to connect to the public address of the web server, the destination address will be
changed to its private address.
# Action Src Iface Src Net Dest Iface Dest Net Parameters
1 SAT lan lannet wwwsrv_pub TCP 80-85 SETDEST intrasrv 1080
2 SAT any all-nets wwwsrv_pub TCP 80-85 SETDEST wwwsrv-priv 1080
In this instance, both rules are set to translate the destination address, meaning that only one of them
will be carried out. If an attempt is made internally to communicate with the web servers public
address, it will instead be redirected to an intranet server. If any other attempt is made to
communicate with the web servers public address, it will be redirected to the private address of the
publicly accessible web server.
Again, note that the above rules require a matching Allow rule at a later point in the rule set in order
to work.
7.4.7. SAT and FwdFast Rules
It is possible to employ static address translation in conjunction with FwdFast rules, although return
traffic must be explicitly granted and translated.
The following rules make up a working example of static address translation using FwdFast rules to
a web server located on an internal network:
# Action Src Iface Src Net Dest Iface Dest Net Parameters
1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80
2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80
3 FwdFast any all-nets core wan_ip http
4 FwdFast lan wwwsrv any all-nets 80 -> All
We now add a NAT rule to allow connections from the internal network to the Internet:
# Action Src Iface Src Net Dest Iface Dest Net Parameters
5 NAT lan lannet any all-nets All
What happens now is as follows:
• External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct.
• Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from
wan_ip:80. Correct.
• Internal traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. This is almost
correct; the packets will arrive at wwwsrv, but:
• Return traffic from wwwsrv:80 to internal machines will be sent directly to the machines
themselves. This will not work, as the packets will be interpreted as coming from the wrong
address.
We will now try moving the NAT rule between the SAT and FwdFast rules:
# Action Src Iface Src Net Dest Iface Dest Net Parameters
1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80
2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80
3 NAT lan lannet any all-nets All
4 FwdFast any all-nets core wan_ip http
5 FwdFast lan wwwsrv any all-nets 80 -> All
7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation
352