Chapter 13 - Configuring The Firewall
Port Forwarding
Port forwarding (also known as redirection) allows traffic coming from the Internet to
be sent to a host behind the NAT gateway.
Previous examples have described the NAT process when connections are made from
the intranet to the Internet. In those examples, addresses and ports were unambiguous.
When connections are attempted from the Internet to the intranet, the NAT gateway
will have multiple hosts on the intranet that could accept the connection. It needs
additional information to identify the specific host to accept the connection.
Suppose that two hosts, 192.168.1.10 and 192.168.1.20, are located behind a NAT
gateway having a public interface of 213.18.101.62. When a connection request for
http port 80 arrives at 213.18.101.62, the NAT gateway could forward the request to
either of the hosts (or could accept it itself). Port forwarding configuration could be
used to redirect the requests to port 80 to the first host.
Port forwarding can also remap port numbers. The second host may also need to
answer http requests. As connections to port 80 are directed to the first host, another
port number (such as 8080) can be dedicated to the second host. As requests arrive at
the gateway for port 8080, the gateway remaps the port number to 80 and forwards the
request to the second host.
Finally, port forwarding can take the source address into account. Another way to
solve the above problem could be to dedicate two hosts 200.0.0.1 and 200.0.0.2 and
have the NAT gateway forward requests on port 80 from 200.0.0.1 to 192.168.1.10
and from 200.0.0.2 to 192.168.1.20.
Shorewall Quick Setup
For users familiar with Shorewall, the following will serve as a reminder of how to
build the firewall. New users may wish to read the Shorewall Terminology And
Concepts section before continuing.
1) Logically partition your network into zones. Will you establish a DMZ? Will all
Ethernet interfaces need to forward traffic to the public network? Which interfaces
are to be treated in a similar fashion?
2) Assign your interfaces to the zones. If using T1/E1, have you created your T1/E1
interfaces prior to building the firewall?
3) Set the default policies for traffic from zone to zone to be as restrictive as possible.
Has the local zone been blocked from connecting to the DMZ or firewall?
Does the DMZ or firewall need to accept connections? Which connections should
be dropped and which reset? What logs are kept?
4) How is the network interface IP assigned, i.e. dynamically or statically? Do hosts
at the central site need to know the local address?
5) If your network interface IP is dynamically assigned, configure masquerading.
6) If your network interface IP is statically assigned, configure Source Network
Address Translation (SNAT). If a sufficient number of IP addresses are provided
by the ISP, static NAT can be employed instead.
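The six steps above and the port-forwarding cases from the previous section, written out as Shorewall configuration files. This is an added example for this page, not configuration taken from the RuggedCom manual; the interface names eth0/eth1/eth2 and the 192.168.1.0/24 local network are assumptions, while the host and gateway addresses are the ones used in the text.

```text
# /etc/shorewall/zones -- step 1: partition the network into zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces -- step 2: assign interfaces (assumed names) to zones
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp
loc     eth1
dmz     eth2

# /etc/shorewall/policy -- step 3: restrictive defaults, first matching line wins
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    info          # unsolicited Internet traffic is silently dropped
all     all     REJECT  info          # everything else (loc->dmz, loc->fw, dmz->*) is reset and logged

# /etc/shorewall/masq -- step 5: masquerade when the public address is dynamic
#INTERFACE  SOURCE
eth0        192.168.1.0/24

# /etc/shorewall/masq -- step 6 alternative: SNAT to a static public address
#INTERFACE  SOURCE          ADDRESS
#eth0       192.168.1.0/24  213.18.101.62

# /etc/shorewall/rules -- port forwarding as described in the previous section
#ACTION  SOURCE         DEST                 PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
# port 80 on the public address goes to the first host
DNAT     net            loc:192.168.1.10     tcp    80            -               213.18.101.62
# port 8080 on the public address is remapped to port 80 on the second host
DNAT     net            loc:192.168.1.20:80  tcp    8080          -               213.18.101.62
# alternative: select the internal host by the source address of the request
#DNAT    net:200.0.0.1  loc:192.168.1.10     tcp    80
#DNAT    net:200.0.0.2  loc:192.168.1.20     tcp    80
```

Because DNAT rules are evaluated before the zone policies, the two forwarded ports are the only Internet-originated connections that reach the local zone; everything else from net still falls through to the DROP policy.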
RuggedCom 111