CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.



Posted 2005-08-14 by BarryStiefel (Administrator; San Francisco, CA)

NAT Based on Service Port



Contributed by: BenSmith
Published in geeklog Tuesday, June 24 2003 @ 02:12 PM EST
Published in oldfaq 2002-Nov-13 00:27 dwelchATphoneboyDOTcom

Question

I am looking for a way to help a customer of mine out of a jam. They are very interested in purchasing FW-1 to replace their current firewall system. What they need is a way to redirect tcp traffic based on destination tcp port, for example:



www.foo.com:80 and www.foo.com:90 are actually different machines inside the network. They're currently using a proxy system that relays these connections to the proper hosts. To help in the transition to the new firewall, I need to be able to provide this functionality. Does anyone know what software (or how FW-1) can achieve this?

Answer

FireWall-1 does permit translating one destination port ("service") to another, or even redirecting to a different IP address based on service. There are some caveats to this:


  • Prior to FireWall-1 4.1 SP2, you cannot redirect services to different IP addresses for any IPs that are associated with the firewall, i.e. they must be unique, static addresses. You cannot, for instance, transparently redirect HTTP requests sent to the firewall's external IP address to an internal host. See below for ways to use other software to accomplish this, because FireWall-1 cannot do this. In FireWall-1 4.1 SP2 and later, see THIS faq.
  • All hosts for which the IP/service based translation will occur must be off the same LAN segment. This is due to how FireWall-1 performs NAT. This caveat does not apply if you have enabled client-side NAT in FireWall-1 NG or are using the SRV_REDIRECT service.
  • If multiple services for the same external IP address get routed to multiple internal servers based on service, you can have issues as the OS will attempt to send packets to the incorrect host at the MAC level. This does not apply if you have enabled client-side NAT in FireWall-1 NG.

IP/service translation works best when each service is given its own externally accessible IP address. If you do not have the IP addresses to do it like this, you may still be able to get it to work. In your example above, you could create a NAT rule that looks like:

No.  Original                               Translated
     Source   Destination   Service         Source   Destination       Service
1    Any      www.foo.com   tcp90           Orig     www-int.foo.com   http

where tcp90 is a TCP service you create (port 90) and www-int.foo.com is your internal machine.

Your routing may need to be modified to handle this correctly (aside from the normal modifications needed for destination static translations). Let's assume you are using the static IP 206.86.0.5 as your public address. Ports 25, 80, and 21 each go to different servers (192.168.0.25, 192.168.0.80, and 192.168.0.21 respectively). If you simply had one route statement in your route table:

route add 206.86.0.5 192.168.0.25 1

Then if 192.168.0.25 goes down, it will effectively take down external access to the other servers. A workaround for this would be to add additional routes:

route add 206.86.0.5 192.168.0.25 1
route add 206.86.0.5 192.168.0.80 2
route add 206.86.0.5 192.168.0.21 3

Note that we are simply adding the other "translated" hosts as backup routes (with metric 2 and 3 respectively). The ideal would be to allocate a specific IP address for each service instead of using the same IP for more than one host.

In some cases, you can establish the static route to the internal IP of the firewall. This does not work on all platforms.
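To make the routing argument above concrete, here is an added example (a small Python model written for this page, not Check Point code and not part of the original FAQ). It models the FAQ's server-side NAT order of operations: the packet is routed on its original destination first, then translated on the way out, so the static route's next hop has to be reachable before any rule is consulted. The addresses and the three route statements are the FAQ's; the /24 "same segment" check and the set of hosts answering ARP are constructed assumptions.

```python
# Added illustration (not Check Point's code, not from the FAQ author): a
# model of destination NAT by service plus the route table from the text,
# showing why a single static route for the public address takes every
# service down when its next hop dies. Addresses are the FAQ's; the /24
# segment and the "up hosts" set are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    """Static destination NAT: match original dst IP/port, rewrite both."""
    orig_dst: str
    orig_port: int
    xlat_dst: str
    xlat_port: int


PUBLIC = "206.86.0.5"

# One internal server per service behind the single public address, plus
# the www.foo.com:90 -> www-int.foo.com:80 case from the question.
NAT_RULES = [
    NatRule(PUBLIC, 25, "192.168.0.25", 25),
    NatRule(PUBLIC, 80, "192.168.0.80", 80),
    NatRule(PUBLIC, 21, "192.168.0.21", 21),
    NatRule(PUBLIC, 90, "192.168.0.80", 80),
]

# Route tables as (destination, next_hop, metric), mirroring
#   route add 206.86.0.5 192.168.0.25 1
#   route add 206.86.0.5 192.168.0.80 2
#   route add 206.86.0.5 192.168.0.21 3
SINGLE_ROUTE = [(PUBLIC, "192.168.0.25", 1)]
BACKUP_ROUTES = SINGLE_ROUTE + [
    (PUBLIC, "192.168.0.80", 2),
    (PUBLIC, "192.168.0.21", 3),
]


def translate(dst_ip, dst_port, rules=NAT_RULES):
    """First matching rule wins; no match means no translation."""
    for r in rules:
        if r.orig_dst == dst_ip and r.orig_port == dst_port:
            return r.xlat_dst, r.xlat_port
    return dst_ip, dst_port


def next_hop(dst_ip, routes, up_hosts):
    """Lowest-metric route whose next hop answers ARP (up_hosts models
    that); None if every candidate next hop is down."""
    usable = [(metric, nh) for dst, nh, metric in routes
              if dst == dst_ip and nh in up_hosts]
    return min(usable)[1] if usable else None


def same_segment(a, b):
    """Constructed /24 check standing in for the FAQ's same-LAN caveat."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def forward(dst_ip, dst_port, routes, up_hosts):
    """Route on the ORIGINAL destination first, then translate on the way
    out. Returns the (ip, port) delivered to, or None if dropped."""
    nh = next_hop(dst_ip, routes, up_hosts)
    if nh is None:
        return None          # no usable route: every service goes dark
    x_ip, x_port = translate(dst_ip, dst_port)
    if not same_segment(nh, x_ip):
        return None          # target off the routed segment (caveat 2)
    if x_ip not in up_hosts:
        return None          # only the service whose server is down fails
    return x_ip, x_port


def failover_report():
    """Compare both route tables with the mail server (the only next hop
    of the single route) down. Returns {service_port: (single, backup)}."""
    all_up = {"192.168.0.25", "192.168.0.80", "192.168.0.21"}
    mail_down = all_up - {"192.168.0.25"}
    return {port: (forward(PUBLIC, port, SINGLE_ROUTE, mail_down),
                   forward(PUBLIC, port, BACKUP_ROUTES, mail_down))
            for port in (25, 80, 21, 90)}


if __name__ == "__main__":
    for port, (single, backup) in failover_report().items():
        print(f"port {port}: single route -> {single}, backup routes -> {backup}")
```

With only the metric-1 route, taking 192.168.0.25 offline drops traffic for ports 80, 21 and 90 as well; with the backup routes the metric-2 next hop carries those packets to the segment and only port 25 (whose real server is the one that is down) fails.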

See also the following doc from Check Point's Support Site: http://support.checkpoint.com/kb/docs/public/firewall1/3_0b/pdf/gsp.pdf

Port Forwarding Firewall Ports: FireWall-1 4.1 SP3 and above can translate ports for TCP packets coming to the firewall's IP addresses. See NAT Based on Service with only one legal IP for more details.

-- RayLodato - 12 Jan 2004
