CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
NAT Based on Service with only one legal IP

Contributed by BenSmith. Published in geeklog Wednesday, June 25 2003 @ 06:11 PM EST. Published in oldfaq 2002-Nov-13 00:30, dwelchATphoneboyDOTcom.

Question

I currently only have one legal IP address available to me. I have my internal NIC on a private address attached to a hub which is then connected to multiple PCs, all on the same network segment. I have a web server and an FTP server on this segment that need to be accessible from the outside world. Is this possible?

Answer

In the NG release this is possible, because NAT can occur before routing if it is configured correctly. Refer to "How NAT works in FireWall-1 NG". You can then create NAT rules similar to the following. Both rules use the firewall's single legal address as the original destination and are told apart by service alone:

  No.   Original                            Translated
        Source   Destination   Service      Source     Destination   Service
  1     Any      firewall      HTTP         Original   http-server   Original
  2     Any      firewall      FTP          Original   ftp-server    Original

If you are running FireWall-1 4.1 SP3 or above, there are pre-defined http-mapped, ftp-mapped and smtp-mapped services, and you can create your own. This can only be done with TCP services. You create two rules as follows (sample with http-mapped):

  No.   Source   Destination           Service       Action
  1     Any      firewall              http-mapped   Accept
  2     Any      internal-web-server   http          Accept

Essentially, you first reference the firewall and the "mapped" service in one rule, then the real host and service in a later rule. The -mapped services are services of type Other with the following in the Match field:

  SRV_REDIRECT(firewall-port,internal-host-ip,host-port)

You will need to modify this service to fit your configuration. You can also easily create your own "mapped" services, since any simple TCP service is supported. Note that redirected FTP connections will require you to explicitly allow ftp-data connections. SRV_REDIRECT services also require at least one NAT rule to be present in your rulebase. The rule does not have to apply to the connection at all; it can even be a totally bogus rule. However, at least one NAT rule must be present.

If you are running FireWall-1 4.1 SP2 or earlier, there are various ways to accomplish more or less the same thing, though not within FireWall-1 itself. On Linux you can use ipchains port forwarding. On other Unix platforms you can use a variety of plug-proxy applications. Murat Cakir came up with a way to do this with tcpwrappers and netcat:

1. Below is a sample diagram that illustrates a simple tri-homed firewall network:

                            192.168.1.1
                                 |
                          ------------- internal LAN, 192.168.1.0 (hide on 196.10.1.60)
     outside world               |
     196.10.1.0 segment ------- fw1 196.10.1.60
                                 |
                          ------------- DMZ, 80.10.0.0 (hide on 196.10.1.60)
                            80.10.1.1

2. Now we want to open a couple of ports to the inside (if you want to) and forward connections arriving at those ports on fw1 to (possibly different) ports on internal machines. For our configuration we will do the following: a connection to fw1 (196.10.1.60) on port 2000 will be forwarded to 80.10.1.100 port 23 (the telnet port). Similar forwardings are possible.

3. Grab W. Venema's tcpwrapper (tcp_wrappers_7.6.tar.gz) at ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz

4. Compile it and create the "tcpd" binary.

5. Next, get Hobbit's NetCat from one of the sites below:

     coast.cs.purdue.edu:/pub/tools/unix/netcat/nc110.tgz
     ftp.sterling.com:/mirrors/avian.org/src/hacks/nc110.tgz
     zippy.telcom.arizona.edu:/pub/mirrors/avian.org/hacks/nc110.tgz
     ftp.rge.com/pub/security/coast/mirrors/avian.org/netcat/nc110.tgz

   or from l0pht (where an NT port is also available): http://www.l0pht.com/~weld/netcat/

6. Compile it and create the "nc" binary.

7. Now, on the Solaris box where fw1 resides, do the following:

     cp nc /etc
     cp tcpd /etc
     chmod 755 /etc/nc /etc/tcpd

   Add this line to /etc/services:

     p2000   2000/tcp   # forwarded to 80.10.1.100 port 23

   Add this line to /etc/inetd.conf:

     p2000  stream  tcp  nowait  nobody  /etc/tcpd  /etc/nc -w 3 80.10.1.100 23

   The fields are: the service name defined above (p2000), the socket type, the protocol (tcp here; udp is also possible), nowait, the user the program runs as (nobody), the wrapper (tcpd), and the real program: NetCat, with a 3-second timeout for the connect and final reads (-w 3), connecting to machine 80.10.1.100 on the telnet port 23.

8. Do a "ps -ef | grep inetd" to get the PID of inetd and "kill -HUP pid_you_got" so that inetd re-reads its configuration. inetd can now handle the newly added service. Next, the fw1 rulebase must let that service in:

9. Create a service called "p2000": Manage -> Services -> New -> Other. The Match field contains the definition for TCP port 2000:

     dport >= 2000, dport <= 2000

   Do this for every port you will use, and collect those services in a group called forwardedservices.

10. Define the internal machine that will handle the connection (we will call it telnethost). Do this for every machine you will use, and collect those machines in a group called receivinghosts.

11. Define a rule to receive the connection requests. Negate the DMZ and the internal net as the source, so that only outsiders can use the forwarded ports:

     Source: !(dmz, internalnet)   Destination: fw1   Service: forwardedservices   Action: accept   Track: long

12. Define a rule for the forwarded connections. The source is fw1 because it is netcat on the firewall that opens the second leg to the internal machine:

     Source: fw1   Destination: receivinghosts   Action: accept   Track: long

Because fw1 originates the second leg, the receiving host sees the firewall, not the outside client, as the source of the connection; the real client address only appears in fw1's log for rule 11.

-- RayLodato - 12 Jan 2004

FAQs.Class: NetworkAddressTranslationFAQs
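The inetd, tcpd and netcat setup of steps 7 to 12, and the SRV_REDIRECT match string of the 4.1 SP3 method, generated and sanity-checked for a whole list of forwards rather than the single telnet forward above. This is an added example, not code from the FAQ, from Murat Cakir or from Check Point. The paths /etc/nc and /etc/tcpd, the "-w 3" timeout and the two networks come from the FAQ; the forward list, the validation rules, the hosts.allow/hosts.deny entries and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the FAQ or from Check Point): generate the
# /etc/services, /etc/inetd.conf and tcpd hosts.allow/hosts.deny entries
# for the inetd+tcpd+nc forwarding in steps 7-12, plus the equivalent
# FireWall-1 4.1 SP3 SRV_REDIRECT match string, for a list of forwards.
# /etc/nc, /etc/tcpd and "-w 3" follow the FAQ; the forward list, the
# sanity checks and the hosts.allow/hosts.deny entries are assumptions.

# Constructed sample: one forward per line, "<fw-port> <target-ip> <target-port>".
FORWARDS='2000 80.10.1.100 23
2001 80.10.1.101 80
2021 80.10.1.102 21'

# Networks from the FAQ diagram that must not be able to use the forwards.
INTERNAL_NET=192.168.1.0/255.255.255.0
DMZ_NET=80.10.0.0/255.255.0.0

is_port() {  # 1..65535, digits only
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {  # dotted quad, every octet 0..255 (subshell keeps IFS intact)
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    ( IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
      for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# Reject nonsense before HUPing inetd, and flag the FAQ's FTP caveat:
# redirecting port 21 carries the control channel only, ftp-data needs
# its own rule.
check_forward() {  # $1=fw-port $2=target-ip $3=target-port
    is_port "$1" || { echo "forward $1 -> $2:$3: bad firewall port" >&2; return 1; }
    is_ipv4 "$2" || { echo "forward $1 -> $2:$3: bad target address" >&2; return 1; }
    is_port "$3" || { echo "forward $1 -> $2:$3: bad target port" >&2; return 1; }
    if [ "$3" -eq 21 ]; then
        echo "note: $1 -> $2:21 redirects FTP control only; allow ftp-data explicitly" >&2
    fi
    return 0
}

services_entry() {  # /etc/services line, service named p<fw-port> as in the FAQ
    printf 'p%s %s/tcp # forwarded to %s:%s\n' "$1" "$1" "$2" "$3"
}

inetd_entry() {  # /etc/inetd.conf line: tcpd wraps nc, nc runs as nobody
    printf 'p%s stream tcp nowait nobody /etc/tcpd /etc/nc -w 3 %s %s\n' "$1" "$2" "$3"
}

srv_redirect_match() {  # Match field of a FireWall-1 4.1 SP3 "mapped" service
    printf 'SRV_REDIRECT(%s,%s,%s)\n' "$1" "$2" "$3"
}

# tcpd keys access control on the last path component of the program it
# wraps, so every forward shares the daemon name "nc". The hosts.allow line
# only bites together with hosts.deny: tcpd grants access when neither matches.
hosts_allow_entry() {  # $1.. = networks that may NOT use the forwards
    printf 'nc : ALL EXCEPT %s\n' "$*"
}
hosts_deny_entry() {
    printf 'nc : ALL\n'
}

duplicate_fw_ports() {  # stdin: forward list; fails if a firewall port repeats
    dups=$(awk '{print $1}' | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate firewall ports: $dups" >&2; return 1; }
}

render_forwards() {  # stdin: forward list; stdout: three config lines per forward
    while read -r fwport ip tport; do
        [ -n "$fwport" ] || continue
        check_forward "$fwport" "$ip" "$tport" || return 1
        echo "/etc/services:   $(services_entry "$fwport" "$ip" "$tport")"
        echo "/etc/inetd.conf: $(inetd_entry "$fwport" "$ip" "$tport")"
        echo "FW-1 SP3 match:  $(srv_redirect_match "$fwport" "$ip" "$tport")"
    done
}

main() {
    printf '%s\n' "$FORWARDS" | duplicate_fw_ports || return 1
    printf '%s\n' "$FORWARDS" | render_forwards || return 1
    echo "/etc/hosts.allow: $(hosts_allow_entry "$INTERNAL_NET" "$DMZ_NET")"
    echo "/etc/hosts.deny:  $(hosts_deny_entry)"
}

main
```

Run it with sh and paste the printed fragments into the respective files before sending inetd the HUP. The hosts.allow and hosts.deny pair enforces at tcpd level the same intent as rule 11 (outsiders only); since all forwards share the "nc" daemon name, per-forward client restrictions would need distinct wrapper names, for example symlinks to nc, which this example does not do.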