FireBrick Portmapping: Difference between revisions
Revision as of 08:17, 1 August 2019


Port Mapping

Mapping is done using Firewall rules.

The principle is that you describe the original traffic (source/target interface, IP, protocol, port, etc.) and then define a rule saying what should happen to that traffic, e.g. set a new target IP and port and enable NAT.

Typically your FireBrick will be the original target of the traffic: it will have a public IP on one of its PPP interfaces, for example. Taking RDP as an example, we can create the rule-set as follows:

<rule-set name="Port Mappings"
          source-interface="pppoe"
          target-interface="self"
          no-match-action="continue">
</rule-set>

Then add a rule for RDP inside this rule-set. Note that as written the rule matches any protocol and any source address: anything arriving on the PPPoE interface for port 3389 of the FireBrick is forwarded to the server. Where you can, tighten it with a protocol restriction (RDP is TCP, protocol 6) and a source address restriction, since this exposes RDP to the whole internet.

 <rule name="Map RDP to server1"
       target-port="3389"
       set-target-ip="192.168.1.101"
       set-nat="true"
       action="accept"/>

You can add further match criteria to the rule as needed, and change the port as well as the target address.

If you need more port mappings, add more rules as required. For example, to give access to an internal web server you could map port 8080 on the FireBrick to port 80 on the internal web server:

 <rule name="Map 8080 to web server2"
       target-port="8080"
       set-target-ip="192.168.1.102"
       set-target-port="80"
       set-nat="true"
       action="accept"/>

You can then test the rule using the built-in Firewall test diagnostic.

If you put in:

  • source IP = anything you want
  • Target IP = The FireBrick's IP
  • Protocol = 17 (that is UDP; RDP is normally TCP, protocol 6, but the rule above sets no protocol, so either matches)
  • Target port = 3389

Then you should see the rule matching and the target IP being changed:

Checking rule-set 5 [Mapping] - Rule 3 [RDP to server1] matched, action is ACCEPT, no further rule-sets considered
NAT set (true)
Target IP set to 192.168.1.101
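To make the matching described above concrete, here is an added Python illustration (not FireBrick firmware or AAISP code) that parses the rule-set XML from this page with the standard library and evaluates a packet against it the way the firewall test diagnostic reports it: first matching rule wins, and its set-* attributes say what changes. It also lists mapping rules that forward a port from any source over any protocol, and shows beside the page's rule a tightened variant. The `protocol` and `source-ip` attributes, the management range 198.51.100.0/24, the comma/range syntax for ports and prefixes, and the defaults for absent `action` and `no-match-action` are assumptions made for the illustration, not taken from the page.

```python
"""Toy evaluator for FireBrick-style port-mapping rule-sets (added illustration,
not FireBrick or AAISP code). Attribute names on the page are used as-is;
'protocol' and 'source-ip' match attributes, list/range syntax and defaults
for absent 'action'/'no-match-action' are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the page's rule-set with its two rules placed inside it.
CONFIG = """<config>
 <rule-set name="Port Mappings" source-interface="pppoe" target-interface="self"
           no-match-action="continue">
  <rule name="Map RDP to server1" target-port="3389"
        set-target-ip="192.168.1.101" set-nat="true" action="accept"/>
  <rule name="Map 8080 to web server2" target-port="8080"
        set-target-ip="192.168.1.102" set-target-port="80" set-nat="true" action="accept"/>
 </rule-set>
</config>"""

# Constructed tightened variant: RDP only over TCP (6) and only from an assumed
# management range, so UDP probes and strangers' SYNs fall through unforwarded.
HARDENED_CONFIG = CONFIG.replace(
    'target-port="3389"',
    'target-port="3389" protocol="6" source-ip="198.51.100.0/24"')


@dataclass
class Packet:
    source_interface: str
    target_interface: str
    source_ip: str
    target_ip: str
    protocol: int        # IP protocol number, as the diagnostic uses (6 TCP, 17 UDP)
    target_port: int


def _port_ok(spec: Optional[str], port: int) -> bool:
    """Absent attribute means any; otherwise comma list of ports or lo-hi ranges (assumed)."""
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _ip_ok(spec: Optional[str], ip: str) -> bool:
    """Absent attribute means any; otherwise comma list of addresses or prefixes (assumed)."""
    if spec is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(","))


def _matches(elem: ET.Element, pkt: Packet) -> bool:
    """Match criteria on a rule-set or rule; every absent attribute is a wildcard."""
    a = elem.attrib
    return (a.get("source-interface", pkt.source_interface) == pkt.source_interface
            and a.get("target-interface", pkt.target_interface) == pkt.target_interface
            and ("protocol" not in a or int(a["protocol"]) == pkt.protocol)
            and _ip_ok(a.get("source-ip"), pkt.source_ip)
            and _ip_ok(a.get("target-ip"), pkt.target_ip)
            and _port_ok(a.get("target-port"), pkt.target_port))


def evaluate(config_xml: str, pkt: Packet) -> Optional[dict]:
    """What the first matching rule does; None if every rule-set lets the packet continue."""
    for rs in ET.fromstring(config_xml).iter("rule-set"):
        if not _matches(rs, pkt):
            continue                      # rule-set criteria pre-filter its rules
        for rule in rs.findall("rule"):
            if _matches(rule, pkt):
                a = rule.attrib
                return {"rule_set": rs.get("name"), "rule": a.get("name"),
                        "action": a.get("action", "accept").upper(),
                        "nat": a.get("set-nat") == "true",
                        "target_ip": a.get("set-target-ip", pkt.target_ip),
                        "target_port": int(a.get("set-target-port", pkt.target_port))}
        if rs.get("no-match-action") != "continue":   # terminal rule-set (default assumed drop)
            return {"rule_set": rs.get("name"), "rule": None, "nat": False,
                    "action": rs.get("no-match-action", "drop").upper(),
                    "target_ip": pkt.target_ip, "target_port": pkt.target_port}
    return None


def wide_open_mappings(config_xml: str) -> list:
    """Names of mapping rules that forward a port from any source over any protocol."""
    found = []
    for rs in ET.fromstring(config_xml).iter("rule-set"):
        for rule in rs.findall("rule"):
            merged = {**rs.attrib, **rule.attrib}   # rule inherits the rule-set's criteria
            if "set-target-ip" in merged and "protocol" not in merged and "source-ip" not in merged:
                found.append(merged["name"])
    return found


if __name__ == "__main__":
    probe = Packet("pppoe", "self", "203.0.113.9", "192.0.2.1", 17, 3389)
    print(evaluate(CONFIG, probe))           # matches: the page's rule has no protocol restriction
    print(evaluate(HARDENED_CONFIG, probe))  # None: UDP from an unknown source falls through
    print(wide_open_mappings(CONFIG))
```

The UDP probe on port 3389 matches the page's rule exactly as the diagnostic output above shows, because neither the rule-set nor the rule constrains the protocol; the tightened variant lets it fall through to later rule-sets instead, while still forwarding TCP from the management range.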