On Apr 21, 2012, Richard Thornton wrote:
> Hi,
>
> I am not sure if this is possible and would be grateful for the advice. I
> want to avoid using VPNs as the resources are not super sensitive.
>
> I have an Ubuntu box with multiple interfaces including pppoe adsl2 and I
> am going to use it as a firewall.
>
> I have 8 servers with private IPs that I need access to and I have 9 public
> IPs (one IP is firewall external interface).
>
> I would like fwknop to give me access to the servers (and also to control
> ssh access to the firewall).
>
> The servers will mostly have ssh and https but there is also rdp and esxi
> mgmt ports on some. I am happy with the security implications of extending
> the rule duration to make http work better.
>
> So can fwknop handle creating the 8 DNATs and corresponding 8 SNATs so each
> server can be accessed 1:1 with the public IPs?
Yes, I believe that either the regular DNAT mode or the FORCE_NAT mode will
support this. A corresponding SNAT rule can be created too, but is usually
only necessary if the internal systems don't have a route back out.

On the client side, here is an example invocation for SSH access:

$ fwknop -A tcp/22 -a <clientIP> -D <serverExternalIP> -N <internalIP>:22

If you use the FORCE_NAT mode on the server, you don't need the "-N ..."
stuff on the client side - the incoming connection to the requested service
will be NAT'd transparently by the server and the client will never know it.

On the server side, make sure to set:

ENABLE_IPT_FORWARDING Y;

If you need SNAT support at the same time (not likely in most situations)
then set:

ENABLE_IPT_SNAT Y;

Now, if you are using the FORCE_NAT mode, then for each internal service
create a different stanza in the access.conf file and use the FORCE_NAT
directive. Here is an example where "192.168.1.123" is an IP of one of the
internal systems:

SOURCE: ANY;
KEY: somefwknopkey;
FW_ACCESS_TIMEOUT: 30;
FORCE_NAT: 192.168.1.123 22;

Thanks,

--Mike

> Any tips, tricks or advice would be much appreciated.
>
> Thanks for looking.
>
> Cheers
> Richard
>
> ------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
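Added example (not from the thread or from the fwknop project): a small Python script that renders one FORCE_NAT stanza per internal server in the layout Mike shows above, and lints an access.conf back, flagging a KEY left at the example value, a KEY shared between stanzas, a malformed FORCE_NAT line, and a NAT target outside private address space. The host addresses and key strings are constructed placeholders, and the parser assumes only the simple "DIRECTIVE: value;" lines shown in the reply, not fwknopd's full access.conf grammar.

```python
import ipaddress
import re

# Constructed sample (hypothetical hosts, placeholder keys): one stanza per internal service.
SERVERS = [("192.168.1.10", 22, "key-for-ssh-host-01"),
           ("192.168.1.20", 443, "key-for-https-host-02"),
           ("192.168.1.30", 3389, "key-for-rdp-host-03")]

def build_access_conf(servers, timeout=30):
    """Render one FORCE_NAT stanza per internal service in the layout shown above."""
    return "\n".join(f"SOURCE: ANY;\nKEY: {key};\nFW_ACCESS_TIMEOUT: {timeout};\n"
                     f"FORCE_NAT: {ip} {port};\n" for ip, port, key in servers)

def parse_access_conf(text):
    """Split 'DIRECTIVE: value;' lines into stanza dicts; each SOURCE opens a new one."""
    stanzas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+):\s*(.*?)\s*;?\s*$", line)
        if not m:
            continue  # blank lines and comments carry no directive
        key, val = m.groups()
        if key == "SOURCE":
            cur = {}
            stanzas.append(cur)
        if cur is not None:
            cur[key] = val
    return stanzas

def lint_access_conf(text):
    """Defender-side checks on a FORCE_NAT access.conf; returns a list of findings."""
    findings, seen_keys = [], {}
    for n, s in enumerate(parse_access_conf(text), 1):
        key = s.get("KEY", "")
        if not key or key == "somefwknopkey":
            findings.append(f"stanza {n}: KEY missing or still the example value")
        elif key in seen_keys:
            findings.append(f"stanza {n}: KEY reused from stanza {seen_keys[key]}; "
                            "one secret would unlock more than one server")
        seen_keys.setdefault(key, n)
        parts = s.get("FORCE_NAT", "").split()
        if len(parts) != 2 or not parts[1].isdigit() or not 0 < int(parts[1]) < 65536:
            findings.append(f"stanza {n}: FORCE_NAT must be '<internal IP> <port>'")
            continue
        try:
            if not ipaddress.ip_address(parts[0]).is_private:
                findings.append(f"stanza {n}: NAT target {parts[0]} is not a private address")
        except ValueError:
            findings.append(f"stanza {n}: NAT target {parts[0]} is not an IP address")
    return findings
```

Pass the contents of a deployed access.conf to lint_access_conf to run the same checks on a real file.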
