Author Topic: NAT reflection

Cele

NAT reflection
« on: November 10, 2009, 09:15:51 am »
Hi!

Does the e-box firewall have a NAT reflection feature? And if it does, how can I enable it?

sixstone

Re: NAT reflection
« Reply #1 on: November 17, 2009, 12:49:27 pm »
Hi Cele,

We don't have such a feature in our current ebox-firewall. Could you explain this feature to us a little?

Cheers,
My secret is my silence...

hordur

Re: NAT reflection
« Reply #2 on: November 25, 2009, 01:02:55 am »
I've also been wanting to do this using ebox.
I believe this is sometimes called NAT loopback. It enables you to access port-forwarded services in your local network from within the network itself using the router's public IP address. E.g. if you're forwarding port 80 to 192.168.0.1 and your router had the public IP 123.123.123.123, you could access the web server through http://123.123.123.123 both from outside and inside your LAN instead of having to use http://192.168.0.1 on the inside.

sixstone

Re: NAT reflection
« Reply #3 on: December 01, 2009, 01:18:01 pm »
Thanks for the explanation; I have added it to our wishlist [1].

Cheers,

[1] http://trac.ebox-platform.com/wiki/Document/Development/Wishlist/Module/Firewall
My secret is my silence...

hordur

Re: NAT reflection
« Reply #4 on: December 03, 2009, 05:14:38 am »
I've managed to do this on my ebox by editing /usr/share/perl5/EBox/Firewall/IptablesRedirectRule.pm

Below is my modified version of the sub. I wasn't sure where I could get the public IP from, so I hardcoded it in. Basically, I added the POSTROUTING rule and I also removed the interface flag from the other lines, as that was limiting everything to the external interface. Hopefully this can be useful for someone who can implement this properly.

sub strings
{
    my ($self) = @_;

    my @rules;
    my $state = $self->state();
    my $modulesConf = $self->modulesConf();
    my $iface = $self->interface();
    # Iptables needs to use the real interface (the alias suffix is stripped).
    # Kept from the original sub; it is no longer used below because the
    # interface flag was removed so that the rules also match LAN traffic.
    $iface =~ s/:.*$//;

    foreach my $src (@{$self->{'source'}}) {
        foreach my $origDst (@{$self->{'destination'}}) {
            my ($dst, $toDst, $addr) = @{$self->{'destinationNAT'}};
            foreach my $service (@{$self->{'service'}}) {
                my ($natSvc, $filterSvc) = @{$service};

                # Rewrite the original (public) destination to the internal host.
                my $natRule = "-t nat -A PREROUTING $modulesConf " .
                    " $src $natSvc $origDst -j DNAT $toDst";

                # Allow the redirected traffic through the filter table.
                my $filterRule = "-A fredirects $state $modulesConf " .
                    " $src $filterSvc $dst -j ACCEPT";

                # Added for NAT reflection: when the redirected connection comes
                # from the LAN, masquerade it so the internal host answers via
                # the firewall instead of directly to the client.
                my $postRule = "-t nat -A POSTROUTING " .
                    " -s 192.168.0.0/16 $filterSvc $dst -j MASQUERADE";

                push (@rules, $natRule, $filterRule, $postRule);
            }
        }
    }

    return \@rules;
}

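The model below is an added illustration, not code from the thread or from eBox/Zentyal, of why the extra POSTROUTING MASQUERADE rule in the post above is what makes the reflected connection described by hordur actually complete. It reuses the thread's addresses (public IP 123.123.123.123, forward of port 80 to 192.168.0.1, source range 192.168.0.0/16) and assumes a router LAN address of 192.168.0.254 and an external client at 198.51.100.7, both constructed for the example. It walks one TCP SYN through the PREROUTING DNAT, the optional POSTROUTING MASQUERADE and conntrack's reverse translation, and reports whether the client sees the reply from the address it connected to.

```python
#!/usr/bin/env python3
"""Hairpin (reflected) NAT walk-through.

Without the MASQUERADE, a LAN client connecting to the public IP gets the
DNAT applied, but the server replies straight to the client on the LAN with
its private address as source. That reply never crosses the router, so it
is never un-NATed, and the client's TCP stack discards it as belonging to
no known connection. The MASQUERADE forces the reply back through the router.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

ROUTER_WAN = ip_address("123.123.123.123")   # public IP used in the thread
ROUTER_LAN = ip_address("192.168.0.254")     # assumed LAN IP of the eBox router
SERVER = ip_address("192.168.0.1")           # port-forward target from the thread
LAN = ip_network("192.168.0.0/16")           # -s range of the MASQUERADE rule
FORWARDS = {(ROUTER_WAN, 80): (SERVER, 80)}  # the single port forward


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int

    def reply(self):
        """The answer to this packet: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def prerouting_dnat(pkt):
    """-t nat -A PREROUTING ... -j DNAT: public address -> internal server."""
    target = FORWARDS.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=target[0], dport=target[1]) if target else pkt


def postrouting_masquerade(pkt, hairpin):
    """-t nat -A POSTROUTING -s 192.168.0.0/16 <service> -d <server> -j MASQUERADE:
    rewrite the source to the router's own address, but only for forwarded
    connections that originated inside the LAN (the hairpin case)."""
    if hairpin and pkt.src in LAN and (pkt.dst, pkt.dport) in FORWARDS.values():
        return replace(pkt, src=ROUTER_LAN)
    return pkt


def connect(client, hairpin):
    """True if the client's handshake can complete: the reply must arrive
    from ROUTER_WAN:80 addressed to client:40000, exactly what it sent to."""
    syn = Packet(client, 40000, ROUTER_WAN, 80)

    # Router, forward direction: DNAT, then the optional MASQUERADE. Conntrack
    # remembers how to undo both translations for the matching reply.
    out = postrouting_masquerade(prerouting_dnat(syn), hairpin)
    conntrack = {out.reply(): syn.reply()}

    # The server answers whatever it saw as the packet's source.
    reply = out.reply()

    # Routing decision on the server: a LAN destination other than the router
    # itself is delivered directly and never passes the router's NAT tables.
    if reply.dst in LAN and reply.dst != ROUTER_LAN:
        seen_by_client = reply
    else:
        seen_by_client = conntrack.get(reply, reply)  # router un-NATs it

    return seen_by_client == syn.reply()


if __name__ == "__main__":
    lan_client = ip_address("192.168.0.50")   # constructed LAN client
    wan_client = ip_address("198.51.100.7")   # constructed external client
    for label, client in (("LAN", lan_client), ("WAN", wan_client)):
        for hairpin in (False, True):
            result = "works" if connect(client, hairpin) else "fails"
            print(f"{label} client, MASQUERADE={hairpin!s:5}: {result}")
```

Running it shows the external client working with or without the MASQUERADE, and the LAN client working only with it. One operational consequence worth knowing: once the source is masqueraded, the internal server's logs record the router's LAN address for every reflected connection rather than the real LAN client, so per-client auditing of those connections has to happen on the firewall (conntrack or iptables logging) instead of on the server.
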
mattd

Re: NAT reflection
« Reply #5 on: August 06, 2010, 09:15:21 pm »
Thanks for this, hordur. I've used your solution on my 1.4 install for the last 6 months, but it doesn't seem to be working for me on 1.5. Any suggestions? Will we see this feature in 2.0?