Author Topic: Allow Public IP through ebox

redmondmj

  • Zen Apprentice
  • Posts: 9
  • Karma: +0/-0
Allow Public IP through ebox
« on: June 20, 2008, 12:38:33 pm »
Hello:

I've just set up ebox and am very impressed with the easy installation/configuration. I have it installed on a Poweredge 2500 acting as a gateway. Eth0 is my external, Eth1 is my internal (192.168.x.x), running DHCP, DNS, Squid. Everything seems to be working great.

I now need to be able to set up a machine on the internal network with a static public IP and allow it to access the internet. In the past I would just add these to my arp list, but I'm not sure where to start with ebox.

I have tried adding a network object for the required IP/MAC, adding Allow/Any rules to the packet filtering rules, and adding an "Allow ALL" for the object under HTTP Proxy.

Just hoping somebody can point me in the right direction!

Thanks,



sixstone

  • Zentyal Staff
  • Zen Hero
  • Posts: 1417
  • Karma: +26/-0
Re: Allow Public IP through ebox
« Reply #1 on: June 23, 2008, 09:44:56 am »
Hello,

Firstly, thanks for your feedback. It is what adds value to what we've done so far.

Regarding your question, in order to give a single machine full access to the Internet, you may create an object with this host (as you've done) and set an allow rule for any connection whose source is the defined object in the "Filtering rules for internal networks" section in Firewall -> Packet filter. With regard to the HTTP proxy, have you set the "transparent proxy" option on? Finally, I suppose you have enabled the desired modules in "Module status".

Hope this helps.
My secret is my silence...

redmondmj

  • Zen Apprentice
  • Posts: 9
  • Karma: +0/-0
Re: Allow Public IP through ebox
« Reply #2 on: June 23, 2008, 12:49:09 pm »
Thanks for your reply,

All the required modules are enabled, the transparent proxy is working great, and for the most part everything is working exactly the way I want it. I really can't say enough about all the work you've done here!

I have tried your suggestions. I have a network object created with the host that I would like to allow to access the internet set up as a member. I have added a rule in the "Filtering rules for internal networks" section... Decision>ACCEPT, Source>MyObject, Destination>ANY, Service>Any. However, I am still not able to get out from this machine when the public IP is configured on it. It works fine when it has an internal (192.168.x.x) address. The public IP that I need to use is from my ISP (25.222.x.x), using their mask and gateway (255.248, 25.222.26.1). This host needs to use the same mask/gateway that the external card on eBox is using, but it is actually on the internal network.

I hope this is possible... Thanks again for all your help.

redmondmj

  • Zen Apprentice
  • Posts: 9
  • Karma: +0/-0
Re: Allow Public IP through ebox
« Reply #3 on: June 24, 2008, 12:55:07 pm »
When I set up the member of my network object I'm using the IP of the host that I want to allow through Ebox from the internal network with a 32 bit mask, i.e. 25.222.x.x/32. This should indicate the specific IP of the host, correct? Can I use 25.222.x.x/24 to specify a range here?
Also does the name of the member have any significance? I assume it is just for me to identify the member, it's not the hostname or anything...

sixstone

  • Zentyal Staff
  • Zen Hero
  • Posts: 1417
  • Karma: +26/-0
Re: Allow Public IP through ebox
« Reply #4 on: June 27, 2008, 06:17:20 pm »
I'm afraid this configuration is not possible to do using the eBox interface.

The main problem is that eBox is doing NAT on incoming connections. You may disable NAT when the destination/source is that public IP host. To do so, you must enter iptables rules in the "PREROUTING" and "POSTROUTING" chains of the "nat" table. I don't know exactly which rule you must insert at the head of both chains :-S.

Check the table by running "sudo iptables -vL -t nat".

Hope this helps you a little.
My secret is my silence...

redmondmj

  • Zen Apprentice
  • Posts: 9
  • Karma: +0/-0
Re: Allow Public IP through ebox
« Reply #5 on: June 30, 2008, 05:20:17 pm »
Thanks,

This definitely points me in the right direction.

Thanks for your help!

redmondmj

  • Zen Apprentice
  • Posts: 9
  • Karma: +0/-0
Re: Allow Public IP through ebox
« Reply #6 on: July 01, 2008, 01:21:17 am »
I'm still looking into IPTABLES, a bit of a learning curve there ;-) I won't give up though.

However, would this setup be possible through ebox if I added another external interface? The first external interface could still be used for NAT. The new interface could be like a DMZ maybe? If so, I'm open to suggestions as to how to configure it...

Thanks!!!

redmondmj

  • Zen Apprentice
  • Posts: 9
  • Karma: +0/-0
Re: Allow Public IP through ebox
« Reply #7 on: July 09, 2008, 01:46:22 am »
 :D

I finally managed to get this working. Learned a lot about iptables. Here is what I used:
Code:
iptables -N ARP-IP                                    # new chain for the pass-through host
iptables -I FORWARD -j ARP-IP                         # evaluate it ahead of eBox's own FORWARD rules
arp -Ds X.X.X.6 eth0 pub                              # proxy ARP: answer for the public IP on the external side
route add -host X.X.X.6 dev eth1                      # host route for the public IP via the internal interface
iptables -A ARP-IP -s X.X.X.6 -j ACCEPT               # forward traffic coming from the host
iptables -A ARP-IP -d X.X.X.6 -j ACCEPT               # forward traffic going to the host
iptables -t nat -I POSTROUTING -s X.X.X.6 -j ACCEPT   # inserted at the head so this source is never masqueraded
arp -Ds X.X.X.1 eth1 pub                              # proxy ARP: answer for the ISP gateway on the internal side

eth1 is my internal interface
eth5 is my external interface
X.X.X.6 is the public IP I needed to pass through
X.X.X.1 is my Gateway

This seems to be working so far, I haven't encountered any issues. I would like to make these changes permanent though.

I also made a script that will run this and read the IPs from a file. Haven't tested that yet though. Suppose I can run this on startup if I can't find a better way to make these stick.
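The following is an added example, not redmondmj's script or any eBox code, of how the pass-through above can be driven from a file of public IPs and checked afterwards. It validates each entry, refuses RFC 1918 addresses (those are what eBox already masquerades), prints the commands as a dry run unless APPLY=1 is set, and includes a check for the point sixstone raised about the nat table: the POSTROUTING ACCEPT only works if it sits before the MASQUERADE rule, which is why the thread's script inserts it with -I. Interface names, the gateway and the sample addresses (TEST-NET-3, 203.0.113.0/24) are constructed placeholders for the thread's eth5, eth1 and X.X.X.x values. Unlike the thread's rule, return traffic to the host is limited to established connections; drop the state match if the host must accept new inbound connections.

```shell
#!/bin/sh
# Added example: proxy-ARP pass-through of public IPs from a file.
# Not the thread's script; names below are placeholders for the thread's eth5/eth1/X.X.X.1.
EXT_IF="${EXT_IF:-eth5}"          # external interface (faces the ISP)
INT_IF="${INT_IF:-eth1}"          # internal interface (where the host sits)
GATEWAY="${GATEWAY:-203.0.113.1}" # ISP gateway, proxied onto the internal side
CHAIN="${CHAIN:-ARP-IP}"          # custom FORWARD chain, as in the thread

# True when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  echo "$1" | awk -F. '{ if (NF != 4) exit 1
    for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
    exit 0 }'
}

# True when $1 is in an RFC 1918 range: such hosts are already masqueraded
# by eBox and must not be proxied onto the external segment.
is_private() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Commands needed once, however many hosts are passed through.
chain_setup() {
  cat <<EOF
iptables -N $CHAIN
iptables -I FORWARD -j $CHAIN
arp -Ds $GATEWAY $INT_IF pub
EOF
}

# Commands for one pass-through host; inbound is limited to return traffic.
rules_for_host() {
  cat <<EOF
arp -Ds $1 $EXT_IF pub
route add -host $1 dev $INT_IF
iptables -A $CHAIN -s $1 -j ACCEPT
iptables -A $CHAIN -d $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -s $1 -j ACCEPT
EOF
}

# Read the IP file ('#' comments and blank lines ignored) and emit the full
# command list on stdout; rejected entries are reported on stderr.
generate() {
  chain_setup
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r ip; do
    if ! valid_ipv4 "$ip"; then echo "skipping malformed entry: $ip" >&2
    elif is_private "$ip"; then echo "skipping private address: $ip" >&2
    else rules_for_host "$ip"
    fi
  done
}

# Read 'iptables -t nat -S POSTROUTING' output on stdin and succeed only if
# the ACCEPT for $1 precedes every MASQUERADE rule: iptables stops at the
# first matching target, so an ACCEPT appended after MASQUERADE never fires.
accept_before_masquerade() {
  awk -v ip="$1" '
    /-j MASQUERADE/ && !seen { print "MASQUERADE precedes ACCEPT for " ip > "/dev/stderr"; exit 1 }
    $0 ~ ("-s " ip "(/32)? .*-j ACCEPT") { seen = 1 }
    END { exit seen ? 0 : 1 }'
}

# Constructed sample input so the script runs offline.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# hosts to pass through, one per line
203.0.113.6
192.168.1.50   # internal address, skipped
300.1.1.1      # malformed, skipped
EOF

# Dry run prints the commands; APPLY=1 executes them (needs root).
if [ "${APPLY:-0}" = 1 ]; then generate "${1:-$SAMPLE}" | sh -e
else generate "${1:-$SAMPLE}"
fi
```

After applying, run `iptables -t nat -S POSTROUTING | accept_before_masquerade 203.0.113.6` (with the real address) to confirm the ordering is still right, for example after an eBox module restart has rewritten its own rules.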

jcanfield

  • Zen Monk
  • Posts: 89
  • Karma: +2/-0
Re: Allow Public IP through ebox
« Reply #8 on: July 11, 2008, 04:23:13 am »
Great...I'll have to test this out.
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius...and a lot of courage - to move in the opposite direction."  --  Albert Einstein