Re: [Fwknop-discuss] fwknop for DNAT to servers
From: Richard T. <ric...@gm...> - 2012-04-21 23:47:02
Michael,

Thanks for the info, much appreciated.

Is there a way for me to knock once and open up all 8 servers in one go?

With accessing the servers using HTTPS, should I just adjust the rule timeout to x minutes? If I understand it, the only real downside is that people behind the same NAT IP as my client will also get access; each of the servers requires authentication, so I'm not too worried about that.

Wouldn't I need the SNAT for consistency?

User accesses server on public IP x.x.x.x
Server replies with the same public IP x.x.x.x

Otherwise wouldn't the server reply with the hide NAT address of the external firewall interface? No doubt that would work, but the DNAT would be nicer, no?

Cheers
Richard

On 22 April 2012 04:12, Michael Rash <mb...@ci...> wrote:
> On Apr 21, 2012, Richard Thornton wrote:
>
>> Hi,
>>
>> I am not sure if this is possible and would be grateful for the advice. I
>> want to avoid using VPNs as the resources are not super sensitive.
>>
>> I have an Ubuntu box with multiple interfaces including pppoe adsl2 and I
>> am going to use it as a firewall.
>>
>> I have 8 servers with private IPs that I need access to and I have 9 public
>> IPs (one IP is firewall external interface).
>>
>> I would like fwknop to give me access to the servers (and also to control
>> ssh access to the firewall).
>>
>> The servers will mostly have ssh and https but there is also rdp and esxi
>> mgmt ports on some. I am happy with the security implications of extending
>> the rule duration to make http work better.
>>
>> So can fwknop handle creating the 8 DNATs and corresponding 8 SNATs so each
>> server can be accessed 1:1 with the public IPs?
>
> Yes, I believe that either the regular DNAT mode or the FORCE_NAT mode
> will support this. A corresponding SNAT rule can be created too, but is
> usually only necessary if the internal systems don't have a route back out.
>
> On the client side, here is an example invocation for SSH access:
>
> $ fwknop -A tcp/22 -a <clientIP> -D <serverExternalIP> -N <internalIP>:22
>
> If you use the FORCE_NAT mode on the server, you don't need the "-N ..." stuff
> on the client side - the incoming connection to the requested service will
> be NAT'd transparently by the server and the client will never know it.
>
> On the server side, make sure to set:
>
> ENABLE_IPT_FORWARDING Y;
>
> If you need SNAT support at the same time (not likely in most situations)
> then set:
>
> ENABLE_IPT_SNAT Y;
>
> Now, if you are using the FORCE_NAT mode, then for each internal service
> create a different stanza in the access.conf file and use the FORCE_NAT
> directive. Here is an example where "192.168.1.123" is an IP of one of the
> internal systems:
>
> SOURCE: ANY;
> KEY: somefwknopkey;
> FW_ACCESS_TIMEOUT: 30;
> FORCE_NAT: 192.168.1.123 22;
>
> Thanks,
>
> --Mike
>
>> Any tips, tricks or advice would be much appreciated.
>>
>> Thanks for looking.
>>
>> Cheers
>> Richard
>>
>> _______________________________________________
>> Fwknop-discuss mailing list
>> Fwk...@li...
>> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
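As an added example (not code from this thread or from the fwknop project), here is a small Python parser for access.conf stanzas of the shape Mike shows, followed by a review pass a firewall admin can run before deploying eight such stanzas: it flags a KEY reused across stanzas, an FW_ACCESS_TIMEOUT above an assumed limit, and a FORCE_NAT target outside private address space. The sample configuration, the 900-second limit and the key-shadowing check are assumptions.

```python
import ipaddress
import re
# Constructed access.conf text in the stanza style shown in Mike's reply (one stanza per service).
SAMPLE_ACCESS_CONF = """\
SOURCE: ANY;
KEY: somefwknopkey;
FW_ACCESS_TIMEOUT: 30;
FORCE_NAT: 192.168.1.123 22;

SOURCE: ANY;
KEY: anotherkey;
FW_ACCESS_TIMEOUT: 600;
FORCE_NAT: 192.168.1.124 443;
"""
DIRECTIVE_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*?)\s*;?$")

def parse_access_conf(text):
    """Split access.conf into stanza dicts; every SOURCE line opens a new stanza."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        match = DIRECTIVE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable access.conf line: {raw!r}")
        name, value = match.groups()
        if name == "SOURCE":
            stanzas.append({})
        elif not stanzas:
            raise ValueError("directive before the first SOURCE line")
        stanzas[-1][name] = value
    return stanzas

def check_stanzas(stanzas, max_timeout=900):
    """Return (stanza_index, problem) findings; max_timeout is an assumed review limit."""
    findings, seen_keys = [], set()
    for i, stanza in enumerate(stanzas):
        key = stanza.get("KEY", "")
        if key in seen_keys:  # stanzas are tried in order, so a repeated KEY is shadowed
            findings.append((i, "KEY duplicates an earlier stanza"))
        seen_keys.add(key)
        timeout = int(stanza.get("FW_ACCESS_TIMEOUT", 30))  # 30 s is the fwknopd default
        if timeout > max_timeout:
            findings.append((i, f"FW_ACCESS_TIMEOUT {timeout}s exceeds {max_timeout}s"))
        if "FORCE_NAT" in stanza:
            ip, _port = stanza["FORCE_NAT"].split()
            if not ipaddress.ip_address(ip).is_private:
                findings.append((i, f"FORCE_NAT target {ip} is not a private address"))
    return findings
```

Run `check_stanzas(parse_access_conf(open("/etc/fwknop/access.conf").read()))` against a real file to get the list of findings; an empty list means every stanza passed.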