D-Link DFL-800-AV-12 User Manual - Page 212
7.3.1. Translation of a Single IP Address (1:1)          Chapter 7. Address Translation

  #  Action  Src Iface  Src Net  Dest Iface  Dest Net  Parameters
  3  Allow   ext2       ext2net  core        wan_ip    http
  4  NAT     lan        lannet   any         all-nets  All

This increases the number of rules by one for each interface that is allowed to communicate with the web server. However, the rule ordering is then unimportant, which may help avoid errors.

If option 2 was selected, the rule set must be adjusted as follows:

  #  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
  1  SAT     any        all-nets  core        wan_ip    http SETDEST 10.10.10.5 80
  2  NAT     lan        lannet    any         all-nets  All
  3  Allow   any        all-nets  core        wan_ip    http

This means that the number of rules does not need to increase. This is acceptable as long as all interfaces can be trusted to communicate with the web server. However, if an interface is later added that cannot be trusted to communicate with the web server, separate Drop rules would have to be placed before the rule that grants all machines access to the web server.

Determining the best course of action must be done on a case-by-case basis, taking all circumstances into account.

Example 7.4. Enabling Traffic to a Web Server on an Internal Network

The example we have chosen is that of a web server with a private address located on an internal network. From a security standpoint this approach is wrong, as web servers are very exposed to attack and should therefore be located in a DMZ. However, because of its simplicity, we use this model in our example.

In order for external users to access the web server, they must be able to contact it using a public address.
In this example, we have chosen to translate port 80 on the D-Link Firewall's external address to port 80 on the web server:

  #  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
  1  SAT     any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
  2  Allow   any        all-nets  core        wan_ip    http

These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.

Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet. In this example, we use a rule that permits everything from the internal network to access the Internet via NAT hide:

  #  Action  Src Iface  Src Net  Dest Iface  Dest Net  Parameters
  3  NAT     lan        lannet   any         all-nets  All

The problem with this rule set is that it will not work at all for traffic from the internal network to the web server's public address. In order to illustrate exactly what happens, we use the following IP addresses:

• wan_ip (195.55.66.77): a public IP address
• lan_ip (10.0.0.1): the D-Link Firewall's private internal IP address
• wwwsrv (10.0.0.2): the web server's private IP address
• PC1 (10.0.0.3): a machine with a private IP address

• PC1 sends a packet to wan_ip to reach "www.ourcompany.com":
  10.0.0.3:1038 => 195.55.66.77:80
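To make the failure concrete, the following is an added example (it is not D-Link's code and does not appear in the manual) that models how a NetDefendOS-style rule set evaluates the three rules of Example 7.4 against PC1's packet, and compares it with the "option 2" ordering from Section 7.3.1 where the NAT rule precedes the Allow rule. The model follows the manual's description: a SAT rule only records the translation, and the next matching Allow or NAT rule decides whether the connection is permitted. Interface names "lan" and "wan", the /24 mask on lannet, the routing function, the external client address 203.0.113.9 and the assumption that a server replies directly to a source on its own subnet (bypassing the firewall) are all assumptions of this model, not facts from the page.

```python
# Added example, not D-Link's code: a model of NetDefendOS-style rule evaluation
# applied to the rules of Example 7.4. Interface names "lan"/"wan", the /24 mask
# on lannet and the routing function are assumptions of this model.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Tuple

# Address book taken from the example's address list.
WAN_IP = ip_address("195.55.66.77")   # wan_ip
LAN_IP = ip_address("10.0.0.1")       # lan_ip
WWWSRV = ip_address("10.0.0.2")       # wwwsrv
PC1 = ip_address("10.0.0.3")          # PC1
EXT_CLIENT = ip_address("203.0.113.9")  # constructed external client (TEST-NET-3)
NETS = {
    "all-nets": ip_network("0.0.0.0/0"),
    "lannet": ip_network("10.0.0.0/24"),      # assumed mask
    "wan_ip": ip_network("195.55.66.77/32"),
}
IFACE_ADDR = {"lan": LAN_IP, "wan": WAN_IP}  # address a NAT rule hides behind

def route(dst: IPv4Address) -> str:
    """Assumed routing table: the firewall's own addresses resolve to 'core'."""
    if dst in (WAN_IP, LAN_IP):
        return "core"
    return "lan" if dst in NETS["lannet"] else "wan"

@dataclass(frozen=True)
class Rule:
    action: str            # "SAT", "NAT", "Allow" or "Drop"
    src_iface: str
    src_net: str
    dst_iface: str
    dst_net: str
    port: Optional[int]    # destination port; None is the "All" service
    setdest: Optional[Tuple[IPv4Address, int]] = None  # SAT SETDEST target

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: IPv4Address
    dst: IPv4Address
    dport: int

@dataclass(frozen=True)
class Decision:
    allowed: bool
    out_iface: Optional[str] = None
    src: Optional[IPv4Address] = None   # source address as the server sees it
    dst: Optional[IPv4Address] = None
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """Rules match the packet as received, i.e. before any SAT is applied."""
    return (rule.src_iface in ("any", pkt.in_iface)
            and pkt.src in NETS[rule.src_net]
            and rule.dst_iface in ("any", route(pkt.dst))
            and pkt.dst in NETS[rule.dst_net]
            and rule.port in (None, pkt.dport))

def evaluate(rules, pkt: Packet) -> Decision:
    """First match wins, except that a SAT rule only records the translation and
    the next matching Allow/NAT rule permits; NAT also hides the source."""
    sat = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "SAT":
            sat = sat or rule.setdest
            continue
        if rule.action == "Drop":
            return Decision(False)
        dst, dport = sat if sat else (pkt.dst, pkt.dport)
        out = route(dst)  # egress is chosen on the translated destination
        src = IFACE_ADDR.get(out, pkt.src) if rule.action == "NAT" else pkt.src
        return Decision(True, out, src, dst, dport)
    return Decision(False)  # nothing matched: implicit drop

def reply_source(rules, pkt: Packet) -> Optional[Tuple[IPv4Address, int]]:
    """Address:port the client sees on the server's reply, or None if dropped."""
    d = evaluate(rules, pkt)
    if not d.allowed:
        return None
    if d.out_iface == "lan" and d.src in NETS["lannet"] and d.src != LAN_IP:
        # Server and the address it replies to share a subnet: the reply goes
        # straight to the client without crossing the firewall, so no untranslation.
        return (d.dst, d.dport)
    return (pkt.dst, pkt.dport)  # reply crosses the firewall, which reverses the SAT

def connection_works(rules, pkt: Packet) -> bool:
    """A client only accepts replies from the address:port it connected to."""
    return reply_source(rules, pkt) == (pkt.dst, pkt.dport)

# Rule set exactly as listed in Example 7.4: SAT, Allow, then the NAT-hide rule.
EXAMPLE_7_4 = [
    Rule("SAT", "any", "all-nets", "core", "wan_ip", 80, (WWWSRV, 80)),
    Rule("Allow", "any", "all-nets", "core", "wan_ip", 80),
    Rule("NAT", "lan", "lannet", "any", "all-nets", None),
]
# Section 7.3.1's "option 2" ordering, with the NAT rule ahead of the Allow.
OPTION_2 = [EXAMPLE_7_4[0], EXAMPLE_7_4[2], EXAMPLE_7_4[1]]
PC1_TO_WWW = Packet("lan", PC1, WAN_IP, 80)       # the packet from the example
EXT_TO_WWW = Packet("wan", EXT_CLIENT, WAN_IP, 80)  # constructed external request
```

Running `evaluate(EXAMPLE_7_4, PC1_TO_WWW)` shows the web server receiving a packet from 10.0.0.3 addressed to 10.0.0.2:80, so in this model it answers PC1 directly from 10.0.0.2:80 while PC1 is waiting for a reply from 195.55.66.77:80, and `connection_works` returns False. With `OPTION_2` the NAT rule is reached before the Allow, the source becomes lan_ip, the reply has to pass the firewall, and the connection succeeds; external clients work under both orderings, and Internet-bound LAN traffic still matches the NAT-hide rule.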