Firewall-Regeln für die Double-NAT Firewall aus dem Network Namespaces Post.

# ferm.conf for double nat firewall
# dj0Nz nov 2022

# Interfaces: $EXT_IF is the upstream side (SNAT to $EXT_NAT is applied on it in
# POSTROUTING), $INT_IF is the veth leg towards the namespace holding $PEER_IP.
@def $EXT_IF = ( ens224 );
@def $INT_IF = ( veth0 );
# Address presented to the outside; PREROUTING redirects everything sent to it
# to $PEER_IP, and both SNAT rules rewrite sources to it.
@def $EXT_NAT = 192.168.16.101;
@def $PEER_IP = 10.0.0.3;
# TCP ports that may be forwarded to the peer (used only in the FORWARD chain;
# the DNAT itself is not port-restricted).
@def $PORTS = ( 22 80 443 );
# Only reachable from $PEER_IP on tcp/8080 (FORWARD rule below).
@def $PROXY = 192.168.203.23;

# NOTE(review): all address literals are IPv4 while the block is declared for
# both domains — confirm the installed ferm version skips them for ip6 instead
# of failing on reload (@ipfilter exists for that purpose).
domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # respond to ping
            # (no icmp-type match: this accepts every ICMP type, not only echo-request)
            proto icmp ACCEPT;

            # allow SSH connections
            # NOTE(review): no interface or saddr match, so this also admits SSH
            # arriving on $EXT_IF; restrict to `interface $INT_IF` or a trusted
            # saddr if the host should only be administered from one side.
            proto tcp dport ssh ACCEPT;
        }
        chain OUTPUT {
            policy ACCEPT;

            # connection tracking
            # (INVALID drop intentionally left disabled here in the original)
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # all ICMP types forwarded in both directions
            proto icmp ACCEPT;
            # new TCP connections to the peer on $PORTS from either side.
            # NOTE(review): PREROUTING DNAT has already rewritten daddr $EXT_NAT to
            # $PEER_IP before a packet reaches FORWARD, so the $EXT_NAT entry here
            # appears never to match — harmless, but worth confirming with the
            # per-rule counters (iptables -L -n -v).
            interface ( $EXT_IF $INT_IF ) daddr ( $EXT_NAT $PEER_IP ) proto tcp dport $PORTS ACCEPT;
            # the peer may open connections to the proxy on tcp/8080; nothing else
            # from $INT_IF towards $PROXY is allowed (policy DROP).
            interface $INT_IF saddr $PEER_IP daddr $PROXY proto tcp dport 8080 ACCEPT;
        }
    }
    table nat {
            chain PREROUTING {
                # first NAT: every packet addressed to $EXT_NAT — any protocol, any
                # port, any ingress interface — is redirected to the peer. The port
                # restriction lives in FORWARD, not here.
                # NOTE(review): if $EXT_NAT is also an address of this host, this
                # redirects SSH meant for the host to the peer as well — confirm
                # $EXT_NAT is used only as the NAT address.
                daddr $EXT_NAT DNAT to $PEER_IP;
            }
            chain POSTROUTING {
                # outbound: connections from the peer leave $EXT_IF as $EXT_NAT
                saddr $PEER_IP outerface $EXT_IF SNAT to $EXT_NAT;
                # second NAT: traffic forwarded to the peer over $INT_IF also gets
                # its source rewritten to $EXT_NAT, so the peer sees every client
                # as $EXT_NAT (original client addresses are not visible to it).
                daddr $PEER_IP outerface $INT_IF SNAT to $EXT_NAT;
            }
    }
}

@include ferm.d/;

Regelwerk neu laden mit systemctl reload ferm. Wenn was nicht passt, gibt’s an der Stelle ne Meldung. Regelwerk kontrollieren:

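# IPv4 side: filter table first, then the nat table with the DNAT/SNAT rules.
# -v shows per-rule packet/byte counters, which is the quickest way to see
# whether a rule actually matches anything.
iptables -L -n -v
iptables -L -n -v -t nat
# The ruleset is declared for domain (ip ip6), so the IPv6 tables are loaded
# as well and should be checked too. The ip6 nat table needs IPv6 NAT support
# in the kernel; the last command reports an error if it is not available.
ip6tables -L -n -v
ip6tables -L -n -v -t nat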