D-Link DFL-2500 User Manual

Page 212


#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
3  Allow   ext2       ext2net   core        wan_ip    http
4  NAT     lan        lannet    any         all-nets  All

This increases the number of rules for each interface allowed to communicate with the web server. However, the
rule ordering is unimportant, which may help avoid errors.

If option 2 was selected, the rule set must be adjusted thus:

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT     any        all-nets  core        wan_ip    http SETDEST 10.10.10.5 80
2  NAT     lan        lannet    any         all-nets  All
3  Allow   any        all-nets  core        wan_ip    http

This means that the number of rules does not need to be increased. This is good as long as all interfaces can be
entrusted to communicate with the web server. However, if, at a later point, you add an interface that cannot be
entrusted to communicate with the web server, separate Drop rules would have to be placed before the rule
granting all machines access to the web server.

Determining the best course of action must be done on a case-by-case basis, taking all circumstances into
account.

Example 7.4. Enabling Traffic to a Web Server on an Internal Network

The example we have decided to use is that of a web server with a private address located on an internal
network. From a security standpoint, this approach is wrong, as web servers are very vulnerable to attack and
should therefore be located in a DMZ. However, due to its simplicity, we have chosen to use this model in our
example.

In order for external users to access the web server, they must be able to contact it using a public address. In this
example, we have chosen to translate port 80 on the D-Link Firewall's external address to port 80 on the web
server:

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
1  SAT     any        all-nets  core        wan_ip    http SETDEST wwwsrv 80
2  Allow   any        all-nets  core        wan_ip    http

These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that
address translation can take place if the connection has been permitted, and rule 2 permits the connection.

Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet.
In this example, we use a rule that permits everything from the internal network to access the Internet via NAT
hide:

#  Action  Src Iface  Src Net   Dest Iface  Dest Net  Parameters
3  NAT     lan        lannet    any         all-nets  All

The problem with this rule set is that it will not work at all for traffic from the internal network.

In order to illustrate exactly what happens, we use the following IP addresses:

wan_ip (195.55.66.77): a public IP address

lan_ip (10.0.0.1): the D-Link Firewall's private internal IP address

wwwsrv (10.0.0.2): the web server's private IP address

PC1 (10.0.0.3): a machine with a private IP address

PC1 sends a packet to wan_ip to reach "www.ourcompany.com":
10.0.0.3:1038 => 195.55.66.77:80
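The rule-ordering discussion above (option 1 versus option 2, and the need to place Drop rules before a catch-all Allow) and the trace of PC1's packet in Example 7.4 both come down to the same first-match semantics: a SAT rule only records a destination rewrite, and the first matching Allow, NAT or Drop rule after it decides the connection. The following is an added example that models those semantics in Python; it is not code from the DFL-2500 or its manual. It uses the page's addresses (wan_ip, lan_ip, wwwsrv, PC1) and rule set, and assumes the rest: lannet is 10.0.0.0/24, a packet addressed to one of the firewall's own addresses reaches the "core" interface, NAT hide substitutes the firewall address facing the destination, unmatched traffic is dropped, and the untrusted interface "dmz2", the host 172.16.0.9 and the Internet host 203.0.113.10 are constructed for the demonstration.

```python
"""Minimal first-match model of the rule semantics described in the manual
(constructed example, not the DFL-2500's own rule engine)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Addresses from the manual's Example 7.4.
WAN_IP = "195.55.66.77"
LAN_IP = "10.0.0.1"
WWWSRV = "10.0.0.2"
PC1 = "10.0.0.3"

# Named networks. "lannet" as 10.0.0.0/24 is an assumption; the page only gives host addresses.
NETS = {
    "lannet": ipaddress.ip_network("10.0.0.0/24"),
    "wan_ip": ipaddress.ip_network(WAN_IP + "/32"),
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
}
FIREWALL_IPS = {WAN_IP, LAN_IP}  # packets addressed to these hit the "core" interface (assumption)


@dataclass(frozen=True)
class Packet:
    src_iface: str
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self) -> str:
        return f"{self.src}:{self.sport} => {self.dst}:{self.dport}"


@dataclass(frozen=True)
class Rule:
    action: str                                 # SAT | NAT | Allow | Drop
    src_iface: str                              # interface name or "any"
    src_net: str
    dest_iface: str                             # "core" or "any"
    dest_net: str
    service: str                                # "http" or "All"
    setdest: Optional[Tuple[str, int]] = None   # SAT SETDEST target


def in_net(ip: str, net_name: str) -> bool:
    return ipaddress.ip_address(ip) in NETS[net_name]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Rules are matched against the packet's original (untranslated) addresses."""
    if rule.src_iface not in ("any", pkt.src_iface):
        return False
    if not in_net(pkt.src, rule.src_net) or not in_net(pkt.dst, rule.dest_net):
        return False
    dest_iface = "core" if pkt.dst in FIREWALL_IPS else "other"
    if rule.dest_iface not in ("any", dest_iface):
        return False
    if rule.service == "http" and pkt.dport != 80:
        return False
    return True


def egress_ip(dst: str) -> str:
    """NAT hide address: the firewall address facing the destination (assumption:
    lannet sits behind lan_ip, everything else is reached via wan_ip)."""
    return LAN_IP if in_net(dst, "lannet") else WAN_IP


def evaluate(rules, pkt: Packet):
    """Return (decision, rule_number, forwarded_packet_or_None)."""
    sat = None
    for num, rule in enumerate(rules, start=1):
        if not matches(rule, pkt):
            continue
        if rule.action == "SAT":
            sat = rule                 # remembered; takes effect only once a later rule permits
            continue
        if rule.action == "Drop":
            return ("Drop", num, None)
        out = pkt
        if sat is not None and sat.setdest is not None:
            ip, port = sat.setdest     # SETDEST rewrites the destination
            out = Packet(out.src_iface, out.src, out.sport, ip, port)
        if rule.action == "NAT":
            out = Packet(out.src_iface, egress_ip(out.dst), out.sport, out.dst, out.dport)
        return (rule.action, num, out)
    return ("Drop", None, None)        # assumption: default deny when nothing matches


# Example 7.4's rule set, in the order the page gives it.
EXAMPLE_7_4 = [
    Rule("SAT", "any", "all-nets", "core", "wan_ip", "http", setdest=(WWWSRV, 80)),
    Rule("Allow", "any", "all-nets", "core", "wan_ip", "http"),
    Rule("NAT", "lan", "lannet", "any", "all-nets", "All"),
]


def pc1_to_webserver():
    """PC1 (10.0.0.3:1038) sends to wan_ip:80, as the page traces it."""
    return evaluate(EXAMPLE_7_4, Packet("lan", PC1, 1038, WAN_IP, 80))


def pc1_to_internet():
    """PC1 browsing an outside host (203.0.113.10, constructed) reaches rule 3 and is NAT-hidden."""
    return evaluate(EXAMPLE_7_4, Packet("lan", PC1, 1040, "203.0.113.10", 80))


def drop_rule_ordering(drop_first: bool):
    """Option 2 with a hypothetical untrusted interface 'dmz2': its Drop rule only
    takes effect when it precedes the catch-all Allow."""
    drop = Rule("Drop", "dmz2", "all-nets", "core", "wan_ip", "http")
    allow = Rule("Allow", "any", "all-nets", "core", "wan_ip", "http")
    rules = [EXAMPLE_7_4[0]] + ([drop, allow] if drop_first else [allow, drop])
    return evaluate(rules, Packet("dmz2", "172.16.0.9", 2000, WAN_IP, 80))


if __name__ == "__main__":
    for label, fn in [("PC1 -> web server", pc1_to_webserver), ("PC1 -> Internet", pc1_to_internet)]:
        decision, num, out = fn()
        print(f"{label}: rule {num} {decision}, forwarded as {out}")
    print("Drop before Allow:", drop_rule_ordering(True)[:2])
    print("Drop after Allow: ", drop_rule_ordering(False)[:2])
```

Running it shows the two ordering effects the page relies on. PC1's packet to wan_ip:80 is recorded by the SAT rule and permitted by rule 2 before the NAT rule is ever reached, so it is forwarded as 10.0.0.3:1038 => 10.0.0.2:80 with the destination rewritten and the private source address unchanged, whereas the same host's Internet-bound traffic falls through to rule 3 and leaves with wan_ip as its source. For the untrusted interface, the Drop rule is effective only when it sits before the "any/all-nets" Allow; placed after it, the Allow matches first and the Drop is never consulted.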

7.3.1. Translation of a Single IP Address (1:1)

Chapter 7. Address Translation
