<arrayparam>:
snat_ip<n> <ip/mask>
# translates src addr from the ip network on ifout
# (ifout - the interface used for default route)
rule<n> <rulespec> # firewall rule, see <rulespec> below
ssh_ip<n> <ip/mask>
# allowed IP/netmask
redir<n> [<laddr>:]<lport>-<raddr>[:<rport>] # starts tcp redirector from
# local <laddr>:<lport> to remote <raddr>:<rport>
<rulespec> = <action>:[<chain>]:[<proto>]:[<src_ip>]:[<src_ports>]:[<dst_ip>]:[<dst_ports>]:[<iif>]:[<oif>]
<action>
# allow|deny
<chain>
# in|out (traffic to/from this host)
# fwd (forwarded traffic), all (same as empty)
<iif>,<oif>
# input/output interface name
<proto>
# IP protocol (tcp,udp,icmp)
<src_ip>,<dst_ip> # src/dst ip address/mask
<src_ports>,<dst_ports> # src/dst ports. e.g.: 25,80,6000-6100,7000-7100
# missing values mean 'any'
- reload frw is needed to make the changes effective
- reload redir is needed to make the redir changes effective
Example: the Traffic Manager is connected to the internet via eth0, and the local network is
connected on eth1 (10.10.11.10/24) and eth2 (10.10.12.10/24).
manager$ set firewall snat_ip1 10.10.11.0/24
snat_ip1: 10.10.11.0/24
manager$ set firewall snat_ip2 10.10.12.0/24
snat_ip2: 10.10.11.0/24
set firewall snat_ip means that all packets originating from the given range will be
translated (their source address and port). The translation is done on the ifout
interface – the one that is used for the default route. The following commands
manipulate the snat_ip parameters:
add frw snat_ip <ip/mask>        # add next free snat_ip<n>
del frw snat_ip<n>
set frw snat_ip<n> <ip>/<mask>
show frw snat_ip                 # show all snat_ip settings
Setting up blocking/unblocking rules:
add frw rule <rulespec>          # add firewall rule<n>
del frw rule<n>
set frw rule<n> <rulespec>
show frw rule                    # show all rules
<rulespec> = <action>:[<chain>]:[<proto>]:[<src_ip>]:[<src_ports>]:[<dst_ip>]:[<dst_ports>]:[<iif>]:[<oif>]
<action>
# allow|deny
<chain>
# in|out (traffic to/from this host)
17
TRAFFIC MANAGER E-4000