Firewall functions: IPTABLES USER GUIDE 191
set loopback 0 ipaddr 10.11.4.39
set loopback on
set eth0 ipaddr 10.11.4.113 netmask 255.255.255.0 broadcast 10.11.4.255
set eth0 on
set eth1 ipaddr 10.1.1.2 netmask 255.255.255.0 broadcast 10.1.1.255
set eth1 on
set vrrp 11 vmac
set vrrp 11 interface eth1
set vrrp 11 priority 100
set vrrp 11 delay 1
set vrrp 11 vipaddr 10.1.1.254
set trigger vrrp 11 up logger vrrp 11 up
set trigger vrrp 11 up set stfl-nat primary
set trigger vrrp 11 down logger vrrp 11 down
set trigger vrrp 11 down set stfl-nat backup
set vrrp 11 on
set iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to-source 10.11.4.39
set stfl-nat mode multicast
set stfl-nat multicast Default group 3781 mcast-address 225.0.0.50 interface eth1 source 10.1.1.2
set stfl-nat on
The command
show stfl-nat status
shows the tracked connections of both the local router (internal conntrack cache) and the peer (peer conntrack cache):
root@IMOLA> show stfl-nat status
Internal conntrack cache
tcp 6 ESTABLISHED src=10.19.1.42 dst=10.19.1.1 sport=59879 dport=179 src=10.19.1.1 dst=10.19.1.42 sport=179 dport=59879 [ASSURED] [active since 1874s]
tcp 6 ESTABLISHED src=192.168.1.4 dst=10.19.10.1 sport=47461 dport=1234 src=10.19.10.1 dst=8.19.1.254 sport=1234 dport=47461 [ASSURED] [active since 618s]
Peer conntrack cache
tcp 6 ESTABLISHED src=10.19.10.1 dst=10.19.1.2 sport=3712 dport=23 [ASSURED] [active since 804s]
tcp 6 ESTABLISHED src=10.19.1.1 dst=10.19.1.2 sport=51619 dport=179 [ASSURED] [active since 2331s]
tcp 6 ESTABLISHED src=10.19.1.1 dst=10.19.1.2 sport=53952 dport=23 [ASSURED] [active since 760s]
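As an added example, not taken from the product documentation, the following Python script parses the output of show stfl-nat status into structured records and reports the NAT-translated flows of the internal cache that have no counterpart in the peer cache. It assumes that the peer cache lists the entries received from the other router and that a flow the backup is expected to take over must therefore appear in both caches; the sample listing is constructed to resemble the output above and is not a capture from a device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the 'show stfl-nat status' listing (not a real capture).
SAMPLE_STATUS = """\
root@IMOLA> show stfl-nat status
Internal conntrack cache
tcp 6 ESTABLISHED src=10.19.1.42 dst=10.19.1.1 sport=59879 dport=179 src=10.19.1.1 dst=10.19.1.42 sport=179 dport=59879 [ASSURED] [active since 1874s]
tcp 6 ESTABLISHED src=192.168.1.4 dst=10.19.10.1 sport=47461 dport=1234 src=10.19.10.1 dst=8.19.1.254 sport=1234 dport=47461 [ASSURED] [active since 618s]
tcp 6 ESTABLISHED src=192.168.1.9 dst=10.19.10.1 sport=40012 dport=22 src=10.19.10.1 dst=8.19.1.254 sport=22 dport=40012 [ASSURED] [active since 3s]
Peer conntrack cache
tcp 6 ESTABLISHED src=192.168.1.4 dst=10.19.10.1 sport=47461 dport=1234 [ASSURED] [active since 615s]
tcp 6 ESTABLISHED src=10.19.1.1 dst=10.19.1.2 sport=51619 dport=179 [ASSURED] [active since 2331s]
"""

Tuple4 = Tuple[str, str, int, int]  # (src, dst, sport, dport)

KV_RE = re.compile(r"(src|dst|sport|dport)=(\S+)")
AGE_RE = re.compile(r"\[active since (\d+)s\]")
FLAG_RE = re.compile(r"\[([A-Z_]+)\]")  # [ASSURED] etc.; skips "[active since ...]"


@dataclass
class Entry:
    proto: str
    state: Optional[str]
    orig: Tuple4              # original direction of the flow
    reply: Optional[Tuple4]   # reply direction; only the internal cache prints it
    flags: List[str]
    age: int                  # seconds from "[active since Ns]"

    def translated(self) -> bool:
        """True when the reply tuple is not a plain mirror of the original one,
        i.e. this router rewrote an address or port (SNAT/DNAT) for the flow."""
        if self.reply is None:
            return False
        src, dst, sport, dport = self.orig
        return self.reply != (dst, src, dport, sport)


def _as_tuple(kv: Dict[str, str]) -> Tuple4:
    return (kv["src"], kv["dst"], int(kv.get("sport", 0)), int(kv.get("dport", 0)))


def parse_entry(line: str) -> Entry:
    """Parse one conntrack line. A repeated key (a second 'src=') starts the reply tuple."""
    tokens = line.split()
    state = tokens[2] if "=" not in tokens[2] else None  # e.g. UDP entries carry no state
    tuples: List[Tuple4] = []
    cur: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        if key in cur:
            tuples.append(_as_tuple(cur))
            cur = {}
        cur[key] = val
    tuples.append(_as_tuple(cur))
    age_m = AGE_RE.search(line)
    return Entry(
        proto=tokens[0],
        state=state,
        orig=tuples[0],
        reply=tuples[1] if len(tuples) > 1 else None,
        flags=FLAG_RE.findall(line),
        age=int(age_m.group(1)) if age_m else 0,
    )


def parse_status(text: str) -> Dict[str, List[Entry]]:
    """Split the command output into its 'internal' and 'peer' caches."""
    caches: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("root@"):
            continue  # prompt line or blank
        if line.endswith("conntrack cache"):
            current = line.split()[0].lower()
            caches[current] = []
        elif current is not None and "src=" in line:
            caches[current].append(parse_entry(line))
    return caches


def unreplicated_nat_flows(caches: Dict[str, List[Entry]]) -> List[Tuple4]:
    """Translated flows known locally but absent from the peer cache (assumption:
    the peer cache holds what the other router has received from us). Sessions
    terminated on the router itself are not translated and are left out."""
    peer = {e.orig for e in caches.get("peer", [])}
    return [e.orig for e in caches.get("internal", [])
            if e.translated() and e.orig not in peer]


if __name__ == "__main__":
    for flow in unreplicated_nat_flows(parse_status(SAMPLE_STATUS)):
        print("not yet on peer:", flow)
```

On the constructed sample the script reports only the 192.168.1.9 flow: the BGP session to 10.19.1.1 is terminated on the router and is never translated, and the 192.168.1.4 flow already has its counterpart in the peer cache. A flow that stays on this list longer than the multicast synchronisation delay is the one that would be dropped on a VRRP failover.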
A FIREWALL EXAMPLE
Consider the following scenario: