wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


configuration:firewall:rules:source-nat

Using Source NAT

Source NAT is a technique that is used to masquerade (or hide) the IP address of the host a data packet is coming from. There are plenty of reasons to do that. The most common one is to provide a service from a certain IP address.

What is it for?

Mail Server in the DMZ

For your own mail server, it is a good idea to use a dedicated IP address. Often, IP addresses get on blacklists, because they have been abused by someone and when this happens with the address of a mail server, it is unlikely that it will be able to deliver any mail.

If you have multiple IP addresses on RED, you may want to use Source NAT so that your mail server only uses a second one.

Masquerading services from the DMZ

If you want to provide a service from the DMZ to the users in the local networks, you may want to hide from which server it is coming from. You can use Source NAT so that it appears that the firewall itself is providing the service.

Other reasons

Some protocols are broken in NAT scenarios (like SIP) and you can possibly fix this by using Source NAT.

How to set it up?

Go to the firewall rules site on the IPFire web user interface and click on “New rule”.

Step 1: Source

Pick the IP address or host the connection is initiated from. Usually, this is nothing more than one host, but it may well be a group of hosts or an entire subnet.

Step 2: NAT

Check the NAT checkbox and select “Source NAT”. Pick the new source IP address from the dropdown menu.

Step 3: Destination

In the next step, the destination hosts for which this rule is applied can be configured. In the case of your mail server connecting to the whole Internet, you will just select all networks here.

Step 4: Protocol

In the protocol section, you may limit this rule to apply only to certain protocols or services.

If you want your mail server to deliver email to other servers (SMTP over TCP/25), you may want to specify this here. In that way, the outgoing IP address will be only changed for mail, but all other traffic will be routed via the default path.

Step 5: Done

Don't forget to check “ACCEPT” as rule action.

Congratulations, you set up your first Source NAT rule!

configuration/firewall/rules/source-nat.txt · Last modified: 2018/09/01 23:15 by Jon