
Country blocking exception rule with DNAT

I can't figure out how to get a country blocking exception rule to work with a DNAT that redirects internet traffic (from a particular IP) to an internal host while also redirecting from port 123 to port 22.

I want to allow SSH access for a single public IP address which is blocked by Country Blocking. I want the end user to use port 123 instead of port 22. For this example, let's say their public IP is 1.1.1.1. My static, public IP that I have assigned to an external interface is 2.2.2.2. The IP address of my internal host is 192.168.0.2.

So the external end user will use 2.2.2.2:123 to gain SSH access to my internal host.


My Country Blocking Exception:
Skip blocking of these regions: Empty
For all request->coming from these: 1.1.1.1
Using these services: 123

My DNAT:
For traffic from: 1.1.1.1
Using service: 123
Going to: External Interface 2.2.2.2
Change the destination to: 192.168.0.2
And the service to: 22

My Firewall Rule:
Sources: 1.1.1.1
Services: 22
Destinations: 192.168.0.2
Action: Allow

Below is an entry in the firewall log:
2019:04:17-18:13:21 gateway ulogd[3642]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" outitf="eth0" srcmac="xx:xx:xx:xx:xx:xx" dstmac="xx:xx:xx:xx:xx:xx" srcip="1.1.1.1" dstip="192.168.0.2" proto="6" length="60" tos="0x00" prec="0x20" ttl="47" srcport="45986" dstport="22" tcpflags="SYN"

As you can see from the log entry, the local IP on port 22 is being blocked by Country Blocking.

So what is the proper way to set this up? If I add port 22 to my country blocking exception, it seems to work but that opens port 22 to the end user and defeats the purpose of the DNAT, doesn't it?



  • I am pretty sure that your firewall rule needs to be based on the original packet (destination 2.2.2.2/123) instead of the substituted destination (192.168.0.2/22).  Please try it and report back.

    Your country blocking exception is definitely the correct syntax:

    • When the remote address is specified, the country list must be empty. The country assignment is superfluous if the source address is already confirmed, and specifying countries will make it stop working.

    • When the local address is specified, the country list must not be empty, since a rule is needed for accepting or rejecting remote addresses.
  • Thanks for the suggestion.

    If I change only the firewall rule to the following...

    My Firewall Rule:
    Sources: 1.1.1.1
    Services: 123
    Destinations: External 2.2.2.2
    Action: Allow

    I get the same result. The firewall log shows Country Blocking is still dropping packets to the local IP (i.e., 1.1.1.1->192.168.0.2:22).

    If I keep the new firewall rule and add service/port 22 to the Country Blocking Exception, the packets are still dropped but no longer by Country Blocking.

    Below is an entry in the firewall log:
    2019:04:20-00:03:19 gateway ulogd[11303]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcmac="xx:xx:xx:xx:xx:xx" dstmac="xx:xx:xx:xx:xx:xx" srcip="1.1.1.1" dstip="192.168.0.2" proto="6" length="60" tos="0x00" prec="0x20" ttl="47" srcport="44925" dstport="22" tcpflags="SYN"

    If I disable my firewall rule and tick the 'Automatic firewall rule' check box in the DNAT, it creates a firewall rule based on the substituted destination and no packets are dropped so long as I have both services/ports in the Country Blocking Exception. So it would seem the firewall rule must be based on the substituted destination.

    I'm still confused as to why the traffic has to go through Country Blocking twice.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------
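The two ulogd lines quoted in this thread (the GEOIP drop in the first post and the plain packetfilter drop in the follow-up) are in the same key="value" format, so they can be parsed and classified mechanically. The following is an added example, not code from the thread or from Sophos: a small Python parser that splits a UTM packetfilter log line into fields, tells a country-blocking (GEOIP) drop apart from an ordinary rule drop by the `name` field, and flags whether the logged destination is the DNAT-substituted one (192.168.0.2:22) rather than the original one (2.2.2.2:123). The first two log lines are copied from the thread; the third "accept" line and the `DNAT_RULES` table are constructed for the example, and the exact id/name values UTM uses for accepted packets are an assumption.

```python
import re
from collections import Counter

# Sample input. Lines 1 and 2 are the drop entries quoted in the thread;
# line 3 is CONSTRUCTED to show that accepted packets are ignored by the
# summary (its id/name values are assumed, not taken from a real UTM log).
SAMPLE_LOG = """\
2019:04:17-18:13:21 gateway ulogd[3642]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" outitf="eth0" srcmac="xx:xx:xx:xx:xx:xx" dstmac="xx:xx:xx:xx:xx:xx" srcip="1.1.1.1" dstip="192.168.0.2" proto="6" length="60" tos="0x00" prec="0x20" ttl="47" srcport="45986" dstport="22" tcpflags="SYN"
2019:04:20-00:03:19 gateway ulogd[11303]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth0" srcmac="xx:xx:xx:xx:xx:xx" dstmac="xx:xx:xx:xx:xx:xx" srcip="1.1.1.1" dstip="192.168.0.2" proto="6" length="60" tos="0x00" prec="0x20" ttl="47" srcport="44925" dstport="22" tcpflags="SYN"
2019:04:20-00:05:00 gateway ulogd[11303]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" outitf="eth0" srcip="1.1.1.1" dstip="192.168.0.2" proto="6" length="60" srcport="44930" dstport="22" tcpflags="SYN"
"""

# Constructed DNAT table mirroring the thread's rule:
# (original destination ip, port) -> (substituted destination ip, port)
DNAT_RULES = {("2.2.2.2", "123"): ("192.168.0.2", "22")}

# Syslog-style prefix: "<timestamp> <host> ulogd[<pid>]: " followed by key="value" pairs
HEADER_RE = re.compile(r'^(\S+) (\S+) ulogd\[(\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of fields for one ulogd line, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2), "pid": int(m.group(3))}
    rec.update(dict(KV_RE.findall(line[m.end():])))
    return rec


def drop_reason(rec):
    """'geoip' for a country-blocking drop, 'packetfilter' for a rule drop,
    None when the packet was not dropped."""
    if rec.get("action") != "drop":
        return None
    return "geoip" if "GEOIP" in rec.get("name", "") else "packetfilter"


def matches_translated_destination(rec, dnat_rules=DNAT_RULES):
    """True when the logged dstip/dstport is a DNAT *substituted* destination,
    i.e. the filter saw the packet after translation (as in both thread logs)."""
    return (rec.get("dstip"), rec.get("dstport")) in dnat_rules.values()


def summarize(log_text):
    """Count drops per (reason, fwrule, srcip, dstip, dstport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = drop_reason(rec)
        if reason is None:
            continue
        counts[(reason, rec["fwrule"], rec["srcip"], rec["dstip"], rec["dstport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        reason, fwrule, src, dst, dport = key
        post_dnat = (dst, dport) in DNAT_RULES.values()
        print(f"{n} x {reason:12s} fwrule={fwrule} {src} -> {dst}:{dport}"
              f" (post-DNAT destination: {post_dnat})")
```

Run over the two drop lines from the thread, the summary shows one GEOIP drop (fwrule 60019) and one ordinary drop (fwrule 60002), both already carrying the substituted destination 192.168.0.2:22, which is the observation behind the OP's remark that the automatic rule based on the substituted destination is the one that works.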
