
Fortigate-80Cでポート転送(NAT)を設定してみる。

■Fortigate-80Cでポート転送(NAT)を設定してみる。

 wan1をスタティックで設定するよう修正した。
 https://raw.githubusercontent.com/labunix/fortigate-80c-settings/master/fortigate-80c_basic.sh

■自宅評価用のセグメントなので、サブネットマスクが/24で無い点に注意。

# show system interface wan1
config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.168.1.252 255.255.255.248
        set allowaccess ping
        set type physical
        set snmp-index 2
    next
end

# show system interface internal 
config system interface
    edit "internal"
        set vdom "root"
        set ip 172.31.31.252 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 1
    next
end

■AV、スパムチェックの有効なライセンス契約があることを前提に。

# get system fortiguard | grep license
antispam-license    : Contract
avquery-license     : Contract
webfilter-license   : Contract

■Webサービスの場合
 wan1(80/tcp) -> internal(80/tcp)

# show system interface wan1 | grep ip
        set ip 192.168.1.252 255.255.255.248

# show system interface internal | grep ip
        set ip 172.31.31.252 255.255.255.0

■まずはfirewallオブジェクトにバーチャルIP(IPv4)を設定

# show firewall vip
config firewall vip
    edit "Web-NAT"
        set extip 192.168.1.252
        set extintf "wan1"
        set portforward enable
        set mappedip 172.31.31.254
        set extport 80
        set mappedport 80
    next

■上記のwan1(80/tcp) -> internal(80/tcp)のアクセスの時に、
 仮想IPにNAT有効で許可するポリシーを作成。
 IPS、AVを有効にする。

# show firewall policy 2
config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Web-NAT"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set av-profile "AV-flow"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set nat enable
        set fixedport enable
    next
end

■受け側のdebianは172.31.31.254で待ち受け。

$ netstat -an | grep 172.31.*80
tcp        0      0 172.31.31.254:80        0.0.0.0:*               LISTEN     

■アクセスチェック

$ telnet 192.168.1.252 80
Trying 192.168.1.252...
Connected to 192.168.1.252.
Escape character is '^]'.
GET / HTPP/1.0

HTTP/1.1 200 OK
Date: Sun, 22 Feb 2015 13:05:08 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sun, 30 Dec 2012 02:34:54 GMT
ETag: "2a60e7-b1-4d208bde02f80"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>
Connection closed by foreign host.

■自前の非公開Webサーバなので、eicar.txtを置いてFortigate経由でブロックされていることを確認（下記の通り、localhost直接ではテストファイルの内容が取得できるが、Fortigate経由では応答が空になる）。

$ w3m -no-proxy -dump http://localhost/eicar.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

$ w3m -no-proxy -dump http://192.168.1.252/eicar.txt


■MailのNATもついでに。
 こちらはメールなので、AV、IPSの他にSpamチェックも行う。

# show firewall vip Mail-NAT
config firewall vip
    edit "Mail-NAT"
        set extip 192.168.1.252
        set extintf "wan1"
        set portforward enable
        set mappedip 172.31.31.254
        set extport 25
        set mappedport 25
    next
end

# show firewall policy 3
config firewall policy
    edit 3
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Mail-NAT"
        set action accept
        set schedule "always"
        set service "SMTP"
        set utm-status enable
        set av-profile "AV-flow"
        set spamfilter-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set nat enable
        set fixedport enable
    next
end

■スパムフィルタは判定基準が分からないので、
 破棄では無く、[Spam]とつけることにする。
 ※デフォルトでのタグはSpamでsmtpのアクションは破棄。

# show spamfilter profile 
config spamfilter profile
    edit "default"
        set comment "malware and phishing URL filtering"
        set spam-filtering enable
        set options spamfsip spamhelodns spamraddrdns
            config imap
                set tag-msg "[Spam]"
            end
            config pop3
                set tag-msg "[Spam]"
            end
            config smtp
                set action tag
                set tag-msg "[Spam]"
            end
    next
end

■確認

$ telnet 192.168.1.252 25
Trying 192.168.1.252...
Connected to 192.168.1.252.
Escape character is '^]'.
220 myhome.local ESMTP Postfix (Debian/GNU)
ehlo localhost
250-myhome.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:labunix
250 2.1.0 Ok
rcpt to:labunix
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Test Mail

sample
.
250 2.0.0 Ok: queued as 3B4F32924B7
quit
221 2.0.0 Bye
Connection closed by foreign host.

■ClamAVとSpamAssassinのヘッダしか無い。。。

Message 5:
From labunix@myhome.local  Sun Feb 22 22:23:48 2015
X-Original-To: labunix@myhome.local
X-Quarantine-ID: <ajIGjUyzRCxG>
X-Virus-Scanned: Debian amavisd-new at myhome.local
X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
X-Spam-Flag: NO
X-Spam-Score: 4.56
X-Spam-Level: ****
X-Spam-Status: No, score=4.56 tagged_above=2 required=6.31
        tests=[ALL_TRUSTED=-1, DNS_FROM_AHBL_RHSBL=2.438, MISSING_DATE=1.396,
        MISSING_HEADERS=1.207, MISSING_MID=0.14, NO_DNS_FOR_FROM=0.379]
        autolearn=no
Subject: Test Mail

sample

■次の設定をすればpostmaster宛に下記件名のメールが来るので動作はしているものとする。
 「Subject: Considered UNSOLICITED BULK EMAIL, apparently from you」

# show spamfilter bwl 
config spamfilter bwl
    edit 1
        set name "labunix@myhome.local"
    next
end

# show spamfilter profile default | grep bwl
        set options spambwl spamfsip spamfssubmit spamfschksum spamfsurl spamhelodns spamraddrdns spamfsphish
        set spam-bwl-table 1