Hello list,

I've got a funny situation here. In short: I'm using DNAT + SNAT on the local
interface but I don't have any loc_dnat log. Packets go through but their
source doesn't seem to be changed as expected (so it doesn't work).

The longer version comes in 3 points: Situation, Setup and More info. The More
info section lists a bit of host info and shorewall configuration. See
attachment for complete config and output of shorewall status.

1. Situation

I've got a firewall with two interfaces eth0 (192.168.0.51 in zone net) and
eth1 (192.168.1.254 in zone loc).

In my loc zone, I have a machine (not a computer) that can talk to one and
only one IP address. It talks from and to UDP port 1024. "Toaster" sits on
IP 192.168.1.56.

As I want to receive packets from Toaster on one machine and send Toaster's
packets to another one, I decided to DNAT and SNAT from the firewall, so
Toaster is configured to talk to my firewall at 192.168.1.254.

The firewall checks and starts correctly but the log doesn't mark any dnat.
Instead I have:

Sep 22 03:46:57 iDeck-1 kernel: Shorewall:loc2loc:ACCEPT:IN=eth1 OUT=eth1 SRC=192.168.1.53 DST=192.168.1.56 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=7004 DF PROTO=UDP SPT=32862 DPT=1024 LEN=60

Sep 22 03:50:18 iDeck-1 kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=00:50:22:8f:aa:cd:00:12:34:56:78:90:08:00 SRC=192.168.1.56 DST=192.168.1.254 LEN=696 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=1024 DPT=1024 LEN=676

2. Setup

[FW]__(eth1:.1.254)__[switch]__[toaster99] (.1.56)
                        \__[iDeck3] (.1.53)
                         \__[lygeti] (.1.11)

- toaster only knows FW and UDP port 1024 (SRC and DST)
- iDeck3 must send packets to toaster (via FW)
- lygeti must receive packets from toaster (via FW)

As all 3 machines sit on the same 192.168.1.0/24 network and on a switch,
iDeck3 must send to the FW, otherwise the ARP table comes in and Toaster will
ignore packets not from FW (192.168.1.254). Then the FW must SNAT and DNAT to
Toaster.

Note: net_dnat works perfectly (see configuration in attachment)

Files in /etc/shorewall (abridged, see attachment)

./interfaces:

net     eth0    192.168.0.255   routefilter,blacklist
loc     eth1    192.168.1.255   routefilter,blacklist,routeback

./params:

LOC_IP="192.168.1.254"
LOC_NET="192.168.1.0/24"
iDeck3="192.168.1.53"
lygeti="192.168.1.11"
toaster99="192.168.1.56"

./masq:

eth1    $LOC_NET    $LOC_IP     udp     1024

./rules:

DNAT:info   loc:$iDeck3     loc:$toaster99  udp     1024    -       $LOC_IP
DNAT:info   loc:$toaster99  loc:$lygeti     udp     1024    1024    $LOC_IP

3. More info

Running Debian Sarge.

# shorewall version
2.2.3

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:d6:a0:c6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.51/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::2e0:4cff:fed6:a0c6/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:22:8f:aa:cd brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::250:22ff:fe8f:aacd/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ieee1394 00:00:00:00:00:05:4c:67 brd ff:ff:ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

# ip route show
192.168.1.254 dev eth1  scope link
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.51
default via 192.168.0.254 dev eth0

Thanks for your help,

=hk
Oh, I just re-read the mail... I guess the problem comes from a missing
route.

On Thu 2005-09-22@22:29:31 +0200, hellekin wrote:
> Hello list,
>
> I've got a funny situation here.
>
> [...]
>
> # ip route show
> 192.168.1.254 dev eth1  scope link
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.51
> default via 192.168.0.254 dev eth0
>
*** I guess I need to add a route through dev eth1.

Still, help and suggestions are welcome =8)

=hk

-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP.
Click here to play: http://sourceforge.net/geronimo.php
> 1. Situation
>
> I've got a firewall with two interfaces eth0 (192.168.0.51 in zone net) and
> eth1 (192.168.1.254 in zone loc).
>
> In my loc zone, I have a machine (not a computer) that can talk to one and
> only one IP address. It talks from and to UDP port 1024. "Toaster" sits on
> IP 192.168.1.56.
>
> As I want to receive packets from Toaster on one machine and send Toaster's
> packets to another one, I decided to DNAT and SNAT from the firewall, so
> Toaster is configured to talk to my firewall at 192.168.1.254.
>
> The firewall checks and starts correctly but the log doesn't mark any dnat.
> Instead I have:
>
> Sep 22 03:46:57 iDeck-1 kernel: Shorewall:loc2loc:ACCEPT:IN=eth1 OUT=eth1
> SRC=192.168.1.53 DST=192.168.1.56 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=7004
> DF PROTO=UDP SPT=32862 DPT=1024 LEN=60
>
> Sep 22 03:50:18 iDeck-1 kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT=
> MAC=00:50:22:8f:aa:cd:00:12:34:56:78:90:08:00 SRC=192.168.1.56
> DST=192.168.1.254 LEN=696 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=1024
> DPT=1024 LEN=676
>
>
> 2. Setup
>
> [FW]__(eth1:.1.254)__[switch]__[toaster99] (.1.56)
>                         \__[iDeck3] (.1.53)
>                          \__[lygeti] (.1.11)
>
> ./masq:
>
> eth1 $LOC_NET $LOC_IP udp 1024

Should $LOC_NET be a bit more detailed? All your machines are on $LOC_NET.
You just want the reply from .56 to appear to be from .254 (de-masq),
or all udp 1024 traffic will be affected.

Try:
eth1 !$toaster99/32 $LOC_IP udp 1024

> ./rules:
>
> DNAT:info loc:$iDeck3 loc:$toaster99 udp 1024 - $LOC_IP
> DNAT:info loc:$toaster99 loc:$lygeti udp 1024 1024 $LOC_IP
>

Does toaster act as a client for any other network service? Let's see if I
understand this: toaster will only talk to .254 (fw), and has some service
that runs on udp 1024. If you're "hiding" toaster behind the firewall, you're
sending the replies from toaster to just $lygeti, and just requests from
iDeck3 will get forwarded to toaster.

Try:
DNAT:info loc loc:$toaster99 udp 1024 - $LOC_IP

Now requests from any machine will be honored, and the reply won't be just to
one machine. Remember that any requests to "toaster" need to be made to .254
instead, which will be masq'd to .254, for toaster's benefit.

Jerry
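The two kernel log lines in hellekin's first message and the DNAT lines from his ./rules (plus Jerry's replacement rule above) are enough to check mechanically which logged packets could ever have satisfied a DNAT rule's match conditions. The script below is an added example, not code from the thread or from Shorewall: it parses the netfilter LOG format (the "Shorewall:chain:disposition:" prefix followed by KEY=VALUE fields), reads Shorewall 2.x rules columns (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST) with $NAME substitution from the thread's params, and reports per packet which rules match. The sample log and rules are copied from the thread; the ZONE_NETS mapping (one subnet per zone) and the simplified column reading are assumptions of the example.

```python
"""Added example (not from the thread or from Shorewall): check Shorewall
kernel log lines against the DNAT rules of a Shorewall 2.x 'rules' file."""
import ipaddress
import re

# Values from the thread's ./params file.
PARAMS = {
    "LOC_IP": "192.168.1.254",
    "LOC_NET": "192.168.1.0/24",
    "iDeck3": "192.168.1.53",
    "lygeti": "192.168.1.11",
    "toaster99": "192.168.1.56",
}
# Assumption of this example: each zone is exactly one subnet.
ZONE_NETS = {"loc": "192.168.1.0/24", "net": "192.168.0.0/24"}

# The two kernel log lines quoted in the original message (the thread's own data).
SAMPLE_LOG = """\
Sep 22 03:46:57 iDeck-1 kernel: Shorewall:loc2loc:ACCEPT:IN=eth1 OUT=eth1 SRC=192.168.1.53 DST=192.168.1.56 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=7004 DF PROTO=UDP SPT=32862 DPT=1024 LEN=60
Sep 22 03:50:18 iDeck-1 kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=00:50:22:8f:aa:cd:00:12:34:56:78:90:08:00 SRC=192.168.1.56 DST=192.168.1.254 LEN=696 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=1024 DPT=1024 LEN=676
"""

# The two original DNAT lines from ./rules, then Jerry's suggested replacement.
SAMPLE_RULES = """\
DNAT:info  loc:$iDeck3     loc:$toaster99  udp  1024  -     $LOC_IP
DNAT:info  loc:$toaster99  loc:$lygeti     udp  1024  1024  $LOC_IP
DNAT:info  loc             loc:$toaster99  udp  1024  -     $LOC_IP
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")


def parse_log_line(line):
    """Return the Shorewall prefix plus netfilter KEY=VALUE fields as a dict,
    or None when the line is not a Shorewall log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    lens = []
    for tok in m.group("fields").split():
        if "=" not in tok:            # bare flags such as DF
            rec["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)  # "OUT=" yields an empty value
        if key == "LEN":              # first LEN is IP total length, second is UDP length
            lens.append(val)
            continue
        rec[key] = val
    rec["IP_LEN"], rec["L4_LEN"] = (lens + [None, None])[:2]
    return rec


def expand(token):
    """Substitute $NAME with its value from PARAMS, as Shorewall does."""
    return re.sub(r"\$(\w+)", lambda m: PARAMS[m.group(1)], token)


def parse_dnat_rule(line):
    """Read the Shorewall 2.x columns: ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL_DEST."""
    cols = expand(line).split()
    action, source, dest, proto, dport, sport, odest = (cols + ["-"] * 7)[:7]
    zone, _, host = source.partition(":")
    return {
        "action": action.split(":")[0],
        "src_zone": zone,
        "src_host": host or None,      # None: any host in the zone
        "dest": dest,
        "proto": proto.upper(),
        "dport": dport,
        "sport": None if sport == "-" else sport,
        "orig_dest": odest,
    }


def rule_matches(rule, rec):
    """Would this logged (untranslated) packet satisfy the rule's match conditions?"""
    src = ipaddress.ip_address(rec["SRC"])
    if rule["src_host"]:
        if src != ipaddress.ip_address(rule["src_host"]):
            return False
    elif src not in ipaddress.ip_network(ZONE_NETS[rule["src_zone"]]):
        return False
    if rec["DST"] != rule["orig_dest"] or rec.get("PROTO") != rule["proto"]:
        return False
    if rec.get("DPT") != rule["dport"]:
        return False
    if rule["sport"] is not None and rec.get("SPT") != rule["sport"]:
        return False
    return True


def audit(log_text=SAMPLE_LOG, rules_text=SAMPLE_RULES):
    """Per logged packet: (chain, SRC, DST, 1-based indices of matching DNAT rules).
    No match means the sender never addressed the NAT address; a match on a packet
    that still shows up in a non-dnat chain means it was not translated."""
    rules = [parse_dnat_rule(ln) for ln in rules_text.splitlines() if ln.strip()]
    report = []
    for rec in filter(None, map(parse_log_line, log_text.splitlines())):
        hits = [i + 1 for i, r in enumerate(rules) if rule_matches(r, rec)]
        report.append((rec["chain"], rec["SRC"], rec["DST"], hits))
    return report


if __name__ == "__main__":
    for chain, src, dst, hits in audit():
        print(f"{chain:8s} {src} -> {dst}  matching DNAT rules: {hits or 'none'}")
```

Run against the thread's own lines, the loc2loc packet from .53 matches no rule at all (its DST is already .56, not the $LOC_IP ORIGINAL DEST), while the loc2fw packet from .56 satisfies rules 2 and 3 and was still accepted by the firewall itself rather than translated; that split tells you whether to look at the sender's configuration or at the NAT rule.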
Hello Jerry and list,

after some helpful discussion with Jerry on IRC,
I upgraded shorewall to version 2.4.4 and implemented his suggestions.

You'll find a new (shorewall) status2.txt attached. And another one
(status3.txt) after doing:

echo "0" > /proc/sys/net/ipv4/conf/eth1/send_redirects

Also see http://pastebin.com/371496

Here is the masq file: (notice the 2.4.2 syntax)

###############################################################################
#INTERFACE      SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0            eth1
eth1            !$toaster99/32  $LOC_IP
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

and the relevant rules (including changes):

### Toaster stuff
DNAT:info       loc             loc:$toaster99  udp     1024    -       $LOC_IP
#ACCEPT:info    loc:$iDeck3     loc:$toaster99  udp     1024
#ACCEPT:info    loc:$toaster99  loc:$iDeck3     udp     1024    1024
#ACCEPT:info    loc:$lygeti     loc:$toaster99  udp     1024
#ACCEPT:info    loc:$toaster99  loc:$lygeti     udp     1024    1024
### Allow Packet Fountain to send DMX orders to toaster
#DNAT:info      loc:$iDeck3     loc:$toaster99  udp     1024    -       $LOC_IP
### Allow Bâtiment Vivant to receive orders from toaster
#DNAT:info      loc:$toaster99  loc:$lygeti     udp     1024    1024    $LOC_IP

Thanks,

=hk

On Thu 2005-09-22@16:15:29 -0500, Jerry Vonau wrote:
> > ./masq:
> >
> > eth1 $LOC_NET $LOC_IP udp 1024
>
> Should $LOC_NET be a bit more detailed? All your machines are on $LOC_NET.
> You just want the reply from .56 to appear to be from .254 (de-masq),
> or all udp 1024 traffic will be affected.
>
> Try:
> eth1 !$toaster99/32 $LOC_IP udp 1024
>
> > ./rules:
> >
> > DNAT:info loc:$iDeck3 loc:$toaster99 udp 1024 - $LOC_IP
> > DNAT:info loc:$toaster99 loc:$lygeti udp 1024 1024 $LOC_IP
> >
> Does toaster act as a client for any other network service? Let's see if I
> understand this: toaster will only talk to .254 (fw), and has some service
> that runs on udp 1024. If you're "hiding" toaster behind the firewall, you're
> sending the replies from toaster to just $lygeti, and just requests from
> iDeck3 will get forwarded to toaster.
>
> Try:
> DNAT:info loc loc:$toaster99 udp 1024 - $LOC_IP
>
> Now requests from any machine will be honored, and the reply won't be just
> to one machine. Remember that any requests to "toaster" need to be made to
> .254 instead, which will be masq'd to .254, for toaster's benefit.
>
> Jerry
>
Hi there,

as we lack time, we decided to change the network configuration to avoid this
problem. The SNAT+DNAT loc2loc investigations are stopped for now but no
working solution was found yet. If you ever happen to investigate and find
any solutions, please post them on the list.

Thanks (and sorry) to Jerry and all who helped.

=hk

On Fri 2005-09-23@00:40:34 +0200, hellekin wrote:
> Hello Jerry and list,
>
> after some helpful discussion with Jerry on IRC,
> I upgraded shorewall to version 2.4.4 and implemented his suggestions.
>
> You'll find a new (shorewall) status2.txt attached. And another one
> (status3.txt) after doing:
>
> echo "0" > /proc/sys/net/ipv4/conf/eth1/send_redirects
>
> Also see http://pastebin.com/371496
>
> Here is the masq file: (notice the 2.4.2 syntax)
>
> ###############################################################################
> #INTERFACE      SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
> eth0            eth1
> eth1            !$toaster99/32  $LOC_IP
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> and the relevant rules (including changes):
>
> ### Toaster stuff
> DNAT:info       loc             loc:$toaster99  udp     1024    -       $LOC_IP
> #ACCEPT:info    loc:$iDeck3     loc:$toaster99  udp     1024
> #ACCEPT:info    loc:$toaster99  loc:$iDeck3     udp     1024    1024
> #ACCEPT:info    loc:$lygeti     loc:$toaster99  udp     1024
> #ACCEPT:info    loc:$toaster99  loc:$lygeti     udp     1024    1024
> ### Allow Packet Fountain to send DMX orders to toaster
> #DNAT:info      loc:$iDeck3     loc:$toaster99  udp     1024    -       $LOC_IP
> ### Allow Bâtiment Vivant to receive orders from toaster
> #DNAT:info      loc:$toaster99  loc:$lygeti     udp     1024    1024    $LOC_IP
>
> Thanks,
>
> =hk
>
> On Thu 2005-09-22@16:15:29 -0500, Jerry Vonau wrote:
> > > ./masq:
> > >
> > > eth1 $LOC_NET $LOC_IP udp 1024
> >
> > Should $LOC_NET be a bit more detailed? All your machines are on $LOC_NET.
> > You just want the reply from .56 to appear to be from .254 (de-masq),
> > or all udp 1024 traffic will be affected.
> >
> > Try:
> > eth1 !$toaster99/32 $LOC_IP udp 1024
> >
> > > ./rules:
> > >
> > > DNAT:info loc:$iDeck3 loc:$toaster99 udp 1024 - $LOC_IP
> > > DNAT:info loc:$toaster99 loc:$lygeti udp 1024 1024 $LOC_IP
> > >
> > Does toaster act as a client for any other network service? Let's see if I
> > understand this: toaster will only talk to .254 (fw), and has some service
> > that runs on udp 1024. If you're "hiding" toaster behind the firewall, you're
> > sending the replies from toaster to just $lygeti, and just requests from
> > iDeck3 will get forwarded to toaster.
> >
> > Try:
> > DNAT:info loc loc:$toaster99 udp 1024 - $LOC_IP
> >
> > Now requests from any machine will be honored, and the reply won't be just
> > to one machine. Remember that any requests to "toaster" need to be made to
> > .254 instead, which will be masq'd to .254, for toaster's benefit.
> >
> > Jerry
> >