Ok, after spending the requisite hours swearing and bashing about, I give up.

All I am trying to do are some (presumably) simple DNAT rules. I have a fairly typical two NIC setup.

I have an admin zone, a net zone, a local zone, and a firewall. I want to do two things:

1. Port forward 443 and 80 (amongst other ports) to a local machine behind the firewall.
2. Redirect and port forward external port 2222 to port 22 on a local machine behind the firewall and leave port 22 accepted into the firewall itself. The port 22 into the firewall is working fine.

The Shorewall site and mailing list are absolutely rife with documentation on how to do this, yet I cannot see where I am erring.

The syslog shows Shorewall letting traffic in as desired. The problem is that nothing ever comes back out. Let's focus on my SSH rule at the moment. It is:

DNAT:info net loc:10.0.50.50:22 tcp 2222

When I attempt to connect the client side times out and the firewall log shows:

Mar 16 11:56:12 server root: Shorewall Restarted
Mar 16 11:56:17 server kernel: [18057936.908000] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:11:95:c5:0b:83:00:90:1a:40:90:4d:08:00 SRC=161.184.172.35 DST=137.186.135.69 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=6429 DF PROTO=TCP SPT=58075 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:17 server kernel: [18057936.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6429 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:20 server kernel: [18057939.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6430 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:26 server kernel: [18057945.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6431 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
C=0x00 TTL=59 ID=37621 DF PROTO=TCP SPT=49739 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Some info:

root@server:/etc/shorewall# shorewall version
3.0.4

-----

root@server:/etc/shorewall# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:13:d4:b1:6c:ff brd ff:ff:ff:ff:ff:ff
    inet 10.0.50.10/24 brd 10.0.50.255 scope global eth1
    inet6 fe80::213:d4ff:feb1:6cff/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:95:c5:0b:83 brd ff:ff:ff:ff:ff:ff
    inet 137.186.135.69/22 brd 137.186.135.255 scope global eth0
    inet6 fe80::211:95ff:fec5:b83/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

----

root@server:/etc/shorewall# ip route show
10.0.50.0/24 dev eth1  proto kernel  scope link  src 10.0.50.10
137.186.132.0/22 dev eth0  proto kernel  scope link  src 137.186.135.69
default via 137.186.132.1 dev eth0

Any and all help is appreciated.

Thanks!

Jon

--
Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
http://www.jonwatson.ca
+1.403.770.2837

"Trying to learn to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast" - ESR

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
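The log above already contains the diagnosis, if you read it as a flow rather than as single packets: one DNAT hit in the nat table, then the same SYN (same source port 58075, fresh IP IDs 6429/6430/6431, spaced 3 and 6 seconds apart) forwarded three times. That is a client retransmitting because no SYN/ACK ever came back, not Shorewall blocking anything. The following is an added example, not code from the thread or from the Shorewall project: a small parser for the netfilter log format Shorewall emits, run over a constructed copy of the lines in the post, that groups SYNs by (SRC, SPT), which survives the DNAT rewrite of DST/DPT, and flags flows that were forwarded but never answered. The function and constant names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines in the post above: a DNAT
# hit, the same SYN forwarded three times (retransmits), plus one healthy
# single-SYN flow on source port 58076 for contrast.
SAMPLE_LOG = """\
Mar 16 11:56:17 server kernel: [18057936.908000] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:11:95:c5:0b:83:00:90:1a:40:90:4d:08:00 SRC=161.184.172.35 DST=137.186.135.69 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=6429 DF PROTO=TCP SPT=58075 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:17 server kernel: [18057936.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6429 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:20 server kernel: [18057939.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6430 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:26 server kernel: [18057945.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6431 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:57:02 server kernel: [18057981.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=7000 DF PROTO=TCP SPT=58076 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shorewall's log prefix is "Shorewall:<chain>:<target>:" followed by the
# kernel's key=value fields and bare flag tokens (DF, SYN, ACK, ...).
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Parse one Shorewall/netfilter log line into a dict, or return None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "target": m.group("target"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty string
            rec[key] = value
        else:
            rec["flags"].add(tok)            # bare tokens: DF, SYN, ACK, ...
    return rec


def analyze(log_text):
    """Classify each TCP flow seen as a bare SYN (no ACK) in the log."""
    flows = defaultdict(lambda: {"dnat": 0, "forwarded": 0, "ids": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue
        key = (rec["SRC"], rec["SPT"])       # unchanged by DNAT, unlike DST/DPT
        flow = flows[key]
        if rec["target"] == "DNAT":
            flow["dnat"] += 1
        elif rec.get("OUT"):                 # OUT set means the packet is being forwarded
            flow["forwarded"] += 1
            flow["ids"].append(rec["ID"])

    verdicts = {}
    for key, flow in flows.items():
        distinct_ids = len(set(flow["ids"]))
        if flow["forwarded"] >= 2 and distinct_ids == flow["forwarded"]:
            # Same source port, fresh IP IDs: the client is retransmitting
            # its SYN, so the reply never reached it.
            verdicts[key] = "forwarded but unanswered: check the server's default gateway / return path"
        elif flow["dnat"] and not flow["forwarded"]:
            verdicts[key] = "DNAT hit but never forwarded: check the net->loc policy and rules"
        else:
            verdicts[key] = "no anomaly in these lines"
    return verdicts


if __name__ == "__main__":
    for (src, spt), verdict in analyze(SAMPLE_LOG).items():
        print(f"{src}:{spt}  {verdict}")
```

Run against a real /var/log/messages the same way (`analyze(open(path).read())`); the only Shorewall-specific part is the `Shorewall:chain:target:` prefix, so the parser also works for plain `iptables -j LOG` lines if that regex is relaxed.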
Jon wrote:
>
> Any and all help is appreciated.
>

Everything I know about analyzing DNAT failures, I've tried to capture in the answers to Shorewall FAQs 1a and 1b. The usual cause of this sort of problem is that the server (10.0.50.50) has a default gateway other than the firewall's internal IP address (10.0.50.10). Another popular problem (that also has nothing to do with Shorewall) is that the server (10.0.50.50) can't do a reverse DNS lookup on the client (161.184.172.35).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
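Tom's first cause is a routing problem on the DNAT target, not a firewall one: the server's reply to 161.184.172.35 is routed by longest-prefix match, and if the chosen route's gateway is anything other than the firewall's internal address (10.0.50.10), the SYN/ACK leaves through another router and is never de-NATed, which is exactly the unanswered-SYN pattern in the log. The following is an added example, not code from the thread or from Shorewall: it parses `ip route show` output taken from the internal server (constructed samples here), performs the same longest-prefix lookup the kernel would for the client address, and reports whether the return path goes through the firewall. The names (`check_return_path`, `route_for`, the sample constants) are my own.

```python
import ipaddress

FIREWALL_LOC_IP = "10.0.50.10"     # firewall's internal address, from the thread
CLIENT_IP = "161.184.172.35"       # the external client, from the log in the thread

# Constructed `ip route show` outputs as they might look on 10.0.50.50.
# BAD: default route points at some other router on the LAN (the
# misconfiguration Tom describes). GOOD: default route is the firewall.
# SPECIFIC: default route is wrong, but a more specific route for the
# client's prefix goes via the firewall, so this client still works.
BAD_ROUTES = """\
10.0.50.0/24 dev eth0 proto kernel scope link src 10.0.50.50
default via 10.0.50.1 dev eth0
"""
GOOD_ROUTES = """\
10.0.50.0/24 dev eth0 proto kernel scope link src 10.0.50.50
default via 10.0.50.10 dev eth0
"""
SPECIFIC_ROUTES = """\
10.0.50.0/24 dev eth0 proto kernel scope link src 10.0.50.50
161.184.0.0/16 via 10.0.50.10 dev eth0
default via 10.0.50.1 dev eth0
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, gateway-or-None, device) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        gw = ipaddress.ip_address(parts[parts.index("via") + 1]) if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, gw, dev))
    return routes


def route_for(routes, ip):
    """Longest-prefix match: the route the kernel would use to reach ip."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, gw, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def check_return_path(route_text, client_ip=CLIENT_IP, firewall_ip=FIREWALL_LOC_IP):
    """Return (ok, reason): ok is True only if replies to client_ip leave via the firewall."""
    firewall = ipaddress.ip_address(firewall_ip)
    match = route_for(parse_routes(route_text), client_ip)
    if match is None:
        return False, f"no route to {client_ip}: the server cannot answer at all"
    net, gw, dev = match
    if gw is None:
        return False, f"{client_ip} would be treated as on-link via {dev} (route {net}); replies will be ARPed, not routed"
    if gw != firewall:
        return False, f"replies to {client_ip} go via {gw} (route {net}), not the firewall {firewall}; they bypass the DNAT"
    return True, f"replies to {client_ip} go via the firewall {firewall} (route {net}) and will be de-NATed"


if __name__ == "__main__":
    for name, sample in (("BAD", BAD_ROUTES), ("GOOD", GOOD_ROUTES), ("SPECIFIC", SPECIFIC_ROUTES)):
        ok, reason = check_return_path(sample)
        print(f"{name:8s} {'OK ' if ok else 'BAD'} {reason}")
```

On the real server, feed it `check_return_path(subprocess.check_output(["ip", "route", "show"], text=True))`. Tom's second cause, the server failing a reverse lookup of the client, is a server-side symptom rather than a routing one: the TCP handshake completes but the SSH banner is delayed or the connection is dropped while sshd waits on DNS; on OpenSSH that lookup is controlled by the `UseDNS` option in sshd_config.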
On Friday 16 March 2007 10:01, Jon wrote:
> Ok, after spending the requisite hours swearing and bashing about, I
> give up.
>
> All I am trying to do are some (presumably) simple DNAT rules. I have a
> fairly typical two NIC setup.
>
> I have an admin zone, a net zone, a local zone, and a firewall. I want
> to do two things:
>
> 1. Port forward 443 and 80 (amongst other ports) to a local machine
> behind the firewall.
> 2. Redirect and port forward external port 2222 to port 22 on a local
> machine behind the firewall and leave port 22 accepted into the firewall
> itself. The port 22 into the firewall is working fine.
>
> The Shorewall site and mailing list are absolutely rife with
> documentation on how to do this, yet I cannot see where I am erring.
>
> The syslog shows Shorewall letting traffic in as desired. The problem is
> that nothing ever comes back out. Let's focus on my SSH rule at the
> moment. It is:
>
> DNAT:info net loc:10.0.50.50:22 tcp 2222

I've run into this before as well, and had all kinds of grief until I figured it out. For some reason, the SSH protocol does not like its port changed. So, if you have 2222 open on the firewall, then have SSH listen on 2222 (as well as 22, if you want) on your machine, and DNAT to 2222. Hopefully, that will work....at least if it's the same problem I had.

j

--
Joshua Kugler
Lead System Admin -- Senior Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0xDB26D7CE
PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111
No big surprise, but the gateway on the local machine was exactly the problem. Thanks, Tom.

J

Tom Eastep wrote:
> Jon wrote:
>
>> Any and all help is appreciated.
>>
>
> Everything I know about analyzing DNAT failures, I've tried to capture in
> the answers to Shorewall FAQs 1a and 1b. The usual cause of this sort of
> problem is that the server (10.0.50.50) has a default gateway other than the
> firewall's internal IP address (10.0.50.10). Another popular problem (that
> also has nothing to do with Shorewall) is that the server (10.0.50.50) can't
> do a reverse DNS lookup on the client (161.184.172.35).
>
> -Tom

--
Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
http://www.jonwatson.ca
+1.403.770.2837

"Trying to learn to hack on a DOS or Windows machine or under MacOS is like trying to learn to dance while wearing a body cast" - ESR
On Fri, Mar 16, 2007 at 12:11:26PM -0800, Joshua J. Kugler wrote:
> On Friday 16 March 2007 10:01, Jon wrote:
> > Ok, after spending the requisite hours swearing and bashing about, I
> > give up.
> >
> > All I am trying to do are some (presumably) simple DNAT rules. I have a
> > fairly typical two NIC setup.
> >
> > I have an admin zone, a net zone, a local zone, and a firewall. I want
> > to do two things:
> >
> > 1. Port forward 443 and 80 (amongst other ports) to a local machine
> > behind the firewall.
> > 2. Redirect and port forward external port 2222 to port 22 on a local
> > machine behind the firewall and leave port 22 accepted into the firewall
> > itself. The port 22 into the firewall is working fine.
> >
> > The Shorewall site and mailing list are absolutely rife with
> > documentation on how to do this, yet I cannot see where I am erring.
> >
> > The syslog shows Shorewall letting traffic in as desired. The problem is
> > that nothing ever comes back out. Let's focus on my SSH rule at the
> > moment. It is:
> >
> > DNAT:info net loc:10.0.50.50:22 tcp 2222
>
> I've run into this before as well, and had all kinds of grief until I figured
> it out. For some reason, the SSH protocol does not like its port changed.
> So, if you have 2222 open on the firewall, then have SSH listen on 2222 (as
> well as 22, if you want) on your machine, and DNAT to 2222.

Not true, at least on my versions of ssh on linux. I routinely dnat ssh from all kinds of ports through to port 22, and it works just fine. You must have been seeing some other problem (or it's specific to a particular ssh or os or something?)

Cheers,
Gavin
On Sunday 18 March 2007 15:56, Gavin Carr wrote:
> > > DNAT:info net loc:10.0.50.50:22 tcp 2222
> >
> > I've run into this before as well, and had all kinds of grief until I
> > figured it out. For some reason, the SSH protocol does not like its port
> > changed. So, if you have 2222 open on the firewall, then have SSH listen
> > on 2222 (as well as 22, if you want) on your machine, and DNAT to 2222.
>
> Not true, at least on my versions of ssh on linux. I routinely dnat ssh
> from all kinds of ports through to port 22, and it works just fine. You
> must have been seeing some other problem (or it's specific to a particular
> ssh or os or something?)

Interesting. It might have been version specific, but somewhere back in the recesses of my mind, it seems I read something to that effect, and I know when I DNAT'ed to the same port (2022 -> 2022) all my sporadic connectivity problems went away. I guess I should have said YMMV. :)

j

--
Joshua Kugler
Lead System Admin -- Senior Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/  ID 0xDB26D7CE
PO Box 80086 -- Fairbanks, AK 99708 -- Ph: 907-456-5581 Fax: 907-456-3111