Administrateurs Xwaves.net
2003-Jun-30 06:01 UTC
[Shorewall-users] Big Problems with DNAT Redirection
Hi!

I have a big problem: I would like to redirect the http & ftp requests from the internet to an internal server on my local network. I have two interfaces on my firewall: eth0 connected to the LAN and eth1 connected to the internet. Then I have put the rules described in the Documentation but it doesn't work! I cannot access my web server from an external network! My server is connected to another firewall in a DMZ zone but, if we are in the local area, we have full access and the firewall is transparent!

I have put the result of the command shorewall status when the connection fails!

Sorry for my bad english :)!

Thank you for your help

Mathieu

-------------- next part --------------
Shorewall-1.4.5 Status at XfireM - lun jun 30 14:55:16 CEST 2003

Counters reset Mon Jun 30 14:55:10 CEST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
9 500 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 120 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 fw2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
8 552 fw2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (4 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2all all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
9 500 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
9 500 loc2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
2 120 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
2 120 net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2all (2 references)
pkts bytes target prot opt in out source destination
8 552 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination

Chain loc2all (2 references)
pkts bytes target prot opt in out source destination
9 500 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
2 120 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1 state NEW tcp dpt:21
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (5 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Jun 30 14:19:49 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.60 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=54626 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.61 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55319 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.24.158 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55320 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.60 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55320 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.61 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55320 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.24.158 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55320 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.60 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55321 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:24:14 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=50291 SEQ=256
Jun 30 14:24:15 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=50291 SEQ=512
Jun 30 14:26:36 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=36015 DF PROTO=TCP SPT=1116 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 30 14:26:39 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=36016 DF PROTO=TCP SPT=1116 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 30 14:27:13 net2all:ACCEPT:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=64640 DF PROTO=TCP SPT=1117 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 30 14:29:43 net2all:ACCEPT:IN=eth1 OUT= SRC=61.172.83.100 DST=80.218.36.107 LEN=78 TOS=0x00 PREC=0x00 TTL=104 ID=63787 PROTO=UDP SPT=1025 DPT=137 LEN=58
Jun 30 14:31:53 net2all:ACCEPT:IN=eth1 OUT= SRC=212.174.23.90 DST=80.218.36.107 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=42005 PROTO=UDP SPT=1026 DPT=137 LEN=58
Jun 30 14:32:14 net2all:ACCEPT:IN=eth1 OUT= SRC=195.142.131.117 DST=80.218.36.107 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=41516 PROTO=UDP SPT=1027 DPT=137 LEN=58
Jun 30 14:44:13 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=38730 PROTO=ICMP TYPE=8 CODE=0 ID=16375 SEQ=0
Jun 30 14:44:19 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=58852 PROTO=ICMP TYPE=8 CODE=0 ID=16375 SEQ=256
Jun 30 14:44:25 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=57600 PROTO=ICMP TYPE=8 CODE=0 ID=16375 SEQ=512
Jun 30 14:44:31 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=65292 PROTO=ICMP TYPE=8 CODE=0 ID=16375 SEQ=768
Jun 30 14:44:37 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107 LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=58091 PROTO=ICMP TYPE=8 CODE=0 ID=16375 SEQ=1024

NAT Table

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 60 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
0 0 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0

Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.1
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.0.1
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.0.1

Mangle Table

Chain PREROUTING (policy ACCEPT 12 packets, 680 bytes)
pkts bytes target prot opt in out source destination
12 680 pretos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 9 packets, 500 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 8 packets, 552 bytes)
pkts bytes target prot opt in out source destination
8 552 outtos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 11 packets, 732 bytes)
pkts bytes target prot opt in out source destination

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
8 552 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
9 500 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

tcp 6 431995 ESTABLISHED src=192.168.0.150 dst=192.168.0.253 sport=2774 dport=22 src=192.168.0.253 dst=192.168.0.150 sport=22 dport=2774 [ASSURED] use=1
tcp 6 85 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1126 dport=80 [UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1126 use=1
tcp 6 431875 ESTABLISHED src=192.168.0.150 dst=192.168.0.253 sport=2787 dport=22 src=192.168.0.253 dst=192.168.0.150 sport=22 dport=2787 [ASSURED] use=1
udp 17 39 src=80.218.36.107 dst=62.2.17.61 sport=1029 dport=53 src=62.2.17.61 dst=80.218.36.107 sport=53 dport=1029 [ASSURED] use=1
tcp 6 119 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1127 dport=80 [UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1127 use=1
tcp 6 12 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1124 dport=80 [UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1124 use=1
udp 17 11 src=80.218.36.107 dst=62.2.28.73 sport=68 dport=67 src=62.2.28.73 dst=80.218.36.107 sport=67 dport=68 use=1
tcp 6 59 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1125 dport=80 [UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1125 use=1
tcp 6 431531 ESTABLISHED src=192.168.0.150 dst=192.168.0.253 sport=2704 dport=22 src=192.168.0.253 dst=192.168.0.150 sport=22 dport=2704 [ASSURED] use=1
On Mon, 2003-06-30 at 06:00, Administrateurs Xwaves.net wrote:

> Hi!
> I have a big problem: I would like to redirect the http & ftp requests from the internet to an internal server on my local network. I have two interfaces on my firewall: eth0 connected to the LAN and eth1 connected to the internet. Then I have put the rules described in the Documentation but it doesn't work! I cannot access my web server from an external network! My server is connected to another firewall in a DMZ zone but, if we are in the local area, we have full access and the firewall is transparent!
> I have put the result of the command shorewall status when the connection fails!
> Sorry for my bad english :)!

The default gateway for the servers MUST be set to the IP address of the internal interface on the Shorewall box in order for this to work.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
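One way to spot the failure pattern Tom is pointing at in the conntrack section of the status output, as an added example that is not part of this thread or of Shorewall: a DNAT'd TCP flow that stays in SYN_SENT [UNREPLIED], with the reply expected from the internal server, means the server's SYN-ACK never comes back through the firewall, which is exactly what happens when the server's default gateway is not the firewall's internal interface. The sample lines below are constructed from the entries quoted above; the function names are this example's own.

```python
import re

# Constructed sample, modelled on the ip_conntrack entries in the status output above.
SAMPLE_CONNTRACK = """\
tcp 6 431995 ESTABLISHED src=192.168.0.150 dst=192.168.0.253 sport=2774 dport=22 src=192.168.0.253 dst=192.168.0.150 sport=22 dport=2774 [ASSURED] use=1
tcp 6 85 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1126 dport=80 [UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1126 use=1
udp 17 39 src=80.218.36.107 dst=62.2.17.61 sport=1029 dport=53 src=62.2.17.61 dst=80.218.36.107 sport=53 dport=1029 [ASSURED] use=1
tcp 6 119 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1127 dport=80 [UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1127 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text):
    """Turn ip_conntrack lines into dicts holding the original and reply tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 4 or len(tuples) != 2:
            continue  # not a connection line this parser understands
        orig, reply = tuples
        # TCP lines carry a state name in the fourth column; UDP lines do not.
        state = "" if fields[3].startswith("src=") else fields[3]
        entries.append({
            "proto": fields[0], "state": state,
            "unreplied": "[UNREPLIED]" in line,
            "orig": {"src": orig[0], "dst": orig[1], "dport": int(orig[3])},
            "reply": {"src": reply[0], "dst": reply[1], "sport": int(reply[2])},
        })
    return entries

def is_dnat(entry):
    """A DNAT'd flow is answered from an address other than the one the client sent to."""
    return entry["orig"]["dst"] != entry["reply"]["src"]

def stuck_dnat_flows(entries):
    """DNAT'd TCP flows whose forwarded SYN never got a reply back through the box."""
    return [e for e in entries
            if e["proto"] == "tcp" and is_dnat(e)
            and e["state"] == "SYN_SENT" and e["unreplied"]]

if __name__ == "__main__":
    for e in stuck_dnat_flows(parse_conntrack(SAMPLE_CONNTRACK)):
        print("no reply from DNAT target %s:%d for client %s; check that host's "
              "default gateway is the firewall's internal address"
              % (e["reply"]["src"], e["reply"]["sport"], e["orig"]["src"]))
```

On a live box the same parser can be fed the contents of /proc/net/ip_conntrack (2.4 kernels, as in this thread) instead of the constructed sample.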