Hello ..
I'm having a strange problem regarding DNAT, and I'm pretty lost on that one.

I am currently trying to route ports 25, 110 and 143 from one of our public Internet IP addresses of the firewall through to a mail server in our LAN. This is kind of a test setup to place our entire LAN, along with various servers, behind a single firewall which masquerades our Internet traffic and routes multiple IPs/ports through to several servers within the LAN. (A DMZ is planned, but will be realized a bit later when new hardware arrives.)

But whatever I do, the DNATed port remains closed. No packets get dropped, though. It seems as if everything works fine, but the packets just seem not to reach their destination.

The same problem occurs when I use raw iptables (on a floppyfw 2.03 setup) or Shorewall from a Bering firewall disk. Both use iptables for firewalling and NAT, and both use a 2.4 kernel, so the problem with both setups is probably the same.

With the floppyfw setup with raw iptables, I already logged a bit, and got these results:
1.) The packet arrives on the firewall, and gets DNATed correctly in the PREROUTING chain.
2.) It enters the FORWARD chain, and gets accepted in it.

What happens then seems to be the problem, and I couldn't find out what's going on. I suspected a bug, and so I searched a bit for alternatives, and then finally found and tried the Bering distribution with Shorewall (which I found to be much better, btw :)
But the problem still remains the same.

Any clues what might be happening?

The server is reachable from the Internet and my local network, the weblet server is running, and masquerading works exactly as expected, so I think my network setup should be correct. Also, the mail server on the internal IP 192.168.0.97 is definitely running and working.

Another thing: I also tried the online port scan at http://www.auditmypc.com/ to port-scan my firewall from the outside. It did not find any open ports.

The firewall itself has the public IP 62.157.143.252 and the internal IP 192.168.0.122.

I included my complete firewall rules listing at the bottom. (Copied from the HTML weblet output.) It is pretty much standard; the only rule I have is to DNAT ports 25, 110 and 143 to an internal server on IP 192.168.0.97. Otherwise, 2 zones (net and loc) with loc being the 192.168.0.* subnet. The interesting chains are net2loc and the masquerading part at the bottom. But they seem to be correct, at least to me.

Thanks in advance, and with best regards,
Kai Londenberg
----
Shorewall-1.3.9b Chain at firewall - Tue Nov 5 13:36:17 UTC 2002
Counters reset Tue Nov 5 13:28:43 UTC 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_in ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_in ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 10 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 10 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT ah -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 fw2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 10 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 10 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP ah -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0 62.157.143.252
0 0 DROP ah -- * * 0.0.0.0/0 192.168.0.255

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2all ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 net2loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 net2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 loc2fw ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (27 references)
pkts bytes target prot opt in out source destination
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 10 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.97 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.97 state NEW tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.97 state NEW tcp dpt:143
0 0 net2all ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (6 references)
pkts bytes target prot opt in out source destination
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (6 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN ah -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP ah -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop ah -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop ah -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop ah -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop ah -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 60.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop ah -- * * 82.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop ah -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop ah -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop ah -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 222.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 240.0.0.0/4 0.0.0.0/0

::Masquerading::
Shorewall-1.3.9b NAT at firewall - Tue Nov 5 13:36:17 UTC 2002

Chain PREROUTING (policy ACCEPT 666 packets, 86162 bytes)
pkts bytes target prot opt in out source destination
0 0 net_dnat ah -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_masq ah -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE ah -- * * 192.168.0.0/24 0.0.0.0/0

Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 62.157.143.252 tcp dpt:25 to:192.168.0.97
0 0 DNAT tcp -- * * 0.0.0.0/0 62.157.143.252 tcp dpt:110 to:192.168.0.97
0 0 DNAT tcp -- * * 0.0.0.0/0 62.157.143.252 tcp dpt:143 to:192.168.0.97
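The two facts the post's own logging established (the SYN is DNATed in PREROUTING, then accepted in FORWARD) can be checked mechanically against a listing of this shape. The script below is an added example, not the poster's tooling and not part of Shorewall: it parses `iptables -L -v -n` output into chains, walks one TCP SYN through nat/PREROUTING and filter/FORWARD exactly as the kernel would (jumps into user chains, fall-through, RETURN, the DNAT rewrite of the destination before the routing decision, Shorewall's `newnotsyn` flags test), and reports the rules on that path whose counters are zero. The listings embedded in it are constructed: the chain names, interfaces and addresses follow the post, while the counters, the 198.51.100.7 source address (RFC 5737 range) and the deliberately missing port-110 rule in `net2loc` are invented to show what a DNAT rule without a matching FORWARD rule looks like.

```python
"""Trace a TCP SYN through chain listings in `iptables -L -v -n` format (added example,
not the poster's or Shorewall's tooling).  The listings are constructed to mirror a
Shorewall DNAT layout: interfaces and addresses are the post's, counters are invented."""
import ipaddress
import re

NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 666 packets, 86162 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain net_dnat (1 references)
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            62.157.143.252       tcp dpt:25 to:192.168.0.97
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            62.157.143.252       tcp dpt:110 to:192.168.0.97
"""
# Constructed so net2loc accepts port 25 only: the port-110 DNAT has no matching FORWARD rule.
FILTER_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
   12   720 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain eth0_fwd (1 references)
   12   720 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
Chain net2loc (1 references)
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.97         state NEW tcp dpt:25
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain newnotsyn (1 references)
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2all (1 references)
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
COLS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")
TERMINAL = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE", "RETURN"}

def parse_listing(text):
    """{chain: {"policy": str|None, "rules": [dict]}}; skips blank and column-header lines."""
    chains, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("pkts"):
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\S+) )?", line)
        if m:
            cur = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        fields = line.split(None, 9)  # 9 fixed columns, then optional trailing match text
        rule = dict(zip(COLS, fields), extra=fields[9] if len(fields) > 9 else "")
        rule["pkts"] = int(rule["pkts"])
        cur["rules"].append(rule)
    return chains

def matches(rule, pkt):
    """Fixed columns plus the dpt / state / tcp-flags trailing matches."""
    in_net = lambda a, n: ipaddress.ip_address(a) in ipaddress.ip_network(n, strict=False)
    if (rule["prot"] not in ("all", pkt["prot"]) or rule["in"] not in ("*", pkt["in"])
            or rule["out"] not in ("*", pkt["out"])
            or not (in_net(pkt["src"], rule["src"]) and in_net(pkt["dst"], rule["dst"]))):
        return False
    m = re.search(r"\bdpt:(\d+)", rule["extra"])
    if m and pkt["dport"] != int(m.group(1)):
        return False
    m = re.search(r"\bstate (\S+)", rule["extra"])
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"flags:(!?)0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)", rule["extra"])
    if m:  # "!0x16/0x02" is Shorewall's newnotsyn test: conntrack NEW but not a plain SYN
        negate, mask, want = m.group(1) == "!", int(m.group(2), 16), int(m.group(3), 16)
        if ((pkt["flags"] & mask) == want) == negate:
            return False
    return True

def walk(chains, name, pkt, path):
    """Verdict reached in chain `name`; None when a user chain runs off its end."""
    for idx, rule in enumerate(chains[name]["rules"]):
        if not matches(rule, pkt):
            continue
        path.append((name, idx, rule))
        if rule["target"] == "DNAT":  # destination is rewritten before the routing decision
            m = re.search(r"\bto:([\d.]+)(?::(\d+))?", rule["extra"])
            pkt["dst"], pkt["dport"] = m.group(1), int(m.group(2) or pkt["dport"])
        if rule["target"] in TERMINAL:
            return rule["target"]
        if rule["target"] in chains:  # user chain; fall-through or RETURN resumes here
            verdict = walk(chains, rule["target"], pkt, path)
            if verdict not in (None, "RETURN"):
                return verdict
    return chains[name]["policy"]  # LOG and unknown targets never terminate the walk

def trace_dnat(nat_text, filter_text, pkt):
    """One SYN through nat/PREROUTING then filter/FORWARD: verdicts, rule path, unhit rules."""
    path, verdicts = [], []
    for chains, builtin in ((parse_listing(nat_text), "PREROUTING"), (parse_listing(filter_text), "FORWARD")):
        v = walk(chains, builtin, pkt, path)
        verdicts.append(chains[builtin]["policy"] if v in (None, "RETURN") else v)
    labels = [f"{c}[{i}] {r['target']}" for c, i, r in path]
    return {"nat": verdicts[0], "forward": verdicts[1], "dst": pkt["dst"], "dport": pkt["dport"],
            "path": labels,  # zero counters on the expected path mean real traffic never got there
            "unhit": [lbl for lbl, (_, _, r) in zip(labels, path) if r["pkts"] == 0]}

def demo():
    """Two SYNs from a constructed external host (RFC 5737 range) to the firewall's public IP."""
    results = []
    for port in (25, 110):
        pkt = {"in": "eth0", "out": "eth1", "prot": "tcp", "src": "198.51.100.7",
               "dst": "62.157.143.252", "dport": port, "state": "NEW", "flags": 0x02}
        results.append(trace_dnat(NAT_LISTING, FILTER_LISTING, pkt))
    return results

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

For the port-25 SYN the walk ends at `net2loc[2] ACCEPT` with every rule on the path carrying traffic; for port 110 it ends at `net2all[0] DROP`, and the `net_dnat[1] DNAT` rule with a zero counter shows up under `unhit`. On a real listing the same `unhit` list separates "the rules never saw the packet" (zero counters already on the DNAT rule, so the problem is upstream of the rule set: address, interface or conntrack state) from "the rules passed it and something afterwards lost it". Once FORWARD says ACCEPT the rule set has nothing further to say; what remains is outside the listing, namely the routing decision that picks the out interface and whether the internal server's replies return through the same firewall so that conntrack can undo the DNAT.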