On Thursday 12 September 2002 10:09 am, Scott Merrill wrote:
> I have several workstations that I want to deny internet access to, so I've
> modified my /etc/shorewall/masq file as such:
> eth0 192.168.0.0/24!192.168.0.240/28
> (Hosts from 192.168.0.240 through .254 are not masqueraded, therefore they
> can't use the internet.)
>
> One of these workstations now needs telnet access to a specific internet IP
> address. I added the following (sanitized) line to /etc/shorewall/rules:
> DNAT loc:192.168.0.240 net:208.xxx.xxx.xxx:23 tcp 23 -
> 192.168.0.100:216.xxx.xxx.xxx
> (208.xxx = destination IP address
> 216.xxx = shorewall external public IP address)
>
> I want to have the workstation telnet to 192.168.0.100 (my shorewall box),
> which will dnat it to the intended destination, using the shorewall
> external IP address as the source IP.
>
> From the workstation, telnet to 192.168.0.100 _does_ connect to the remote
> system correctly. But it _also_ connects if I telnet directly to the
> destination IP address.
>
> For this specific situation, that's not a big deal. But is this
> intended operation for the original destination field of the rules file?
> Or have I misconfigured something, and am seeing the results of that
> misconfiguration?
That's the way it works -- the rule as you have coded it turns into 3
NetFilter rules; one in the nat table PREROUTING path, one in the filter
table FORWARD path and one in the nat table POSTROUTING path. The nat table
PREROUTING rule simply changes connections from 192.168.0.240 to
192.168.0.100:23 to have destination 208.xxx.xxx.xxx:23. If the original
connection request already has destination 208.xxx.xxx.xxx:23 then that first
rule doesn't apply but the other two rules still do.
DNAT is usually used in the other direction (from internet to local) where
direct connections to the local host are disallowed by the 'norfc1918'
interface option.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
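As an added illustration (not Shorewall's code, and not part of the thread), the following Python model walks a connection through the three netfilter rules Tom describes: nat PREROUTING (DNAT), filter FORWARD (ACCEPT) and nat POSTROUTING (SNAT). The 208.x and 216.x addresses are placeholders for the sanitized values in the post. It shows why the FORWARD rule also admits a direct connection to the remote host: that rule matches the destination after DNAT, so a packet that already carries the remote address satisfies it.

```python
# Added example: a tiny model of the three netfilter rules that Shorewall
# generates for the DNAT rule in the thread. Hypothetical, not Shorewall code.
from dataclasses import dataclass, replace

LOC_HOST = "192.168.0.240"       # workstation the rule applies to
FW_INTERNAL = "192.168.0.100"    # shorewall box, local side
FW_EXTERNAL = "216.0.0.1"        # placeholder for 216.xxx.xxx.xxx
REMOTE = "208.0.0.1"             # placeholder for 208.xxx.xxx.xxx


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def nat_prerouting(c: Conn) -> Conn:
    # Rule 1: rewrite 192.168.0.240 -> 192.168.0.100:23 to the remote host.
    if (c.src, c.dst, c.dport, c.proto) == (LOC_HOST, FW_INTERNAL, 23, "tcp"):
        return replace(c, dst=REMOTE)
    return c


def filter_forward(c: Conn) -> bool:
    # Rule 2: ACCEPT is evaluated on the *post-DNAT* destination, so a
    # connection sent straight to 208.x:23 matches just as well.
    return (c.src, c.dst, c.dport, c.proto) == (LOC_HOST, REMOTE, 23, "tcp")


def nat_postrouting(c: Conn) -> Conn:
    # Rule 3: source-NAT to the firewall's public address.
    if (c.src, c.dst, c.dport, c.proto) == (LOC_HOST, REMOTE, 23, "tcp"):
        return replace(c, src=FW_EXTERNAL)
    return c


def traverse(c: Conn, forward_policy: bool = False):
    """Return (accepted, connection as the remote side would see it).

    forward_policy models the loc->net policy that applies when no rule
    matches in FORWARD; the thread does not state it, so it defaults to deny.
    """
    c = nat_prerouting(c)
    if not (filter_forward(c) or forward_policy):
        return False, None
    return True, nat_postrouting(c)
```

Both the connection to 192.168.0.100:23 and the direct one to the remote address come out accepted and source-NATed, while telnet from another host, or to another port, falls through to the policy.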