I'm experiencing an issue, which I hope is a configuration oversight
on my part. Hopefully some kind soul out there will be kind enough to point out
my folly. Here goes...
I'm running Shorewall under Bering (http://leaf.sourceforge.net),
having updated to 1.3.1 just the other day (and that's what my
version file says). Config files are pretty much stock except that I
don't have a DMZ (I know, I know... the hardware's on order)
and I'm doing port-forwarding to 192.168.1.5 on my local network for
ssh, smtp and https:
ZONES:
net Net Internet
loc Local Local networks
INTERFACES:
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect routestopped
POLICY:
loc net ACCEPT
net all DROP info
all all REJECT info
RULES:
REJECT net fw tcp 113
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
ACCEPT fw loc icmp 8
ACCEPT loc fw icmp 8
ACCEPT fw net icmp 8
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT fw net tcp 80
#
DNAT net loc:192.168.1.5 tcp ssh
DNAT net loc:192.168.1.5 tcp 25,443
MASQ:
eth0 eth1
#####
My problem occurs when another host on the intranet (192.168.1.7, for
example) attempts to access an internet host via ssh or https. The client simply
gets a connection denied. Looking into the logs, I can see (sorry, I'm
not at home right now, so I can't actually send the entries) that the
return packets from the client request are being redirected to 192.168.1.5 - not
to the client.
I.e. - I'm seeing entries that say a port 22/443 connection from the
internet is being routed to 192.168.1.5 at the same time that I get a
'connection denied' on my client... all other network traffic
silent, and the fw (ipf on Solaris) on my web server rejecting a bogus https
connection request.
I do have:
NAT_BEFORE_RULES=YES
in my shorewall.conf file, but according to the docs that pertains only to
static nats, which I do not use (as eth0's ip is dynamic).
If I set my dnat rules thusly:
DNAT net loc:192.168.1.5 tcp ssh - my.cur.ip.addy
DNAT net loc:192.168.1.5 tcp 25,443 - my.cur.ip.addy
the user experience problem goes away as expected. However, this is an
impractical solution (again with the dynamic IP problem).
I know I've got to be missing something here, but for the likes of me,
I can't figure out what it is.
Cheers,
-CJN
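As an added check (example code written for this page, not part of the original post or of Shorewall itself): a small Python linter that flags DNAT rules whose ORIGINAL DEST column is empty, the form in the post's first rules file, and shows how to rewrite such a rule with an explicit destination as in the post's second form. It assumes the Shorewall 1.3 rules column order ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST, and the function and column names are hypothetical.

```python
# Constructed sample: the rules excerpt from the post above, plus one DNAT
# line already qualified with an original destination (the post's second form).
SAMPLE_RULES = """\
REJECT net fw tcp 113
ACCEPT fw net tcp 53
ACCEPT loc fw tcp 80
DNAT net loc:192.168.1.5 tcp ssh
DNAT net loc:192.168.1.5 tcp 25,443
DNAT net loc:192.168.1.5 tcp 22 - my.cur.ip.addy
"""

# Assumed Shorewall 1.3 rules layout (0-based column index of ORIGINAL DEST):
# ACTION SOURCE DEST PROTO DEST_PORTS SOURCE_PORTS ORIGINAL_DEST
ORIGINAL_DEST_COL = 6


def parse_rules(text):
    """Yield (line_no, columns) for every non-blank, non-comment rules line."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line.split()


def find_unqualified_dnat(text):
    """Return [(line_no, rule)] for DNAT rules with no ORIGINAL DEST.

    Without an original destination no destination-address match is
    generated, so the rule applies to every packet from the source zone
    that matches PROTO and DEST PORT, whatever address it was sent to.
    """
    hits = []
    for n, cols in parse_rules(text):
        if not cols[0].upper().startswith("DNAT"):
            continue
        orig = cols[ORIGINAL_DEST_COL] if len(cols) > ORIGINAL_DEST_COL else "-"
        if orig == "-":
            hits.append((n, " ".join(cols)))
    return hits


def qualify(rule, original_dest):
    """Rewrite a DNAT rule so it only matches traffic sent to original_dest."""
    cols = rule.split()
    while len(cols) < ORIGINAL_DEST_COL:      # pad SOURCE PORT(S) with '-'
        cols.append("-")
    return " ".join(cols[:ORIGINAL_DEST_COL] + [original_dest])


if __name__ == "__main__":
    for line_no, rule in find_unqualified_dnat(SAMPLE_RULES):
        print(f"line {line_no}: {rule}  ->  {qualify(rule, 'my.cur.ip.addy')}")
```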