Hello,
I've run into a problem with DNAT and I just can't seem to see where the
issue is. I'm at a loss, any thoughts?
I've got another machine running shorewall-4.4.20-1.noarch without any
problems. I could uninstall 20-3 and try 20-1, but I thought I'd ask if
anyone sees an issue with my setup so far.
I've set up a second network for testing using the following
information:
OS: Scientific Linux release 6.0 (Carbon) - (red hat clone)
shorewall-4.4.20-3.noarch
shorewall-init-4.4.20-3.noarch
Firewall (ext: 10.10.1.10, int 10.2.1.1)
Server1 (10.2.1.130)
Laptop (dhcp - 10.2.1.240)
Shorewall masq:
eth0 10.2.1.0/24
The masquerade is working, the laptop and server1 can access the internet
with no problems.
But when I try to connect to the ftp (to the 10.10.1.10 ip) it doesn't
forward to server 1 (10.2.1.131). Tcpdump records nothing on the 131 server.
No errors or denies from Shorewall on the fw.
Shorewall policy:
loc $FW ACCEPT
$FW net ACCEPT
net $FW DROP info
all all REJECT info 10/sec:40
Shorewall zones:
fw firewall
loc ipv4
net ipv4
Shorewall Interface:
loc eth0 detect dhcp,routeback
net eth1 detect tcpflags,logmartians,nosmurfs,blacklist
Shorewall rules:
I've trimmed it down; it allows ssh, ftp, dns, ntp, web, ping.
Here are the ftp lines, as that is where my problem is currently.
# forward ftp to ftp server
#
FTP/DNAT net loc:10.2.1.131
###### --------------------------------------------------------------------
# FTP
###### --------------------------------------------------------------------
FTP/ACCEPT loc net
FTP/ACCEPT $FW net
FTP/ACCEPT net $FW
# shorewall show nat
Shorewall 4.4.20.3 NAT Table at slfw.foo.lan - Fri Jul 8 20:02:00 EDT 2011
Counters reset Fri Jul 8 20:01:45 EDT 2011
Chain PREROUTING (policy ACCEPT 29 packets, 1939 bytes)
pkts bytes target prot opt in out source destination
29 1939 dnat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 19 packets, 1503 bytes)
pkts bytes target prot opt in out source destination
21 1607 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 19 packets, 1503 bytes)
pkts bytes target prot opt in out source destination
Chain dnat (1 references)
pkts bytes target prot opt in out source destination
28 1861 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
2 104 MASQUERADE all -- * * 10.2.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.0.0/16 0.0.0.0/0
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 /* FTP */ to:10.2.1.131
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.2.1.0 * 255.255.255.0 U 0 0 0 eth1
10.10.1.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1002 0 0 eth1
link-local * 255.255.0.0 U 1003 0 0 eth0
default firewall.xxx 0.0.0.0 UG 0 0 0 eth0
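A consistency check worth running on the two listings above, as an added example that is not part of the original post or of Shorewall's own tooling: the jump into net_dnat only sees packets arriving on eth1, while the routing table places 10.10.1.0/24 and the default route (the Internet-facing side) on eth0, which is consistent with the zero hit count on the FTP DNAT rule. The script parses the route and NAT text as pasted (embedded here as constructed input, with the wrapped columns rejoined) and flags a DNAT chain that is keyed on an interface other than the one carrying the default route.

```python
# Routing table from the post above ('route' output, header lines trimmed).
ROUTE_OUTPUT = """\
10.2.1.0 * 255.255.255.0 U 0 0 0 eth1
10.10.1.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1002 0 0 eth1
link-local * 255.255.0.0 U 1003 0 0 eth0
default firewall.xxx 0.0.0.0 UG 0 0 0 eth0
"""

# The 'dnat' chain from 'shorewall show nat' in the post, with the wrapped
# 'destination' column rejoined onto one line.
NAT_OUTPUT = """\
Chain dnat (1 references)
pkts bytes target prot opt in out source destination
28 1861 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0
"""


def default_route_iface(route_text):
    """Interface of the default route in 'route' or 'route -n' output, or None."""
    for line in route_text.splitlines():
        fields = line.split()
        # Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
        if len(fields) >= 8 and fields[0] in ("default", "0.0.0.0"):
            return fields[-1]
    return None


def dnat_jump_iface(nat_text, chain="net_dnat"):
    """The 'in' column of the rule that jumps into the zone's DNAT chain, or None."""
    for line in nat_text.splitlines():
        fields = line.split()
        # Columns: pkts bytes target prot opt in out source destination
        if len(fields) >= 9 and fields[2] == chain:
            return fields[5]
    return None


def check_dnat_ingress(route_text, nat_text, chain="net_dnat"):
    """Return (ok, message). Inbound port forwarding for the 'net' zone is only
    reachable on the interface that actually faces the Internet, i.e. the one
    carrying the default route; anything else means the DNAT rule never fires."""
    ext = default_route_iface(route_text)
    dnat_in = dnat_jump_iface(nat_text, chain)
    if ext is None or dnat_in is None:
        return False, "could not find the default route or the %s jump" % chain
    if dnat_in != ext:
        return False, ("%s matches packets arriving on %s, but the default route "
                       "(Internet side) is on %s" % (chain, dnat_in, ext))
    return True, "%s is keyed on the external interface %s" % (chain, ext)


if __name__ == "__main__":
    print(check_dnat_ingress(ROUTE_OUTPUT, NAT_OUTPUT))
```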