Hello,
I''ve ran in to a problem with DNAT and I just can''t seem to
see where the
issue is. I''m at a loss, any thoughts?
I''ve got another machine running shorewall-4.4.20-1.noarch without any
problems. I could uninstall 20-3 and try 20-1, but I thought I''d as if
anyone sees an issue with my setup so far.
I''ve setup a second network for testing using the following
information:
OS: Scientific Linux release 6.0 (Carbon) - (red hat clone)
shorewall-4.4.20-3.noarch
shorewall-init-4.4.20-3.noarch
Firewall (ext: 10.10.1.10, int 10.2.1.1)
Server1 (10.2.1.130)
Laptop (dhcp - 10.2.1.240)
Shorewall masq:
eth0 10.2.1.0/24
The masquerade is working, the laptop and server1 can access the internet
with no problems.
But when I try to connect to the ftp (to the 10.10.1.10 ip) it doesn''t
forward to server 1 (10.2.1.131). Tcpdump records nothing on the 131 server.
No errors or denys from Shorewall on the fw.
Shorewall policy:
loc $FW ACCEPT
$FW net ACCEPT
net $FW DROP info
all all REJECT info 10/sec:40
Shorewall zones:
fw firewall
loc ipv4
net ipv4
Shorewall Interface:
loc eth0 detect dhcp,routeback
net eth1 detect
tcpflags,logmartians,nosmurfs,blacklist
Shorewall rules:
I''ve trimed it down, allows ssh, ftp, dns, ntp, web, ping
Here are the ftp lines as that is where my problem is currently.
# forward ftp to ftp server
#
FTP/DNAT net loc:10.2.1.131
###### --------------------------------------------------------------------
# FTP
###### --------------------------------------------------------------------
FTP/ACCEPT loc net
FTP/ACCEPT $FW net
FTP/ACCEPT net $FW
# shorewall show nat
Shorewall 4.4.20.3 NAT Table at slfw.foo.lan - Fri Jul 8 20:02:00 EDT 2011
Counters reset Fri Jul 8 20:01:45 EDT 2011
Chain PREROUTING (policy ACCEPT 29 packets, 1939 bytes)
pkts bytes target prot opt in out source
destination
29 1939 dnat all -- * * 0.0.0.0/0
0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 19 packets, 1503 bytes)
pkts bytes target prot opt in out source
destination
21 1607 eth0_masq all -- * eth0 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 19 packets, 1503 bytes)
pkts bytes target prot opt in out source
destination
Chain dnat (1 references)
pkts bytes target prot opt in out source
destination
28 1861 net_dnat all -- eth1 * 0.0.0.0/0
0.0.0.0/0
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source
destination
2 104 MASQUERADE all -- * * 10.2.1.0/24
0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16
0.0.0.0/0
0 0 MASQUERADE all -- * * 172.16.0.0/12
0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.0.0/16
0.0.0.0/0
Chain net_dnat (1 references)
pkts bytes target prot opt in out source
destination
0 0 DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 /* FTP */ to:10.2.1.131
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
10.2.1.0 * 255.255.255.0 U 0 0 0 eth1
10.10.1.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1002 0 0 eth1
link-local * 255.255.0.0 U 1003 0 0 eth0
default firewall.xxx 0.0.0.0 UG 0 0 0 eth0
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
On Jul 8, 2011, at 5:27 PM, Terre Porter wrote:> > The masquerade is working, the laptop and server1 can access the internet with no problems. > > But when I try to connect to the ftp (to the 10.10.1.10 ip) it doesn’t forward to server 1 (10.2.1.131). Tcpdump records nothing on the 131 server. No errors or denys from Shorewall on the fw. > > # forward ftp to ftp server > # > FTP/DNAT net loc:10.2.1.131 > > # shorewall show nat > Shorewall 4.4.20.3 NAT Table at slfw.foo.lan - Fri Jul 8 20:02:00 EDT 2011 > > Counters reset Fri Jul 8 20:01:45 EDT 2011 > > Chain dnat (1 references) > pkts bytes target prot opt in out source destination > 28 1861 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0 > > Chain net_dnat (1 references) > pkts bytes target prot opt in out source destination > 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 /* FTP */ to:10.2.1.131Have you followed the DNAT troubleshooting instructions in Shorewall FAQs 1a and 1b? If you had, you would know that no connection requests on TCP port 21 have entered your firewall through eth1. So I suggest that your review those two FAQs. -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2
> Have you followed the DNAT troubleshooting instructions in Shorewall FAQs1a and 1b?> If you had, you would know that no connection requests on TCP port 21 haveentered your firewall through eth1.> > So I suggest that your review those two FAQs. > > -TomAnd a good suggestion it was,.. I had read the FAQ''s you mentioned and that no counter on the DNAT was confusing me, as I was seeing a connection in Tcpdump. I went back and reviewed the FAQ again (step by step) that and the few hours away from it and of course the problem jumped right out at me. I had the interfaces reversed in /shorewall/interfaces - confuses me a bit as the masq worked but they were reversed (bonks self) Thanks for the pointer. Terre ------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2