----- Original Message -----
From: "Zachariah Mully" <zmully@smartbrief.com>
To: "Shorewall list" <shorewall-users@shorewall.net>
Sent: Monday, March 25, 2002 8:40 AM
Subject: [Shorewall-users] RFC1918 DST addresses
> Hello all-
> I've a question regarding log entries like this on my Shorewall
> firewall:
> Mar 25 11:17:46 natasha kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1
> SRC=216.157.48.251 DST=192.168.3.22 LEN=60 TOS=0x00 PREC=0x00 TTL=52
> ID=42275 DF PROTO=TCP SPT=65142 DPT=113 WINDOW=8192 RES=0x00 SYN URGP=0
>
> The DST: field is the internal IP of one of my NAT'ed mail servers and
> I was wondering if this log entry was written after the firewall had
> made the address translation... If not, then how the hell did that
> packet make it all the way to my firewall? Iptables documentation isn't
> too clear on this (or at least my addled brain is totally missing it). I
> apologize for being weak on my iptables chain flow charts.
>
Since the packet is being rejected in the "net2all" chain, it is post-NAT.
Shorewall checks for RFC1918 DST addresses in the 'mangle' table, which
packets traverse before DNAT is applied (DNAT is applied in both the port
forwarding case and for entries in the /etc/shorewall/nat table).
Similarly, SNAT is applied to packets after they have been filtered.
As a consequence, rules in Shorewall should always use the internal
addresses of servers.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
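As an added example that is not part of the original thread, here is a small Python parser for the Shorewall log format quoted above: it extracts the chain and the packet fields, flags a private (RFC1918) DST address, and records whether the logging chain is a zone-to-zone filter chain such as net2all, which sits after DNAT so the DST it shows is the already-translated internal address. The `<zone>2<zone>` chain-name heuristic and the sample line are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the log line from the message above, reflowed onto one line.
SAMPLE_LOG = (
    "Mar 25 11:17:46 natasha kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth1 "
    "SRC=216.157.48.251 DST=192.168.3.22 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=42275 DF PROTO=TCP SPT=65142 DPT=113 WINDOW=8192 RES=0x00 SYN URGP=0"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption for this example: Shorewall's zone-to-zone chains are named
# "<zone>2<zone>" (net2all, loc2net, ...) and live in the filter table, i.e.
# after DNAT in PREROUTING has rewritten the destination address.
ZONE_CHAIN = re.compile(r"^[a-z0-9]+2[a-z0-9]+$")


def parse_shorewall_log(line):
    """Return the chain, disposition and key=value fields of a Shorewall log line."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$", line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    # Bare flags such as DF and SYN carry no '=' and are simply skipped here.
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("rest")):
        fields[key] = value
    return fields


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def explain(line):
    """Classify a log line: private DST? logged after DNAT?"""
    f = parse_shorewall_log(line)
    if f is None or "DST" not in f:
        return None
    post_dnat = bool(ZONE_CHAIN.match(f["chain"]))
    return {
        "chain": f["chain"],
        "dst": f["DST"],
        "dst_is_rfc1918": is_rfc1918(f["DST"]),
        "post_dnat": post_dnat,
        # A private DST in a post-DNAT chain is the translated internal address,
        # not evidence that a private destination arrived on the external link.
        "dst_already_translated": post_dnat and is_rfc1918(f["DST"]),
    }
```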