ranger@www.scenespot.org
2002-Jun-13 00:06 UTC
[Shorewall-users] possible bugs in port forwarding DNAT?
I'm not sure if this is my fault or not, we've got a new shorewall box set up, and I'm running into a strange issue. I have the following rules:

# iMAIL Servers - TCP and UDP, ports 80 (HTTP), 8383 (legacy), 110 (pop3)
DNAT net loc:192.168.1.80:80 tcp 8383 - xxx.xxx.xxx.80
DNAT net loc:192.168.1.80 tcp smtp,http,110 - xxx.xxx.xxx.80
DNAT net loc:192.168.1.99:80 tcp 8383 - xxx.xxx.xxx.99
DNAT net loc:192.168.1.99 tcp smtp,http,110 - xxx.xxx.xxx.99

Basically, we want to allow smtp, web, and POP into a mail server (with a web interface). There used to be a web interface on 8383, but it's not part of the software any more. I want to be able to forward incoming traffic directed to xxx.xxx.xxx.80:8383 to 192.168.1.80:80, but as soon as I do that with the rules above, I am unable to connect to *ANY* port on xxx.xxx.xxx.80.

If I comment out the loc:192.168.1.80:80 lines, the rest of the port forwards work correctly. I've tried any number of combinations of different things, including trying to forward xxx.xxx.xxx.80:8383 to xxx.xxx.xxx.80:80 and *then* nat'ing that to the 192.168.1.80 address, but nothing seems to help as long as I've got that 8383 -> 80 port forward.

Is this an iptables issue, a shorewall issue, or a configuration issue?

Here's my setup:

RedHat 7.3
iptables 1.2.5
shorewall 1.3.1 (with the errata fix)

If there's anything else you need from me, let me know.

Thanks,
Benjamin Reed <ranger@befunk.com>
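An added example, not code from the thread or from Shorewall itself: it parses DNAT rule lines of the form quoted above, shows the nat/PREROUTING command the DNAT part of each rule corresponds to (Shorewall also emits the matching forward-chain accept rules, which are left out here), and checks whether two rules claim the same original destination, protocol and port, so that overlap can be ruled out as a cause. Service names are resolved through a small constructed table rather than /etc/services, and 203.0.113.x stands in for the masked xxx.xxx.xxx.x addresses.

```python
# Added example (not the thread's code): parse Shorewall 1.3-style DNAT rules, emit the
# equivalent nat/PREROUTING commands, and flag rules that claim the same port.
SERVICES = {"smtp": 25, "http": 80, "pop3": 110}  # stand-in for /etc/services lookups

def resolve_port(p):
    return int(p) if p.isdigit() else SERVICES[p]

def parse_dnat_rule(line):
    """Fields: ACTION SOURCE DEST PROTO DEST_PORT [SOURCE_PORT] [ORIGINAL_DEST]."""
    f = line.split()
    if len(f) < 5 or f[0] != "DNAT":
        raise ValueError("not a DNAT rule: %r" % line)
    zone, _, target = f[2].partition(":")  # DEST is zone:ip[:port]
    ip, _, port = target.partition(":")
    return {"source": f[1], "zone": zone, "target_ip": ip,
            "target_port": resolve_port(port) if port else None,
            "proto": f[3], "ports": [resolve_port(p) for p in f[4].split(",")],
            "orig_dest": f[6] if len(f) > 6 and f[6] != "-" else None}

def to_iptables(rule):
    """Equivalent nat/PREROUTING commands, one per destination port."""
    cmds = []
    for p in rule["ports"]:
        # Without a port in DEST, the packet keeps its original destination port.
        dest = rule["target_ip"] + (":%d" % rule["target_port"] if rule["target_port"] else "")
        parts = ["iptables -t nat -A PREROUTING"]
        if rule["orig_dest"]:
            parts.append("-d " + rule["orig_dest"])
        parts += ["-p " + rule["proto"], "--dport %d" % p,
                  "-j DNAT --to-destination " + dest]
        cmds.append(" ".join(parts))
    return cmds

def find_overlaps(rules):
    """Return (orig_dest, proto, port) keys matched by more than one rule."""
    seen, dup = set(), []
    for r in rules:
        for p in r["ports"]:
            key = (r["orig_dest"], r["proto"], p)
            if key in seen and key not in dup:
                dup.append(key)
            seen.add(key)
    return dup

# Constructed input mirroring the thread's rules; 203.0.113.x stands in for xxx.xxx.xxx.x.
RULES = [parse_dnat_rule(ln) for ln in """
DNAT net loc:192.168.1.80:80 tcp 8383 - 203.0.113.80
DNAT net loc:192.168.1.80 tcp smtp,http,110 - 203.0.113.80
DNAT net loc:192.168.1.99:80 tcp 8383 - 203.0.113.99
DNAT net loc:192.168.1.99 tcp smtp,http,110 - 203.0.113.99
""".splitlines() if ln.strip()]
```

For the four rules above find_overlaps returns an empty list: no two of them match the same port on the same public address, which is consistent with the rest of the thread finding the fault elsewhere.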
On Wed, 12 Jun 2002, ranger@www.scenespot.org wrote:

> I'm not sure if this is my fault or not, we've got a new shorewall box set
> up, and I'm running into a strange issue. I have the following rules:
> # iMAIL Servers - TCP and UDP, ports 80 (HTTP), 8383 (legacy), 110 (pop3)
> DNAT net loc:192.168.1.80:80 tcp 8383 - xxx.xxx.xxx.80
> DNAT net loc:192.168.1.80 tcp smtp,http,110 - xxx.xxx.xxx.80
> DNAT net loc:192.168.1.99:80 tcp 8383 - xxx.xxx.xxx.99
> DNAT net loc:192.168.1.99 tcp smtp,http,110 - xxx.xxx.xxx.99
>
> Basically, we want to allow smtp, web, and POP into a mail server (with a
> web interface). There used to be a web interface on 8383, but it's not
> part of the software any more. I want to be able to forward incoming
> traffic directed to xxx.xxx.xxx.80:8383 to 192.168.1.80:80, but as soon as
> I do that with the rules above, I am unable to connect to *ANY* port on
> xxx.xxx.xxx.80.
> If I comment out the loc:192.168.1.80:80 lines, the rest of the port
> forwards work correctly. I've tried any number of combinations of
> different things, including trying to forward xxx.xxx.xxx.80:8383 to
> xxx.xxx.xxx.80:80 and *then* nat'ing that to the 192.168.1.80 address, but
> nothing seems to help as long as I've got that 8383 -> 80 port forward.
> Is this an iptables issue, a shorewall issue, or a configuration issue?
>

Beats the hell out of me...

> Here's my setup:
>
> RedHat 7.3

The _one_ system in my network where I always build my own kernel is my firewall. I want to know exactly what is in that kernel.

> iptables 1.2.5
> shorewall 1.3.1 (with the errata fix)
>
> If there's anything else you need from me, let me know.
>

Add the 80:8383->80:80 rule, restart Shorewall, try to connect to the xxxx.xxxx.xxxx.80 forwarded ports, capture the output from "shorewall status" and send it to me. Be sure that you have log rate limiting disabled...
-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Benjamin Reed
2002-Jun-13 01:30 UTC
[Shorewall-users] possible bugs in port forwarding DNAT?
Tom Eastep [teastep@shorewall.net] wrote:

> Beats the hell out of me...

Sorry, should have set down the crack pipe before sending.

I double-checked all of my info *except* for paying attention to where I was testing from. Happens I ssh'ed into a box on another network to test (makes sense, doesn't it?), except that box happens to be the shorewall firewall for that other network. Strangely enough, I don't allow connections from the firewall to port 8383 in the wild! ;)

--
Benjamin Reed a.k.a. Ranger Rick (ranger@befunk.com)
http://ranger.befunk.com/
"With my mighty robot powers, I can get sick of things much faster than you humans." -- Bender, on Futurama
On Wed, 12 Jun 2002, Benjamin Reed wrote:

> Tom Eastep [teastep@shorewall.net] wrote:
> > Beats the hell out of me...
>
> Sorry, should have set down the crack pipe before sending.
>
> I double-checked all of my info *except* for paying attention to where I
> was testing from. Happens I ssh'ed into a box on another network to test
> (makes sense, doesn't it?), except that box happens to be the shorewall
> firewall for that other network. Strangely enough, I don't allow
> connections from the firewall to port 8383 in the wild! ;)
>

No problem -- as I point out on the troubleshooting page, many problems testing the firewall are not with the firewall but with the test setup itself :-)

Glad to hear that you found the cause...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net