Hi there, I'm new to shorewall, using version 1.3.5b. I am attempting to set up a masquerading/DNATting two-interface firewall which will manage connections for several internal servers using a range of external (real) ip addresses. I have followed the quick-start guide and was able to get masquerading working for my outbound connections to the internet. However, I have not been able to get DNAT to work as I expect. An instance of the DNAT rules I have placed in my rules file is as follows:

    DNAT net loc:10.1.0.38 tcp 80,443 - xxx.xxx.xxx.203

It should be noted that xxx.xxx.xxx.203 is not the address of my firewall's external interface card, but another address being routed to the firewall. I have installed snort and verified that packets destined for this IP address are hitting the outside interface of the firewall, but they are not making it through to the inside. If I remove the ORIGINAL DEST entry and restart the firewall, I find that connections to the firewall's IP address at port 80 are successfully forwarded to 10.1.0.38. It seems to be the ORIGINAL DEST entry which causes the problem. Unfortunately, I don't see anything in syslog, even when I add an INFO or DEBUG option in the DNAT line.

I'd be happy to send along the output of "shorewall status" if that would help. Shorewall is a fantastic product, by the way. Thanks very much for your time.

-- Rg3
On Tue, 30 Jul 2002, metapope wrote:

> DNAT net loc:10.1.0.38 tcp 80,443 - xxx.xxx.xxx.203

See if it works correctly if you express it as two separate rules.

-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Tue, 30 Jul 2002, metapope wrote:

> I'd be happy to send along the output of "shorewall status" if that would
> help.

Please do -- I've tested that every which way I can think of and it always works for me. Be sure that you try to connect to ....203 port 80 or 443 before you capture the status.

-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> > DNAT net loc:10.1.0.38 tcp 80,443 - xxx.xxx.xxx.203
>
> See if it works correctly if you express it as two separate rules.
> -Tom

Hi Tom,

Thanks for your reply. I tried expressing this as two separate rules, and I'm afraid I was still unsuccessful. I did, however, notice your new setup guide, and found that to be a very helpful reference. I believe the solution I am looking for is akin to the situation outlined in section 5.2.4 of your setup guide, which deals with Static NAT. By entering a NAT rule in /etc/shorewall/nat and replacing the DNAT line above with an ACCEPT line, I found I was able to forward packets to the correct port on the correct machine, but only if that machine were within a particular IP address range. . . for instance, I can successfully port-forward to 10.1.1.9 or 10.1.1.108, but not to 10.1.0.38 or 10.1.0.40. I've tried this with a number of machines on the 10.1.1.* and 10.1.0.* networks, and this seems to be the only difference between them. So I guess I've solved the first problem, but stumbled into a different one.

To troubleshoot this issue, I've set up a remote machine to ping several port-forwarded machines in sequence, while I watch the output of "shorewall show nat." I can see the packet counters increment for the PREROUTING chain regardless of which IP address I'm pinging, however the only packets which make it as far as the OUTPUT eth0_in chain are those destined for machines with 10.1.1.* addresses. I've gone through my configuration files to make sure I haven't put a 10.1.0.0/24 where I meant to put a 10.1.0.0/22, but I can't seem to pin anything down. When I stop and clear shorewall, I am able to ping any internal machine, be it in the 10.1.1.* range or the 10.1.0.* range, so I don't think it's a matter of adding a new gateway.

I'm afraid I can only bring this firewall online for a few hours a day, and I forgot to save the "shorewall status" output before I took it offline. I'm not sure sending you the offline version would be helpful, but I'll probably be able to capture some more data tomorrow. Thanks very much for your help. And thanks, also, for your new setup guide. By going through the guide step by step and setting up this firewall, I've finally been able to wrap my mind around iptables somewhat.

-- Rg3
Hello,

Just thought I'd follow up. . . I installed snort on both interfaces on the firewall for some packet-level debugging. It would seem that the issue I was having was not related to routing, as such, but was related to ARP. My external router was ARPing for the external IP addresses, but was not receiving any response from the internal network/firewall. Actually - that's not exactly true - it would receive _one_ response from the internal network and would be able to route to that internal machine, but it receives _only_ one, and will not route to any other machines. This is why I initially thought I was having routing issues.

As a workaround, I was able to add all my external IP addresses to my outside firewall interface (using "ifconfig eth0 add xxx.xxx.xxx.xxx"), and this seems to have solved my problem. It occurs to me in retrospect that this is probably the sort of issue proxyarp is meant to resolve, so I'll have to give that a try at some point.

Anyway, thanks very much for your help. And thanks, again, for Shorewall. Once that issue was resolved, Shorewall "just worked," and I couldn't be happier.

Cheers,
-- Rg3
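A check for the ARP symptom described in the message above, added here as an example and not code from the thread or from Shorewall: for each public address the upstream router forwards to the firewall, it reports whether the firewall's external interface will answer ARP for it, either because the address is assigned to the interface (the "ifconfig eth0 add" workaround) or because a proxy ARP entry exists (what an /etc/shorewall/proxyarp entry sets up). The interface name, the addresses and the two command outputs are constructed samples, and the iproute2 output formats are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall. For each public
# address the upstream router forwards to the firewall, report whether the
# firewall will answer the router's ARP request for it on the external
# interface. Either of two conditions satisfies the router: the address is
# assigned to the interface (the "ifconfig eth0 add" workaround) or a proxy
# ARP entry exists for it (what an /etc/shorewall/proxyarp entry sets up).
# Assumed: iproute2 output formats for "ip -4 addr show dev IF" and
# "ip neigh show proxy dev IF". Interface name and all addresses below are
# constructed samples.

# Constructed sample of "ip -4 addr show dev eth0": the interface's own
# address plus one extra address added the way the workaround does.
SAMPLE_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet 192.0.2.203/32 scope global eth0'

# Constructed sample of "ip neigh show proxy dev eth0": one proxy ARP entry.
SAMPLE_PROXY='192.0.2.204 proxy'

# arp_status ADDRESS ADDR_OUTPUT PROXY_OUTPUT
# Prints "local" (address on the interface), "proxy" (proxy ARP entry)
# or "missing" (the router's ARP request will go unanswered).
arp_status() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the regex
    if printf '%s\n' "$2" | grep -Eq "^[[:space:]]*inet ${esc}/[0-9]+[[:space:]]"; then
        echo local
    elif printf '%s\n' "$3" | grep -Eq "^${esc}[[:space:]].*proxy"; then
        echo proxy
    else
        echo missing
    fi
}

# check_addresses ADDR_OUTPUT PROXY_OUTPUT ADDRESS...
# One "ADDRESS STATUS" line per address; the "missing" lines are the hosts
# the router cannot reach, which matches the one-host-works symptom above.
check_addresses() {
    addr_out=$1; proxy_out=$2; shift 2
    for a in "$@"; do
        printf '%s %s\n' "$a" "$(arp_status "$a" "$addr_out" "$proxy_out")"
    done
}

# On a live firewall, feed real command output instead of the samples:
#   check_addresses "$(ip -4 addr show dev eth0)" \
#                   "$(ip neigh show proxy dev eth0)" 192.0.2.203 192.0.2.204
check_addresses "$SAMPLE_ADDR" "$SAMPLE_PROXY" 192.0.2.203 192.0.2.204 192.0.2.205
```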
On Thu, 8 Aug 2002, metapope wrote:

> As a workaround, I was able to add all my external IP addresses to my
> outside firewall interface (using "ifconfig eth0 add xxx.xxx.xxx.xxx"),
> and this seems to have solved my problem. It occurs to me in retrospect
> that this is probably the sort of issue proxyarp is meant to resolve

Yes, it is -- Didn't the Shorewall Setup Guide make that clear?

-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> Yes, it is -- Didn't the Shorewall Setup Guide make that clear?
>
> -Tom

Indeed, it does describe the function of proxyarp. However, I had been going by the Two-Interface and Three-Interface QuickStart guides up until last Thursday, and these don't seem to deal with proxyarp at all.

-- Rg3
On Thu, 8 Aug 2002, metapope wrote:

> Indeed, it does describe the function of proxyarp. However, I had been
> going by the Two-Interface and Three-Interface QuickStart guides up until
> last Thursday, and these don't seem to deal with proxyarp at all.

Yep -- those guides are for very vanilla single external IP setups where Proxy ARP isn't relevant.

-Tom
-- 
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net