Hi, I'm using RFC1918 addresses for my internal net and DMZ. I need to forward smtp requests to a system on my DMZ; I'm trying a DNAT rule like this:

DNAT net dmz:192.168.1.2 tcp 25

I would also like to keep the 'norfc1918' option enabled on my external interface (and only my external interface).

No matter what I try, if I have 'norfc1918' enabled, packets to port 25 on my firewall get dropped using the 'man1918' mechanism. This occurs regardless of how I have MANGLE_ENABLED, MARK_IN_FORWARD_CHAIN and NAT_BEFORE_RULES set. If I remove the 'norfc1918' option, all works fine.

I understand why this is happening and presumably I can fix it by modifying the rfc1918 file, but can it be fixed in another way? (Actually, I don't quite understand - according to the comments in the interfaces file, if I have MANGLE_ENABLED set to 'No', 'norfc1918' should not apply to destination addresses?)

Here are the pertinent files:

interfaces:
    -    eth0  detect
    dmz  eth1  detect  dropunclean,tcpflags
    net  eth2  detect  norfc1918,dropunclean,tcpflags

zones:
    svr  Server  Internal Server
    net  Net     Internet
    loc  Local   Local Networks
    dmz  DMZ     Demilitarized Zone

hosts:
    svr  eth0:192.168.2.54
    loc  eth0:192.168.2.0/24

nat: (empty)

rfc1918: (default)

masq:
    eth2  eth0
    eth2  eth1

rules:
    ACCEPT  loc  fw                 tcp  22
    ACCEPT  svr  dmz                tcp  22
    ACCEPT  fw   dmz                tcp  53
    ACCEPT  fw   dmz                udp  53
    ACCEPT  net  dmz                tcp  53
    ACCEPT  net  dmz                udp  53
    ACCEPT  dmz  net                tcp  53
    ACCEPT  dmz  net                udp  53
    DNAT    net  dmz:192.168.1.2    tcp  25
    ACCEPT  net  dmz:192.168.1.2    tcp  25

Cheers,
Ross

--
Ross Parker
OctigaBay Systems Corp.
phone: 604-415-9379 x5453
cell: 604-817-3500
On 7 Apr 2003, Ross Parker wrote:

> I'm using RFC1918 addresses for my internal net and DMZ. I need to
> forward smtp requests to a system on my DMZ, I'm trying a DNAT rule like
> this:
>
> DNAT net dmz:192.168.1.2 tcp 25
>
> I would also like to keep the 'norfc1918' option enabled on my external
> interface (and only my external interface).
>
> No matter what I try, if I have 'norfc1918' enabled, packets to port 25
> on my firewall get dropped using the 'man1918' mechanism. This occurs
> regardless of how I have MANGLE_ENABLED, MARK_IN_FORWARD_CHAIN and
> NAT_BEFORE_RULES set. If I remove the 'norfc1918' option, all works
> fine.

May I see a log message of one of these dropped packets please?

Thanks,
-Tom

--
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://www.shorewall.net
Washington USA      \ teastep@shorewall.net
On Mon, 7 Apr 2003, Tom Eastep wrote:

> On 7 Apr 2003, Ross Parker wrote:
>
> > I'm using RFC1918 addresses for my internal net and DMZ. I need to
> > forward smtp requests to a system on my DMZ, I'm trying a DNAT rule like
> > this:
> >
> > DNAT net dmz:192.168.1.2 tcp 25
> >
> > I would also like to keep the 'norfc1918' option enabled on my external
> > interface (and only my external interface).
> >
> > No matter what I try, if I have 'norfc1918' enabled, packets to port 25
> > on my firewall get dropped using the 'man1918' mechanism. This occurs
> > regardless of how I have MANGLE_ENABLED, MARK_IN_FORWARD_CHAIN and
> > NAT_BEFORE_RULES set. If I remove the 'norfc1918' option, all works
> > fine.
>
> May I see a log message of one of these dropped packets please?

The reason I ask is that if it is being dropped in 'man1918' then it is being dropped before any header rewriting occurs; that would mean that the ORIGINAL destination IP address is 192.168.1.2!!! It rather should be an external IP address on your firewall/gateway. There isn't a box ahead of the Shorewall one that's also DNATing SMTP, is there?

-Tom

--
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://www.shorewall.net
Washington USA      \ teastep@shorewall.net
Tom,

> > May I see a log message of one of these dropped packets please?
>
> The reason I ask is that if it is being dropped in 'man1918' then it is
> being dropped before any header rewriting occurs; that would mean that
> the ORIGINAL destination IP address is 192.168.1.2!!! It rather should be
> an external IP address on your firewall/gateway. There isn't a box ahead
> of the Shorewall one that's also DNATing SMTP is there?

Thunk, thunk, thunk - banging my head against the wall. Sorry.

I have a test setup here, and (obviously not thinking too hard) I picked an rfc1918 address for my external test network!

Having fixed that bit of brain-fade, it all works as advertised...

Cheers,
Ross

--
Ross Parker
OctigaBay Systems Corp.
phone: 604-415-9379 x5453
cell: 604-817-3500
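As an added illustration of Tom's point (example code written for this page, not part of the thread and not Shorewall's own code): a small Python model of the interfaces file above that decides whether a packet's ORIGINAL destination on a 'norfc1918' interface would be dropped by man1918 before the DNAT rewrite, plus a pre-flight check that catches exactly the mistake Ross describes, an external interface that itself carries an RFC 1918 address. The interface addresses used are constructed assumptions.

```python
import ipaddress
# RFC 1918 blocks, matching what Shorewall's default rfc1918 file covers.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_interfaces(text):
    """Parse Shorewall 'interfaces' lines: ZONE INTERFACE BROADCAST [OPTIONS]."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        opts = set(fields[3].split(",")) if len(fields) > 3 else set()
        result[fields[1]] = {"zone": fields[0], "options": opts}
    return result

def man1918_verdict(interfaces, in_iface, orig_dst):
    """Model the man1918 check: a packet arriving on a 'norfc1918' interface whose
    ORIGINAL destination is RFC 1918 is dropped in mangle PREROUTING, which runs
    before the DNAT in nat PREROUTING, so the rewrite never happens."""
    if "norfc1918" in interfaces[in_iface]["options"] and is_rfc1918(orig_dst):
        return "DROP (man1918, before DNAT)"
    return "PASS (reaches DNAT)"

def check_external_addresses(interfaces, iface_addrs):
    """List interfaces that carry 'norfc1918' but whose own address is RFC 1918:
    inbound traffic to such an address is dropped before any DNAT rule fires."""
    return sorted(i for i, a in iface_addrs.items()
                  if "norfc1918" in interfaces[i]["options"] and is_rfc1918(a))

# The interfaces file from the thread ('-' means the zone comes from the hosts file).
INTERFACES = """
-    eth0 detect
dmz  eth1 detect dropunclean,tcpflags
net  eth2 detect norfc1918,dropunclean,tcpflags
"""

if __name__ == "__main__":
    ifaces = parse_interfaces(INTERFACES)
    # Constructed addresses: 192.168.50.1 stands in for the lab's RFC 1918 "external" address.
    print(man1918_verdict(ifaces, "eth2", "192.168.50.1"))  # dropped before DNAT
    print(man1918_verdict(ifaces, "eth2", "203.0.113.10"))  # public address reaches the DNAT rule
    print(check_external_addresses(ifaces, {"eth2": "192.168.50.1", "eth1": "192.168.1.1"}))
```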