Administrateurs Xwaves.net
2003-Jun-30 06:01 UTC
[Shorewall-users] Big Problems with DNAT Redirection
Hi!
I have a big problem: I would like to redirect the HTTP & FTP requests from
the internet to an internal server on my local network. I have two interfaces on
my firewall: eth0 connected to the LAN and eth1 connected to the internet. I have
put in the rules described in the documentation, but it doesn't work! I
cannot access my web server from an external network! My server is connected
to another firewall in a DMZ zone, but if we are in the local area we have
full access and the firewall is transparent!
I have attached the output of the command shorewall status when the connection fails!
Sorry for my bad English :)!
Thank you for your help
Mathieu
-------------- next part --------------
Shorewall-1.4.5 Status at XfireM - lun jun 30 14:55:16 CEST 2003
Counters reset Mon Jun 30 14:55:10 CEST 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
9 500 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2 120 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 fw2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
8 552 fw2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (4 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0
192.168.0.255
0 0 DROP all -- * * 0.0.0.0/0
255.255.255.255
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
9 500 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
9 500 loc2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
2 120 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
2 120 net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2all (2 references)
pkts bytes target prot opt in out source destination
8 552 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain loc2all (2 references)
pkts bytes target prot opt in out source destination
9 500 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
2 120 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1
state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1
state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1
state NEW tcp dpt:21
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (5 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Jun 30 14:19:49 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.60
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=54626 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.61
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55319 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.24.158
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55320 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.60
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55320 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.61
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55320 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.24.158
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55320 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:19:51 all2all:REJECT:IN= OUT=eth1 SRC=80.218.36.107 DST=62.2.17.60
LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=55321 DF PROTO=UDP SPT=1025 DPT=53 LEN=52
Jun 30 14:24:14 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=50291
SEQ=256
Jun 30 14:24:15 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=50291
SEQ=512
Jun 30 14:26:36 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=36015 DF PROTO=TCP SPT=1116 DPT=80
WINDOW=5840 RES=0x00 SYN URGP=0
Jun 30 14:26:39 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=36016 DF PROTO=TCP SPT=1116 DPT=80
WINDOW=5840 RES=0x00 SYN URGP=0
Jun 30 14:27:13 net2all:ACCEPT:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=64640 DF PROTO=TCP SPT=1117 DPT=80
WINDOW=5840 RES=0x00 SYN URGP=0
Jun 30 14:29:43 net2all:ACCEPT:IN=eth1 OUT= SRC=61.172.83.100 DST=80.218.36.107
LEN=78 TOS=0x00 PREC=0x00 TTL=104 ID=63787 PROTO=UDP SPT=1025 DPT=137 LEN=58
Jun 30 14:31:53 net2all:ACCEPT:IN=eth1 OUT= SRC=212.174.23.90 DST=80.218.36.107
LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=42005 PROTO=UDP SPT=1026 DPT=137 LEN=58
Jun 30 14:32:14 net2all:ACCEPT:IN=eth1 OUT= SRC=195.142.131.117
DST=80.218.36.107 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=41516 PROTO=UDP SPT=1027
DPT=137 LEN=58
Jun 30 14:44:13 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=38730 PROTO=ICMP TYPE=8 CODE=0 ID=16375
SEQ=0
Jun 30 14:44:19 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=58852 PROTO=ICMP TYPE=8 CODE=0 ID=16375
SEQ=256
Jun 30 14:44:25 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=57600 PROTO=ICMP TYPE=8 CODE=0 ID=16375
SEQ=512
Jun 30 14:44:31 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=65292 PROTO=ICMP TYPE=8 CODE=0 ID=16375
SEQ=768
Jun 30 14:44:37 net2all:DROP:IN=eth1 OUT= SRC=80.218.36.166 DST=80.218.36.107
LEN=28 TOS=0x00 PREC=0x00 TTL=46 ID=58091 PROTO=ICMP TYPE=8 CODE=0 ID=16375
SEQ=1024
NAT Table
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 60 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
0 0 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80 to:192.168.0.1
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:443 to:192.168.0.1
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 to:192.168.0.1
Mangle Table
Chain PREROUTING (policy ACCEPT 12 packets, 680 bytes)
pkts bytes target prot opt in out source destination
12 680 pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 9 packets, 500 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 552 bytes)
pkts bytes target prot opt in out source destination
8 552 outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 11 packets, 732 bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
8 552 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
9 500 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
tcp 6 431995 ESTABLISHED src=192.168.0.150 dst=192.168.0.253 sport=2774
dport=22 src=192.168.0.253 dst=192.168.0.150 sport=22 dport=2774 [ASSURED] use=1
tcp 6 85 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1126 dport=80
[UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1126 use=1
tcp 6 431875 ESTABLISHED src=192.168.0.150 dst=192.168.0.253 sport=2787
dport=22 src=192.168.0.253 dst=192.168.0.150 sport=22 dport=2787 [ASSURED] use=1
udp 17 39 src=80.218.36.107 dst=62.2.17.61 sport=1029 dport=53
src=62.2.17.61 dst=80.218.36.107 sport=53 dport=1029 [ASSURED] use=1
tcp 6 119 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1127 dport=80
[UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1127 use=1
tcp 6 12 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1124 dport=80
[UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1124 use=1
udp 17 11 src=80.218.36.107 dst=62.2.28.73 sport=68 dport=67 src=62.2.28.73
dst=80.218.36.107 sport=67 dport=68 use=1
tcp 6 59 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1125 dport=80
[UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1125 use=1
tcp 6 431531 ESTABLISHED src=192.168.0.150 dst=192.168.0.253 sport=2704
dport=22 src=192.168.0.253 dst=192.168.0.150 sport=22 dport=2704 [ASSURED] use=1
On Mon, 2003-06-30 at 06:00, Administrateurs Xwaves.net wrote:
> Hi!
> I have a big problem: I would like to redirect the HTTP & FTP requests from the internet to an internal server on my local network. I have two interfaces on my firewall: eth0 connected to the LAN and eth1 connected to the internet. I have put in the rules described in the documentation, but it doesn't work! I cannot access my web server from an external network! My server is connected to another firewall in a DMZ zone, but if we are in the local area we have full access and the firewall is transparent!
> I have attached the output of the command shorewall status when the connection fails!
> Sorry for my bad English :)!

The default gateway for the servers MUST be set to the IP address of the internal interface on the Shorewall box in order for this to work.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
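The evidence for Tom's diagnosis is already in the status output: the SYN from 80.218.36.166 is DNATed to 192.168.0.1 and forwarded (the net2loc dpt:80 counter increments), yet every such conntrack entry sits in SYN_SENT [UNREPLIED]. The firewall never sees the server's SYN-ACK, which is what happens when the server's return path does not go back through the Shorewall box, so the reply cannot be un-DNATed. The script below is an added example, not part of the thread and not a Shorewall tool: it parses conntrack lines in the /proc/net/ip_conntrack layout shown above (the sample lines are copied from the post) and flags DNATed TCP flows stuck waiting for a reply. The function and field names are my own.

```python
"""Flag DNATed TCP connections whose reply never came back through the firewall.

Added example for the Shorewall thread above; not Shorewall code.
Assumes the /proc/net/ip_conntrack line layout shown in the status output:
  <proto> <num> <timeout> [<tcp state>] <orig tuple> [UNREPLIED] <reply tuple> ...
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample entries copied from the conntrack dump in the post (not constructed).
SAMPLE = """\
tcp 6 431995 ESTABLISHED src=192.168.0.150 dst=192.168.0.253 sport=2774 dport=22 src=192.168.0.253 dst=192.168.0.150 sport=22 dport=2774 [ASSURED] use=1
tcp 6 85 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1126 dport=80 [UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1126 use=1
udp 17 39 src=80.218.36.107 dst=62.2.17.61 sport=1029 dport=53 src=62.2.17.61 dst=80.218.36.107 sport=53 dport=1029 [ASSURED] use=1
tcp 6 119 SYN_SENT src=80.218.36.166 dst=80.218.36.107 sport=1127 dport=80 [UNREPLIED] src=192.168.0.1 dst=80.218.36.166 sport=80 dport=1127 use=1
"""

Tuple4 = Tuple[str, str, int, int]  # (src, dst, sport, dport)
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Flow:
    proto: str
    state: str        # TCP state column, "" for non-TCP
    unreplied: bool   # conntrack has not yet seen a packet in the reply direction
    orig: Tuple4      # tuple as sent by the client
    reply: Tuple4     # tuple conntrack expects on the return path

    @property
    def dnat(self) -> bool:
        # DNAT rewrites the destination, so the expected reply source differs
        # from the address the client originally connected to.
        return self.orig[1] != self.reply[0]


def parse_line(line: str) -> Optional[Flow]:
    fields = line.split()
    if len(fields) < 4:
        return None
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None  # malformed or truncated entry
    proto = fields[0]
    state = fields[3] if proto == "tcp" else ""
    to4 = lambda t: (t[0], t[1], int(t[2]), int(t[3]))
    return Flow(proto, state, "[UNREPLIED]" in line, to4(tuples[0]), to4(tuples[1]))


def parse_conntrack(text: str) -> List[Flow]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def stuck_dnat_flows(flows: List[Flow]) -> List[Flow]:
    """DNATed TCP flows still waiting for the server's SYN-ACK."""
    return [
        f for f in flows
        if f.proto == "tcp" and f.dnat and f.state == "SYN_SENT" and f.unreplied
    ]


def diagnose(text: str) -> dict:
    """Summarise stuck DNAT flows: count, internal targets and ports involved."""
    stuck = stuck_dnat_flows(parse_conntrack(text))
    return {
        "stuck": len(stuck),
        "targets": sorted({f.reply[0] for f in stuck}),
        "ports": sorted({f.orig[3] for f in stuck}),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE)
    print(report)
    if report["stuck"]:
        print("DNATed SYNs forwarded but never answered through this box.")
        print("Check that", ", ".join(report["targets"]),
              "use the firewall's internal interface as default gateway.")
```

Run it against a live box with `python3 script.py < /proc/net/ip_conntrack` after replacing SAMPLE with `sys.stdin.read()`; two or more stuck flows toward the same internal address is the asymmetric-routing signature, and the fix is the one Tom gives rather than any change to the DNAT rules themselves.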