I have an internal FTP server in the same zone as a workstation.
Both machines have an address in the 10.1.1.0/24 subnet (eth1). However,
the firewall is DNAT'ing external (eth0) FTP requests to the internal
FTP server. This is working just fine.
How bad of an idea is it to use the external DNS name of the FTP server
to access this FTP server from my workstation (which is really on the
same subnet)? I realize that split DNS would probably be better, but
in this case I would like the firewall to perform DNAT.
To do this, I have set up the appropriate "loc loc ACCEPT" policy, and
have the following rule:
DNAT loc loc:10.1.1.251 tcp ftp,ftp-data - 207.130.4.2
Here is the error of the rejection:
Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=10.1.1.2 DST=10.1.1.251 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=12019 DF PROTO=TCP SPT=46662 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Examining the tables, I see a loc2loc defined:
Chain loc2loc (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.252          state NEW tcp dpt:5900
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.251          state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.251          state NEW tcp dpt:20
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
But, as you can see, there are no references to this chain. The
packets are reaching the end of the FORWARD chain.
Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
11386 2198K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
11369 2197K loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   15   636 loc2adm    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
Am I missing a configuration that would insert a loc2loc into the
eth1_fwd chain, or is this something which is fundamentally a bad idea
to begin with, hence not included in shorewall's ability?
Thank you for your attention.
Cordially,
|nank
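The post above traces the rejected packet by hand through the `iptables -nvL` listing: it finds a chain with zero references and works out which rules in eth1_fwd can match an eth1-to-eth1 packet. The following script is an added example (not part of the original post and not Shorewall code) that does the same two checks mechanically. It parses chain listings in the `iptables -nvL` layout, reports user-defined chains nothing jumps to, and, for a given in/out interface pair, lists the rules in a chain that the interface columns do not exclude. The sample text is the two chains quoted above, reflowed to one rule per line; the function names are chosen for this example.

```python
import re
import sys

# Constructed sample: the two chains quoted in the post, in the single-line
# layout `iptables -nvL` prints (the list archive wrapped each rule).
SAMPLE = """\
Chain loc2loc (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.252          state NEW tcp dpt:5900
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.251          state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.1.251          state NEW tcp dpt:20
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
11386 2198K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
11369 2197K loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   15   636 loc2adm    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
"""

# "Chain NAME (N references)" for user chains,
# "Chain NAME (policy P ...)" for built-in chains such as FORWARD.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:(\d+) references|policy (\S+).*)\)$")


def parse_chains(text):
    """Parse `iptables -nvL` output into {chain: {references, policy, rules}}.

    Each rule keeps the nine fixed columns plus whatever match text follows
    the destination column (state, dpt:, flags, ...) as `extra`.
    Assumes every rule line has a target; target-less counting rules would
    shift the columns and are not handled here.
    """
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, refs, policy = m.groups()
            current = {"references": int(refs) if refs is not None else None,
                       "policy": policy, "rules": []}
            chains[name] = current
            continue
        if current is None or line.startswith("pkts"):
            continue  # text before the first chain, or the column header
        fields = line.split(None, 9)
        if len(fields) < 9:
            continue  # not a rule line
        pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = fields[:9]
        current["rules"].append({
            "pkts": pkts, "bytes": nbytes, "target": target, "prot": prot,
            "in": in_if, "out": out_if, "src": src, "dst": dst,
            "extra": fields[9].strip() if len(fields) > 9 else "",
        })
    return chains


def iface_matches(spec, iface):
    """iptables in/out column: '*' is any interface, '!ethX' negates, else exact."""
    if spec == "*":
        return True
    if spec.startswith("!"):
        return iface != spec[1:]
    return spec == iface


def unreferenced_chains(chains):
    """User-defined chains with zero references: nothing jumps to them, so
    no rule inside them can ever fire, whatever it says."""
    return sorted(n for n, c in chains.items() if c["references"] == 0)


def candidate_targets(chains, chain, in_if, out_if):
    """Targets in `chain`, in order, that a packet arriving on in_if and
    leaving on out_if is not excluded from by the interface columns alone.
    Other matches (proto, state, ports) are not evaluated, so this is an
    upper bound on what the packet can hit; an empty list means it falls
    off the end of the chain back to the caller."""
    return [r["target"] for r in chains[chain]["rules"]
            if iface_matches(r["in"], in_if) and iface_matches(r["out"], out_if)]


if __name__ == "__main__":
    # Usage: python3 chainpath.py            (runs on the embedded sample)
    #        iptables -nvL | python3 chainpath.py -
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    parsed = parse_chains(text)
    print("unreferenced chains:", unreferenced_chains(parsed))
    if "eth1_fwd" in parsed:
        print("eth1 -> eth1 in eth1_fwd can only reach:",
              candidate_targets(parsed, "eth1_fwd", "eth1", "eth1"))
```

On the sample this reports loc2loc as the only unreferenced chain and shows that an eth1-to-eth1 packet in eth1_fwd can reach nothing but the `dynamic` chain, since loc2net and loc2adm are restricted to `out eth0` and `out eth2`; the packet therefore returns to FORWARD and hits its final reject, which is the log line quoted in the post.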