David Corbin
2003-Oct-05 07:16 UTC
[Shorewall-users] Accessing public interface(dmz) from the inside
I have the basic 3 NIC firewall, with zones for loc, net, dmz and fw. Substantially the same as in the example. For the purposes of this problem, consider my IPs on the firewall to be net.machturtle.com, loc.machturtle.com, and dmz.machturtle.com. DMZ is a two-host network that has "public.machturtle.com" (192.168.37.151) at the other end of the wire from dmz.machturtle.com. I've been up and running fine for some time.

I've added a webserver to public.machturtle.com on 8080. The following rule gives the public access to this server by using the url http://net.machturtle.com:8080/

DNAT net dmz:192.168.37.151 tcp 8080

Works great.

I can access it using http://public.machturtle.com from systems on the local network. However, I cannot access it using "http://net.machturtle.com:8080/" from the local network. It times out. This is the problem I want to solve.

I tried adding:

DNAT loc dmz:192.168.3.151 tcp 8080

That did allow me to access it, but when I did that, ANY request on 8080 to any server from local was sent to the DMZ, even if it was to a host on the "outside".

Ideas?

David
-- 
David Corbin <dcorbin@machturtle.com>
Tom Eastep
2003-Oct-05 08:13 UTC
[Shorewall-users] Accessing public interface(dmz) from the inside
On Sun, 2003-10-05 at 07:16, David Corbin wrote:
> 
> I can access it using http://public.machturtle.com from systems on the local
> network. However, I cannot access it using "http://net.machturtle.com:8080/"
> from the local network. It times out. This is the problem I want to solve.
> 
> I tried adding:
> 
> DNAT loc dmz:192.168.3.151 tcp 8080
> 
> That did allow me to access it, but when I did that, ANY request on 8080 to
> any server from local was sent to the DMZ, even if it was to a host on the
> "outside".
> 
> Ideas?
> 

DNAT loc dmz:192.168.3.151 tcp 8080 - <ip of external if>

See the FAQs if your external interface has a dynamic IP address.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
David Corbin
2003-Oct-05 08:51 UTC
[Shorewall-users] Accessing public interface(dmz) from the inside
Because it is dynamic, I went and looked at the FAQ. I've opted for the DNS (/etc/hosts) solution. (I'd actually tried this, but it didn't work because I'd made a typo in the IP address.)

But, as I understand it, the dynamic solution won't work well *anyway*, because my IP frequently (well, occasionally) changes out from under me. I suppose I could monitor it (actually, it is monitored, after a fashion) and restart shorewall, but all I have to say to that is "ugh".

Isn't there a solution that would let the mapping be solely based on interface, and not IP?

David

On Sunday 05 October 2003 11:13, Tom Eastep wrote:
> On Sun, 2003-10-05 at 07:16, David Corbin wrote:
> > I can access it using http://public.machturtle.com from systems on the
> > local network. However, I cannot access it using
> > "http://net.machturtle.com:8080/" from the local network. It times out.
> > This is the problem I want to solve.
> > 
> > I tried adding:
> > 
> > DNAT loc dmz:192.168.3.151 tcp 8080
> > 
> > That did allow me to access it, but when I did that, ANY request on
> > 8080 to any server from local was sent to the DMZ, even if it was to a
> > host on the "outside".
> > 
> > Ideas?
> 
> DNAT loc dmz:192.168.3.151 tcp 8080 - <ip of external if>
> 
> See the FAQs if your external interface has a dynamic IP address.
> 
> -Tom
-- 
David Corbin <dcorbin@machturtle.com>
Tom Eastep
2003-Oct-05 09:42 UTC
[Shorewall-users] Accessing public interface(dmz) from the inside
On Sun, 2003-10-05 at 08:51, David Corbin wrote:
> Because it is dynamic, I went and looked at the FAQ. I've opted for the DNS
> (/etc/hosts) solution. (I'd actually tried this, but it didn't work
> because I'd made a typo in the IP address.)
> 
> But, as I understand it, the dynamic solution won't work well *anyway*,
> because my IP frequently (well, occasionally) changes out from under me. I
> suppose I could monitor it (actually, it is monitored, after a fashion) and
> restart shorewall, but all I have to say to that is "ugh".

It's what a lot of people do...

> Isn't there a
> solution that would let the mapping be solely based on interface, and not IP?
> 

So what you are asking me is if there is a better solution. If I knew a better solution, do you think that I would have wasted my free time on Sunday Morning answering your post only to describe an inferior approach?

Sometimes I wonder why I keep doing this.....

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
David Corbin
2003-Oct-05 10:49 UTC
[Shorewall-users] Accessing public interface(dmz) from the inside
On Sunday 05 October 2003 12:42, Tom Eastep wrote:
> > Isn't there a
> > solution that would let the mapping be solely based on interface, and not
> > IP?
> 
> So what you are asking me is if there is a better solution. If I knew a
> better solution, do you think that I would have wasted my free time on
> Sunday Morning answering your post only to describe an inferior
> approach?
> 
> Sometimes I wonder why I keep doing this.....
> 
> -Tom

OK. I earned that. What I meant was, doesn't the underlying system (iptables) allow the direct reference of interfaces? When I read the FAQ, because I seem to remember that iptables does allow that, I assumed we're dealing with a limitation of shorewall itself. So, the question is:

Is iptables the limiting factor, or shorewall?
-- 
David Corbin <dcorbin@machturtle.com>
Tom Eastep
2003-Oct-05 13:56 UTC
[Shorewall-users] Accessing public interface(dmz) from the inside
On Sun, 5 Oct 2003, David Corbin wrote:
> OK. I earned that. What I meant was, doesn't the underlying system
> (iptables) allow the direct reference of interfaces? When I read the FAQ,
> because I seem to remember that iptables does allow that, I assumed we're
> dealing with a limitation of shorewall itself. So, the question is:
> 
> Is iptables the limiting factor, or shorewall?

David -- think about the problem. You are trying to access a host by FQDN. An FQDN is a user-friendly name for one or more *IP ADDRESSES*. Therefore, to redirect an FQDN *and only that FQDN* requires that you redirect only the IP addresses associated with that FQDN. Consequently there can be no solution that doesn't involve IP addresses.

The other solution of course is to use Bind 9 views or multiple DNS servers so that the FQDN resolves differently from remote and local clients; although I favor that approach (as stated in multiple places in the documentation), most people blanch at the suggestion.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
David Corbin
2003-Oct-05 14:16 UTC
[Shorewall-users] Accessing public interface(dmz) from the inside
On Sunday 05 October 2003 16:56, Tom Eastep wrote:
> On Sun, 5 Oct 2003, David Corbin wrote:
> > OK. I earned that. What I meant was, doesn't the underlying system
> > (iptables) allow the direct reference of interfaces? When I read the
> > FAQ, because I seem to remember that iptables does allow that, I assumed
> > we're dealing with a limitation of shorewall itself. So, the question
> > is:
> > 
> > Is iptables the limiting factor, or shorewall?
> 
> David -- think about the problem. You are trying to access a host by FQDN.
> An FQDN is a user-friendly name for one or more *IP ADDRESSES*. Therefore,
> to redirect an FQDN *and only that FQDN* requires that you redirect only
> the IP addresses associated with that FQDN. Consequently there can be no
> solution that doesn't involve IP addresses.
> 

I have thought about the problem, and I'm suggesting that the firewall rules might still be based on interface rather than on IP address. Maybe my case is different from others, because I only have one public IP, and all redirection from that IP (DNATing) is to the same single box. As long as "something else" assures that the FQDN maps to the IP address of the interface, I'd be good to go. Since "something else (ddclient + zoneedit)" already IS doing that, it's just a question of whether the firewall HAS to be based on IP, or could be based on interface.

> The other solution of course is to use Bind 9 views or multiple DNS
> servers so that the FQDN resolves differently from remote and local
> clients; although I favor that approach (as stated in multiple places in the
> documentation), most people blanch at the suggestion.

And it is what I'm doing now. It's just a question of whether a better solution is possible. (i.e. can shorewall be made into a better product, that can handle dynamic IP mapping like this without two DNS configurations?)
-- 
David Corbin <dcorbin@machturtle.com>
Tom Eastep
2003-Oct-05 14:22 UTC
[Shorewall-users] Accessing public interface(dmz) from the inside
On Sun, 5 Oct 2003, David Corbin wrote:
> And it is what I'm doing now. It's just a question of whether a better solution is
> possible. (i.e. can shorewall be made into a better product, that can handle
> dynamic IP mapping like this without two DNS configurations?)

What you are asking is for special treatment of packets arriving on the local interface that are addressed to the external interface. There is no provision in iptables for matching the original destination IP address to a particular firewall interface. The only matches available are on the incoming or outgoing interface (and in some contexts, only one or the other may be used).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
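The narrowed rule from Tom's first reply (the ORIGINAL DEST column restricting the loc-to-dmz DNAT to packets addressed to the external IP) and the "read the current address and restart shorewall" approach the thread settles on, as an added POSIX shell example that is not code from the thread or from the Shorewall project. It assumes iproute2's `ip` command is available to read the external interface's address; the interface name eth0, the address 203.0.113.10 and the `ip -o` output line it parses are constructed sample values, and the rules-file column layout (`-` for SOURCE PORT(S), then ORIGINAL DEST) follows the line Tom gives above. It also includes the check the thread motivates: a `DNAT loc ...` rule with no ORIGINAL DEST column matches every outbound tcp/8080 connection from loc, which is exactly the symptom David reported.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall itself.
# Generates the loc -> dmz DNAT rule with an ORIGINAL DEST column so that only
# traffic addressed to the firewall's external IP is redirected, taking that IP
# from the interface at run time (for a dynamic address, rerun this before
# "shorewall restart").

# Pull the first IPv4 address out of `ip -4 -o addr show dev <if>` output on stdin.
# The one-line (-o) form looks like:
#   2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
ext_ip_from_ip_output() {
    sed -n 's/.*inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# True if $1 is a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit one /etc/shorewall/rules line:
#   ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
# $1 = DMZ host, $2 = TCP port, $3 = external IP (the ORIGINAL DEST column).
dnat_rule() {
    printf 'DNAT loc dmz:%s tcp %s - %s\n' "$1" "$2" "$3"
}

# True if a DNAT rule line has no ORIGINAL DEST column (fewer than 7 fields).
# Such a rule matches every tcp/<port> connection from loc, not only those
# addressed to the external IP, which is the behaviour David described.
rule_is_overbroad() {
    set -- $1
    [ "$1" = "DNAT" ] && [ $# -lt 7 ]
}

# Build the rule for a live interface.
# $1 = external interface, $2 = DMZ host, $3 = TCP port.
rule_for_interface() {
    addr=$(ip -4 -o addr show dev "$1" 2>/dev/null | ext_ip_from_ip_output)
    if ! is_ipv4 "$addr"; then
        echo "no IPv4 address found on $1" >&2
        return 1
    fi
    dnat_rule "$2" "$3" "$addr"
}

# Demo on a constructed `ip` output line rather than a real interface.
SAMPLE_IP_OUTPUT='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0'
ext=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | ext_ip_from_ip_output)
echo "broad rule (redirects all of loc's tcp/8080): DNAT loc dmz:192.168.3.151 tcp 8080"
echo "narrowed rule:                                $(dnat_rule 192.168.3.151 8080 "$ext")"
```

On a real firewall you would call `rule_for_interface eth0 192.168.3.151 8080 >> /etc/shorewall/rules` (with the interface name swapped for your own) from whatever already watches the address for changes, then restart shorewall; the `is_ipv4` check stops an empty or malformed address from producing a rule with a missing ORIGINAL DEST, which would silently fall back to the overbroad behaviour.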