Hello,

I have the rule:

DNAT net:1.2.3.4 net:2.3.4.5 tcp 119 - all

When I tried to 'telnet shorewall_host 119' from 1.2.3.4, I got

Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 ...

Then I added routeback to the interfaces file:

net eth0 - routeback

and now telnet times out. Nothing in the log. I can 'telnet 2.3.4.5 119' successfully from the firewall itself.

Any ideas? Shorewall 1.4.2.

Regards,
Nerijus
On Thu, 2003-10-23 at 11:35, Nerijus Baliunas wrote:

> Hello,
>
> I have the rule:
>
> DNAT net:1.2.3.4 net:2.3.4.5 tcp 119 - all
>
> When I tried to 'telnet shorewall_host 119' from 1.2.3.4,
> I got
> Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 ...
>
> Then I added routeback to the interfaces file:
> net eth0 - routeback
> and now telnet times out. Nothing in the log. I can
> 'telnet 2.3.4.5 119' successfully from the firewall itself.
>
> Any ideas?

My first suggestion is to not do such silliness.

What is happening is that 1.2.3.4 connects to the IP address of your firewall (let's say 5.6.7.8). Your firewall is redirecting the request to 2.3.4.5, who is sending its response to 1.2.3.4. This response of course does not go through your firewall, so when 1.2.3.4 gets it, the response still has a source IP address of 2.3.4.5. Since 1.2.3.4 thinks it is talking to 5.6.7.8, it discards the response from 2.3.4.5.

You can "fix" this by changing your rule to:

DNAT net:1.2.3.4 net:2.3.4.5 tcp 119 - all:5.6.7.8

This makes all of the requests forwarded to 2.3.4.5 look like they came from 5.6.7.8. Now 2.3.4.5 will send its response to 5.6.7.8, who will rewrite the source IP to 5.6.7.8 before sending it on to 1.2.3.4.

The downside of this "fix" is that 2.3.4.5 doesn't know the actual client address but rather thinks that all of the forwarded connections are coming directly from 5.6.7.8.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
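The asymmetric-path problem Tom describes above, modelled as a small stateful-NAT simulation. This is an added illustration, not Shorewall code or anything from the list; the three addresses are the ones used in the thread, and the conntrack model is a deliberately simplified assumption (one connection, no ports, no timeouts).

```python
"""Constructed model of hairpin DNAT on a single interface (net -> net).

Without SNAT the server's reply goes straight back to the client on the same
segment, bypassing the firewall (hence nothing in its log) and arriving with
the server's address as source, so the client discards it.  With SNAT to the
firewall's own address the reply returns through the firewall, which reverses
both translations.
"""
from dataclasses import dataclass

CLIENT, FIREWALL, SERVER = "1.2.3.4", "5.6.7.8", "2.3.4.5"  # addresses from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """Minimal stateful NAT box: DNAT the request to SERVER, optionally SNAT it to itself."""

    def __init__(self, snat: bool):
        self.snat = snat
        self.conntrack = {}  # (expected reply src, expected reply dst) -> original request

    def forward_request(self, pkt: Packet) -> Packet:
        out = Packet(FIREWALL if self.snat else pkt.src, SERVER)  # the 'all:5.6.7.8' part
        self.conntrack[(out.dst, out.src)] = pkt  # remember how to un-NAT the reply
        return out

    def forward_reply(self, pkt: Packet):
        orig = self.conntrack.get((pkt.src, pkt.dst))
        if orig is None:
            return None  # no matching connection: a 'net all DROP' policy discards it
        return Packet(orig.dst, orig.src)  # reply now carries the address the client dialled


def server_reply(request: Packet) -> Packet:
    return Packet(request.dst, request.src)


def client_accepts(reply) -> bool:
    # The client opened a connection to FIREWALL, so only a reply from FIREWALL is valid.
    return reply is not None and reply.src == FIREWALL


def run(snat: bool) -> bool:
    fw = Firewall(snat)
    reply = server_reply(fw.forward_request(Packet(CLIENT, FIREWALL)))
    if reply.dst == FIREWALL:
        reply = fw.forward_reply(reply)  # reply comes back through the firewall
    # otherwise SERVER delivers it straight to CLIENT on the same segment: firewall never sees it
    return client_accepts(reply)
```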
On Thu, 23 Oct 2003 12:28:50 -0700 Tom Eastep <teastep@shorewall.net> wrote:

> DNAT net:1.2.3.4 net:2.3.4.5 tcp 119 - all:5.6.7.8

I already noticed that :5.6.7.8 should probably help, and I tried it now - it works, thanks. Sorry that I didn't notice it earlier and asked a stupid question.

> This makes all of the requests forwarded to 2.3.4.5 look like they came
> from 5.6.7.8. Now 2.3.4.5 will send its response to 5.6.7.8, who will
> rewrite the source IP to 5.6.7.8 before sending it on to 1.2.3.4.
>
> The downside of this "fix" is that 2.3.4.5 doesn't know the actual
> client address but rather thinks that all of the forwarded connections
> are coming directly from 5.6.7.8.

Well, this "fix" is what I need actually - my ISP does not have an NNTP server currently, and I am using another host and its NNTP server, which allows connections from 5.6.7.8, but not from 1.2.3.4.

BTW, is it dangerous to enable routeback? Should I rather use some user space port redirector for this purpose?

Regards,
Nerijus
On Thu, 2003-10-23 at 12:54, Nerijus Baliunas wrote:

> Well, this "fix" is what I need actually - my ISP does not have an NNTP
> server currently, and I am using another host and its NNTP server,
> which allows connections from 5.6.7.8, but not from 1.2.3.4.
>
> BTW, is it dangerous to enable routeback? Should I rather use some
> user space port redirector for this purpose?

You might want to add a 'net net DROP' policy. That way, the only net->net traffic through your firewall will be what you allow by rules.

-Tom
On Thu, 23 Oct 2003 13:00:16 -0700 Tom Eastep <teastep@shorewall.net> wrote:

> > BTW, is it dangerous to enable routeback? Should I rather use some
> > user space port redirector for this purpose?
>
> You might want to add a 'net net DROP' policy. That way, the only
> net->net traffic through your firewall will be what you allow by rules.

I have the policy

net all DROP

Is it enough?

Regards,
Nerijus
On Thu, 2003-10-23 at 13:18, Nerijus Baliunas wrote:

> On Thu, 23 Oct 2003 13:00:16 -0700 Tom Eastep <teastep@shorewall.net> wrote:
>
> > > BTW, is it dangerous to enable routeback? Should I rather use some
> > > user space port redirector for this purpose?
> >
> > You might want to add a 'net net DROP' policy. That way, the only
> > net->net traffic through your firewall will be what you allow by rules.
>
> I have the policy
> net all DROP
> Is it enough?

Yes.

-Tom