Eduardo Ferreira
2004-May-28 15:02 UTC
is it possible to use DNAT only to change the destination port?
Hi all,

I couldn't find a way to use DNAT as a target in the rules file to generate a rule like the following in the nat table:

iptables -t nat -I eth2_in -s 192.168.230.121 -d 10.1.16.23 -p tcp --dport 57822 -j DNAT --to-destination 10.1.16.23:22

Chain eth2_in (1 references)
 pkts bytes target  prot opt in   out  source            destination
    0     0 DNAT    tcp  --  *    *    192.168.230.121   10.1.16.23   tcp dpt:57822 to:10.1.16.23:22

Did I miss anything?

I'm using (in this box) Shorewall 2.0.2c (I try to keep myself up-to-date, but this is nearly impossible with Shorewall - and I'm not complaining, I swear! ;-) and kernel 2.4.21.

TIA

/out-to-lunch - back in 1 hour...

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Tom Eastep
2004-May-28 15:09 UTC
Re: is it possible to use DNAT only to change the destination port?
Eduardo Ferreira wrote:
> Hi all,
>
> I couldn't find a way to use DNAT as a target in the rules file to
> generate a rule like the following in the nat table:
>
> iptables -t nat -I eth2_in -s 192.168.230.121 -d 10.1.16.23 -p tcp --dport
> 57822 -j DNAT --to-destination 10.1.16.23:22
>
> Chain eth2_in (1 references)
>  pkts bytes target  prot opt in   out  source            destination
>     0     0 DNAT    tcp  --  *    *    192.168.230.121   10.1.16.23   tcp dpt:57822 to:10.1.16.23:22
>
> did I miss anything?

DNAT <src>:192.168.230.121 <dst>:10.1.16.23:22 tcp 57822 \
     - 10.1.16.23

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Eduardo Ferreira
2004-May-28 16:25 UTC
Re: is it possible to use DNAT only to change the destination port?
Tom Eastep wrote on 28/05/2004 12:09:30:
> Eduardo Ferreira wrote:
[... snip ...]
>> iptables -t nat -I eth2_in -s 192.168.230.121 -d 10.1.16.23 -p tcp --dport
>> 57822 -j DNAT --to-destination 10.1.16.23:22
>
> DNAT <src>:192.168.230.121 <dst>:10.1.16.23:22 tcp 57822 \
>      - 10.1.16.23
>
> -Tom

duh, I knew I was missing something.

But the problem remains because, once the PREROUTING chain in the nat table is checked before the FORWARD chain in the filter table, traffic is allowed no matter if you use port tcp/22 or tcp/57822 - any way out? Mark packets in the mangle table? Is the PREROUTING chain in mangle checked before nat PREROUTING?

tks,

Eduardo Ferreira
Greg Norris
2004-May-28 16:45 UTC
Re: is it possible to use DNAT only to change the destination port?
On Fri, May 28, 2004 at 12:02:38PM -0300, Eduardo Ferreira wrote:
> Hi all,
>
> I couldn't find a way to use DNAT as a target in the rules file to
> generate a rule like the following in the nat table:
>
> iptables -t nat -I eth2_in -s 192.168.230.121 -d 10.1.16.23 -p tcp --dport
> 57822 -j DNAT --to-destination 10.1.16.23:22

Here's what I'm using for a similar port redirection.

DNAT net fw:192.168.0.1:22 tcp 443 - - 4/min:8
Tom Eastep
2004-May-28 16:45 UTC
Re: is it possible to use DNAT only to change the destination port?
Eduardo Ferreira wrote:
> Tom Eastep wrote on 28/05/2004 12:09:30:
>> Eduardo Ferreira wrote:
> [... snip ...]
>>> iptables -t nat -I eth2_in -s 192.168.230.121 -d 10.1.16.23 -p tcp --dport
>>> 57822 -j DNAT --to-destination 10.1.16.23:22
>>
>> DNAT <src>:192.168.230.121 <dst>:10.1.16.23:22 tcp 57822 \
>>      - 10.1.16.23
>>
>> -Tom
>
> duh, I knew I was missing something.
>
> But the problem remains because, once the PREROUTING chain in the nat table is
> checked before the FORWARD chain in the filter table, traffic is allowed no
> matter if you use port tcp/22 or tcp/57822 - any way out? Mark packets in the
> mangle table? Is the PREROUTING chain in mangle checked before nat PREROUTING?

You're on your own.... see http://shorewall.net/NetfilterOverview.html

-Tom
Tom Eastep
2004-May-28 16:49 UTC
Re: is it possible to use DNAT only to change the destination port?
Tom Eastep wrote:
> Eduardo Ferreira wrote:
>> Tom Eastep wrote on 28/05/2004 12:09:30:
>>> Eduardo Ferreira wrote:
>> [... snip ...]
>>>> iptables -t nat -I eth2_in -s 192.168.230.121 -d 10.1.16.23 -p tcp --dport
>>>> 57822 -j DNAT --to-destination 10.1.16.23:22
>>>
>>> DNAT <src>:192.168.230.121 <dst>:10.1.16.23:22 tcp 57822 \
>>>      - 10.1.16.23
>>> -Tom
>>
>> duh, I knew I was missing something.
>>
>> But the problem remains because, once the PREROUTING chain in the nat
>> table is checked before the FORWARD chain in the filter table, traffic is
>> allowed no matter if you use port tcp/22 or tcp/57822 - any way out? Mark
>> packets in the mangle table? Is the PREROUTING chain in mangle checked
>> before nat PREROUTING?
>
> You're on your own.... see http://shorewall.net/NetfilterOverview.html

While iptables provides a way to check the original destination in the FORWARD rule, it doesn't provide a way to check the original port. Hence, there's nothing that I can do in Shorewall to automate this for you.

-Tom
Eduardo Ferreira
2004-May-28 17:08 UTC
Re: is it possible to use DNAT only to change the destination port?
Tom Eastep wrote on 28/05/2004 13:49:11:
> Tom Eastep wrote:
>> Eduardo Ferreira wrote:
>>> Tom Eastep wrote on 28/05/2004 12:09:30:
>>>> Eduardo Ferreira wrote:
>>> [... snip ...]
>>>>> iptables -t nat -I eth2_in -s 192.168.230.121 -d 10.1.16.23 \
>>>>>   -p tcp --dport 57822 -j DNAT --to-destination 10.1.16.23:22
>>>>
>>>> DNAT <src>:192.168.230.121 <dst>:10.1.16.23:22 tcp 57822 \
>>>>      - 10.1.16.23
>>>> -Tom
>>>
>>> [... snip ...]
>>> - any way out? Mark packets in the mangle
>>> table? Is the PREROUTING chain in mangle checked before nat PREROUTING?
>
> While iptables provides a way to check the original destination in the
> FORWARD rule, it doesn't provide a way to check the original port.
> Hence, there's nothing that I can do in Shorewall to automate this for you.

I was able to mark packets in mangle's PREROUTING chain for packets with the original port (tcp/57822), and later I could use an ACCEPT rule in the vpn2loc chain to accept tcp/22 packets only if they were marked. [Hence, mangle's PREROUTING is checked before nat's PREROUTING.]

In Shorewall, I changed the DNAT to a DNAT- rule and included the mark rule in the tcrules file. Is there a way to code this ACCEPT rule in Shorewall:

iptables -I vpn2loc -p tcp --dport 22 -m mark --mark 0x33 -j ACCEPT

other than using the good old start script?

tks,

Eduardo Ferreira
Tom Eastep
2004-May-28 17:12 UTC
Re: is it possible to use DNAT only to change the destination port?
Eduardo Ferreira wrote:
> Tom Eastep wrote on 28/05/2004 13:49:11:
>> Tom Eastep wrote:
>>> Eduardo Ferreira wrote:
>>>> Tom Eastep wrote on 28/05/2004 12:09:30:
>>>>> Eduardo Ferreira wrote:
>>>> [... snip ...]
>>>>>> iptables -t nat -I eth2_in -s 192.168.230.121 -d 10.1.16.23 \
>>>>>>   -p tcp --dport 57822 -j DNAT --to-destination 10.1.16.23:22
>>>>>
>>>>> DNAT <src>:192.168.230.121 <dst>:10.1.16.23:22 tcp 57822 \
>>>>>      - 10.1.16.23
>>>>> -Tom
>>>>
>>>> [... snip ...]
>>>> - any way out? Mark packets in the mangle
>>>> table? Is the PREROUTING chain in mangle checked before nat PREROUTING?
>>
>> While iptables provides a way to check the original destination in the
>> FORWARD rule, it doesn't provide a way to check the original port.
>> Hence, there's nothing that I can do in Shorewall to automate this for you.
>
> I was able to mark packets in mangle's PREROUTING chain for packets with
> the original port (tcp/57822), and later I could use an ACCEPT rule in the
> vpn2loc chain to accept tcp/22 packets only if they were marked. [Hence,
> mangle's PREROUTING is checked before nat's PREROUTING.]
>
> In Shorewall, I changed the DNAT to a DNAT- rule and included the mark
> rule in the tcrules file. Is there a way to code this ACCEPT rule in Shorewall:
>
> iptables -I vpn2loc -p tcp --dport 22 -m mark --mark 0x33 -j ACCEPT
>
> other than using the good old start script?

You could place it in /etc/shorewall/vpn2loc and use -A rather than -I

-Tom
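As an added illustration (not code from the thread, from Shorewall or from iptables), a small Python model of the hook order the two messages above rely on: the mark is set in mangle PREROUTING while the original port is still visible, the DNAT- rule rewrites the port, and the vpn2loc ACCEPT then matches on the mark rather than on a port it can no longer see. Hosts, ports and the 0x33 mark are the values from the messages; the packets are constructed.

```python
# Toy model of the netfilter traversal order for a forwarded packet:
# mangle PREROUTING -> nat PREROUTING -> filter FORWARD (Shorewall's vpn2loc chain).
# Added example, not Shorewall or iptables code. Values are taken from the thread;
# the Packet objects are constructed test input.
from dataclasses import dataclass

VPN_HOST = "192.168.230.121"
SSH_HOST = "10.1.16.23"
ODD_PORT = 57822        # port the VPN host is told to connect to
REAL_PORT = 22          # port sshd actually listens on
MARK = 0x33             # mark set in tcrules for the original port


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    mark: int = 0


def mangle_prerouting(pkt: Packet) -> None:
    # tcrules entry: mark tcp/57822 from the VPN host while the original port is visible
    if pkt.src == VPN_HOST and pkt.dst == SSH_HOST and pkt.dport == ODD_PORT:
        pkt.mark = MARK


def nat_prerouting(pkt: Packet) -> None:
    # DNAT- rule: rewrite only the destination port; no filter ACCEPT is generated
    if pkt.src == VPN_HOST and pkt.dst == SSH_HOST and pkt.dport == ODD_PORT:
        pkt.dport = REAL_PORT


def filter_forward(pkt: Packet, require_mark: bool) -> str:
    # vpn2loc chain: FORWARD only ever sees dport 22, so without the mark a
    # plain "tcp 22" ACCEPT also admits connections sent straight to port 22
    if pkt.dst == SSH_HOST and pkt.dport == REAL_PORT:
        if not require_mark or pkt.mark == MARK:
            return "ACCEPT"
    return "DROP"


def forward(pkt: Packet, require_mark: bool = True) -> str:
    """Run one forwarded packet through the three hooks in kernel order."""
    mangle_prerouting(pkt)
    nat_prerouting(pkt)
    return filter_forward(pkt, require_mark)
```

With `require_mark=False` the model reproduces the leak Eduardo noticed: a connection sent directly to tcp/22 is accepted alongside the redirected one.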
Eduardo Ferreira
2004-May-28 17:28 UTC
Re: is it possible to use DNAT only to change the destination port?
Tom Eastep wrote on 28/05/2004 14:12:46:
> Eduardo Ferreira wrote:
>> Tom Eastep wrote on 28/05/2004 13:49:11:
>>> Tom Eastep wrote:
>>>> Eduardo Ferreira wrote:
>>>>> Tom Eastep wrote on 28/05/2004 12:09:30:
>>>>>> Eduardo Ferreira wrote:
>>>>> [... snip ...]
>>
>> In Shorewall, I changed the DNAT to a DNAT- rule and included the mark
>> rule in the tcrules file. Is there a way to code this ACCEPT rule in Shorewall:
>>
>> iptables -I vpn2loc -p tcp --dport 22 -m mark --mark 0x33 -j ACCEPT
>>
>> other than using the good old start script?
>
> You could place it in /etc/shorewall/vpn2loc and use -A rather than -I

Thanks, Tom. If it wasn't so early, I could call it a day ;)

/Any plans of making this a feature? Is it asking too much?

Eduardo Ferreira
Tom Eastep
2004-May-28 17:33 UTC
Re: is it possible to use DNAT only to change the destination port?
Eduardo Ferreira wrote:
> Tom Eastep wrote on 28/05/2004 14:12:46:
>> Eduardo Ferreira wrote:
>>> Tom Eastep wrote on 28/05/2004 13:49:11:
>>>> Tom Eastep wrote:
>>>>> Eduardo Ferreira wrote:
>>>>>> Tom Eastep wrote on 28/05/2004 12:09:30:
>>>>>>> Eduardo Ferreira wrote:
>>>>>> [... snip ...]
>>>
>>> In Shorewall, I changed the DNAT to a DNAT- rule and included the mark
>>> rule in the tcrules file. Is there a way to code this ACCEPT rule in Shorewall:
>>>
>>> iptables -I vpn2loc -p tcp --dport 22 -m mark --mark 0x33 -j ACCEPT
>>>
>>> other than using the good old start script?
>>
>> You could place it in /etc/shorewall/vpn2loc and use -A rather than -I
>
> Thanks, Tom. If it wasn't so early, I could call it a day ;)
>
> /Any plans of making this a feature? Is it asking too much?

Shorewall can't use MARK internally -- that would interfere with the tcrules file.

-Tom