I have a Debian woody machine acting as a firewall for a small network. I am trying to do a simple DNAT to port 80 on the protected webserver and masquerade all traffic from the protected subnet outbound. After having read the FAQ and various posts regarding problems with DNAT, I'm afraid I'm no closer to a solution. Based on the output from "shorewall show nat" I believe that my masq rules are completely wrong (although I believe they are correct based on examples and everything I've read), and I'm led to believe that my DNAT rules are working. However, a tcpdump of the affected interfaces shows the traffic coming into the appropriate card, but never traversing the firewall. I apologize in advance if I've missed something obvious or dumb and I appreciate any insight you folks can provide.

gateway:/etc/shorewall# cat masq
#INTERFACE      SUBNET            ADDRESS    PROTO   PORT(S)
eth0            192.168.25.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

gateway:/etc/shorewall# cat rules
#ACTION  SOURCE  DEST              PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
#                                         PORT   PORT(S)  DEST      LIMIT  GROUP
ACCEPT   net     fw                tcp    22
DNAT     net     loc:192.168.25.2  tcp    80
ACCEPT   net     fw                tcp    25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

gateway:/etc/shorewall# cat policy
#SOURCE  DEST  POLICY  LOG    LIMIT:BURST
#                      LEVEL
loc      net   ACCEPT
net      all   DROP    info
fw       all   ACCEPT  info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all      all   REJECT  info
#LAST LINE -- DO NOT REMOVE

gateway:/etc/shorewall# shorewall show nat
Shorewall-2.0.3a NAT at gateway - Wed Sep 29 12:19:43 CDT 2004

Counters reset Wed Sep 29 11:56:40 CDT 2004

Chain PREROUTING (policy ACCEPT 1197 packets, 100K bytes)
 pkts bytes target     prot opt in     out     source               destination
  658 54981 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 24 packets, 1862 bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  1682 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 24 packets, 1862 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       192.168.25.0/24      0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   144 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.25.2
Gary Buckmaster wrote:
> I apologize in advance if I've missed something obvious or dumb and I
> appreciate any insight you folks can provide.

Possibly you should review the instructions for submitting a problem report (http://shorewall.net/support.htm) -- you haven't provided us with some of the detail we need to really analyze the problem.

> gateway:/etc/shorewall# cat masq
> #INTERFACE SUBNET ADDRESS PROTO PORT(S)
> eth0 192.168.25.0/24
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> gateway:/etc/shorewall# cat rules
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
> # PORT PORT(S) DEST LIMIT GROUP
> ACCEPT net fw tcp 22
> DNAT net loc:192.168.25.2 tcp 80
> ACCEPT net fw tcp 25
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> gateway:/etc/shorewall# cat policy
> #SOURCE DEST POLICY LOG LIMIT:BURST
> # LEVEL
> loc net ACCEPT
> net all DROP info
> fw all ACCEPT info
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> all all REJECT info
> #LAST LINE -- DO NOT REMOVE
>
> gateway:/etc/shorewall# shorewall show nat
> Shorewall-2.0.3a NAT at gateway - Wed Sep 29 12:19:43 CDT 2004
<output deleted>

Assuming that your web server's IP address is 192.168.25.2 and that your local network is 192.168.25.0/24 and that eth0 is your external interface, I see nothing wrong with the "shorewall show nat" output.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Gary Buckmaster
2004-Sep-30 00:39 UTC
Re: DNAT + Masq Problem - Yes I read the FAQ I promise
Hi Tom,

I'm sorry for my incomplete post. Your summary of my network topology is correct, which is why I don't understand why DNAT and Masq are not functioning. As requested:

gateway:/# shorewall version
2.0.3a

gateway:/# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:07:95:eb:64:9c brd ff:ff:ff:ff:ff:ff
    inet 64.207.228.181/26 brd 64.207.228.191 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:7d:da:a1:bd brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.1/24 brd 192.168.25.255 scope global eth1

gateway:/# ip route show
64.207.228.128/26 dev eth0  proto kernel  scope link  src 64.207.228.181
192.168.25.0/24 dev eth1  proto kernel  scope link  src 192.168.25.1
default via 64.207.228.129 dev eth0
Gary Buckmaster wrote:
> Hi Tom,
>
> I'm sorry for my incomplete post. Your summary of my network topology
> is correct which is why I don't understand why DNAT and Masq are not
> functioning. As requested:

If neither are working, the only explanation that I can think of is that your local systems have the wrong default gateway or you haven't set IP_FORWARDING=On in shorewall.conf (the Debian default is IP_FORWARDING=On and the two- and three-interface QuickStart guides include a note for Debian users to change that).

If that's not it, I hope someone else is willing to help you because I'm getting out of the Shorewall support business.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Gary Buckmaster wrote:
>
>>> Hi Tom,
>>>
>>> I'm sorry for my incomplete post. Your summary of my network topology
>>> is correct which is why I don't understand why DNAT and Masq are not
>>> functioning. As requested:
>
> If neither are working, the only explanation that I can think of is
> that your local systems have the wrong default gateway or you haven't
> set IP_FORWARDING=On in shorewall.conf (the Debian default is
> IP_FORWARDING=On

The Debian default is IP_FORWARDING=Keep

Sorry for the confusion,

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Make sure that for IP 192.168.25.2, its default gateway is set to 192.168.25.1 (fw).

On Wed, 29 Sep 2004 17:55:09 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> Gary Buckmaster wrote:
> > Hi Tom,
> >
> > I'm sorry for my incomplete post. Your summary of my network topology
> > is correct which is why I don't understand why DNAT and Masq are not
> > functioning. As requested:
>
> If neither are working, the only explanation that I can think of is
> that your local systems have the wrong default gateway or you haven't
> set IP_FORWARDING=On in shorewall.conf (the Debian default is
> IP_FORWARDING=On and the two- and three-interface QuickStart guides
> include a note for Debian users to change that).
>
> If that's not it, I hope someone else is willing to help you because I'm
> getting out of the Shorewall support business.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Gary Buckmaster
2004-Sep-30 03:07 UTC
Re: DNAT + Masq Problem - Yes I read the FAQ I promise
Tom,

I'm afraid that right now, I feel pretty foolish.

> If neither are working, the only explanation that I can think of is
> that your local systems have the wrong default gateway or you haven't
> set IP_FORWARDING=On in shorewall.conf (the Debian default is
> IP_FORWARDING=On and the two- and three-interface QuickStart guides
> include a note for Debian users to change that).

IP_FORWARDING was set to "keep" as you said. This turned out to solve the problem.

> If that's not it, I hope someone else is willing to help you because I'm
> getting out of the Shorewall support business.

I greatly appreciate your willingness to help. I apologize if my issue caused excess frustration. I hope that you will reconsider your decision regarding supporting the project you're clearly working so hard on. Having one or two people who are patient and willing to help others with their issues is easily one of the best ways to grow a user community.

Once again, thank you for your help.

Best,
Gary
My firewall is also performing mail proxying for the protected subnet(s). Is it possible to specify in the Masq rulesets to not masquerade connections bound for specific ports? If I want to force outbound connections to speak to the firewall's port 25, is that to be done via Masq or am I doing things incorrectly?

-Gary
Gary Buckmaster wrote:
> My firewall is also performing mail proxying for the protected
> subnet(s). Is it possible to specify in the Masq rulesets to not
> masquerade connections bound for specific ports? If I want to force
> outbound connections to speak to the firewall's port 25, is that to be
> done via Masq or am I doing things incorrectly?

You don't need any address rewriting for that. You will have two separate connections:

loc->fw
fw->net

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hi again Tom,

I'm sorry if I don't understand what you mean. My setup requires almost all outbound traffic (from 192.168.25.0/24 to the internet and beyond) to be masqueraded, *except* I will want to have any connections from my protected MTA to be made directly to the firewall on port 25. This is because I have postfix on the firewall in relay mode and it's filtering virii and spam. On the exterior NIC it isn't a problem, but on the internal NIC, I believe the Masq rule is causing all connections from my MTA to the mail proxy to be denied. Am I just misunderstanding what you're saying?

Best,
Gary

On Thu, 30 Sep 2004 10:32:05 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> Gary Buckmaster wrote:
> > My firewall is also performing mail proxying for the protected
> > subnet(s). Is it possible to specify in the Masq rulesets to not
> > masquerade connections bound for specific ports? If I want to force
> > outbound connections to speak to the firewall's port 25, is that to be
> > done via Masq or am I doing things incorrectly?
>
> You don't need any address rewriting for that. You will have two
> separate connections:
>
> loc->fw
> fw->net
>
> -Tom
Gary Buckmaster wrote:
> Hi again Tom,
>
> I'm sorry if I don't understand what you mean. My setup requires
> almost all outbound traffic (from 192.168.25.0/24 to the internet and
> beyond) to be masqueraded, *except* I will want to have any
> connections from my protected MTA to be made directly to the firewall
> on port 25. This is because I have postfix on the firewall in relay
> mode and it's filtering virii and spam. On the exterior NIC it isn't
> a problem, but on the internal NIC, I believe the Masq rule is causing
> all connections from my MTA to the mail proxy to be denied.

Nonsense -- they are most likely being denied because you don't have a loc->fw ACCEPT rule for TCP port 25.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
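As an added illustration (not code from the thread or from Shorewall), the following Python walks a "shorewall show nat" listing like the one in the first post: diagnose() flags the combination seen there, DNAT counting packets while MASQUERADE stays at zero with forwarding switched off, and masqueraded() shows that the MASQUERADE rule is only reached from POSTROUTING for packets leaving on eth0, so the LAN-to-firewall port 25 connection discussed just above is never rewritten. The sample dump is constructed from the thread's counters (column headers trimmed), and the ip_forward value is passed in rather than read from /proc/sys/net/ipv4/ip_forward so that it runs offline.

```python
import ipaddress
import re

# Constructed sample: the chains and counters quoted in the first post (header rows trimmed).
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 1197 packets, 100K bytes)
 pkts bytes target     prot opt in     out     source               destination
  658 54981 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 24 packets, 1862 bytes)
   21  1682 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain eth0_masq (1 references)
    0     0 MASQUERADE all  --  *      *       192.168.25.0/24      0.0.0.0/0
Chain net_dnat (1 references)
    3   144 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.25.2
"""

def parse_nat(dump):
    """Return {chain: [rule, ...]} from an `iptables -t nat -L -v -n` style listing."""
    chains, current = {}, None
    for line in dump.splitlines():
        m, p = re.match(r"Chain (\S+)", line), line.split()
        if m:
            current, chains[m.group(1)] = m.group(1), []
        elif current and len(p) >= 9 and p[0] != "pkts":  # skip blank and column-header lines
            chains[current].append({"pkts": int(p[0]), "target": p[2], "prot": p[3],
                                    "in": p[5], "out": p[6], "src": p[7], "dst": p[8]})
    return chains

def masqueraded(chains, src, out):
    """True if a packet from `src` leaving on interface `out` reaches a MASQUERADE rule.
    Only packets leaving the box traverse POSTROUTING; traffic to the firewall itself never does."""
    def walk(chain):  # follow jumps into Shorewall's per-interface chains (eth0_masq here)
        for r in chains.get(chain, []):
            if r["out"] in ("*", out) and ipaddress.ip_address(src) in ipaddress.ip_network(r["src"]):
                if r["target"] == "MASQUERADE" or walk(r["target"]):
                    return True
        return False
    return walk("POSTROUTING")

def diagnose(dump, ip_forward):
    """Findings for the thread's symptom: DNAT counts packets, yet nothing is forwarded."""
    chains, findings = parse_nat(dump), []
    hits = {t: sum(r["pkts"] for rs in chains.values() for r in rs if r["target"] == t)
            for t in ("DNAT", "MASQUERADE")}
    if not ip_forward:  # the /proc/sys/net/ipv4/ip_forward value, passed in to stay offline
        findings.append("ip_forward=0: DNAT matches in PREROUTING but packets are never routed on")
    if hits["DNAT"] and not hits["MASQUERADE"]:
        findings.append("DNAT counter is %d while MASQUERADE is 0" % hits["DNAT"])
    return findings
```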