Hi list,

This is my first post there.

CONTEXT :
--------------
I have a little lan behind a shorewalled box

  (internet) -- NET_IP [gateway] LOC-IP -- (lan X.Y.0.0)

  internet -> net zone connected to the gateway via a ppp interface
  lan -> loc zone connected to the gateway via eth1
  NET_IP and LOC_IP are defined in shorewall params file

GOAL :
---------
I want to forward http and smtp requests targeting NET_IP to a "server" box on the lan.

For requests coming from the net side I have written a simple line in shorewall rules file :

  DNAT net loc:server_ip tcp http,smtp - $NET_IP

  => OK

For requests coming from the lan, I have to avoid the server answering directly => SNAT necessary.

  DNAT loc loc:server_ip tcp http,smtp - $NET_IP:$LOC_IP

  => OK BUT...

PROBLEM :
--------------
When this 2nd rule is defined, connections coming from net zone are also SNATed ????????
So all requests to server seem to come from $LOC_IP :-(

shorewall versions :
- 2.0.1 on mandrake 10.0 official (native package)
- 2.0.9 on the same box (installed from tgz file)

I'm still wondering what I missed... help please...
Considering you don't have a DMZ, and the internal client and server are in the same subnet (zone LOC), the communication between Client and Server is done using Ethernet communications (i.e. directly via Ethernet). So the FW never knows/sees this traffic.

So, you only need the first DNAT rule.

[Guilsson]

On Mon, 04 Oct 2004 12:45:18 +0200, Pascal Vilarem <pvilarem-ml@9online.fr> wrote:
> Hi list,
>
> This is my first post there.
>
> CONTEXT :
> --------------
> I have a little lan behind a shorewalled box
>
> (internet) -- NET_IP [gateway] LOC-IP -- (lan X.Y.0.0)
>
> internet -> net zone connected to the gateway via a ppp interface
> lan -> loc zone connected to the gateway via eth1
> NET_IP and LOC_IP are defined in shorewall params file
>
> GOAL :
> ---------
> I want to forward http and smtp requests targeting NET_IP to a
> "server" box on the lan.
>
> For requests coming from the net side I have written a simple line in
> shorewall rules file :
>
> DNAT net loc:server_ip tcp http,smtp - $NET_IP
>
> => OK
>
> For requests coming from the lan, I have to avoid the server answering
> directly => SNAT necessary.
>
> DNAT loc loc:server_ip tcp http,smtp - $NET_IP:$LOC_IP
>
> => OK BUT...
>
> PROBLEM :
> --------------
> When this 2nd rule is defined, connections coming from net zone are
> also SNATed ????????
> So all requests to server seem to come from $LOC_IP :-(
>
> shorewall versions :
> - 2.0.1 on mandrake 10.0 official (native package)
> - 2.0.9 on the same box (installed from tgz file)
>
> I'm still wondering what I missed... help please...
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Thanks for your answer.

Actually the firewall does see this traffic for a very simple reason : the internal client uses the official DNS of the firewall : www.mydomain.com
So the ip retrieved from DNS is NET_IP and not the real ip of the web server (even if it is on the same subnet as the client, you're perfectly right on this point).

Furthermore the http server also uses https with an ssl certificate for www.mydomain.com... so I need this alias.

I guess a workaround would consist in setting up an internal DNS... but this is rather a heavy solution, and I'd like to avoid it.

Guilsson wrote:
> Considering you don't have a DMZ, and the internal client and server are
> in the same subnet (zone LOC), the communication between Client and
> Server is done using Ethernet communications (i.e. directly via
> Ethernet). So the FW never knows/sees this traffic.
>
> So, you only need the first DNAT rule.
>
> [Guilsson]
>
> On Mon, 04 Oct 2004 12:45:18 +0200, Pascal Vilarem
> <pvilarem-ml@9online.fr> wrote:
>
>> Hi list,
>>
>> This is my first post there.
>>
>> CONTEXT :
>> --------------
>> I have a little lan behind a shorewalled box
>>
>> (internet) -- NET_IP [gateway] LOC-IP -- (lan X.Y.0.0)
>>
>> internet -> net zone connected to the gateway via a ppp interface
>> lan -> loc zone connected to the gateway via eth1
>> NET_IP and LOC_IP are defined in shorewall params file
>>
>> GOAL :
>> ---------
>> I want to forward http and smtp requests targeting NET_IP to a
>> "server" box on the lan.
>>
>> For requests coming from the net side I have written a simple line in
>> shorewall rules file :
>>
>> DNAT net loc:server_ip tcp http,smtp - $NET_IP
>>
>> => OK
>>
>> For requests coming from the lan, I have to avoid the server answering
>> directly => SNAT necessary.
>>
>> DNAT loc loc:server_ip tcp http,smtp - $NET_IP:$LOC_IP
>>
>> => OK BUT...
>>
>> PROBLEM :
>> --------------
>> When this 2nd rule is defined, connections coming from net zone are
>> also SNATed ????????
>> So all requests to server seem to come from $LOC_IP :-(
>>
>> shorewall versions :
>> - 2.0.1 on mandrake 10.0 official (native package)
>> - 2.0.9 on the same box (installed from tgz file)
>>
>> I'm still wondering what I missed... help please...
Pascal wrote on 04/10/2004 14:06:37:
> Thanks for your answer.
>
> Actually the firewall does see this traffic for a very simple reason :
>
> I guess a workaround would consist in setting up an internal DNS...
> but this is rather a heavy solution, and I'd like to avoid it.
>
> Guilsson wrote:
>
>> Considering you don't have a DMZ, and the internal client and server are
>> in the same subnet (zone LOC), the communication between Client and

I would put a third card in your box and implement a ProxyArp solution. Anyway, I don't like the idea of opening a port directly to my internal lan.

If not possible, I heard about dns bind using different views for external/internal networks. Maybe it's worth a look.

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Eduardo Ferreira wrote:
> Pascal wrote on 04/10/2004 14:06:37:
>
>> Thanks for your answer.
>>
>> Actually the firewall does see this traffic for a very simple reason :
>>
>> I guess a workaround would consist in setting up an internal DNS...
>> but this is rather a heavy solution, and I'd like to avoid it.
>>
>> Guilsson wrote:
>>
>>> Considering you don't have a DMZ, and the internal client and server are
>>> in the same subnet (zone LOC), the communication between Client and
>
> I would put a third card in your box and implement a ProxyArp solution.
> Anyway, I don't like the idea of opening a port directly to my internal
> lan.
>
> If not possible, I heard about dns bind using different views for
> external/internal networks. Maybe it's worth a look.

That's the best solution. But you can also fix your original problem by adding ":<your local network>" to the SOURCE column in your DNAT rule.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
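The fix Tom describes, written out as a Shorewall 2.x `rules` fragment with the faulty hairpin rule beside the corrected one. This is an added illustration, not a file from the thread; `server_ip`, `$NET_IP` and `$LOC_IP` are the placeholders from the original post, the `/16` mask on `X.Y.0.0` is an assumption, and the explanation in the comments of why the broad rule also catches Internet traffic is my reading of how the generated netfilter rules behave, not a statement from the list.

```text
#ACTION  SOURCE          DEST            PROTO  DEST       SOURCE  ORIGINAL
#                                               PORT(S)    PORT(S) DEST
#
# Rule 1: requests arriving from the Internet. DNAT only, no SNAT, so
# the server still logs the real client address.
DNAT     net             loc:server_ip   tcp    http,smtp  -       $NET_IP

# Rule 2 as originally written: hairpin NAT for LAN clients that resolve
# www.mydomain.com to $NET_IP. The ":$LOC_IP" suffix in ORIGINAL DEST
# also SNATs the connection to $LOC_IP so the server's replies return
# via the gateway instead of going straight back to the LAN client.
#DNAT    loc             loc:server_ip   tcp    http,smtp  -       $NET_IP:$LOC_IP
#
# Why it over-matches (assumed mechanism): the SNAT half is emitted in the
# nat POSTROUTING chain, where the input interface can no longer be
# matched, so a bare zone name "loc" in SOURCE leaves only the output
# interface and "-d server_ip" to match on. Connections that were DNATed
# from the Internet by rule 1 satisfy that too, and all appear from $LOC_IP.

# Rule 2 corrected: qualify SOURCE with the LAN network. The qualifier
# becomes an explicit "-s X.Y.0.0/16" match on the SNAT rule, which
# Internet clients cannot satisfy, so only LAN-originated connections
# are SNATed.
DNAT     loc:X.Y.0.0/16  loc:server_ip   tcp    http,smtp  -       $NET_IP:$LOC_IP
```

After the change, the server's logs should again show real Internet client addresses for rule 1 traffic and $LOC_IP only for hairpinned LAN connections, which is a quick way to confirm the rule now matches what was intended.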
A million thanks Tom : the "original problem" is fixed.

I agree with you all : a little DMZ is a better solution. For the while I cannot change things... but I hope I'll be able to do it soon.

Again thx for your help :-)

Pascal

Tom Eastep wrote:
> Eduardo Ferreira wrote:
>
>> Pascal wrote on 04/10/2004 14:06:37:
>>
>>> Thanks for your answer.
>>>
>>> Actually the firewall does see this traffic for a very simple reason :
>>>
>>> I guess a workaround would consist in setting up an internal DNS...
>>> but this is rather a heavy solution, and I'd like to avoid it.
>>>
>>> Guilsson wrote:
>>>
>>>> Considering you don't have a DMZ, and the internal client and server are
>>>> in the same subnet (zone LOC), the communication between Client and
>>
>> I would put a third card in your box and implement a ProxyArp solution.
>> Anyway, I don't like the idea of opening a port directly to my internal
>> lan.
>>
>> If not possible, I heard about dns bind using different views for
>> external/internal networks. Maybe it's worth a look.
>
> That's the best solution. But you can also fix your original problem by
> adding ":<your local network>" to the SOURCE column in your DNAT rule.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key