Chip Burke
2005-Sep-01 12:48 UTC
DNAT doesn't work with aliases

I am trying to set up port forwards on some aliased addresses in 2.4.3. As an example:

Eth0 66.193.183.5 with alias eth0:0 66.193.183.7 on the pub zone
Eth1 192.168.15.1 on priv zone with routeback enabled

Rules:
DNAT pub priv:192.168.15.7 tcp http - 66.193.183.7
DNAT priv priv:192.168.15.7 tcp http - 66.193.183.7 (To redirect inside... I know, bad fix.)

Masq:
Eth1:192.168.15.7 eth1 192.168.15.1 tcp http

The problem I am having is that everything works fine from the inside..... If I try to hit 66.193.183.7 from priv it forwards it on without an issue. However, anything coming from pub will not forward back. Any DNAT rules on the main address of the interface 66.193.183.5 port forward with no problem. I looked at FAQ 18 and I can't see where I have anything wrong. Any ideas?

Thanks!
________________________________________
Chip Burke
________________________________________

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Robert K Coffman Jr - Info From Data Corporation
2005-Sep-01 16:29 UTC
RE: DNAT doesn't work with aliases
How are you testing this? It appears to be working from here. NMAP reports HTTP open and there is a web page that comes up.

- Bob Coffman

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Chip Burke
Sent: Thursday, September 01, 2005 8:48 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] DNAT doesn't work with aliases
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
That is our old firewall that I have installed and you are hitting currently. I put in the Shorewall box last night as we can't afford much downtime, and after 30 minutes of screwing around I could not get it to work on the aliased addresses inbound. So I just took it offline and put the old firewall back in.
________________________________________
Chip Burke

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Robert K Coffman Jr - Info From Data Corporation
Sent: Thursday, September 01, 2005 12:29 PM
To: shorewall-users@lists.sourceforge.net
Subject: RE: [Shorewall-users] DNAT doesn't work with aliases
Chip Burke wrote:
> I am trying to set up port forwards on some aliased addresses in 2.4.3. As an
> example:
>
> Eth0 66.193.183.5 with alias eth0:0 66.193.183.7 on the pub zone
> Eth1 192.168.15.1 on priv zone with routeback enabled
>
> Rules:
> DNAT pub priv:192.168.15.7 tcp http - 66.193.183.7
> DNAT priv priv:192.168.15.7 tcp http - 66.193.183.7 (To
> redirect inside... I know, bad fix.)
>
> Masq:
> Eth1:192.168.15.7 eth1 192.168.15.1 tcp http
>
> The problem I am having is that everything works fine from the inside.....
> If I try to hit 66.193.183.7 from priv it forwards it on without an issue.
> However, anything coming from pub will not forward back. Any DNAT rules on
> the main address of the interface 66.193.183.5 port forward with no problem.
> I looked at FAQ 18 and I can't see where I have anything wrong. Any ideas?
>

Are you SURE that the incoming requests are actually being forwarded to 192.168.15.7? Or are you just seeing them with tcpdump on the firewall's public interface? If only the latter, you may have a stale ARP cache in the upstream router.

If so, is the default gateway of host 192.168.15.7 set to 192.168.15.1?

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
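Tom's question splits into three checks a practitioner would actually run on the firewall: did the packet merely arrive on eth0, did the DNAT rule match it (nat-table counters), and did the reply leave translated (conntrack's reply tuple). The script below is an added example and is not from the thread or from Shorewall; it parses constructed sample output in the formats of `iptables -t nat -L -v -n`, `/proc/net/ip_conntrack` and `tcpdump -e -n`, so it runs offline. The chain name pub_dnat, the MAC addresses, the 203.0.113.x client addresses and the exact `tcpdump -e` field layout (which varies between tcpdump versions) are assumptions.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread or from Shorewall). On the
# firewall the live inputs would be:
#   iptables -t nat -L -v -n                    (rule hit counters)
#   cat /proc/net/ip_conntrack                  (or: conntrack -L on newer kernels)
#   tcpdump -e -n -i eth0 'host 66.193.183.7'   (frames with MAC addresses)
# Everything below uses CONSTRUCTED samples in those formats. The chain name
# pub_dnat, the MACs and the 203.0.113.x clients are assumptions.

# 1. Sum the packet counters of DNAT rules matching an inbound interface and
#    original destination. `iptables -L -v -n` columns are:
#    pkts bytes target prot opt in out source destination ...
dnat_hits() {
  awk -v ifc="$1" -v dst="$2" \
    '$3 == "DNAT" && $6 == ifc && $9 == dst { sum += $1 } END { print sum + 0 }'
}

# 2. Count conntrack entries whose original direction went to $1 and whose
#    reply direction comes from $2. Reply src = internal host means the flow
#    was DNATed; reply src = the public alias itself means the firewall
#    answered the packet on its own (the DNAT rule never applied).
flows_replied_from() {
  awk -v odst="$1" -v rsrc="$2" '
    { nd = 0; ns = 0; a = 0; b = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dst=/) { nd++; if (nd == 1 && substr($i, 5) == odst) a = 1 }
        if ($i ~ /^src=/) { ns++; if (ns == 2 && substr($i, 5) == rsrc) b = 1 }
      }
      if (a && b) c++
    }
    END { print c + 0 }'
}

# 3. Count tcpdump -e frames for IP $2 whose destination MAC is not ours ($1).
#    Such frames mean the upstream router still maps the alias to the old
#    firewall's MAC (stale ARP cache). tcpdump runs promiscuous, so you only
#    see them on a hub or mirrored port; on a switched segment they never
#    reach this box at all, which shows up as "nothing on eth0".
frames_to_other_mac() {
  awk -v ours="$1" -v ip="$2" '
    { mac = $4; sub(/,$/, "", mac)
      if (mac != ours && index($0, "> " ip ".")) c++ }
    END { print c + 0 }'
}

# Constructed samples (not captured from the thread's hosts).
SAMPLE_NAT='Chain pub_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   37  2220 DNAT       tcp  --  eth0   *       0.0.0.0/0            66.193.183.5         tcp dpt:80 to:192.168.15.5:80
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            66.193.183.7         tcp dpt:80 to:192.168.15.7:80
   12   720 DNAT       tcp  --  eth1   *       0.0.0.0/0            66.193.183.7         tcp dpt:80 to:192.168.15.7:80'

SAMPLE_CT='tcp      6 9 CLOSE src=203.0.113.9 dst=66.193.183.7 sport=51234 dport=80 src=66.193.183.7 dst=203.0.113.9 sport=80 dport=51234 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.15.20 dst=66.193.183.7 sport=3344 dport=80 src=192.168.15.7 dst=192.168.15.1 sport=80 dport=3344 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=203.0.113.11 dst=66.193.183.5 sport=40002 dport=80 src=192.168.15.5 dst=203.0.113.11 sport=80 dport=40002 [ASSURED] use=1'

OUR_MAC=00:0c:29:11:22:33
SAMPLE_TCPDUMP='12:01:03.100000 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 203.0.113.9.51234 > 66.193.183.7.80: S 1:1(0) win 5840
12:01:03.200000 00:11:22:33:44:55 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 203.0.113.10.40001 > 66.193.183.7.80: S 2:2(0) win 5840
12:01:04.000000 00:11:22:33:44:55 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 203.0.113.11.40002 > 66.193.183.5.80: S 3:3(0) win 5840'

# Print a one-line verdict for one public address and its internal target.
diagnose() {
  pub=$1; inner=$2
  from_pub=$(printf '%s\n' "$SAMPLE_NAT" | dnat_hits eth0 "$pub")
  from_priv=$(printf '%s\n' "$SAMPLE_NAT" | dnat_hits eth1 "$pub")
  ok=$(printf '%s\n' "$SAMPLE_CT" | flows_replied_from "$pub" "$inner")
  bad=$(printf '%s\n' "$SAMPLE_CT" | flows_replied_from "$pub" "$pub")
  stale=$(printf '%s\n' "$SAMPLE_TCPDUMP" | frames_to_other_mac "$OUR_MAC" "$pub")
  echo "$pub: DNAT hits eth0=$from_pub eth1=$from_priv; flows translated=$ok untranslated=$bad; frames to a foreign MAC=$stale"
}

diagnose 66.193.183.7 192.168.15.7
diagnose 66.193.183.5 192.168.15.5
```

In the constructed data the alias shows the pattern the thread describes: the eth1 rule has hits and a translated flow (inside works), the eth0 rule has zero hits, the one outside flow was answered by the firewall itself, and one frame for the alias was addressed to a MAC that is not ours. Zero eth0 hits together with frames to a foreign MAC points at the upstream ARP cache, not at the Shorewall rules; zero hits with no frames at all on eth0 means the packets are not reaching the box.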