Hello. If there is an answer to this somewhere in the FAQ or documentation then do let me know, but I've yet to find it. :)

My home network consists of one physical server running a firewall and hosting two vservers (http://www.linux-vserver.org/). I'd like to host various services on these servers and treat them like real firewalled servers, but while traffic leaves them just fine, it is impossible to use DNAT to forward ports to them.

I've followed the two-interface quickstart guide, and I have everything working but this. That is, the traffic I want leaving the firewall leaves, and the traffic I want blocked is blocked. I'm SNATing several desktops and wireless clients behind the firewall just fine. Additionally, I can initiate outbound connections from my vservers just fine, and they function quite nicely, other than not being reachable via any DNAT rules I try patterned off of those in the quickstart guide.

I followed the instructions in the FAQ concerning clearing the number of DNATed packets and running "shorewall show nat". Sure enough, packets are reaching the server, and the FAQ indicates that my gateway is set incorrectly on the vserver. I've posted a similar query to the vserver list, and here are some excerpts of the reply I received:

---

as the guests reside on the firewall, they will not 'forward' packets to the host, instead they will, as the networking _is_ on the host, simply use the host routing to send and/or receive packets ...

now, that means two things, one which you seem to have mastered already, namely SNAT-ing the outgoing traffic to the public IP, nevertheless I'll mention it here again so that we know what we are talking about:

basically a rule like this (no idea how to do that with shorewall) allows your guests to reach the big world ...

  iptables -t nat -I POSTROUTING -s 192.168.0.2 -j SNAT --to 123.45.67.89

you can spice that up with outgoing interface and/or use a special chain for all guests, or just repeat it for every guest ...

now for incoming traffic, you have to do a similar trick to 'map' the public IP (which will be reached from the outside) to your guests ...

note: this is _not_ required for packets reaching the machine on the 192.168.0.x network as they will already use the proper interface and address

something like

  iptables -t nat -I PREROUTING -i eth0 -d 123.45.67.89 \
    -p tcp --dport 2222 -j DNAT --to 192.168.0.2:22

should allow you to reach the first guest's sshd (assumed it doesn't clash with the host's sshd) from the outside .. of course, the previous SNAT rule is required to get the replies back ...

---

As the snippet mentions, I seem to have accomplished the first part in shorewallese. How would I go about implementing the second rule, the one to DNAT the inbound SSH connection, if the DNAT rules in the documentation aren't up to the task? Or is this something that shorewall isn't made to accomplish, as the networking for the vservers is all happening on the host system?

I've distilled what I am trying to do down to one simple (hopefully :) task. My external interface eth0 in zone net is at 66.93.216.223. I'd like to forward any SSH connections to 66.93.216.223 to 192.168.0.3. 0.3 is a vserver running sshd and hosting a number of useful shell apps but no servers. The DNAT rule examples in the documentation cannot accomplish this because I cannot set a gateway in the vserver. Is there any way to accomplish this with shorewall?

If not, is there another virtualization solution that would work better? I, unfortunately, can't obtain any additional physical servers at the moment, but still wish the benefits of multiple, separate virtual spaces.

Statistics:

# shorewall version
3.0.4
# ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:9f:0e:5a:25 brd ff:ff:ff:ff:ff:ff
    inet 66.93.216.223/24 brd 66.93.216.255 scope global eth0
    inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary eth0
    inet6 fe80::2c0:9fff:fe0e:5a25/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:9f:0e:5a:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::2c0:9fff:fe0e:5a24/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
# ip route
66.93.216.0/24 dev eth0 proto kernel scope link src 66.93.216.223
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.3
default via 66.93.216.1 dev eth0

Please let me know if there is any additional information I can provide. I've been googling and asking about this for some time now, and am not quite sure where to go from here. Thanks a bunch.

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
I'll see if I can help.

Nolan Darilek wrote:
> I followed the instructions in the FAQ concerning clearing the number
> of DNATed packets and running "shorewall show nat". Sure enough,
> packets are reaching the server, and the FAQ indicates that my gateway
> is set incorrectly on the vserver. I've posted a similar query to the
> vserver list, and here are some excerpts of the reply I received:
>
> something like
>
>   iptables -t nat -I PREROUTING -i eth0 -d 123.45.67.89 \
>     -p tcp --dport 2222 -j DNAT --to 192.168.0.2:22

OK, that helps.

> should allow you to reach the first guest's sshd
> (assumed it doesn't clash with the host's sshd)
> from the outside .. of course, the previous SNAT
> rule is required to get the replies back ...
>
> I've distilled what I am trying to do down to one simple (hopefully :)
> task. My external interface eth0 in zone net is at 66.93.216.223. I'd
> like to forward any SSH connections to 66.93.216.223 to 192.168.0.3.
>
> # ip route
> 66.93.216.0/24 dev eth0 proto kernel scope link src 66.93.216.223
> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.3
> default via 66.93.216.1 dev eth0

Think you just need a masq statement, something like:

eth0 192.168.0.3 66.93.216.223

Remember that 192.168.0.3 is not part of the loc zone; it's part of the fw zone. You should have a masq rule that would cover the loc > net traffic already.

> Please let me know if there is any additional information I can
> provide. I've been googling and asking about this for some time now,
> and am not quite sure where to go from here. Thanks a bunch.

Start with that; should that not do the trick, please use the support guidelines from http://www.shorewall.net/support.htm for your version of shorewall.

Jerry
On Jan 31, 2006, at 6:10 PM, Jerry Vonau wrote:
> I'll see if I can help.
>
> Think you just need a masq statement, something like:
> eth0 192.168.0.3 66.93.216.223
>
> Remember that 192.168.0.3 is not part of the loc zone; it's part of
> the fw zone. You should have a masq rule that would cover the loc >
> net traffic already.

Excellent, I'll give that a shot. Should I then set up DNAT as I normally would, DNATing SSH connections to fw:192.168.0.3?

Also, should I set ADD_SNAT_ALIASES to YES in shorewall.conf? I'm not sure what "Shorewall will automatically add IP addresses . . ." means. More specifically, to where is it adding them? As aliases on the interfaces themselves, or is there another config file to which I should be adding them?

Thanks a bunch for the pointers.
Nolan Darilek wrote:
> On Jan 31, 2006, at 6:10 PM, Jerry Vonau wrote:
>
>> I'll see if I can help.
>>
>> Think you just need a masq statement, something like:
>> eth0 192.168.0.3 66.93.216.223
>>
>> Remember that 192.168.0.3 is not part of the loc zone; it's part of
>> the fw zone. You should have a masq rule that would cover the loc >
>> net traffic already.
>
> Excellent, I'll give that a shot. Should I then set up DNAT as I
> normally would, DNATing SSH connections to fw:192.168.0.3?

Yes, off the top of my head, something like:

DNAT net fw:192.168.0.3 tcp 22

> Also, should I set ADD_SNAT_ALIASES to YES in shorewall.conf? I'm not
> sure what "Shorewall will automatically add IP addresses . . ." means.

If you are using a single external IP on the firewall, what is the point? You only have one IP to use; leave it as no.

> More specifically, to where is it adding them? As aliases on the
> interfaces themselves, or is there another config file to which I
> should be adding them?

If you have more than one public IP to play with, then you could use shorewall to bind more than one of them to an external interface; that is where you would start to look at using ADD_SNAT_ALIASES.

> Thanks a bunch for the pointers.

No problem. I was just wondering if 192.168.0.3 should be bound to the external interface, or the internal one. I just don't have a spare box with enough jam to try that setup.

Jerry
On Jan 31, 2006, at 9:23 PM, Jerry Vonau wrote:
> Yes, off the top of my head, something like:
>
> DNAT net fw:192.168.0.3 tcp 22

Great, thanks! This is almost exactly what I want, and the last bit might not be possible but I thought I'd ask. :)

My firewall, thewordnerd.info, has the internal IP 192.168.0.1, but all of my services are running on 192.168.0.2. I'd like to forward all the relevant ports on 192.168.0.1 to the same port on 0.2 such that "thewordnerd.info" works for just about everything--IMAP server, outbound SMTP, jabber, web, etc. But with the masq line and a DNAT line like the following:

Web/DNAT all fw:192.168.0.2

all outbound HTTP connections are bounced back to my internal webserver. If I remove "loc" and make the above line "Web/DNAT net fw" it works from outside, but I can't access the webserver at http://thewordnerd.info. I thought that the rule would control only incoming connections with the firewall as destination, but it seems to be snagging any port 80 traffic.

Is there a way to accomplish this type of setup, or should I instead alias www, mail, etc. to 0.2, set up CNAMEs for the outside IP and use those CNAMEs for, say, wireless clients that need both internal and external access? I'd like to stick with just using thewordnerd.info for everything, but if that isn't possible then I'll stop trying and opt for the latter.

Thanks again. Glad to have most of this finally working. :)
Nolan Darilek wrote:
> On Jan 31, 2006, at 9:23 PM, Jerry Vonau wrote:
>
>> Yes, off the top of my head, something like:
>>
>> DNAT net fw:192.168.0.3 tcp 22
>
> Great, thanks! This is almost exactly what I want, and the last bit
> might not be possible but I thought I'd ask. :)

Great, more uncharted waters ;)

> My firewall, thewordnerd.info, has the internal IP 192.168.0.1, but all
> of my services are running on 192.168.0.2. I'd like to forward all the
> relevant ports on 192.168.0.1 to the same port on 0.2 such that
> "thewordnerd.info" works for just about everything--IMAP server,
> outbound SMTP, jabber, web, etc. But with the masq line and a DNAT line
> like the following:
>
> Web/DNAT all fw:192.168.0.2
>
> all outbound HTTP connections are bounced back to my internal
> webserver. If I remove "loc" and make the above line "Web/DNAT net fw"
> it works from outside, but I can't access the webserver at
> http://thewordnerd.info. I thought that the rule would control only
> incoming connections with the firewall as destination, but it seems to
> be snagging any port 80 traffic.

Think you need to state the original destination in the rule.

> Is there a way to accomplish this type of setup, or should I instead
> alias www, mail, etc. to 0.2, set up CNAMEs for the outside IP and use
> those CNAMEs for, say, wireless clients that need both internal and
> external access? I'd like to stick with just using thewordnerd.info for
> everything, but if that isn't possible then I'll stop trying and opt
> for the latter.
>
> Thanks again. Glad to have most of this finally working. :)

Yes, use split DNS; anything else is just a workaround for not having an internal DNS resolver. What you're trying will work, but is, IMHO, not the right way. See FAQ2.

Jerry
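To put Jerry's two pointers side by side, here is a Shorewall 3.0-style masq and rules fragment written for this thread (an added illustration, not text from the thread or from the Shorewall documentation). It uses the thread's zones (net, loc, fw) and addresses; the `eth0 eth1` masq entry for the desktops is assumed to be what the two-interface quickstart already gave you, and the loc rule with an ORIGINAL DEST is the variant Jerry says will work but considers inferior to split DNS.

```text
# /etc/shorewall/masq
#INTERFACE   SOURCE          ADDRESS
eth0         eth1                              # loc clients (existing quickstart entry, assumed)
eth0         192.168.0.3     66.93.216.223     # vserver addresses live on the host itself, i.e. in
eth0         192.168.0.2     66.93.216.223     # the fw zone, so they need their own SNAT entries

# /etc/shorewall/rules
#ACTION     SOURCE   DEST             PROTO  DEST    SOURCE  ORIGINAL
#                                            PORT(S) PORT(S) DEST
# Inbound SSH from the Internet, handed to the shell vserver:
DNAT        net      fw:192.168.0.3   tcp    22

# Rule as posted. Nothing restricts the ORIGINAL DEST, so every port 80
# connection from every zone (including loc clients browsing the Internet)
# is rewritten to 192.168.0.2:
#Web/DNAT   all      fw:192.168.0.2

# Corrected: only connections that were addressed to the public IP are
# redirected; ordinary outbound HTTP from loc is left alone.
Web/DNAT    net      fw:192.168.0.2   -      -       -       66.93.216.223
Web/DNAT    loc      fw:192.168.0.2   -      -       -       66.93.216.223
```

After restarting, "shorewall show nat" lets you confirm that the loc rule counts only the hairpin connections to 66.93.216.223 and not general web browsing.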