Hello, following problem:

I have a network 172.17.180.64/255.255.255.192 (LOC). Default Gateway 172.17.180.67.
The Shorewall Firewall is the default gateway and has IP 172.17.180.67.

Behind ANOTHER CISCO Gateway 172.17.180.68 is a DMZ which uses the Subnet 10.100.100.0/255.255.255.0.
In this DMZ is a DNS Server with IP 10.100.100.11.

The Problem:
On all Clients in the 172.17.180.64/255.255.255.192 net the OLD DNS Server (10.10.10.11 !!!) is written in the Network Settings,
and the CISCO accepts only packets to the 10.100.100.x subnet.

The only thing I want is to FORWARD all UDP/TCP 53 connects to 10.10.10.11 to the new DNS 10.100.100.11 !!!

I already used the following RULE on 172.17.180.67:

    DNAT loc loc:10.100.100.11 udp 53 - 10.10.10.11
    DNAT loc loc:10.100.100.11 tcp 53 - 10.10.10.11

but this doesn't work.

Please Help !!

--
Christian

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Christian Bayer wrote:
> Hello,
>
> following problem:
>
> I have a network 172.17.180.64/255.255.255.192 (LOC). Default Gateway
> 172.17.180.67
> The Shorewall Firewall is Defaultgateway and has IP 172.17.180.67.
>
> Behind a OTHER CISCO Gateway 172.17.180.68 is a DMZ which uses the
> Subnet 10.100.100.0/255.255.255.0
> In this DMZ is a DNS Server with IP 10.100.100.11
>
> The Problem:
> On all Clients in the 172.17.180.64/255.255.255.192 net the OLD DNS
> Server (10.10.10.11 !!!) is written in the Network Settings,
> and the CISCO Accepts only Packets to the 10.100.100.x subnet.
>
> The only thing i want is to FORWARD all UDP/TCP 53 connects to
> 10.10.10.11 to the new DNS 10.100.100.11 !!!
>
> I already used the follwing RULE on 172.17.180.67:
> DNAT loc loc:10.100.100.11 udp 53 - 10.10.10.11
> DNAT loc loc:10.100.100.11 tcp 53 - 10.10.10.11
>
> but this doesnt work.
>
> Please Help !!

A configuration such as yours is covered in the Shorewall documentation in the article at http://www.shorewall.net/Multiple_Zones.html (From the documentation index, follow the link labeled "Routing on One Interface").

As described there, you need to: set the 'routeback' option on your local interface in /etc/shorewall/interfaces.

You *may* also need to add this entry to your /etc/shorewall/masq file.

    <local_if>:10.100.100.11 172.17.180.0/26 172.17.180.67

but simply adding 'routeback' (along with your DNAT rules) should be enough.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Dear Tom,

ifconfig:

    eth0      Link encap:Ethernet  HWaddr 00:E0:7D:A7:0B:BF
              inet addr:172.17.180.67  Bcast:172.17.180.127  Mask:255.255.255.192

/etc/shorewall/rules:

    DNAT:info loc loc:10.100.100.11 udp 53 - 10.10.10.11
    DNAT:info loc loc:10.100.100.11 tcp 53 - 10.10.10.11

/etc/shorewall/interfaces:

    loc eth0 detect dhcp,routeback

/etc/shorewall/masq:

    eth0:10.100.100.11 172.17.180.0/26 172.17.180.67

Now an nslookup from 172.17.180.71 to 10.10.10.11 does the following:

    > server 10.10.10.11
    DNS request timed out.
        timeout was 2 seconds.
    Standardserver: [10.10.10.11]
    Address: 10.10.10.11
    >

Logfile on Gateway:

    Dec 14 10:53:47 gw-lauf1 kernel: Shorewall:loc_dnat:DNAT:IN=eth0 OUT= MAC=00:e0:7d:a7:0c:bf:09:a0:f8:03:d4:c0:08:00 SRC=172.17.180.71 DST=10.10.10.11 LEN=63 TOS=0x00 PREC=0x00 TTL=127 ID=50778 PROTO=UDP SPT=56997 DPT=53 LEN=43

I think that the gateway doesn't rewrite the Destination IP from 10.10.10.11 to 10.100.100.11.
And then the Cisco doesn't accept these Packets.

Log from TCPDUMP:

    12:36:40.098449 172.17.180.71.17322 > 10.10.10.11.53: 10+ A? ica.company. (28)
    12:36:40.098561 172.17.180.71.17322 > 10.10.10.11.53: 10+ A? ica.company. (28)
    12:36:40.098817 172.17.180.71.17322 > 10.100.100.11.53: 10+ A? ica.company. (28)
    12:36:40.109417 10.100.100.11.53 > 172.17.180.71.17322: 10* 3/1/3 A 10.100.100.24,[|domain] (DF)

Any Answers ??

Christian

Tom Eastep wrote:
> Christian Bayer wrote:
>
>> Hello,
>>
>> following problem:
>>
>> I have a network 172.17.180.64/255.255.255.192 (LOC). Default Gateway
>> 172.17.180.67
>> The Shorewall Firewall is Defaultgateway and has IP 172.17.180.67.
>>
>> Behind a OTHER CISCO Gateway 172.17.180.68 is a DMZ which uses the
>> Subnet 10.100.100.0/255.255.255.0
>> In this DMZ is a DNS Server with IP 10.100.100.11
>>
>> The Problem:
>> On all Clients in the 172.17.180.64/255.255.255.192 net the OLD DNS
>> Server (10.10.10.11 !!!) is written in the Network Settings,
>> and the CISCO Accepts only Packets to the 10.100.100.x subnet.
>>
>> The only thing i want is to FORWARD all UDP/TCP 53 connects to
>> 10.10.10.11 to the new DNS 10.100.100.11 !!!
>>
>> I already used the follwing RULE on 172.17.180.67:
>> DNAT loc loc:10.100.100.11 udp 53 - 10.10.10.11
>> DNAT loc loc:10.100.100.11 tcp 53 - 10.10.10.11
>>
>> but this doesnt work.
>>
>> Please Help !!
>>
>
> A configuration such as yours is covered in the Shorewall documentation in the
> article at http://www.shorewall.net/Multiple_Zones.html (From the documentation
> index, follow the link labeled "Routing on ONe Interface").
>
> As described there, you need to: set the 'routeback' option on your local
> interface in /etc/shorewall/interfaces.
>
> You *may* also need to add this entry to your /etc/shorewall/masq file.
>
> <local_if>:10.100.100.11 172.17.180.0/26 172.17.180.67
>
> but simply adding 'routeback' (along with your DNAT rules) should be enough.
>
> -Tom
Christian Bayer wrote:
>
> Logfile on Gateway:
> Dec 14 10:53:47 gw-lauf1 kernel: Shorewall:loc_dnat:DNAT:IN=eth0 OUT=
> MAC=00:e0:7d:a7:0c:bf:09:a0:f8:03:d4:c0:08:00 SRC=172.17.180.71
> DST=10.10.10.11 LEN=63 TOS=0x00 PREC=0x00 TTL=127 ID=50778 PROTO=UDP
> SPT=56997 DPT=53 LEN=43

That looks correct.

> I think that the gateway doesnt rewrite the Destination IP from
> 10.10.10.11 to 10.100.100.11.
> And then the Cisco doesnt accept these Packets.

Nonsense -- the last packet that you show in the trace below is a response from 10.100.100.11 back to 172.17.180.71. But it should be returned to 172.16.180.67 rather than 162.17.180.61.

> Log from TCPDUMP:
> 12:36:40.098449 172.17.180.71.17322 > 10.10.10.11.53: 10+ A?
> ica.company. (28)
> 12:36:40.098561 172.17.180.71.17322 > 10.10.10.11.53: 10+ A?
> ica.company. (28)
> 12:36:40.098817 172.17.180.71.17322 > 10.100.100.11.53: 10+ A?
> ica.company. (28)
> 12:36:40.109417 10.100.100.11.53 > 172.17.180.71.17322: 10* 3/1/3 A
> 10.100.100.24,[|domain] (DF)
>
>
> Any Answers ??

    eth0      Link encap:Ethernet  HWaddr 00:E0:7D:A7:0B:BF
              inet addr:172.17.180.67  Bcast:172.17.180.127  Mask:255.255.255.192

Yes -- In your original post, you told me that your internal interface was 172.17.180.64/255.255.255.192 which is 172.17.180.64/26. But I wrote (and you blindly copied) a masq entry as follows:

    /etc/shorewall/masq
    eth0:10.100.100.11 172.17.180.0/26 172.17.180.67

See the problem?

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
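The mechanics behind Tom's answer, as an added illustration that is not part of the thread and not Shorewall's own code: a small Python model of one UDP/53 query from 172.17.180.71 to 10.10.10.11 walking through the DNAT rule and the masq entry. The addresses come from the thread; the function names (simulate_dns_hairpin, check_masq_covers_interface, interface_network) and the step-by-step packet walk are constructed for this example. With the masq SOURCE column set to 172.17.180.0/26 the client's source address is never rewritten, so the DNS server answers the client directly (the last tcpdump line), conntrack never undoes the DNAT, and the resolver discards a reply that comes from 10.100.100.11 instead of the 10.10.10.11 it asked. With 172.17.180.64/26 the reply returns via the firewall and is un-NATed.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the thread; the packet walk below is a constructed model
# of the Shorewall DNAT + masq hairpin, not the firewall's actual code path.
FW_IF_ADDR = "172.17.180.67"       # Shorewall box, eth0
FW_IF_MASK = "255.255.255.192"     # /26
CLIENT = "172.17.180.71"           # the host running nslookup
OLD_DNS = "10.10.10.11"            # server still configured on the clients
NEW_DNS = "10.100.100.11"          # server that actually answers, in the DMZ


def interface_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Network that an interface address/mask belongs to (what 'detect' would see)."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network


@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 53


def simulate_dns_hairpin(masq_source: str, client: str = CLIENT) -> dict:
    """Walk one UDP/53 query from `client` to OLD_DNS through the firewall.

    masq_source is the SOURCE column of the masq entry
        eth0:10.100.100.11  <masq_source>  172.17.180.67
    The return value describes what the client ends up seeing.
    """
    masq_net = ipaddress.ip_network(masq_source)
    client_ip = ipaddress.ip_address(client)

    # 1. DNAT rule (loc -> loc:10.100.100.11 udp 53, original dest 10.10.10.11)
    #    rewrites the destination. The Shorewall log line in the thread shows
    #    this rule matching, so this step was never the problem.
    pkt = Packet(src=client, dst=OLD_DNS)
    if pkt.dst == OLD_DNS and pkt.dport == 53:
        pkt.dst = NEW_DNS

    # 2. masq entry: the source is rewritten to the firewall address only when
    #    the packet's source lies inside the SOURCE network of the entry.
    snat_applied = client_ip in masq_net
    if snat_applied:
        pkt.src = FW_IF_ADDR

    # 3. The DNS server answers whatever source address it saw.
    reply = Packet(src=NEW_DNS, dst=pkt.src)

    # 4. Only a reply addressed to the firewall passes back through conntrack,
    #    which undoes both NATs (src -> 10.10.10.11, dst -> client).
    via_firewall = reply.dst == FW_IF_ADDR
    if via_firewall:
        reply = Packet(src=OLD_DNS, dst=client)

    # 5. A resolver accepts an answer only from the server it queried; a reply
    #    from 10.100.100.11 to a query sent to 10.10.10.11 is dropped and the
    #    lookup times out, which is what the nslookup output showed.
    accepted = reply.src == OLD_DNS and reply.dst == client
    return {
        "client_in_masq_source": snat_applied,
        "reply_via_firewall": via_firewall,
        "reply_source_seen_by_client": reply.src,
        "client_accepts_reply": accepted,
    }


def check_masq_covers_interface(masq_source: str, addr: str = FW_IF_ADDR,
                                mask: str = FW_IF_MASK) -> bool:
    """Sanity check for the masq SOURCE column: it must contain the interface's
    own network, otherwise local clients are never SNATed on the hairpin."""
    return interface_network(addr, mask).subnet_of(ipaddress.ip_network(masq_source))


if __name__ == "__main__":
    for source in ("172.17.180.0/26", "172.17.180.64/26"):
        print(source, check_masq_covers_interface(source), simulate_dns_hairpin(source))
```

The check_masq_covers_interface call is the one-line test that would have caught the typo before a reload: the SOURCE network of a hairpin masq entry has to be the interface's own network (or a supernet of it), and 172.17.180.0/26 covers .0 to .63 while the clients live in .64 to .127.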
NO COMMENT !!!

It was a very hard week !!

Thanks Tom !!

Christian

Tom Eastep wrote:
> Christian Bayer wrote:
>
>> Logfile on Gateway:
>> Dec 14 10:53:47 gw-lauf1 kernel: Shorewall:loc_dnat:DNAT:IN=eth0 OUT=
>> MAC=00:e0:7d:a7:0c:bf:09:a0:f8:03:d4:c0:08:00 SRC=172.17.180.71
>> DST=10.10.10.11 LEN=63 TOS=0x00 PREC=0x00 TTL=127 ID=50778 PROTO=UDP
>> SPT=56997 DPT=53 LEN=43
>>
>
> That looks correct.
>
>> I think that the gateway doesnt rewrite the Destination IP from
>> 10.10.10.11 to 10.100.100.11.
>> And then the Cisco doesnt accept these Packets.
>>
>
> Nonsense -- the last packet that you show in the trace below is a response from
> 10.100.100.11 back to 172.17.180.71. But it should be returned to 172.16.180.67
> rather than 162.17.180.61.
>
>> Log from TCPDUMP:
>> 12:36:40.098449 172.17.180.71.17322 > 10.10.10.11.53: 10+ A?
>> ica.company. (28)
>> 12:36:40.098561 172.17.180.71.17322 > 10.10.10.11.53: 10+ A?
>> ica.company. (28)
>> 12:36:40.098817 172.17.180.71.17322 > 10.100.100.11.53: 10+ A?
>> ica.company. (28)
>> 12:36:40.109417 10.100.100.11.53 > 172.17.180.71.17322: 10* 3/1/3 A
>> 10.100.100.24,[|domain] (DF)
>>
>>
>> Any Answers ??
>>
> eth0 Link encap:Ethernet HWaddr 00:E0:7D:A7:0B:BF
> inet addr:172.17.180.67 Bcast:172.17.180.127 Mask:255.255.255.192
>
> Yes -- In your original post, you told me that your internal interface was
> 172.17.180.64/255.255.255.192 which is 172.17.180.64/26. But I wrote (and you
> blindly copied) a masq entry as follows:
>
> /etc/shorewall/masq
> eth0:10.100.100.11 172.17.180.0/26 172.17.180.67
>
> See the problem?
> -Tom