Hi all,

I'm running shorewall-3.0.5 and am having an issue with DNAT.
The shorewall machine has 3 interfaces, one for Internet, one for the LAN and one for public DMZ.
- LAN to Internet is masqueraded
- DMZ and Internet interfaces are bridged

We are running an http server on a machine from our DMZ. There is also an http server on our LAN, thus I forwarded a port from our firewall to port 80 of the LAN machine.

THE ISSUE is that when I enable the forward rule, all packets arriving on port 80 of the firewall are forwarded to the LAN even though the dest IP is one of the DMZ public ones.

The rule is:

    DNAT net loc:lan_machine_ip:80 tcp 80

The resulting iptables part is:

    DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:lan_machine_ip:80

The problem is that we should be able to specify a destination IP (where I could put the firewall IP) and I didn't see a way of doing that in Shorewall.

Is that a known limitation?

------------------
Bruno LEON

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Have you tried something along the lines of:

    ACCEPT  net  net:dmz_webserver_ip  tcp  80  -  dmz_webserver_ip
    DNAT    net  loc:lan_webserver_ip  tcp  80  -  firewall_ip

You also may need the routeback option on the bridged interface.

Thank you,
Bryan Vukich

On Mon, 2007-01-29 at 15:09 +0100, Leon Bruno wrote:
> [...]

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Leon Bruno wrote:
> The problem is that we should be able to specify a destination IP (where I could put the firewall IP) and I didn't see a way of doing that in Shorewall.

That is the purpose of the ORIGINAL DEST column.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Ok that did the trick, I had tried tcp 80:firewall_ip but this was the wrong syntax.
I'll read the documentation slowly next time.

Thanks a lot!
Bruno

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Bryan Vukich
Sent: Monday 29 January 2007 16:31
To: Shorewall Users
Subject: Re: [Shorewall-users] NAT & DMZ pulbic

Have you tried something along the lines of:

    ACCEPT  net  net:dmz_webserver_ip  tcp  80  -  dmz_webserver_ip
    DNAT    net  loc:lan_webserver_ip  tcp  80  -  firewall_ip

You also may need the routeback option on the bridged interface.

Thank you,
Bryan Vukich

On Mon, 2007-01-29 at 15:09 +0100, Leon Bruno wrote:
> [...]
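The following is an added example, not code from the thread or from Shorewall itself: a small model of how a Shorewall DNAT rules line becomes an iptables nat PREROUTING rule, and why leaving the ORIGINAL DEST column empty (0.0.0.0/0) lets the rule capture port-80 traffic that is merely bridged through the firewall towards the DMZ, as Bruno saw. The addresses and the `parse_dnat`/`prerouting` helpers are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (not from the thread).
FIREWALL_IP = "203.0.113.1"    # public address of the firewall itself
DMZ_WEB_IP = "203.0.113.10"    # public address of the bridged DMZ web server
LAN_WEB_IP = "192.168.1.10"    # private address of the LAN web server


@dataclass
class NatRule:
    proto: str
    dport: int
    orig_dest: Optional[str]   # None models 0.0.0.0/0, i.e. any destination
    to: str                    # "ip:port" written into the DNAT target


def parse_dnat(line: str) -> NatRule:
    """Parse one Shorewall 3.x rules line:
    DNAT SOURCE DEST PROTO DPORT [SPORT] [ORIGINAL DEST]."""
    cols = line.split()
    if cols[0] != "DNAT":
        raise ValueError("only DNAT rules are modelled here")
    _zone, ip, *port = cols[2].split(":")        # e.g. loc:192.168.1.10:80
    dport = int(cols[4])
    to = f"{ip}:{port[0] if port else dport}"
    orig = cols[6] if len(cols) > 6 and cols[6] != "-" else None
    return NatRule(proto=cols[3], dport=dport, orig_dest=orig, to=to)


def prerouting(rules, proto: str, dst_ip: str, dport: int) -> str:
    """First-match semantics of the nat PREROUTING chain. With bridge
    netfilter active, packets bridged to the DMZ also pass through it.
    Returns the rewritten 'ip:port', or the original if nothing matches."""
    for r in rules:
        if r.proto != proto or r.dport != dport:
            continue
        if r.orig_dest is not None and ipaddress.ip_address(dst_ip) not in \
                ipaddress.ip_network(r.orig_dest, strict=False):
            continue
        return r.to
    return f"{dst_ip}:{dport}"


# Bruno's original rule (no ORIGINAL DEST) versus the corrected one.
WITHOUT_ORIG_DEST = [parse_dnat(f"DNAT net loc:{LAN_WEB_IP}:80 tcp 80")]
WITH_ORIG_DEST = [parse_dnat(f"DNAT net loc:{LAN_WEB_IP}:80 tcp 80 - {FIREWALL_IP}")]
```

Run `prerouting(WITHOUT_ORIG_DEST, "tcp", DMZ_WEB_IP, 80)` to see the DMZ-bound packet rewritten to the LAN server, and the same call with `WITH_ORIG_DEST` to see it left untouched while traffic to `FIREWALL_IP` is still forwarded.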