Hello everyone!

I have a problem trying to develop on Shorewall some rules to redirect some kind of traffic between two servers on the Internet (both with public IPs). I want to redirect all traffic with destination host A (82.xx.xx.xx) port (xxxx) to host B (87.yy.yy.yy) port (xxxx). I can't do it with Shorewall, or I haven't been able to do it.

Then I saw some iptables rules that do the job:

/sbin/iptables -t nat -A PREROUTING -p tcp -m tcp -d 82.xx.xx.xx --dport xxxx -j DNAT --to-destination 87.yy.yy.yy
/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 87.yy.yy.yy --dport xxxx -j SNAT --to-source 82.xx.xx.xx

The problem is that I can't put these rules in Shorewall, and these rules only work if Shorewall is stopped. If Shorewall is running and I execute these rules, the system doesn't tell me anything, but they don't work. If I stop Shorewall and run these rules, they work.

Any suggestion about how to implement this?

Thanks a lot everybody!

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Prasanna Krishnamoorthy
2008-Jan-31 09:15 UTC
Re: Problems developing IpTables rules with shorewall
On Jan 31, 2008 1:59 PM, Raul Gil <raul@sistematica.es> wrote:
>
> I want to redirect all traffic with destination host A (82.xx.xx.xx) port
> (xxxx) to host B (87.yy.yy.yy) port (xxxx).
>
> /sbin/iptables -t nat -A PREROUTING -p tcp -m tcp -d 82.xx.xx.xx --dport
> xxxx -j DNAT --to-destination 87.yy.yy.yy
>
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 87.yy.yy.yy
> --dport xxxx -j SNAT --to-source 82.xx.xx.xx

These translate into one DNAT rule in the rules file, and one line in the masq file respectively.

Basically, the issue is that the packet will return directly to the public IP which is the source of the packet, which is not what you want. So you need to DNAT to change the destination, and you need to SNAT so that the packet returns to the original source via our DNAT mapping.

Prasanna.
--
www.elinanetworks.com
Seamless, secure delivery of applications.
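The reason given above for the second rewrite can be seen in a small model of the packet flow. This is an added example written for this thread; it is not code from the thread, from Shorewall or from netfilter. It models the PREROUTING DNAT and POSTROUTING SNAT rewrites plus the reverse mapping that connection tracking applies to replies, and checks whether the client ever receives a reply from the address and port it actually sent to. It also covers one more case than the message does: a backend whose route to the client already passes through the firewall (a server in a local zone), where the SNAT line is not needed. The addresses 82.0.0.1, 87.0.0.2, 198.51.100.7 and port 2647 are constructed placeholders for the thread's 82.xx.xx.xx, 87.yy.yy.yy and xxxx; source-port remapping by SNAT and TCP state are left out.

```python
"""Model of why the DNAT rule alone is not enough when host B is on the Internet.

Added example for this thread; not code from the thread, Shorewall or netfilter.
Simplifications: one TCP flow, no source-port remapping by SNAT, no TCP state.
All addresses and the port are constructed placeholders.
"""
from dataclasses import dataclass, replace

FIREWALL = "82.0.0.1"     # host A: public address on the Shorewall box (constructed)
BACKEND = "87.0.0.2"      # host B: the server that should really answer (constructed)
CLIENT = "198.51.100.7"   # an arbitrary Internet client (constructed, TEST-NET-2)
PORT = 2647               # stands in for the thread's "xxxx"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def flip(pkt):
    """The packet a host sends back in answer: addresses and ports swapped."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


class NatBox:
    """A router with a PREROUTING DNAT rule, an optional POSTROUTING SNAT rule,
    and a conntrack table that undoes both for packets in the reply direction."""

    def __init__(self, public_ip, backend, port, use_snat):
        self.public_ip = public_ip
        self.backend = backend
        self.port = port
        self.use_snat = use_snat
        # reply tuple (src, sport, dst, dport) -> packet as the client originally sent it
        self.conntrack = {}

    def forward(self, pkt):
        """Client -> service direction. Returns the packet as it leaves towards B."""
        out = pkt
        # PREROUTING: -d public_ip --dport port -j DNAT --to-destination backend
        if pkt.dst == self.public_ip and pkt.dport == self.port:
            out = replace(out, dst=self.backend)
        # POSTROUTING: -d backend --dport port -j SNAT --to-source public_ip
        if self.use_snat and out.dst == self.backend and out.dport == self.port:
            out = replace(out, src=self.public_ip)
        # Record the expected reply tuple so the reverse translation can be applied.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, pkt):
        """Reply direction. Returns the de-NATed packet, or None when the packet
        belongs to no tracked connection (it would simply be routed untouched)."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return None if orig is None else flip(orig)


def run(use_snat, backend_behind_firewall=False):
    """Simulate one request/reply. Returns (reply as seen by the client, accepted).

    The client accepts a reply only if it comes from the address:port it sent to.
    backend_behind_firewall=True models a B whose route to the client passes
    through the firewall anyway (B in a local zone), so its reply always comes
    back through conntrack even without SNAT.
    """
    box = NatBox(FIREWALL, BACKEND, PORT, use_snat)
    request = Packet(CLIENT, 40000, FIREWALL, PORT)
    reply_from_b = flip(box.forward(request))
    # Without SNAT and with B on the open Internet, B addresses its reply straight
    # to the client; the firewall never sees it and cannot undo the DNAT.
    traverses_box = backend_behind_firewall or reply_from_b.dst == FIREWALL
    seen = box.reverse(reply_from_b) if traverses_box else reply_from_b
    accepted = seen is not None and seen == flip(request)
    return seen, accepted


if __name__ == "__main__":
    for snat, behind in ((False, False), (True, False), (False, True)):
        seen, ok = run(snat, behind)
        print(f"SNAT={snat!s:5} B behind firewall={behind!s:5} -> "
              f"client sees reply from {seen.src}:{seen.sport}, accepted={ok}")
```

Running it shows the three outcomes: with both rewrites the client gets a reply from 82.0.0.1:2647 and accepts it; with DNAT only and B on the Internet, the reply arrives from 87.0.0.2 and the client's stack has no matching connection; with DNAT only but B behind the firewall, the reply passes back through conntrack and is accepted, which is why a DNAT to a local zone needs no masq entry.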
Raul Gil wrote:
>
> Hello everyone!
>
> I have a problem trying to develop on Shorewall some rules to redirect
> some kind of traffic between two servers on the Internet (both with public IPs).
> I want to redirect all traffic with destination host A (82.xx.xx.xx)
> port (xxxx) to host B (87.yy.yy.yy) port (xxxx).
> I can't do it with Shorewall, or I haven't been able to do it.
>
> Then I saw some iptables rules that do the job:
>
> /sbin/iptables -t nat -A PREROUTING -p tcp -m tcp -d 82.xx.xx.xx
> --dport xxxx -j DNAT --to-destination 87.yy.yy.yy
>
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d
> 87.yy.yy.yy --dport xxxx -j SNAT --to-source 82.xx.xx.xx
>
> The problem is that I can't put these rules in Shorewall and these rules
> only work if Shorewall is stopped. If Shorewall is running and I execute
> these rules, the system doesn't tell me anything, but they don't work. If I
> stop Shorewall and run these rules, they work.
>
> Any suggestion about how to implement this?

I'll assume that your external interface is 'eth0' and is associated with zone 'net'.

In /etc/shorewall/interfaces, add the 'routeback' option to eth0:

net     eth0    ...     routeback,...

In /etc/shorewall/rules:

DNAT-   net     net:87.yy.yy.yy     tcp     -       -       82.xx.xx.xx

In /etc/shorewall/masq:

eth0:87.yy.yy.yy        0.0.0.0/0       82.xx.xx.xx

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
> ... develop on shorewall some rules to redirect
> some kind of traffic between two servers on the
> Internet (both with public IPs). I want to redirect
> all traffic with destination host A (82.xx.xx.xx)
> port (xxxx) to host B (87.yy.yy.yy) port (xxxx). ...

If I understand your need correctly, I do exactly this with Shorewall. In my "rules" file I have this entry:

DNAT    net     loc:172.16.1.51:22      tcp     2647

It redirects traffic from ipA:2647 to ipB:22 (ipB seems to be on the Internet, but is actually behind my firewall).

This illustrates a few Shorewall oddities you may encounter: First, the REDIRECT statement is used only if you're changing ports but not machines. To change machines or both machine and port, use the (somewhat less obvious) DNAT statement. Second, although colon (:) most often denotes a range in Shorewall, in this particular circumstance it allows specification of a port. And third, the documentation for this particular option can be hard to find. I had to go through a "reference" manual with a fine-toothed comb, and mentally correct a few errors I ran across while doing so.

(As a general rule of thumb, either _all_ Shorewall or _no_ Shorewall. Trying to mix Shorewall with raw IPTables most often leads to disaster.

Also, which of A or B is behind your firewall? Assuming Shorewall is on your firewall, if A and B are both outside the firewall on the open Internet, it would seem the traffic would never traverse the system with your rule at all. I must be on the wrong track here...)

thanks!
-Chuck Kollars