Hi all,

I've been using SuSE and SuSEfirewall for a long time, and now I'm giving Shorewall a try. It's a great piece of software and I have already moved some systems to Ubuntu and Shorewall very easily, just following the docs.

But now I'm moving another system and am facing a problem that I could not find in the docs.

How do I do MASQUERADING to a specific target?

Suppose I have an internal network (192.168.0.0/24) and need to allow one or more workstations (but not all) to use Terminal Services (3389/tcp) to some specific host on the Internet. In other words, what I need is:

iptables -A FORWARD -p tcp -s 192.168.0.x -d xxx.xxx.xxx.xxx --dport 3389 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.x -d xxx.xxx.xxx.xxx --dport 3389 -j MASQUERADE
iptables -A FORWARD -p tcp -s 192.168.0.y -d xxx.xxx.xxx.xxx --dport 3389 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.y -d xxx.xxx.xxx.xxx --dport 3389 -j MASQUERADE
iptables -A FORWARD -p tcp -s 192.168.0.z -d xxx.xxx.xxx.xxx --dport 3389 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.z -d xxx.xxx.xxx.xxx --dport 3389 -j MASQUERADE

I first would put it in the masq file, but I couldn't find a way to specify the destination address and port. Then I would put it in the rules file, but then I cannot specify MASQ as the action.

What's the right way to do it?

By the way, I'm running Ubuntu 8.0.4 LTS and Shorewall 4.0.6.

Tnxs in advance,

Braulio W. Gergull

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
Bráulio Gergull wrote:
> Hi all,
>
> I've been using SuSE and SuSEfirewall for a long time, and now I'm
> giving Shorewall a try. It's a great piece of software and I have
> already moved some systems to Ubuntu and Shorewall very easily, just
> following the docs.
>
> But now I'm moving another system and am facing a problem that I could
> not find in the docs.
>
> How do I do MASQUERADING to a specific target?
...
> I first would put it in masq file, but I couldn't find a way to specify
> the destination address and port.

First of all, using MASQUERADING as a means for controlling access is not a good idea. You should use MASQUERADING to rewrite the SOURCE IP address and you should use filter rules to control access.

> Then I would put it in the rules file,
> but then and cannot specify MASQ as the action.
>
> What's the right way to do it?

/etc/shorewall/masq:

<external if>:xxx.xxx.xxx.xxx    192.168.0.0/24    -    tcp    3389

/etc/shorewall/rules:

ACCEPT    loc:192.168.0.x-192.168.0.z    tcp    3389

The latter, of course, assumes that your loc->net policy is not ACCEPT.

> By the way, I'm running Ubuntu 8.0.4 LTS and Shorewall 4.0.6.

There are 4.2 Shorewall packages available for Hardy -- see the Shorewall download page.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi,

On Wed, Aug 26, 2009 at 10:58 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Bráulio Gergull wrote:
> > Hi all,
> >
> > I've been using SuSE and SuSEfirewall for a long time, and now I'm
> > giving Shorewall a try. It's a great piece of software and I have
> > already moved some systems to Ubuntu and Shorewall very easily, just
> > following the docs.
> >
> > But now I'm moving another system and am facing a problem that I could
> > not find in the docs.
> >
> > How do I do MASQUERADING to a specific target?
> ...
> >
> > I first would put it in masq file, but I couldn't find a way to specify
> > the destination address and port.
>
> First of all, using MASQUERADING as a means for controlling access is
> not a good idea. You should use MASQUERADING to rewrite the SOURCE IP
> address and you should use filter rules to control access.

That's a point of view. Generally I have all outgoing traffic blocked, most outgoing traffic will be handled by proxies, and for some exceptions I do masquerading as necessary on a specific basis. But OK, I'm still trying to understand Shorewall concepts more deeply.

> > Then I would put it in the rules file,
> > but then and cannot specify MASQ as the action.
> >
> > What's the right way to do it?
>
> /etc/shorewall/masq:
>
> <external if>:xxx.xxx.xxx.xxx    192.168.0.0/24    -    tcp    3389
>
> /etc/shorewall/rules:
>
> ACCEPT    loc:192.168.0.x-192.168.0.z    tcp    3389
>
> The latter, of course, assumes that your loc->net policy is not ACCEPT.
>

Fine, got it!

> > By the way, I'm running Ubuntu 8.0.4 LTS and Shorewall 4.0.6.
>
> There are 4.2 Shorewall packages available for Hardy -- see the
> Shorewall download page.
>

Nice to know, I'll give it a try.

Thanks a lot!

Braulio Gergull
Bráulio Gergull wrote:
> > First of all, using MASQUERADING as a means for controlling access is
> > not a good idea. You should use MASQUERADING to rewrite the SOURCE IP
> > address and you should use filter rules to control access.
>
> That's a point of view. Generally I have all outgoing traffic blocked,
> most outgoing traffic will be handled by proxies, and for some
> exceptions I do masquerading as necessary on a specific basis. But OK, I'm
> still trying to understand Shorewall concepts more deeply.

It may be a point of view but it is not without reason.

All outgoing connections pass through the nat table POSTROUTING chain. So having a large set of rules there that duplicate filter rules:

a) Needlessly passes connections such as those from your proxy to the net through a series of rules that they can't possibly match.

b) Needlessly duplicates filtering that you have already done in a more focused way in the filter table.

c) Unless the nat and filter rules are carefully synchronized, it is possible to send un-masqueraded packets with private source IP addresses onto the Internet, wasting bandwidth and annoying your internal users because their connections time out.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
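Tom's point (c), and the two layouts compared in this thread (the per-host FORWARD/POSTROUTING pairs from the original question against the single masq entry plus filter rules in his first reply), as an added example that is not from the thread or from Shorewall itself: a small Python model of the traversal order he describes, where the filter FORWARD chain decides access and nat POSTROUTING only rewrites the source. The addresses 203.0.113.10 and 198.51.100.7 and the hosts .10/.20/.30 are constructed stand-ins for the firewall, the xxx.xxx.xxx.xxx RDP host and the workstations x/y/z.

```python
# Added example (not from the thread): a toy model of netfilter traversal for
# an outgoing connection -- filter FORWARD first, then nat POSTROUTING -- used
# to compare the per-host masq layout with a subnet-wide masq entry.
from ipaddress import ip_address, ip_network

FIREWALL_PUBLIC_IP = "203.0.113.10"   # constructed: external interface address
RDP_HOST = "198.51.100.7"             # constructed stand-in for xxx.xxx.xxx.xxx

def matches(rule, pkt):
    """A rule matches when every criterion it names agrees with the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        if key == "src":                      # src may be a host or a subnet
            if ip_address(pkt["src"]) not in ip_network(want):
                return False
        elif pkt[key] != want:
            return False
    return True

def walk(chain, pkt, default):
    """First match wins, like an iptables chain; no match -> chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return default

def forward(pkt, filter_chain, nat_chain):
    """Return (verdict, source address the Internet side would see)."""
    if walk(filter_chain, pkt, "DROP") != "ACCEPT":
        return ("DROP", None)
    if walk(nat_chain, pkt, None) == "MASQUERADE":
        return ("ACCEPT", FIREWALL_PUBLIC_IP)
    return ("ACCEPT", pkt["src"])           # private source leaks out (point c)

RDP = {"dst": RDP_HOST, "proto": "tcp", "dport": 3389}
HOSTS = ("192.168.0.10", "192.168.0.20", "192.168.0.30")

# Layout 1 (the original question): one ACCEPT and one MASQUERADE per host.
# The pair for .30 has drifted out of sync: its MASQUERADE line is missing.
per_host_filter = [dict(RDP, src=h, target="ACCEPT") for h in HOSTS]
per_host_nat = [dict(RDP, src=h, target="MASQUERADE") for h in HOSTS[:2]]

# Layout 2 (Tom's answer): the same filter rules, but one masq entry for the
# whole 192.168.0.0/24 towards the RDP host, so there is nothing to desync.
subnet_nat = [dict(RDP, src="192.168.0.0/24", target="MASQUERADE")]

def leaks(filter_chain, nat_chain, hosts=HOSTS):
    """Hosts whose accepted packets would leave with a private source."""
    return [h for h in hosts
            if forward(dict(RDP, src=h), filter_chain, nat_chain) == ("ACCEPT", h)]
```

With layout 1 the desynchronised host .30 is forwarded but leaves with its 192.168.0.30 source, exactly the failure Tom describes; with layout 2 every accepted host leaves as 203.0.113.10, and hosts without a filter rule are still dropped.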
On Wed, Aug 26, 2009 at 3:14 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Bráulio Gergull wrote:
> > > First of all, using MASQUERADING as a means for controlling access is
> > > not a good idea. You should use MASQUERADING to rewrite the SOURCE IP
> > > address and you should use filter rules to control access.
> >
> > That's a point of view. Generally I have all outgoing traffic blocked,
> > most outgoing traffic will be handled by proxies, and for some
> > exceptions I do masquerading as necessary on a specific basis. But OK, I'm
> > still trying to understand Shorewall concepts more deeply.
>
> It may be a point of view but it is not without reason.
>
> All outgoing connections pass through the nat table POSTROUTING chain.
> So having a large set of rules there that duplicate filter rules:
>
> a) Needlessly passes connections such as those from your proxy to the
> net through a series of rules that they can't possibly match.
>
> b) Needlessly duplicates filtering that you have already done in a more
> focused way in the filter table.
>
> c) Unless the nat and filter rules are carefully synchronized, it is
> possible to send un-masqueraded packets with private source IP
> addresses onto the Internet wasting bandwidth and annoying your
> internal users because their connections time out.
>

OK, got it! Still learning the inner behavior of Shorewall... :)

Thanks again,

Braulio Gergull