Olivier Bourdon
2010-May-06 13:50 UTC
DNAT configuration issue on single interface machine
Hello folks,

I have a DNAT configuration issue that I would like to submit to your experience, to see why it is not working. Here is my network layout:

    int-machine (INT-NET.IP1) ----- (INT-NET.IP2) int-FW (DMZ-NET.IP2) --------------- (DMZ-NET.IP3) dmz-machine
                                                                              |
                                                                        (DMZ-NET.IP1)
                                                                           ext-FW
                                                                              |
                                                                           internet
                                                                              |
                                                                       client public IP

dmz-machine has a public address accessible from my client public IP.

What I am trying to achieve is to redirect all incoming traffic on dmz-machine:port1 to int-machine:port1. dmz-machine is running shorewall+ulogd for that matter and for external security issues.

Note that the dmz-machine is mono-interfaced, which might be the cause of my problem, but you'll tell me.

I do not own the Firewalls (int-FW and ext-FW) but rules have been configured properly as:

- incoming traffic from client to dmz-machine on port1 is working, because telnet dmz-machine port1 + tcpdump + shorewall ulog tail -f show proper traces, and nc -l DMZ-NET.IP3 port1 running on dmz-machine receives the packets from my telnet connection
- incoming traffic from dmz-machine to int-machine on port1 is working, because telnet DMZ-NET.IP2 port1 + tcpdump + shorewall ulog tail -f show proper traces, and nc -l INT-NET.IP1 port1 running on int-machine receives the packets from my telnet connection

The rules I wrote in /etc/shorewall/rules are:

    ACCEPT      net:client-public-IP    net:DMZ-NET.IP2          tcp    port1
    DNAT:ULOG   net:client-public-IP    net:DMZ-NET.IP2:port1    tcp    port1    -    DMZ-NET.IP3

In /var/log/ulogd/ulogd.syslogemu I can see:

    May 6 14:45:27 factory Shorewall:net_dnat:DNAT: IN=eth0 OUT= MAC=.... SRC=client-public-IP DST=DMZ-NET.IP3 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=64859 CE DF PROTO=TCP SPT=45343 DPT=port1 SEQ=3031743659 ACK=0 WINDOW=5840 SYN URGP=0

but no other messages can be seen.

Note that I had not put the ACCEPT rule in the 1st place and got:

    May 6 15:41:15 factory Shorewall:FORWARD:REJECT: IN=eth0 OUT=eth0 MAC=.... SRC=client-public-IP DST=DMZ-NET.IP2 LEN=60 TOS=00 PREC=0x00 TTL=50 ID=24825 DF PROTO=TCP SPT=56811 DPT=port1 SEQ=3334722914 ACK=0 WINDOW=5840 SYN URGP=0

therefore the rule seems to remove these traces.

The packet never makes it to int-machine (empty tcpdump output). tcpdump on dmz-machine only shows incoming traffic and no other traffic, not even on the lo interface :-(

zones shorewall cfg file:

    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    net     ipv4

interfaces shorewall cfg file:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      tcpflags,logmartians,nosmurfs

policy shorewall cfg file:

    #SOURCE DEST    POLICY  LOG     LIMIT:      CONNLIMIT:
    #                       LEVEL   BURST       MASK
    $FW     net     ACCEPT
    net     $FW     DROP    ULOG
    net     all     DROP    ULOG
    # THE FOLLOWING POLICY MUST BE LAST
    all     all     REJECT  ULOG

nat & hosts shorewall cfg files are empty.

I also tried to use the info provided in http://www.shorewall.net/manpages/shorewall-nesting.html but this led to the same behaviour.

I also tried sysctl -w net.ipv4.ip_forward=1 without any more success.

Does someone have a clue on what is wrong, or whether it is possible at all?

Thanks
------------------------------------------------------------------------------
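The two ulogd lines quoted above carry everything needed to see where the connection stops: the Shorewall prefix names the chain and disposition, and IN/OUT/SRC/DST/DPT show whether the packet was already rewritten by DNAT and whether it is being forwarded back out the interface it arrived on. The parser below is an added example, not code from the thread or from the Shorewall project; the sample lines are constructed after the ones in the post, with RFC 5737 documentation addresses standing in for client-public-IP / DMZ-NET.IP2 / DMZ-NET.IP3 and 8080 standing in for port1.

```python
"""Parse Shorewall/netfilter log lines as written by ulogd's syslogemu
output and explain what each says about a DNAT forwarding path.
Added example; not part of the original thread."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines modelled on the thread's ulogd.syslogemu output.
# 203.0.113.10 = client, 192.0.2.2 = int-FW's DMZ address, 192.0.2.3 =
# dmz-machine, 8080 = "port1": all placeholders, none taken from the thread.
SAMPLE_LOG = """\
May  6 14:45:27 factory Shorewall:net_dnat:DNAT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.3 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=64859 CE DF PROTO=TCP SPT=45343 DPT=8080 SEQ=3031743659 ACK=0 WINDOW=5840 SYN URGP=0
May  6 15:41:15 factory Shorewall:FORWARD:REJECT: IN=eth0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.2 LEN=60 TOS=00 PREC=0x00 TTL=50 ID=24825 DF PROTO=TCP SPT=56811 DPT=8080 SEQ=3334722914 ACK=0 WINDOW=5840 SYN URGP=0
"""

# syslog timestamp and host, then the Shorewall prefix "Shorewall:<chain>:<disposition>:",
# then netfilter key=value fields interleaved with bare flag tokens (CE, DF, SYN, ...).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):\s*(?P<rest>.*)$"
)
NUMERIC = {"LEN", "TTL", "ID", "SPT", "DPT", "SEQ", "ACK", "WINDOW", "URGP"}


@dataclass
class LogEntry:
    timestamp: str
    host: str
    chain: str
    disposition: str
    fields: dict = field(default_factory=dict)
    flags: set = field(default_factory=set)


def parse_line(line: str) -> LogEntry:
    """Split one log line into prefix parts, key=value fields and bare flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    entry = LogEntry(m["ts"], m["host"], m["chain"], m["disposition"])
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # "OUT=" is legitimately empty in PREROUTING
            entry.fields[key] = int(val) if key in NUMERIC and val.isdigit() else val
        else:
            entry.flags.add(tok)  # CE, DF, SYN ... carry no value
    return entry


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def diagnose(e: LogEntry) -> str:
    """Explain what a single line says about the DNAT forwarding path."""
    src, dst, dpt = e.fields.get("SRC"), e.fields.get("DST"), e.fields.get("DPT")
    if e.disposition == "DNAT":
        return (f"nat/{e.chain}: DNAT rule matched {src} -> {dst}:{dpt}; the destination "
                f"is rewritten here, so later chains log the new DST, not {dst}")
    if e.chain == "FORWARD" and e.disposition in ("REJECT", "DROP"):
        hairpin = bool(e.fields.get("IN")) and e.fields.get("IN") == e.fields.get("OUT")
        why = (f"it leaves via {e.fields['IN']}, the interface it came in on (hairpin "
               f"on a single-NIC host)" if hairpin
               else f"IN={e.fields.get('IN')} OUT={e.fields.get('OUT')}")
        return (f"FORWARD: policy {e.disposition}ed {src} -> {dst}:{dpt} ({why}); "
                f"a rule must ACCEPT this forwarded traffic, and the reply path must "
                f"lead back through this host")
    return f"{e.chain}: {e.disposition} {src} -> {dst}:{dpt}"


def summarize(entries) -> dict:
    """Count (chain, disposition) pairs: a quick view of where packets end up."""
    return dict(Counter((e.chain, e.disposition) for e in entries))


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for entry in log:
        print(diagnose(entry))
    print(summarize(log))
```

Run against a real ulogd.syslogemu file, the summary is the first thing to look at: a net_dnat:DNAT count with nothing afterwards means the rewritten packet was either accepted silently (ACCEPT rules do not log unless given a log level) or never forwarded at all, while FORWARD:REJECT with IN equal to OUT is the single-interface hairpin case the rest of the thread is about.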
On 05/06/2010 06:50 AM, Olivier Bourdon wrote:
>
> I do not own the Firewalls (int-FW and ext-FW) but rules have been
> configured properly as:
>
> the packet never makes it to int-machine (empty tcpdump output)
> tcpdump on dmz-machine only shows incoming traffic and no other traffic
> not even on lo interface :-(
>
> Does someone have a clue on what is wrong or if it is possible at all
>

For this to work:

a) int-FW must accept port1 traffic from dmz-machine -> int-machine; and
b) You must apply the miserable hack in Shorewall FAQ 1g on dmz-machine (where that FAQ refers to 'public address', just use the address of the machine's only NIC).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Olivier Bourdon
2010-May-07 15:26 UTC
Re: DNAT configuration issue on single interface machine
Tom Eastep <teastep <at> shorewall.net> writes:
>
> On 05/06/2010 06:50 AM, Olivier Bourdon wrote:
> >
> > I do not own the Firewalls (int-FW and ext-FW) but rules have been
> > configured properly as:
> >
> > the packet never makes it to int-machine (empty tcpdump output)
> > tcpdump on dmz-machine only shows incoming traffic and no other traffic
> > not even on lo interface
> >
> > Does someone have a clue on what is wrong or if it is possible at all
> >
>
> For this to work:
>
> a) int-FW must accept port1 traffic from dmz-machine -> int-machine; and
> b) You must apply the miserable hack in Shorewall FAQ 1g on dmz-machine
> (where that FAQ refers to 'public address', just use the address of the
> machine's only NIC).
>
> -Tom

Thanks a million Tom, works like a charm, but after restarting shorewall I had to relaunch the forwarding command sysctl -w net.ipv4.ip_forward=1 to make it work, and therefore changed the IP_FORWARDING option to On in shorewall.conf.

Thanks again for your help
------------------------------------------------------------------------------