Hi,

I manage a Shorewall router with 3 NICs: one local, one WAN and one DMZ with public IPs. I've noticed that if I connect to a host in the DMZ on a locally DNATed port, it redirects me to the DNATed local host. Is that normal behavior? From my point of view it looks like a security hole, but I'm sure I missed something. Anything to avoid this unwanted behavior?

Thanks,
David

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, user administration capabilities and model configuration. Take the hassle out of deploying and managing Subversion and the tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
On Aug 18, 2011, at 11:57 AM, elhijo wrote:

> Hi,
> I manage a Shorewall router with 3 NICs, one local, one WAN and one DMZ with public IPs.
> I've noticed that if I connect to a host in the DMZ on a locally DNATed port, it redirects me to the DNATed local host.

I'm not understanding what problem you are trying to report. If your DMZ has public IP addresses, what is the purpose of your DNAT rules?

Thanks,
-Tom

Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Aug 18, 2011, at 2:24 PM, Tom Eastep wrote:

> On Aug 18, 2011, at 11:57 AM, elhijo wrote:
>
>> Hi,
>> I manage a Shorewall router with 3 NICs, one local, one WAN and one DMZ with public IPs.
>> I've noticed that if I connect to a host in the DMZ on a locally DNATed port, it redirects me to the DNATed local host.
>
> I'm not understanding what problem you are trying to report. If your DMZ has public IP addresses, what is the purpose of your DNAT rules?

Are you doing something like this?

    DNAT    net    dmz:w.x.y.z:p2    tcp    p1    -    w.x.y.z

If so, you will be able to connect from the net to port p2 on w.x.y.z unless your iptables and kernel support "Extended Connection Tracking Match Support" (see the output of 'shorewall show capabilities'). I have discovered that iptables 1.4.12 is broken in that area. I've posted a correcting patch to the Netfilter Development list.

If you do this:

    DNAT    net    dmz:w.x.y.z:p2    tcp    p1

then if you connect from the net to port p1 on ANY of your public IP addresses, the connection will be forwarded to p2 on w.x.y.z. You correct that by also placing w.x.y.z in the ORIGINAL DEST column as shown in the first rule above.

-Tom
Tom Eastep wrote:
> On Aug 18, 2011, at 2:24 PM, Tom Eastep wrote:
>
>> On Aug 18, 2011, at 11:57 AM, elhijo wrote:
>>
>>> Hi,
>>> I manage a Shorewall router with 3 NICs, one local, one WAN and one DMZ with public IPs.
>>> I've noticed that if I connect to a host in the DMZ on a locally DNATed port, it redirects me to the DNATed local host.
>>
>> I'm not understanding what problem you are trying to report. If your DMZ has public IP addresses, what is the purpose of your DNAT rules?
>
> Are you doing something like this?
>
>     DNAT    net    dmz:w.x.y.z:p2    tcp    p1    -    w.x.y.z
>
> If so, you will be able to connect from the net to port p2 on w.x.y.z unless your iptables and kernel support "Extended Connection Tracking Match Support" (see the output of 'shorewall show capabilities'). I have discovered that iptables 1.4.12 is broken in that area. I've posted a correcting patch to the Netfilter Development list.
>
> If you do this:
>
>     DNAT    net    dmz:w.x.y.z:p2    tcp    p1
>
> then if you connect from the net to port p1 on ANY of your public IP addresses, the connection will be forwarded to p2 on w.x.y.z. You correct that by also placing w.x.y.z in the ORIGINAL DEST column as shown in the first rule above.
>
> -Tom

Hi Tom,

No, here is what I'm doing:

    DNAT    net    loc:w.x.y.z:p1    tcp    p2
    ACCEPT  net    dmz:r.s.t.u.v     tcp    p3

If I do "telnet r.s.t.u.v p2" (or any other IP in the DMZ) I'm redirected to w.x.y.z:p1. I would expect a rejected connection (as my default net2dmz rule is reject). If I "nmap r.s.t.u.v" I can see p2 open...

I hope I'm clearer :)

Thanks,
David
> No, here is what I'm doing:
>
>     DNAT    net    loc:w.x.y.z:p1    tcp    p2
>     ACCEPT  net    dmz:r.s.t.u.v     tcp    p3
>
> If I do "telnet r.s.t.u.v p2" (or any other IP in the DMZ) I'm
> redirected to w.x.y.z:p1
> I would expect a rejected connection (as my default net2dmz rule is
> reject)
> If I "nmap r.s.t.u.v" I can see p2 open...
>
> I hope I'm clearer :)

I assume that you only want the first DNAT rule to apply to connections addressed to the firewall's external IP address? If so, and assuming that the firewall's address is a.b.c.d, then change your first rule to:

    DNAT    net    loc:w.x.y.z:p1    tcp    p2    -    a.b.c.d

-Tom
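The behaviour David observed and the fix Tom gives come down to how the DNAT line compiles into a nat/PREROUTING match: with the ORIGINAL DEST column empty there is no `-d` match, so every TCP packet arriving on the net interface with destination port p2 is rewritten, including packets that were only being routed through the firewall to a DMZ host's public address. Adding `a.b.c.d` as ORIGINAL DEST pins the rewrite to the firewall's own address, and the probe to the DMZ host then falls through to the net2dmz policy. The following model of that evaluation is an added example written for this page, not Shorewall code or anything from the thread; the interface name, the RFC 5737 addresses, the subnet sizes and the port numbers are constructed placeholders standing in for a.b.c.d, w.x.y.z, r.s.t.u.v, p1, p2 and p3, and the filter stage is reduced to the two ACCEPT entries relevant here plus a REJECT policy.

```python
"""Model of the nat/PREROUTING + filter/FORWARD evaluation behind the thread's
two DNAT variants.  Constructed example: addresses, interface and ports are
illustrative stand-ins for the placeholders used in the mailing-list posts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# --- constructed topology (assumption, not from the thread) ------------------
WAN_IFACE = "eth0"                           # interface of the 'net' zone
FW_EXT_IP = "203.0.113.1"                    # a.b.c.d, firewall's public address
LOC_NET = ip_network("192.168.1.0/24")       # 'loc' zone, private
DMZ_NET = ip_network("203.0.113.128/25")     # 'dmz' zone, public IPs routed via fw
LOC_SERVER = "192.168.1.10"                  # w.x.y.z
DMZ_HOST = "203.0.113.130"                   # r.s.t.u.v in the thread
P1, P2, P3 = 8080, 80, 443                   # p1 (loc service), p2 (public), p3 (dmz)


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """One nat/PREROUTING entry as a Shorewall DNAT line compiles to it:
    -i <iface> -p <proto> --dport <dport> [-d <orig_dest>] -j DNAT --to ip:port
    orig_dest is the ORIGINAL DEST column; None means no -d match at all."""
    in_iface: str
    proto: str
    dport: int
    to_ip: str
    to_port: int
    orig_dest: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if (pkt.in_iface, pkt.proto, pkt.dport) != (self.in_iface, self.proto, self.dport):
            return False
        # Without ORIGINAL DEST every destination matches, including packets
        # that are merely being forwarded to the DMZ subnet.
        return self.orig_dest is None or pkt.dst == self.orig_dest


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    if addr in LOC_NET:
        return "loc"
    if addr in DMZ_NET:
        return "dmz"
    return "fw" if ip == FW_EXT_IP else "net"


def prerouting(rules: List[DnatRule], pkt: Packet) -> Packet:
    """First matching DNAT rule rewrites the destination (first-match wins)."""
    for rule in rules:
        if rule.matches(pkt):
            return Packet(pkt.in_iface, pkt.proto, rule.to_ip, rule.to_port)
    return pkt


def forward_filter(pkt: Packet, accepts: List[Tuple[str, str, int]]) -> str:
    """FORWARD decision is made on the *translated* destination.  `accepts`
    holds (zone, dst_ip, dport) ACCEPT entries; anything else hits the
    net2loc/net2dmz policy, which David said is REJECT."""
    return "ACCEPT" if (zone_of(pkt.dst), pkt.dst, pkt.dport) in accepts else "REJECT"


def evaluate(rules: List[DnatRule], accepts, pkt: Packet) -> Tuple[str, str, int]:
    """Return (verdict, final destination IP, final destination port)."""
    translated = prerouting(rules, pkt)
    return forward_filter(translated, accepts), translated.dst, translated.dport


# ACCEPT side generated for the DNAT, plus David's explicit dmz ACCEPT on p3.
ACCEPT_ENTRIES = [("loc", LOC_SERVER, P1), ("dmz", DMZ_HOST, P3)]

# David's original line:   DNAT net loc:w.x.y.z:p1 tcp p2
WEAK_RULES = [DnatRule(WAN_IFACE, "tcp", P2, LOC_SERVER, P1)]
# Tom's corrected line:    DNAT net loc:w.x.y.z:p1 tcp p2 - a.b.c.d
FIXED_RULES = [DnatRule(WAN_IFACE, "tcp", P2, LOC_SERVER, P1, orig_dest=FW_EXT_IP)]

if __name__ == "__main__":
    probe = Packet(WAN_IFACE, "tcp", DMZ_HOST, P2)   # "telnet r.s.t.u.v p2" from the net
    print("weak :", evaluate(WEAK_RULES, ACCEPT_ENTRIES, probe))
    print("fixed:", evaluate(FIXED_RULES, ACCEPT_ENTRIES, probe))
```

With the weak ruleset the probe to the DMZ host on p2 is rewritten to w.x.y.z:p1 and then accepted by the DNAT's own ACCEPT half, which is exactly why nmap showed p2 open on every DMZ address; with the ORIGINAL DEST set, the same probe keeps its DMZ destination and is rejected by policy, while connections to a.b.c.d:p2 are still forwarded. On a real box, `shorewall show nat` shows the compiled PREROUTING rule, and the presence or absence of the `-d a.b.c.d` match is the thing to check.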
Tom Eastep wrote:
>> No, here is what I'm doing:
>>
>>     DNAT    net    loc:w.x.y.z:p1    tcp    p2
>>     ACCEPT  net    dmz:r.s.t.u.v     tcp    p3
>>
>> If I do "telnet r.s.t.u.v p2" (or any other IP in the DMZ) I'm
>> redirected to w.x.y.z:p1
>> I would expect a rejected connection (as my default net2dmz rule is
>> reject)
>> If I "nmap r.s.t.u.v" I can see p2 open...
>>
>> I hope I'm clearer :)
>
> I assume that you only want the first DNAT rule to apply to connections
> addressed to the firewall's external IP address? If so, and assuming
> that the firewall's address is a.b.c.d, then change your first rule to:
>
>     DNAT    net    loc:w.x.y.z:p1    tcp    p2    -    a.b.c.d
>
> -Tom

As easy as pie :)

Thanks Tom, I'll test this one this weekend during off hours. I'll keep you updated.

Have a nice weekend,
David