Hi

We have a Shorewall configuration where we:

* set up one-to-one NAT in the file /etc/shorewall/nat
* set up port forwarding rules for specific IPs and ports in /etc/shorewall/rules

So basically, what we want to achieve is that all traffic to IP 10.10.10.10 should point to inside 192.168.0.2 _except_ for port 80, which should go to 192.168.0.3.

Unfortunately, with this setup the more general one-to-one rule ends up in the NAT chain "nat_in", while the more specific port forwarding ends up in the chain "dnat". And, in the configuration generated by Shorewall, the nat_in chain is placed above the dnat chain. This is done in file "Misc.pm", lines 1446-1448.

Should we do our configuration some other way, or is this something that should be fixed in Shorewall?

BR,
David Westlund
On 09/25/2012 05:00 AM, David Westlund wrote:
> We have a Shorewall configuration where we:
> * set up one-to-one NAT in the file /etc/shorewall/nat
> * set up port forwarding rules for specific IPs and ports in /etc/shorewall/rules
>
> So basically, what we want to achieve is that all traffic to IP
> 10.10.10.10 should point to inside 192.168.0.2 _except_ for port 80,
> which should go to 192.168.0.3.
>
> Unfortunately, with this setup the more general one-to-one rule ends
> up in the NAT chain "nat_in", while the more specific port forwarding
> ends up in the chain "dnat". And, in the configuration generated by
> Shorewall, the nat_in chain is placed above the dnat chain. This is
> done in file "Misc.pm", lines 1446-1448.
>
> Should we do our configuration some other way, or is this something
> that should be fixed in Shorewall?

Currently, the only way to achieve what you are asking is to replace each entry in /etc/shorewall/nat with an entry in /etc/shorewall/masq and a DNAT- entry in /etc/shorewall/rules.

I'll add a way to allow DNAT to preempt /etc/shorewall/nat in the 4.5.9 release.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 09/25/2012 06:37 AM, Tom Eastep wrote:
>
> Currently, the only way to achieve what you are asking is to replace
> each entry in /etc/shorewall/nat with an entry in /etc/shorewall/masq
> and a DNAT- entry in /etc/shorewall/rules.
>
> I'll add a way to allow DNAT to preempt /etc/shorewall/nat in the 4.5.9
> release.

David -- which version of Shorewall are you running? As I went to look at this problem, I see the following in a test configuration using Shorewall 4.5.8:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth0_in - [0:0]
:eth0_masq - [0:0]
:eth0_out - [0:0]
:net_dnat - [0:0]
:wlan0_in - [0:0]
:wlan0_masq - [0:0]
:wlan0_out - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A PREROUTING -i wlan0 -j net_dnat
-A PREROUTING -i eth0 -j eth0_in
-A PREROUTING -i wlan0 -j wlan0_in
-A POSTROUTING -o eth0 -j eth0_out
-A POSTROUTING -o eth0 -j eth0_masq
-A POSTROUTING -o wlan0 -j wlan0_out
-A POSTROUTING -o wlan0 -j wlan0_masq
-A eth0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
-A eth0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
-A eth0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
-A net_dnat -p 6 --dport 9999 -j DNAT --to-destination 1.2.3.4
-A wlan0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
-A wlan0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
-A wlan0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
COMMIT

As you can see, the jumps from PREROUTING to the net_dnat chain are before the jumps to the <interface>_in chains.

Thanks,
-Tom
On 09/26/2012 10:49 AM, Tom Eastep wrote:
> On 09/25/2012 06:37 AM, Tom Eastep wrote:
>>
>> Currently, the only way to achieve what you are asking is to replace
>> each entry in /etc/shorewall/nat with an entry in /etc/shorewall/masq
>> and a DNAT- entry in /etc/shorewall/rules.
>>
>> I'll add a way to allow DNAT to preempt /etc/shorewall/nat in the 4.5.9
>> release.
>
> David -- which version of Shorewall are you running? As I went to look
> at this problem, I see the following in a test configuration using
> Shorewall 4.5.8:
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :eth0_in - [0:0]
> :eth0_masq - [0:0]
> :eth0_out - [0:0]
> :net_dnat - [0:0]
> :wlan0_in - [0:0]
> :wlan0_masq - [0:0]
> :wlan0_out - [0:0]
> -A PREROUTING -i eth0 -j net_dnat
> -A PREROUTING -i wlan0 -j net_dnat
> -A PREROUTING -i eth0 -j eth0_in
> -A PREROUTING -i wlan0 -j wlan0_in
> -A POSTROUTING -o eth0 -j eth0_out
> -A POSTROUTING -o eth0 -j eth0_masq
> -A POSTROUTING -o wlan0 -j wlan0_out
> -A POSTROUTING -o wlan0 -j wlan0_masq
> -A eth0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
> -A eth0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
> -A eth0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
> -A net_dnat -p 6 --dport 9999 -j DNAT --to-destination 1.2.3.4
> -A wlan0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
> -A wlan0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
> -A wlan0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
> COMMIT
>
> As you can see, the jumps from PREROUTING to the net_dnat chain are
> before the jumps to the <interface>_in chains.

Okay -- I've tracked this down. The problem was corrected in Shorewall 4.5.6.

In earlier versions, you can reorder these statements in Misc.pm function add_interface_jumps():

    addnatjump 'PREROUTING' , 'nat_in';
    addnatjump 'POSTROUTING' , 'nat_out';
    addnatjump 'PREROUTING', 'dnat';

to this:

    addnatjump 'PREROUTING', 'dnat';
    addnatjump 'PREROUTING' , 'nat_in';
    addnatjump 'POSTROUTING' , 'nat_out';

Roberto: This defect is still present in the version currently in Wheezy.

-Tom
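Added example, not Shorewall's code and not from any poster in the thread: a small Python walk of the nat-table PREROUTING chain using constructed iptables-save lines with the question's chain names and addresses (nat_in / dnat, 10.10.10.10, 192.168.0.2, 192.168.0.3). It shows why the order of the two jumps decides where port 80 lands, since the first DNAT hit ends nat processing, and includes the ordering check that Tom's 4.5.8 dump satisfies.

```python
# Constructed samples in iptables-save syntax, using the chain names and
# addresses from the question (assumed layout, not a dump from the thread).
BROKEN_ORDER = """\
-A PREROUTING -i eth0 -j nat_in
-A PREROUTING -i eth0 -j dnat
-A nat_in -d 10.10.10.10 -j DNAT --to-destination 192.168.0.2
-A dnat -d 10.10.10.10 -p 6 --dport 80 -j DNAT --to-destination 192.168.0.3
"""
FIXED_ORDER = """\
-A PREROUTING -i eth0 -j dnat
-A PREROUTING -i eth0 -j nat_in
-A nat_in -d 10.10.10.10 -j DNAT --to-destination 192.168.0.2
-A dnat -d 10.10.10.10 -p 6 --dport 80 -j DNAT --to-destination 192.168.0.3
"""
KEY = {"-i": "iface", "-d": "dst", "-p": "proto", "--dport": "dport"}  # match opt -> packet field

def parse(dump):
    """Parse '-A chain <opt val>...' lines into {chain: [{opt: val, ...}, ...]}."""
    chains = {}
    for line in dump.splitlines():
        tok = line.split()
        if len(tok) > 3 and tok[0] == "-A":
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains

def resolve(chains, pkt, chain="PREROUTING"):
    """Walk a chain as netfilter does: the first DNAT hit ends nat processing
    for the packet; a user chain returns to its caller when nothing matched."""
    for rule in chains.get(chain, []):
        if any(pkt.get(KEY[k]) != v for k, v in rule.items() if k in KEY):
            continue
        if rule["-j"] == "DNAT":
            return rule["--to-destination"]
        if rule["-j"] in chains:  # jump into a user-defined chain
            hit = resolve(chains, pkt, rule["-j"])
            if hit:
                return hit
    return None

def dnat_jumps_first(chains):
    """The ordering the thread ends on: every PREROUTING jump to a *dnat chain
    must come before any jump to an <interface>_in (one-to-one NAT) chain."""
    targets = [r["-j"] for r in chains.get("PREROUTING", [])]
    dnat = [i for i, t in enumerate(targets) if t.endswith("dnat")]
    ins = [i for i, t in enumerate(targets) if t.endswith("_in")]
    return not dnat or not ins or max(dnat) < min(ins)
```

Run `dnat_jumps_first(parse(open("nat.save").read()))` against `iptables-save -t nat` output to confirm a pre-4.5.6 box has been patched as described above.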