Hi

at 10.11.2010 15:06, Juergen Northe wrote:
> Hello !
> I'm running Bering Leaf 3.1.1R6 with shorewall 3.4.8 R3 and have a
> strange behaviour of having redirected ports.
> 
> We have the zones loc 192.168.146.0/24, fw, net and dmz 192.168.147.0/24.
> 
> In the zone loc is one host (192.168.146.2) running 2 different
> webservers on it. One listening at 443 and the other at 444.
> Requests to the official IP 123.123.123.1 should be DNATed to
> 192.168.146.2:443 and requests for 123.123.123.2 to 192.168.146.2:444.
> 
> DNAT   net   loc:192.168.146.2:443    tcp    443    -    123.123.123.1
> DNAT   net   loc:192.168.146.2:444    tcp    443    -    123.123.123.2
> 
> Nothing special. This works perfect.
> 
> Now I want users located in the dmz to be able to connect to these
> webservers too and added the following rules to the existing ones:
> 
> DNAT   dmz   loc:192.168.146.2:443    tcp    443    -    123.123.123.1
> DNAT   dmz   loc:192.168.146.2:444    tcp    443    -    123.123.123.2
> 
> I can't connect to the webservers from within the dmz to the official
> IPs. I can't see any packet arriving at 192.168.146.2 port 443 or 444.

Do you allow that traffic?

> 
> In one testing scenario I forgot the source port and the official
> addresses, so it looks like
> 
> DNAT   dmz loc:192.168.146.2:443      tcp      443
> DNAT   dmz loc:192.168.146.2:444      tcp      443
> 
> then all https connections from the dmz hit the webserver at 
> 192.168.146.2:443.
> 
> /etc/shorewall/masq:
> eth1:0    192.168.146.2  123.123.123.1 tcp 443
> eth1:1    192.168.146.2  123.123.123.2 tcp 443
> eth1       192.168.146.0/24   123.123.123.254
> eth1       192.168.147.0/24   123.123.123.254
> 
> I have no idea how to solve the riddle. Any help appreciated.

Look at the shorewall log first, then use tcpdump to see if the traffic
arrives at all on your external interfaces, then if it gets sent from
your DMZ interface.

cheers

Erich
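Shorewall evaluates the rules file first-match, which is why the test variant without the ORIGINAL DEST column sent every https connection from the dmz to 192.168.146.2:443: the second DNAT line can never match. The following is an added example, not code from this thread or from Shorewall: a small Python lint that parses rules in the classic column layout (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST, assumed here) and flags DNAT rules that an earlier rule fully covers; the sample rules are constructed from the ones quoted above.

```python
# Lint Shorewall-style rules for DNAT entries shadowed by an earlier rule.
# Added example; column layout assumed: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST.
FIELDS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

def parse_rules(text):
    """Parse whitespace-separated rule lines. A missing trailing column
    and an explicit '-' both mean 'any' and are stored as None."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        cols = line.split()
        rule = dict(zip(FIELDS, cols + [None] * (len(FIELDS) - len(cols))))
        rules.append({k: (None if v == "-" else v) for k, v in rule.items()})
    return rules

def _covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    for k in ("source", "proto", "dport", "sport", "origdest"):
        if a[k] is not None and a[k] != b[k]:
            return False
    return True

def find_shadowed(rules):
    """Return (shadowed_index, shadowing_index) pairs for DNAT rules whose
    match set is fully covered by an earlier DNAT rule (first match wins)."""
    out = []
    for j, later in enumerate(rules):
        if later["action"] != "DNAT":
            continue
        for i in range(j):
            if rules[i]["action"] == "DNAT" and _covers(rules[i], later):
                out.append((j, i))
                break
    return out

# Constructed inputs mirroring the thread: the full rules, and the test
# variant that omitted SOURCE PORT and ORIGINAL DEST.
FULL = """
DNAT   dmz   loc:192.168.146.2:443   tcp   443   -   123.123.123.1
DNAT   dmz   loc:192.168.146.2:444   tcp   443   -   123.123.123.2
"""
NO_ORIGDEST = """
DNAT   dmz   loc:192.168.146.2:443   tcp   443
DNAT   dmz   loc:192.168.146.2:444   tcp   443
"""

if __name__ == "__main__":
    print(find_shadowed(parse_rules(FULL)))         # []
    print(find_shadowed(parse_rules(NO_ORIGDEST)))  # [(1, 0)]
```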

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/