Hello folks

I have a DNAT configuration issue that I would like to submit to your 
experience, to see why it is not working.

Here is my network layout:

int-machine (INT-NET.IP1) ----- (INT-NET.IP2) int-FW (DMZ-NET.IP2) --------------- (DMZ-NET.IP3) dmz-machine
                                                                  |
                                                              (DMZ-NET.IP1)
                                                                ext-FW
                                                                  |
                                                               internet
                                                                  |
                                                             client public IP



dmz-machine has a public address accessible from my client public IP

What I am trying to achieve is to redirect all incoming traffic on 
dmz-machine:port1 to int-machine:port1, and dmz-machine is running 
shorewall+ulogd for that matter and for external security issues.

Note that the dmz-machine is mono-interfaced, which might be the cause of 
my problem, but you'll tell me.

I do not own the firewalls (int-FW and ext-FW), but the rules have been 
configured properly as:

- incoming traffic from client to dmz-machine on port1 is working because
     telnet dmz-machine port1 + tcpdump + shorewall ulog tail -f show proper traces, and
     nc -l DMZ-NET.IP3 port1 running on dmz-machine receives the packets from my telnet connection

- incoming traffic from dmz-machine to int-machine on port1 is working because
     telnet DMZ-NET.IP2 port1 + tcpdump + shorewall ulog tail -f show proper traces, and
     nc -l INT-NET.IP1 port1 running on int-machine receives the packets from my telnet connection

The rules I wrote in /etc/shorewall/rules are:

#ACTION      SOURCE                  DEST                    PROTO   DEST     SOURCE   ORIGINAL
#                                                                    PORT(S)  PORT(S)  DEST
ACCEPT       net:client-public-IP    net:DMZ-NET.IP2         tcp     port1
DNAT:ULOG    net:client-public-IP    net:DMZ-NET.IP2:port1   tcp     port1    -        DMZ-NET.IP3


In /var/log/ulogd/ulogd.syslogemu I can see:

May  6 14:45:27 factory Shorewall:net_dnat:DNAT: IN=eth0 OUT= MAC=....  SRC=client-public-IP DST=DMZ-NET.IP3 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=64859 CE DF PROTO=TCP SPT=45343 DPT=port1 SEQ=3031743659 ACK=0 WINDOW=5840 SYN URGP=0

but no other messages can be seen.

Note that I had not put the ACCEPT rule in at first and got:

May  6 15:41:15 factory Shorewall:FORWARD:REJECT: IN=eth0 OUT=eth0 MAC=....  SRC=client-public-IP DST=DMZ-NET.IP2 LEN=60 TOS=00 PREC=0x00 TTL=50 ID=24825 DF PROTO=TCP SPT=56811 DPT=port1 SEQ=3334722914 ACK=0 WINDOW=5840 SYN URGP=0

therefore the rule seems to remove these traces.

The packet never makes it to int-machine (empty tcpdump output).
tcpdump on dmz-machine only shows the incoming traffic and no other traffic, 
not even on the lo interface :-(

zones shorewall cfg file
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4

interfaces shorewall cfg file
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,logmartians,nosmurfs

policy shorewall cfg file
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
$FW             net             ACCEPT
net             $FW             DROP            ULOG
net             all             DROP            ULOG
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          ULOG

The nat & hosts shorewall cfg files are empty.


I also tried to use the info provided in
http://www.shorewall.net/manpages/shorewall-nesting.html

but this led to the same behaviour.

I also tried sysctl -w net.ipv4.ip_forward=1 without any more success

Does someone have a clue as to what is wrong, or whether it is possible at all?

Thanks


Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
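The two ulogd lines quoted in the post are the most useful evidence in the thread: the `net_dnat:DNAT` entry is written by the log rule Shorewall places in the nat table ahead of the DNAT target, so its DST is still the pre-translation address and OUT is empty, while the `FORWARD:REJECT` entry with IN=eth0 OUT=eth0 shows a packet that was routed back out the interface it arrived on and fell through to the catch-all policy. That hairpin (net to net over one interface) is the path a one-armed DNAT to a neighbour on the same segment must take, and Shorewall only opens it when the interface carries the `routeback` option in the interfaces file. The script below is an added example, not code from the post or from the Shorewall project: it parses ulogd's syslog-emulation format into fields, classifies each record by chain and disposition, and lists the flows that were hairpinned and rejected. The embedded log lines are constructed from the ones in the post, with the placeholders (client-public-IP, DMZ-NET.IPn, port1, MAC=....) replaced by documentation-range addresses, port 8080 and a made-up MAC field.

```python
"""Parse Shorewall/ulogd syslog-emulation lines and flag hairpin forwards."""
import re
from collections import defaultdict

# Constructed sample modelled on the two lines quoted in the post. The
# placeholders (client-public-IP, DMZ-NET.IPn, port1, MAC=....) are replaced
# with documentation-range values; nothing here was captured from a real host.
SAMPLE_LOG = """\
May  6 14:45:27 factory Shorewall:net_dnat:DNAT: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.3 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=64859 CE DF PROTO=TCP SPT=45343 DPT=8080 SEQ=3031743659 ACK=0 WINDOW=5840 SYN URGP=0
May  6 15:41:15 factory Shorewall:FORWARD:REJECT: IN=eth0 OUT=eth0 MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.2 LEN=60 TOS=00 PREC=0x00 TTL=50 ID=24825 DF PROTO=TCP SPT=56811 DPT=8080 SEQ=3334722914 ACK=0 WINDOW=5840 SYN URGP=0
May  6 15:41:16 factory kernel: eth0: link is up
"""

# "<timestamp> <host> Shorewall:<chain>:<disposition>: KEY=VALUE ... FLAG ..."
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one Shorewall log line, or None for any other line.

    KEY=VALUE tokens become entries (an empty OUT= is kept as ''); bare
    tokens such as DF, CE or SYN are collected under 'flags'.
    """
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "chain": m["chain"],
           "disposition": m["disposition"], "flags": []}
    for tok in m["rest"].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def classify(rec):
    """Say what one record tells us about the packet's path through netfilter."""
    hairpin = bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT")
    if rec["chain"].endswith("_dnat") and rec["disposition"] == "DNAT":
        # Shorewall places the log rule in the nat table ahead of the DNAT
        # target, so DST here is still the pre-translation address and OUT
        # is empty (the packet has not been routed yet in PREROUTING).
        verdict = "dnat-matched"
    elif rec["chain"] == "FORWARD" and rec["disposition"] in ("DROP", "REJECT"):
        # The packet reached the end of the filter FORWARD chain without
        # matching any rule, i.e. the catch-all policy fired.
        verdict = "forward-policy-hit"
    else:
        verdict = "other"
    return {"verdict": verdict, "hairpin": hairpin,
            "src": rec.get("SRC"), "spt": rec.get("SPT"),
            "dst": rec.get("DST"), "dpt": rec.get("DPT")}


def analyze(text):
    """Parse every Shorewall line; return (records, flows).

    records: list of (record, classification) in log order.
    flows:   {(SRC, SPT): [verdict, ...]} so one connection attempt can be
             followed across the chains that logged it.
    """
    records = []
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = classify(rec)
        records.append((rec, info))
        flows[(rec.get("SRC"), rec.get("SPT"))].append(info["verdict"])
    return records, dict(flows)


def hairpin_flows(records):
    """Flows that left by the interface they arrived on and hit the policy.

    On a one-interface host this is the net->net path a DNAT to a neighbour
    on the same segment takes; Shorewall only allows it when the interface
    carries the routeback option.
    """
    return sorted({(i["src"], i["spt"], i["dst"], i["dpt"])
                   for _, i in records
                   if i["hairpin"] and i["verdict"] == "forward-policy-hit"})


if __name__ == "__main__":
    recs, flows = analyze(SAMPLE_LOG)
    for rec, info in recs:
        print(f"{rec['ts']} {rec['chain']}:{rec['disposition']:<7} "
              f"IN={rec.get('IN', '')!r:<8} OUT={rec.get('OUT', '')!r:<8} "
              f"{info['src']}:{info['spt']} -> {info['dst']}:{info['dpt']}  "
              f"{info['verdict']}{'  (hairpin)' if info['hairpin'] else ''}")
    for key, verdicts in flows.items():
        print("flow", key, "->", " ".join(verdicts))
    print("hairpin flows rejected by policy:", hairpin_flows(recs))
```

Running the file prints the report for the embedded sample; passing the contents of /var/log/ulogd/ulogd.syslogemu to analyze() does the same for a real capture. One caveat when reading such a capture: a DNAT log entry that is not followed by any FORWARD entry proves nothing on its own, because a plain ACCEPT rule does not log unless it is given a level (ACCEPT:ULOG), so a silent accept and a packet that never reached FORWARD look the same in ulogd.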