Hi,
I am on a Debian Stretch system with multiple IP addresses and shorewall-5.0.15.6.
I have set "/etc/shorewall/snat" to
> SNAT(1.2.3.4) 0.0.0.0/0 eth0:+ip_restricted_endpoints[dst]
My expectation:
Whenever I try to contact an IPv4 address listed in
"ip_restricted_endpoints" ipset I expect that the IP address 1.2.3.4
should be used as outgoing IP address.
But it looks like this doesn't work. It looks like all outgoing
traffic now uses IP 1.2.3.4.
I noticed that because I have set "smtp_bind_address = 4.3.2.1" in my
postfix instance; however, I see postfix connecting via 1.2.3.4 to other
mail servers.
When I run `shorewall list nat` I see
> Chain POSTROUTING (policy ACCEPT 10119 packets, 716K bytes)
> pkts bytes target prot opt in out source destination
> 17491 951K SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 to:1.2.3.4
I would expect to see something like
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 4.4.2.2
> tcp dpt:22 match-set ssh-whitelist src
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I.e. a "match-set" match (this is from a normal rule in the rules file
where I use an ipset to control the addresses which can ssh into this
box).
Also, the iptables file in /var/lib/shorewall just contains
> ...
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
> COMMIT
> ...
So this all looks like snat doesn't support ipsets.
However, `man shorewall-snat` says
> DEST - {[+]interface[:[digit]][:[dest-address[,dest-address]...[exclusion]]}
> ...
>
> The interface may be qualified by adding the character ":" followed by a comma-separated list of
> destination host or subnet addresses to indicate that you only want to change the source IP address for
> packets being sent to those particular destinations. Exclusion is allowed (see shorewall-exclusion[10](5))
> as are ipset names preceded by a plus sign '+';
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
so I would think it should be supported?! Maybe a bug?
--
Regards,
Igor
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
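The observation above boils down to one check: does the POSTROUTING SNAT rule that Shorewall actually generated carry any destination restriction (an ipset match or a -d address), or does it rewrite the source of everything leaving eth0? Below is an added example, not code from the original post or from the Shorewall project, that parses iptables-save style nat output and flags unrestricted SNAT rules. The sample table is constructed: its first rule is the one quoted from /var/lib/shorewall/iptables, the second is a hand-written equivalent using "-m set --match-set ip_restricted_endpoints dst" (the form the posted rules-file output suggests), and the third uses a plain -d address. On a live box you would feed it the output of "iptables-save -t nat" instead of the sample string.

```python
"""Flag SNAT rules in iptables-save output that apply to all traffic
leaving an interface, i.e. rules with neither an ipset destination match
nor an explicit destination address.

Added example; the sample nat table below is constructed, not captured
from the poster's system (only the first rule is taken from the post).
"""
import re
from typing import Dict, List, Optional

SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -o eth0 -m set --match-set ip_restricted_endpoints dst -j SNAT --to-source 1.2.3.4
-A POSTROUTING -o eth0 -d 10.0.0.0/8 -j SNAT --to-source 1.2.3.4
COMMIT
"""

# "-A <chain> <matches> -j SNAT --to-source <addr>"; the body is non-greedy so
# trailing target options such as --random do not end up inside it.
SNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) (?P<body>.*?) -j SNAT --to-source (?P<src>\S+)"
)
# "-m set [!] --match-set <name> <flags>"; flags are e.g. "dst" or "src,dst".
MATCH_SET_RE = re.compile(
    r"-m set(?: !)? --match-set (?P<set>\S+) (?P<flags>\S+)"
)
# "[!] -d <address/prefix>" anywhere in the match list.
DST_RE = re.compile(r"(?:^| )(?:! )?-d (?P<dst>\S+)")


def parse_snat_rules(save_output: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per SNAT rule with the restrictions it carries."""
    rules: List[Dict[str, Optional[str]]] = []
    for raw in save_output.splitlines():
        m = SNAT_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        ms = MATCH_SET_RE.search(body)
        d = DST_RE.search(body)
        flags = ms.group("flags").split(",") if ms else []
        rules.append({
            "chain": m.group("chain"),
            "to_source": m.group("src"),
            "match_set": ms.group("set") if ms else None,
            "set_flags": ms.group("flags") if ms else None,
            "dest": d.group("dst") if d else None,
            # A set matched only against the source address does not limit
            # which destinations get rewritten, so it does not count here.
            "restricts_destination": bool(d) or ("dst" in flags),
        })
    return rules


def unrestricted_snat(save_output: str) -> List[Dict[str, Optional[str]]]:
    """SNAT rules that rewrite the source for every destination."""
    return [r for r in parse_snat_rules(save_output)
            if not r["restricts_destination"]]


if __name__ == "__main__":
    for rule in parse_snat_rules(SAMPLE_NAT_TABLE):
        state = "restricted" if rule["restricts_destination"] else "UNRESTRICTED"
        print(f"{rule['chain']} -> {rule['to_source']}: {state} "
              f"(set={rule['match_set']} flags={rule['set_flags']} dest={rule['dest']})")
```

Run against real output with "iptables-save -t nat | python3 check_snat.py"-style plumbing (replace the sample string with sys.stdin.read()); any rule reported as UNRESTRICTED is one that will override a daemon's bind address, which is exactly the postfix symptom described above.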