On 04/05/2018 07:50 PM, Igor Sverkos wrote:
> Hi,
>
> I am on Debian Stretch system with multiple IP addresses and
> shorewall-5.0.15.6.
>
> I have set "/etc/shorewall/snat" to
>
>> SNAT(1.2.3.4) 0.0.0.0/0 eth0:+ip_restricted_endpoints[dst]
>
> My expectation:
>
> Whenever I try to contact an IPv4 address listed in
> "ip_restricted_endpoints" ipset I expect that the IP address 1.2.3.4
> should be used as outgoing IP address.
>
>
> But it looks like this doesn't work. It looks like every outgoing
> traffic now uses IP 1.2.3.4.
> I noticed that because I have set "smtp_bind_address = 4.3.2.1" in my
> postfix instance however I see postfix connecting via 1.2.3.4 to other
> mail servers.
>
> When I run `shorewall list nat` I see
>
>> Chain POSTROUTING (policy ACCEPT 10119 packets, 716K bytes)
>>  pkts bytes target  prot opt in  out   source     destination
>> 17491 951K SNAT    all  --  *   eth0  0.0.0.0/0  0.0.0.0/0    to:1.2.3.4
>
> I would expect to see something like
>
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 4.4.2.2 tcp dpt:22 match-set ssh-whitelist src
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I.e. the "match-set" command (this is from a normal rule in the rules file
> where I use an ipset to control the addresses which can ssh into this
> box).
>
> Also, iptables file in /var/lib/shorewall just contains
>
>> ...
>> :POSTROUTING ACCEPT [0:0]
>> -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
>> COMMIT
>> ...
>
> So this all looks like snat doesn't support ipsets.
>
> However, `man shorewall-snat` says
>
>> DEST - {[+]interface[:[digit]][:[dest-address[,dest-address]...[exclusion]]}
>> ...
>>
>> The interface may be qualified by adding the character ":" followed by a
>> comma-separated list of
>> destination host or subnet addresses to indicate that you only want to
>> change the source IP address for
>> packets being sent to those particular destinations. Exclusion is
>> allowed (see shorewall-exclusion[10](5))
>> as are ipset names preceded by a plus sign '+';
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> so I would think it should be supported?! Maybe a bug?

It is a bug that was corrected in Shorewall 5.1.7.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
  \_______________________________________________
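As an added post-deploy check (not from the thread or from Shorewall itself): a small Python audit that reads iptables-save style output, the format of the `/var/lib/shorewall/iptables` file quoted above, and flags SNAT/MASQUERADE rules that carry no destination restriction, which is exactly the over-broad rule the affected version generated. The sample ruleset is constructed; its second rule assumes Shorewall emits the standard `-m set --match-set <name> dst` match for a `+ipset[dst]` qualifier.

```python
import shlex

# Constructed sample in iptables-save format. The first SNAT rule is what the
# 5.0.15.6 ruleset in the post actually contained (every packet leaving eth0
# is rewritten); the second is what a rule honouring "+ipset[dst]" should look
# like (assumption: the standard ipset match is used).
RULESET = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -o eth0 -m set --match-set ip_restricted_endpoints dst -j SNAT --to-source 1.2.3.4
COMMIT
"""


def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, target, destination restriction).

    The destination restriction is the -d/--destination argument, or
    '+<setname>' when an ipset is matched against the packet destination.
    Returns None for lines that are not rule appends (table names, chain
    declarations, COMMIT).
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, target, dest = toks[1], None, None
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "-j":
            target = toks[i + 1]
            i += 2
        elif tok in ("-d", "--destination"):
            dest = toks[i + 1]
            i += 2
        elif tok == "--match-set":
            name, flags = toks[i + 1], toks[i + 2]
            if "dst" in flags.split(","):  # only a dst set restricts where SNAT applies
                dest = "+" + name
            i += 3
        else:
            i += 1
    return chain, target, dest


def unrestricted_snat(ruleset):
    """Return the SNAT/MASQUERADE rules that apply to every destination."""
    hits = []
    for line in ruleset.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[1] in ("SNAT", "MASQUERADE") and parsed[2] is None:
            hits.append(line)
    return hits
```

Running `unrestricted_snat` over the real file after `shorewall restart` gives a quick confirmation that a destination-qualified SNAT entry actually reached the kernel with its match-set, rather than silently applying to all outbound traffic.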
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
