I did a few tests yesterday with DNAT, SNAT and the current rules.
I stopped and started the shorewall service using 'systemctl restart shorewall'
prior to running the tests to create the dump file.
I then did a shorewall reload.
I just replaced the ACCEPT with DNAT during the previous tests.
The relevant params and rules that I have in place are:
=====
/etc/shorewall/params
#
E_FW=203.214.66.98
E_DNS=203.214.66.100
E_SMTP=203.214.66.100
E_WWW=203.214.66.103
E_SMTPS_B=203.214.66.104
E_SMTPS_G=203.214.66.105
E_SMTPS_F=203.214.66.106
#
/etc/shorewall/rules
#
# ===== net - Internet =====
#
<snip>
#
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
#
ACCEPT:$LOG net dmz:$E_DNS udp domain
ACCEPT:$LOG net dmz:$E_DNS tcp domain
#
ACCEPT:$LOG net dmz:$E_WWW tcp http,https
ACCEPT:$LOG net dmz:$E_SMTP tcp smtp
#
ACCEPT:$LOG net dmz:$E_SMTPS_B tcp imaps,submissions,submission
ACCEPT:$LOG net dmz:$E_SMTPS_G tcp imaps,submissions,submission
ACCEPT:$LOG net dmz:$E_SMTPS_F tcp imaps,submissions,submission
#
<snip>
# ===== DMZ =====
#
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
#
ACCEPT:$LOG dmz net udp domain - -
ACCEPT:$LOG dmz net tcp domain - -
#
ACCEPT:$LOG dmz net tcp http,https - -
#
ACCEPT:$LOG dmz net tcp smtp - -
#
ACCEPT:$LOG dmz net tcp imaps,submissions,submission - -
#
<snip>
=====
Kind regards,
Bruce
> On 21 Feb 2020, at 08:05, Tom Eastep <[email protected]> wrote:
>
>
> On 2/20/20 11:40 AM, Bruce Bannerman wrote:
>> Many thanks for your reply and taking the time to look Tom.
>>
>> You are correct, the Reverse Proxy’s IP address is 203.214.66.103.
>>
>> The web server is 172.16.4.203.
>>
>> I have no problems connecting to the Web Server from the Reverse
>> Proxy using Ping, ssh etc and vice versa.
>>
>> I have a similar situation between my smtp and imaps servers. Both
>> use public IPs. .100 and .104 respectively.
>>
>> .100 is a secondary IP for .103, established using IP ADDRESS ADD
>> at boot via /etc/network/interfaces (Debian).
>>
>> Similarly, .105 and .106 are secondary IPs for .104.
>>
>> I hope this helps.
>>
>
> Okay -- I see a number of entries similar to this one:
>
> ipv4 2 tcp 6 407402 ESTABLISHED src=220.181.108.91 dst=203.214.66.103 sport=54830 dport=443 src=172.16.4.103 dst=220.181.108.91 sport=443 dport=54830 [ASSURED] mark=0 zone=0 use=2
>
> The original connection was made from 220.181.108.91 to
> 203.214.66.103:443. That connection was forwarded to 172.16.4.103.
>
> Response packets from 172.16.4.103 to 203.214.66.103 will have their
> source IP changed back to 203.214.66.103.
>
> The entries would be what I would expect if this DNAT rule were to be
> in place when the connections were established:
>
> DNAT net dmz:172.16.4.103 tcp 80,443 - 203.214.66.103
>
> Did you have such a rule before setting up this test?
>
> -Tom
> --
> Tom Eastep \ Q: What do you get when you cross a mobster
> Shoreline, \ with an international standard?
> Washington, USA \ A: Someone who makes you an offer you
> http://shorewall.org \ can't understand
> \________________________________________
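As an added illustration of the reasoning in Tom's reply (example code written for this thread, not Shorewall's own tooling): a small parser that splits a conntrack entry into its original and reply tuples and infers from the mismatch between them whether DNAT or SNAT was applied. The first sample entry is the one quoted above; the second is constructed, assuming an outbound SMTP connection from the DMZ masqueraded to $E_FW.

```python
import re

# Key=value tokens of a /proc/net/nf_conntrack entry.
_KV = re.compile(r"(\w+)=(\S+)")

def parse_conntrack_line(line):
    """Return (proto, orig, reply). conntrack prints the original direction
    first and then the reply with the same key names, so the second
    occurrence of src/dst/sport/dport belongs to the reply tuple."""
    orig, reply = {}, {}
    for key, value in _KV.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            (reply if key in orig else orig)[key] = value
    return line.split()[2], orig, reply  # "ipv4 2 tcp 6 ..." -> "tcp"

def classify_nat(orig, reply):
    """Without NAT the reply tuple is just the original reversed. DNAT shows
    as the reply coming from a different address/port than the client dialled;
    SNAT shows as the reply addressed to something other than the client."""
    dialled, answered_by = (orig["dst"], orig["dport"]), (reply["src"], reply["sport"])
    client, answered_to = (orig["src"], orig["sport"]), (reply["dst"], reply["dport"])
    fmt = lambda t: "%s:%s" % t
    return {
        "dnat": None if dialled == answered_by else (fmt(dialled), fmt(answered_by)),
        "snat": None if client == answered_to else (fmt(client), fmt(answered_to)),
    }

# Constructed samples: the first is the entry quoted in the thread; the second
# is made up to show a dmz host's outbound SMTP connection SNATed to the
# assumed firewall address $E_FW (203.214.66.98).
SAMPLE_ENTRIES = [
    "ipv4 2 tcp 6 407402 ESTABLISHED src=220.181.108.91 dst=203.214.66.103 "
    "sport=54830 dport=443 src=172.16.4.103 dst=220.181.108.91 sport=443 "
    "dport=54830 [ASSURED] mark=0 zone=0 use=2",
    "ipv4 2 tcp 6 118 ESTABLISHED src=172.16.4.103 dst=198.51.100.25 "
    "sport=41022 dport=25 src=198.51.100.25 dst=203.214.66.98 sport=25 "
    "dport=41022 [ASSURED] mark=0 zone=0 use=1",
]

def audit_entries(lines):
    """Return [(proto, nat_summary), ...] for each conntrack entry."""
    return [(p, classify_nat(o, r)) for p, o, r in map(parse_conntrack_line, lines)]

if __name__ == "__main__":
    for proto, nat in audit_entries(SAMPLE_ENTRIES):
        print(proto, nat)
```

Run against `cat /proc/net/nf_conntrack` or `conntrack -L` output, an entry whose "dnat" field is populated is one that a DNAT rule (or an equivalent pre-existing entry) handled, which is the check Tom's question is about.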
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users