On 8/5/20 9:30 AM, colony.three--- via Shorewall-users wrote:
> Thank you Tom, but actually there is a DNS ACCEPT rule.
>
> I didn't make this clear enough but I am trying to dnat from net to local,
> for example incoming port 51554 to local 10.2.20.51:554 . Here are my rules:
>
> # Cameras
> ACCEPT net:10.2.1.4 $FW tcp 50554 -
> DNAT net local:10.2.20.50:554 tcp 50554 -
> ACCEPT net $FW tcp 51554 -
> DNAT net local:10.2.20.51:554 tcp 51554 -
> ACCEPT net:10.2.1.4 $FW udp 50554 -
> DNAT net local:10.2.20.50:554 udp 50554 -
> ACCEPT net:10.2.1.4 $FW udp 51554 -
> DNAT net local:10.2.20.51:554 udp 51554 -
> ACCEPT net:10.2.1.4 $FW tcp 50443 -
> DNAT net local:10.2.20.50:443 tcp 50443 -
> ACCEPT local $FW udp domain,ntp -
>
> ACCEPT net $FW tcp 51443 -
> DNAT net local:10.2.20.51:443 tcp 51443 -
>
> ACCEPT net $FW tcp 5180 -
> DNAT net local:10.2.20.51:80 tcp 5180 -
>
The dump looks nothing like that. There is only 1 DNAT rule and no DNS ACCEPT
from local->fw.

Chain local-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  808 67518 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  808 67518 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
  106 18444 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
  702 49074 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 10 level 6 prefix "local-fw REJECT "
  702 49074 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

NAT Table

Chain PREROUTING (policy ACCEPT 1038 packets, 79062 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5180 to:10.2.20.51:80

Chain INPUT (...

> As a test I also tried incoming 5180 to local 10.2.20.51:80 but that doesn't
> work in a browser. tcpdump shows traffic on both interfaces but a browser
> can't get a connexion. Here's what happens:
>
> # tcpdump 'tcp port 5180' -i eth0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 19:13:30.083040 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [S], seq 4088927536, win 29200, options [mss 1460,nop,wscale 7], length 0
> 19:13:30.083860 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [S.], seq 2964644306, ack 4088927537, win 14600, options [mss 1460,nop,wscale 4], length 0
> 19:13:30.084728 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [.], ack 1, win 229, length 0
> 19:13:30.085209 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [P.], seq 1:316, ack 1, win 229, length 315
> 19:13:30.085840 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [.], ack 316, win 980, length 0
> 19:13:30.087748 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [P.], seq 1:286, ack 316, win 980, length 285
> 19:13:30.088661 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [.], ack 286, win 237, length 0
> 19:13:30.089035 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [F.], seq 316, ack 286, win 237, length 0
> 19:13:30.123597 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [.], ack 317, win 980, length 0
> 19:13:30.942376 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [F.], seq 286, ack 317, win 980, length 0
> 19:13:30.944365 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [.], ack 287, win 237, length 0
> ^C
> 11 packets captured
> 11 packets received by filter
> 0 packets dropped by kernel
>
> # tcpdump 'tcp port 80' -i eth1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 19:13:59.521650 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [S], seq 3884695726, win 29200, options [mss 1460,nop,wscale 7], length 0
> 19:13:59.522504 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [S.], seq 3405756270, ack 3884695727, win 14600, options [mss 1460,nop,wscale 4], length 0
> 19:13:59.523379 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [.], ack 1, win 229, length 0
> 19:13:59.523848 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [P.], seq 1:316, ack 1, win 229, length 315: HTTP: GET / HTTP/1.1
> 19:13:59.524422 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [.], ack 316, win 980, length 0
> 19:13:59.527942 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [P.], seq 1:286, ack 316, win 980, length 285: HTTP: HTTP/1.1 302 Moved Temporarily
> 19:13:59.529091 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [.], ack 286, win 237, length 0
> 19:13:59.529487 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [F.], seq 316, ack 286, win 237, length 0
> 19:13:59.565954 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [.], ack 317, win 980, length 0
> 19:13:59.651925 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [F.], seq 286, ack 317, win 980, length 0
> 19:13:59.652996 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [.], ack 287, win 237, length 0
> ^C
> 11 packets captured
> 11 packets received by filter
> 0 packets dropped by kernel
> #

The TCP connection is being made! So this doesn't look like a firewall issue.
Note the error 302 being returned by the web server.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
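Tom's reading of the capture (SYN, SYN-ACK, payload in both directions, so the DNAT path is fine and the 302 is the web server's doing) can be automated. The script below is an added example, not part of the thread or of Shorewall; it parses default-format tcpdump lines into per-flow summaries and gives each flow a verdict. The sample capture is constructed, modelled on the eth1 capture above, with a second flow added whose SYN is never answered.

```python
import re

# Constructed sample in tcpdump's default TCP line format (not from the thread):
# flow 1 completes and receives an HTTP 302; flow 2 retries its SYN with no SYN-ACK.
SAMPLE = """\
19:13:59.521650 IP client.example.38474 > 10.2.20.51.http: Flags [S], seq 3884695726, win 29200, options [mss 1460,nop,wscale 7], length 0
19:13:59.522504 IP 10.2.20.51.http > client.example.38474: Flags [S.], seq 3405756270, ack 3884695727, win 14600, options [mss 1460,nop,wscale 4], length 0
19:13:59.523379 IP client.example.38474 > 10.2.20.51.http: Flags [.], ack 1, win 229, length 0
19:13:59.523848 IP client.example.38474 > 10.2.20.51.http: Flags [P.], seq 1:316, ack 1, win 229, length 315: HTTP: GET / HTTP/1.1
19:13:59.527942 IP 10.2.20.51.http > client.example.38474: Flags [P.], seq 1:286, ack 316, win 980, length 285: HTTP: HTTP/1.1 302 Moved Temporarily
19:14:10.000000 IP client.example.38480 > 10.2.20.51.http: Flags [S], seq 1, win 29200, options [mss 1460], length 0
19:14:11.000000 IP client.example.38480 > 10.2.20.51.http: Flags [S], seq 1, win 29200, options [mss 1460], length 0
"""

PKT = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]*)\].*?length (\d+)(?:: HTTP: (.*))?$")
STATUS = re.compile(r"HTTP/1\.\d (\d{3})")

def summarize(capture):
    flows = {}  # keyed by the client endpoint (the side that sent the bare SYN)
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue  # banner lines, "packets captured", etc.
        src, dst, flags, length, http = m.groups()
        if flags == "S":  # bare SYN: src is the client; count retries
            f = flows.setdefault(src, {"server": dst, "syn": 0, "synack": False,
                                       "client_bytes": 0, "server_bytes": 0, "status": None})
            f["syn"] += 1
            continue
        client = src if src in flows else dst
        f = flows.get(client)
        if f is None:
            continue  # mid-stream packet whose SYN we never saw
        if flags == "S." and src == f["server"]:
            f["synack"] = True
        if src == client:
            f["client_bytes"] += int(length)
        else:
            f["server_bytes"] += int(length)
            if http and f["status"] is None:  # first decoded HTTP reply from the server
                f["status"] = next(iter(STATUS.findall(http)), None)
    for f in flows.values():
        if f["synack"] and f["server_bytes"] > 0:
            f["verdict"] = "handshake completed and server sent %d payload bytes (HTTP %s): not a packet-filter/DNAT problem" % (
                f["server_bytes"], f["status"] or "status not decoded")
        else:
            f["verdict"] = "SYN seen %d time(s) with no completed reply: check DNAT/forwarding" % f["syn"]
    return flows
```

Feed it `tcpdump -n -i eth1 'tcp port 80'` output (or the eth0 side) to see which flows actually complete before blaming the firewall.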