I have an internal router serving multiple subnets on my LAN behind a Shorewall two-interface
configuration, with DNAT from a public IP to the internal subnets.
I set up Shorewall with nested zones:

file: /etc/shorewall/zones
###############################################################################
#ZONE      TYPE    OPTIONS    IN         OUT
#                             OPTIONS    OPTIONS
net    ipv4
loc    ipv4
loc1:loc ipv4
loc2:loc ipv4
loc3:loc ipv4

file: /etc/shorewall/interfaces
#ZONE    INTERFACE    BROADCAST    OPTIONS
loc    eth1    detect    routeback
net    eth0    detect    logmartians,nosmurfs

file: /etc/shorewall/hosts
###############################################################################
#ZONE    HOST(S)              OPTIONS
loc1                eth1:10.10.1.0/24
loc2                eth1:10.10.2.0/24
loc3                eth1:10.10.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

The IP range of the loc zone is 10.10.10.0/24, and the internal Shorewall loc
interface (which is also the internal loc gateway) has the private IP 10.10.10.254.
The internal router's interface is 10.10.10.1.
I added the following static routes on my Shorewall gateway, on interface eth1:

ip route add 10.10.1.0/24 via 10.10.10.1 dev eth1
ip route add 10.10.2.0/24 via 10.10.10.1 dev eth1
ip route add 10.10.3.0/24 via 10.10.10.1 dev eth1

The public IP range in the net zone is 88.xx.xx.0/29 (my public range, obfuscated).

Let's suppose that my Shorewall public gateway interface is 88.xx.xx.1 on eth0
and I need to DNAT port 22 to the host 10.10.2.4 in the internal loc2 zone.

I added the following rule:

file: /etc/shorewall/rules
############################################################################################################################
#ACTION      SOURCE    DEST              PROTO    DEST     SOURCE     ORIGINAL      RATE     USER/    MARK
#                                                 PORT     PORT(S)    DEST          LIMIT    GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNAT:info    net    loc2:10.10.2.4    tcp    22    -    88.xx.xx.1

I also added the following lines to the masq file:

file: /etc/shorewall/masq
###############################################################################
#INTERFACE          SOURCE    ADDRESS         PROTO    PORT(S)    IPSEC    MARK
eth0            eth1
eth1:10.10.2.4        eth0        10.10.10.254    tcp    22

and I set the CONTINUE policy for the subnets (file: /etc/shorewall/policy):

loc    loc1    CONTINUE
loc1    loc    CONTINUE
loc    loc2    CONTINUE
loc2    loc    CONTINUE
loc    loc3    CONTINUE
loc3    loc    CONTINUE
loc        net        ACCEPT
fw        net        ACCEPT

From the log I got:

Aug  4 19:10:07 mylinuxbox kernel: [276232.278815] Shorewall:net_dnat:DNAT:IN=eth0 SRC=88.xx.xx.xx DST=88.xx.xx.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4891 DF PROTO=TCP SPT=1128 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 19:10:07 mylinuxbox kernel: [276232.278839] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=88.xx.xx.xx DST=10.10.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4891 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

It seems that the DNAT rule works well, but after the DNAT the REJECT policy takes place.

Can anyone help me solve the configuration error? I urgently need to set up
other DNAT rules towards the other nested zones.

Best Regards
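
The two kernel log lines quoted above are the most useful evidence in this thread: the first shows the packet as it entered the net_dnat chain, the second shows the same packet after translation, at the moment FORWARD refused it. Reading them side by side by hand is error-prone, so here is a small log correlator, added to this archived post as an example (it is not part of the original message and not a Shorewall tool). It parses the "Shorewall:<chain>:<disposition>:" prefix and the netfilter key=value fields, pairs each DNAT record with a later REJECT/DROP of the same packet using fields that survive translation (SRC, PROTO, SPT and the IP ID), and reports the pre- and post-translation destination, the chain that refused it and the IN/OUT interfaces. The sample input is the two lines from the post plus one constructed line (88.xx.xx.yy, ID 9001) that has no matching reject.

```python
import re
from collections import defaultdict

# Sample input: the two log lines quoted in the post (addresses obfuscated as
# there) plus one constructed line with no matching reject, to show that the
# correlation only reports translated packets that were actually refused.
SAMPLE_LOG = """\
Aug  4 19:10:07 mylinuxbox kernel: [276232.278815] Shorewall:net_dnat:DNAT:IN=eth0 SRC=88.xx.xx.xx DST=88.xx.xx.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4891 DF PROTO=TCP SPT=1128 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 19:10:07 mylinuxbox kernel: [276232.278839] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=88.xx.xx.xx DST=10.10.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4891 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 19:12:31 mylinuxbox kernel: [276376.100000] Shorewall:net_dnat:DNAT:IN=eth0 SRC=88.xx.xx.yy DST=88.xx.xx.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9001 DF PROTO=TCP SPT=40210 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by the
# netfilter key=value fields (bare tokens such as DF or SYN are flags).
PREFIX_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict of the Shorewall/netfilter fields in one log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def correlate(log_text):
    """Pair each DNAT record with a later REJECT/DROP of the same packet.

    DNAT rewrites DST and DPT, so the pairing key uses only fields that
    survive translation: source address, protocol, source port and IP ID.
    """
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (rec.get("SRC"), rec.get("PROTO"), rec.get("SPT"), rec.get("ID"))
            by_key[key].append(rec)

    findings = []
    for recs in by_key.values():
        dnat = next((r for r in recs if r["disposition"] == "DNAT"), None)
        refused = next((r for r in recs if r["disposition"] in ("REJECT", "DROP")), None)
        if dnat is None or refused is None:
            continue
        findings.append({
            "src": dnat.get("SRC"),
            "original_dst": f"{dnat.get('DST')}:{dnat.get('DPT')}",
            "translated_dst": f"{refused.get('DST')}:{refused.get('DPT')}",
            "dport_changed": dnat.get("DPT") != refused.get("DPT"),
            "refused_in_chain": refused["chain"],
            "in_iface": refused.get("IN"),
            "out_iface": refused.get("OUT"),
            # OUT= is the interface the routing table chose for the translated
            # destination; when it equals IN= the packet was not being sent
            # toward the LAN interface at all.
            "routed_back_out_ingress": refused.get("IN") == refused.get("OUT"),
        })
    return findings


def report(log_text):
    """One human-readable line per DNAT-then-refused packet."""
    return [
        f"{f['src']} -> {f['original_dst']} was DNATed to {f['translated_dst']} "
        f"and then {f['refused_in_chain']} refused it "
        f"(IN={f['in_iface']} OUT={f['out_iface']})"
        for f in correlate(log_text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the quoted lines it reports a single pairing, and the fields it pulls out are the ones to check first when a DNAT is followed by a REJECT: the translated destination port (22 before translation, 80 after, in the log above), and the OUT= interface, which on the rejected packet is eth0 rather than the eth1 the static routes were meant to select.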

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users