On Mon, Mar 7, 2016 at 9:40 PM, Tom Eastep <teas...@shorewall.net> wrote:
>> Could the problem be related to the net_dnat chain?
>
> No.
>
>> Is there an easy way to better constrain the DNAT rule such that the
>> entry for destination 81.63.145.193 is not generated?
>> DNAT    net:eth3        dmz:81.63.145.197     tcp     80,443,8080
>>
>> The eth3 interface gets its address via DHCP but will always fall
>> within the 5.145.19.28/19 range.
>>
>
> You are apparently specifying that IP address in the ORIGINAL_DEST
> column.

Let me begin by saying Gmail's petulance with wordwrapping plaintext
really is a bother.

I am not following.

I thought I was specifying an interface and not an address.

I want all web traffic arriving on interface eth3 to be DNATted.
I want no traffic arriving on the ppp0 interface to be DNATted.

This rule:
Web(DNAT)  net:eth3  dmz:81.63.145.197

is putting traffic through ppp0 on the net_dnat chain.
That will never be matched but I think it is fiddling the MSS.

Again, my apologies for Gmail's wordwrapping :/

root@firewall:~# shorewall show nat
Shorewall 4.6.4.3 NAT Table at firewall - Tue Mar  8 08:16:36 CET 2016

Counters reset Tue Mar  8 08:16:32 CET 2016

Chain PREROUTING (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination
22067 1580K net_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 5518 1160K net_dnat   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
36844 2901K SNAT       all  --  *      ppp0   !81.63.145.192/29     0.0.0.0/0            to:81.63.145.193
14629 1257K SNAT       all  --  *      eth3   !5.145.30.0/23        0.0.0.0/0            to:5.145.19.28

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth3   *       0.0.0.0/0            81.63.145.193        multiport dports 80,443,8080 to:81.63.145.197
 1037 57477 DNAT       tcp  --  eth3   *       0.0.0.0/0            5.145.19.28          multiport dports 80,443,8080 to:81.63.145.197


How can the configuration be better constrained to eliminate ppp0 from
the PREROUTING chain?

Thanks,
jCandlish
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
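As an added check, not part of the post above and not Shorewall's own code: a small Python script that parses the `shorewall show nat` output from the post (reproduced inline, re-joined onto single lines, as its sample input), takes the firewall's address on each interface from the POSTROUTING SNAT rule that uses that interface, and reports any DNAT rule whose original destination is the firewall's address on a different interface than the one the rule matches with `-i`. For the table above it flags the 81.63.145.193 entry in net_dnat, which matches on eth3 but carries the ppp0 address and has seen no packets, and it lists which interfaces PREROUTING sends into net_dnat. The helper names and the assumption that the SNAT `to:` address is the interface's own address are this example's own.

```python
"""Added example: spot DNAT rules in a Shorewall/iptables nat dump whose
original destination belongs to another interface than the rule's -i match.
NAT_DUMP is the post's `shorewall show nat` output re-joined onto single
lines (INPUT/OUTPUT omitted, they were empty); helper names are our own."""
import re

NAT_DUMP = """\
Shorewall 4.6.4.3 NAT Table at firewall - Tue Mar  8 08:16:36 CET 2016

Counters reset Tue Mar  8 08:16:32 CET 2016

Chain PREROUTING (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination
22067 1580K net_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 5518 1160K net_dnat   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
36844 2901K SNAT       all  --  *      ppp0   !81.63.145.192/29     0.0.0.0/0            to:81.63.145.193
14629 1257K SNAT       all  --  *      eth3   !5.145.30.0/23        0.0.0.0/0            to:5.145.19.28

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth3   *       0.0.0.0/0            81.63.145.193        multiport dports 80,443,8080 to:81.63.145.197
 1037 57477 DNAT       tcp  --  eth3   *       0.0.0.0/0            5.145.19.28          multiport dports 80,443,8080 to:81.63.145.197
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")
# pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "extra")


def parse_nat(dump):
    """Return {chain_name: [rule dict, ...]} from `iptables -t nat -L -v -n` style text."""
    chains = {}
    current = None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None:
            continue  # banner lines before the first chain
        m = RULE_RE.match(line)
        if not m:
            continue  # column header or blank line
        rule = dict(zip(FIELDS, m.groups()))
        rule["pkts"] = int(rule["pkts"])
        chains[current].append(rule)
    return chains


def interface_addresses(chains):
    """Map interface -> firewall address on it, read from the POSTROUTING SNAT
    rule for that out-interface (assumption: SNAT uses the interface's own
    address, as it does in the post)."""
    addrs = {}
    for r in chains.get("POSTROUTING", []):
        m = re.search(r"\bto:(\S+)", r["extra"])
        if r["target"] == "SNAT" and m:
            addrs[r["out"]] = m.group(1)
    return addrs


def prerouting_interfaces(chains, jump_to="net_dnat"):
    """Interfaces whose inbound traffic PREROUTING sends into the DNAT chain."""
    return [r["in"] for r in chains.get("PREROUTING", []) if r["target"] == jump_to]


def stray_dnat_rules(chains):
    """DNAT rules that match on one interface (-i) but whose original destination
    is the firewall's address on another interface. Such a rule can never match,
    so its packet counter should stay at 0."""
    owner = {addr: iface for iface, addr in interface_addresses(chains).items()}
    stray = []
    for chain, rules in chains.items():
        for r in rules:
            if r["target"] != "DNAT" or r["in"] == "*":
                continue
            holder = owner.get(r["dst"])
            if holder is not None and holder != r["in"]:
                stray.append((chain, r["in"], r["dst"], holder, r["pkts"]))
    return stray


if __name__ == "__main__":
    table = parse_nat(NAT_DUMP)
    print("PREROUTING jumps to net_dnat from:", prerouting_interfaces(table))
    for chain, iface, dst, holder, pkts in stray_dnat_rules(table):
        print(f"{chain}: -i {iface} -d {dst} is {holder}'s address ({pkts} pkts, never matches)")
```

Run it against a live box with `shorewall show nat > nat.txt` and feed that text to `parse_nat` instead of the embedded sample; a rule that keeps turning up in `stray_dnat_rules` with a zero counter is a generated rule that no packet can hit, which is exactly the entry the post is asking how to suppress.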