Let me begin by saying Gmail's petulance with wordwrapping plaintext
really is a bother.

On Mon, Mar 7, 2016 at 9:40 PM, Tom Eastep <teas...@shorewall.net> wrote:
>> Could the problem be related to the net_dnat chain?
>
> No.
>
>> Is there an easy way to better constrain the DNAT rule such that the
>> entry for destination 81.63.145.193 is not generated?

I am not following.

I thought I was specifying an interface and not an address.

I want all web traffic arriving on interface eth3 to be DNATted.
I want no traffic arriving on the ppp0 interface to be DNATted.

This rule:
DNAT   net:eth3    dmz:81.63.145.197     tcp     80,443,8080

is putting traffic through ppp0 on the net_dnat chain.
That will never be matched but I think it is fiddling the MSS.

Again, my apologies for Gmail's wordwrapping :/

root@firewall:~# shorewall show nat
Shorewall 4.6.4.3 NAT Table at firewall - Tue Mar  8 08:16:36 CET 2016

Counters reset Tue Mar  8 08:16:32 CET 2016

Chain PREROUTING (policy ACCEPT 19663 packets, 2051K bytes)
 pkts bytes target     prot opt in     out     source               destination
15986 1144K net_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 4393  896K net_dnat   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 668 packets, 256K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 4902 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1855 packets, 114K bytes)
 pkts bytes target     prot opt in     out     source               destination
23282 1913K SNAT       all  --  *      ppp0   !81.63.145.192/29     0.0.0.0/0            to:81.63.145.193
 7510  812K SNAT       all  --  *      eth3   !5.145.30.0/23        0.0.0.0/0            to:5.145.19.28

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth3   *       0.0.0.0/0            81.63.145.193        multiport dports 80,443,8080 to:81.63.145.197
  994 55601 DNAT       tcp  --  eth3   *       0.0.0.0/0            5.145.19.28          multiport dports 80,443,8080 to:81.63.145.197


How can the configuration be better constrained to eliminate ppp0 from
the nat table PREROUTING chain?

Thanks,
jCandlish

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

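The observation in the post (the net_dnat chain is entered from ppp0, but every rule inside it matches only on in=eth3, so ppp0 traffic can never hit a DNAT there) can be checked mechanically over the table. The following script is an added example for this thread, not code from the post or from Shorewall: it parses `iptables -t nat -nvL` style output (which is what `shorewall show nat` prints), reports jumps into a user chain whose rules can never match the jumping in-interface, and tallies how many packets entered a chain versus how many a rule in it matched. The embedded sample is the table from the post with Gmail's line wrapping undone; the check only looks at the in-interface column, so a rule constrained by destination address alone is treated as potentially live.

```python
"""Spot nat-table jumps that can never match, from `iptables -t nat -nvL`
output (the format `shorewall show nat` prints).

Added example for the thread above; not part of Shorewall or of the post.
"""
import re

# Sample input: the `shorewall show nat` output quoted in the post, with the
# mail client's line wrapping undone (constructed for this example).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 19663 packets, 2051K bytes)
 pkts bytes target     prot opt in     out     source               destination
15986 1144K net_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 4393  896K net_dnat   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 668 packets, 256K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 37 packets, 4902 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1855 packets, 114K bytes)
 pkts bytes target     prot opt in     out     source               destination
23282 1913K SNAT       all  --  *      ppp0   !81.63.145.192/29     0.0.0.0/0            to:81.63.145.193
 7510  812K SNAT       all  --  *      eth3   !5.145.30.0/23        0.0.0.0/0            to:5.145.19.28

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth3   *       0.0.0.0/0            81.63.145.193        multiport dports 80,443,8080 to:81.63.145.197
  994 55601 DNAT       tcp  --  eth3   *       0.0.0.0/0            5.145.19.28          multiport dports 80,443,8080 to:81.63.145.197
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_nat_table(text):
    """Return {chain_name: [rule, ...]} in table order.

    Each rule is a dict of the nine fixed -nvL columns plus "extra", the
    free-form match/target text (multiport, to:addr, ...) that follows them.
    """
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or the per-chain column header
        cols = line.split(None, 9)  # 9 fixed columns, rest kept verbatim
        if len(cols) < 9:
            continue  # not a rule line
        rule = dict(zip(COLUMNS, cols[:9]))
        rule["extra"] = cols[9] if len(cols) > 9 else ""
        rule["pkts"] = int(rule["pkts"])
        chains[current].append(rule)
    return chains


def dead_jumps(chains):
    """Jumps into a user chain that no rule in that chain can ever match
    because every rule there names a different in-interface.

    Returns (from_chain, in_iface, target_chain, packets_that_took_the_jump).
    """
    findings = []
    for name, rules in chains.items():
        for r in rules:
            target = r["target"]
            if target not in chains or target == name:
                continue  # built-in target (DNAT, SNAT, ACCEPT, ...) or self-reference
            if r["in"] == "*" or not chains[target]:
                continue  # jump carries no interface constraint, or chain is empty
            if any(s["in"] in ("*", r["in"]) for s in chains[target]):
                continue  # at least one rule can see this interface's traffic
            findings.append((name, r["in"], target, r["pkts"]))
    return findings


def chain_traffic(chains, name):
    """(packets that jumped into `name`, packets matched by a rule inside it)."""
    entered = sum(r["pkts"] for rules in chains.values() for r in rules if r["target"] == name)
    matched = sum(r["pkts"] for r in chains[name])
    return entered, matched


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE)
    for chain, iface, target, pkts in dead_jumps(table):
        print(f"{chain}: jump to {target} for in={iface} can never match "
              f"({pkts} packets traversed {target} without a possible hit)")
    entered, matched = chain_traffic(table, "net_dnat")
    print(f"net_dnat: {entered} packets entered, {matched} matched a DNAT rule")
```

On the post's table this flags the PREROUTING jump for in=ppp0 into net_dnat (15986 packets took it) and shows that of the 20379 packets that entered net_dnat only 994 matched a rule; the same script can be pointed at the live output of `shorewall show nat` on any Shorewall box.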