On 03/08/2016 02:59 AM, John Candlish wrote:
> Let me begin by saying Gmail's petulance with wordwrapping plaintext
> really is a bother.
>
> On Mon, Mar 7, 2016 at 9:40 PM, Tom Eastep <teas...@shorewall.net> wrote:
>>> Could the problem be related to the net_dnat chain?
>>
>> No.
>>
>>> Is there an easy way to better constrain the DNAT rule such that the
>>> entry for destination 81.63.145.193 is not generated?
>
> I am not following.
>
> I thought I was specifying an interface and not an address.
>
> I want all web traffic arriving on interface eth3 to be DNATted.
> I want no traffic arriving on the ppp0 interface to be DNATted.
>
> This rule:
>
>     DNAT net:eth3 dmz:81.63.145.197 tcp 80,443,8080
>
> is putting traffic through ppp0 on the net_dnat chain.
> That will never be matched but I think it is fiddling the MSS.
>
> Again, my apologies for Gmail's wordwrapping :/
>
> root@firewall:~# shorewall show nat
> Shorewall 4.6.4.3 NAT Table at firewall - Tue Mar 8 08:16:36 CET 2016
>
> Counters reset Tue Mar 8 08:16:32 CET 2016
>
> Chain PREROUTING (policy ACCEPT 19663 packets, 2051K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 15986 1144K net_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
>  4393  896K net_dnat   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
>
> Chain INPUT (policy ACCEPT 668 packets, 256K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 37 packets, 4902 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 1855 packets, 114K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 23282 1913K SNAT       all  --  *      ppp0    !81.63.145.192/29    0.0.0.0/0            to:81.63.145.193
>  7510  812K SNAT       all  --  *      eth3    !5.145.30.0/23       0.0.0.0/0            to:5.145.19.28
>
> Chain net_dnat (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  eth3   *       0.0.0.0/0            81.63.145.193        multiport dports 80,443,8080 to:81.63.145.197
>   994 55601 DNAT       tcp  --  eth3   *       0.0.0.0/0            5.145.19.28          multiport dports 80,443,8080 to:81.63.145.197
>
> How can the configuration be better constrained to eliminate ppp0 from
> the nat table PREROUTING chain?
You can't. But remember that *only the initial SYN packet* goes through the NAT table. That creates the proper conntrack table entry which then suffices for the life of the connection.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
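The question underneath John's post is an auditing one: given a nat table dump, which DNAT rules can actually be reached from which input interface, and which references to a user chain can never match anything. The script below is an added example for this thread, not code from Tom or from the Shorewall project. It assumes only the column layout that `iptables -t nat -L -v -n` prints (the same layout as `shorewall show nat` above, with the Gmail wrapping undone); the function names, the Rule class and the embedded sample dump are constructed for the example, with the addresses copied from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the nat table dump quoted in the thread, re-joined
# into the one-line-per-rule layout that `iptables -t nat -L -v -n` prints.
# Addresses and counters are the thread's own values.
SAMPLE_NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 19663 packets, 2051K bytes)
 pkts bytes target     prot opt in     out     source               destination
15986 1144K net_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 4393  896K net_dnat   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1855 packets, 114K bytes)
 pkts bytes target     prot opt in     out     source               destination
23282 1913K SNAT       all  --  *      ppp0    !81.63.145.192/29    0.0.0.0/0            to:81.63.145.193
 7510  812K SNAT       all  --  *      eth3    !5.145.30.0/23       0.0.0.0/0            to:5.145.19.28

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth3   *       0.0.0.0/0            81.63.145.193        multiport dports 80,443,8080 to:81.63.145.197
  994 55601 DNAT       tcp  --  eth3   *       0.0.0.0/0            5.145.19.28          multiport dports 80,443,8080 to:81.63.145.197
"""


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str  # trailing match/target options, e.g. "multiport dports 80,443 to:..."


CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_nat_dump(text):
    """Parse `iptables -t nat -L -v -n` style output into {chain_name: [Rule, ...]}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        # skip blank lines, the column header, and anything before the first chain
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue
        # columns: pkts bytes target prot opt in out source destination [extra...]
        _pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
        chains[current].append(Rule(target, proto, in_if, out_if, src, dst, " ".join(parts[9:])))
    return chains


def combine_iface(outer, inner):
    """Intersect two input-interface constraints; '*' means any interface.
    Returns None when no packet can satisfy both. Negated interfaces ('!eth0')
    are not modelled here (assumption: the dump uses plain names or '*')."""
    if outer == "*":
        return inner
    if inner == "*" or inner == outer:
        return outer
    return None


def effective_dnat_rules(chains, chain="PREROUTING", in_if="*", seen=()):
    """Walk user chains from PREROUTING and return (effective_in_if, destination, extra)
    for every DNAT rule a packet can actually reach, with the interface it must arrive on."""
    visited = seen + (chain,)
    results = []
    for rule in chains.get(chain, []):
        eff = combine_iface(in_if, rule.in_if)
        if eff is None:
            continue  # this rule (or jump) is unmatchable on the path taken so far
        if rule.target == "DNAT":
            results.append((eff, rule.dest, rule.extra))
        elif rule.target in chains and rule.target not in visited:
            results.extend(effective_dnat_rules(chains, rule.target, eff, visited))
    return results


def dead_references(chains, chain="PREROUTING", in_if="*"):
    """Return (user_chain, interface) for jumps whose target chain contains no rule
    that can match traffic arriving on that interface: the jump is harmless but never hits."""
    dead = []
    for rule in chains.get(chain, []):
        if rule.target in chains and rule.target != chain:
            eff = combine_iface(in_if, rule.in_if)
            if eff is None:
                continue
            if not any(combine_iface(eff, r.in_if) is not None for r in chains[rule.target]):
                dead.append((rule.target, eff))
    return dead


if __name__ == "__main__":
    table = parse_nat_dump(SAMPLE_NAT_DUMP)
    for user_chain, iface in dead_references(table):
        print(f"jump to {user_chain} from {iface}: no rule in it can match this interface")
    for iface, dest, extra in effective_dnat_rules(table):
        print(f"DNAT reachable only via {iface}: dst {dest} {extra}")
```

Run against the thread's dump it reports that the ppp0 reference to net_dnat can never match a rule (both DNAT rules carry `-i eth3`), while both DNAT rules are reachable only through eth3, which is the outcome John wanted. Combined with Tom's point that only the connection's first packet traverses the nat table at all, the extra PREROUTING jump costs one chain lookup per new connection and has no effect on what gets translated.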
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users