On 05/26/2017 09:17 AM, Vieri Di Paola wrote:
>
> From: Tom Eastep <[email protected]>
>>
>> Looks like you are redirecting port 80 to port 62001, but no
>> process is listening on that port.
>
>
> How do you know there's no process listening on that port?
In the dump, 62001 did not appear in the output of ss.
>
> I ran this on the shorewall machine:
>
> # ss -tnap | fgrep 62001
> LISTEN     0  128  :::62001                     :::*                           users:(("/usr/sbin/apach",pid=29038,fd=12),("/usr/sbin/apach",pid=29033,fd=12),("/usr/sbin/apach",pid=29032,fd=12),("/usr/sbin/apach",pid=29031,fd=12),("/usr/sbin/apach",pid=28968,fd=12),("/usr/sbin/apach",pid=27512,fd=12),("/usr/sbin/apach",pid=27461,fd=12),("/usr/sbin/apach",pid=22872,fd=12),("/usr/sbin/apach",pid=19472,fd=12),("/usr/sbin/apach",pid=19099,fd=12),("/usr/sbin/apach",pid=19094,fd=12))
> ESTAB      0  0    ::ffff:10.215.144.92:62001   ::ffff:10.215.246.167:47475    users:(("/usr/sbin/apach",pid=29031,fd=26))
> TIME-WAIT  0  0    ::ffff:10.215.144.92:62001   ::ffff:10.215.248.193:37020
> ESTAB      0  0    ::ffff:10.215.144.92:62001   ::ffff:10.215.246.167:57504    users:(("/usr/sbin/apach",pid=27512,fd=26))
> TIME-WAIT  0  0    ::ffff:10.215.144.92:62001   ::ffff:10.215.248.193:34666
>
> It's an apache/php process and it is serving a page as I can test
> by directly connecting a "loc" host with IP address 10.215.144.48
> to Shorewall's IP address 10.215.144.92 ($FW).
>
> Also, the redirection was not supposed to match in my previous
> example because the destination IP of www.shorewall.net was in an
> ipset whitelist. In fact, the rule is:
>
> REDIRECT:info:OUT1 loc:$MY_NETWORKS!$OUT_VIP 62001 tcp 80 - !+OUT_WL,+OUT_MANUAL_WL,$MY_EXTRA_NETWORKS,$MY_WAN
>
> # host www.shorewall.net
> www.shorewall.net is an alias for shorewall.mastermindpro.com.
> shorewall.mastermindpro.com has address 63.135.54.24
> # ipset list OUT_WL | grep 63.135
> 63.135.48.0/20 timeout 0
>
> Anyway, in order to simplify things even further, I added
> 10.215.144.48 to $OUT_VIP in order to explicitly avoid the
> redirection. I then tried to access http://www.shorewall.net from
> 10.215.144.48 but had the exact same issue (BTW I can open the web
> page at 10.215.144.92, ie. $FW, on port 62001 from 10.215.144.48).
>
> I'm attaching another dump in the hope we can shed some light on
> this (open port 80 at 63.135.54.24 from 10.215.144.48 via Squid
> TPROXY).
Looking in the dump, packets to port 80 from the loc zone match this
rule:

    6   304 ~excl0  tcp  --  enp11s0 *  10.215.144.48    0.0.0.0/0    tcp dpt:80

The connection to www.shorewall.net was TPROXYed there:

    6   304 ~excl0  tcp  --  enp11s0 *  10.215.144.48    0.0.0.0/0    tcp dpt:80

In the NAT table PREROUTING chain, all new connections from the 'loc'
zone are passed through the chain 'loc_dnat':

Chain loc_dnat (1 references)
 pkts bytes target  prot opt in      out source           destination
  300 16532 ~excl12 tcp  --  *       *   10.215.144.0/22  0.0.0.0/0    tcp dpt:80
  266 15960 ~excl12 tcp  --  *       *   10.215.246.0/23  0.0.0.0/0    tcp dpt:80
   19  1140 ~excl12 tcp  --  *       *   10.215.248.0/24  0.0.0.0/0    tcp dpt:80

10.215.144.48 falls into the first rule which jumps to ~excl2 where it
matches this rule:

   45  2280 RETURN  all  --  *       *   0.0.0.0/0        0.0.0.0/0    source IP range 10.215.144.44-10.215.144.48

It appears, however, that no attempt was made by Squid to connect to
www.shorewall.net. The only output chain with any traffic was fw-net3
and there, only a single packet in the ESTABLISHED state was processed.
-Tom

--
Tom Eastep             \   Q: What do you get when you cross a mobster with
Shoreline,              \     an international standard?
Washington, USA          \  A: Someone who makes you an offer you can't
http://shorewall.org      \    understand
                           \_______________________________________________
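The reasoning above (read the counters in an `iptables -t nat -nvL` dump, find the rule a given source address hits in loc_dnat, follow the jump into the exclusion chain and see whether it RETURNs before any REDIRECT) can be automated so it does not have to be done by eye every time a dump is posted. The script below is an added example written for this thread, not code from Shorewall or from either poster. It parses rule lines in the column layout quoted above and walks the chains the way the kernel would. The loc_dnat and RETURN lines are copied from the dump in this message; the chain name "~excl12" is taken from the loc_dnat target column, and the trailing REDIRECT line inside that chain is a constructed placeholder (the dump does not show it) so the walk has a terminal verdict to reach.

```python
# Added example (not from the thread): trace a packet through an
# iptables -nvL dump the way the NAT PREROUTING walk above was done by hand.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    source: str                                  # CIDR / address as printed
    dport: Optional[int]                         # None when no "dpt:" match
    src_range: Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]

# Fixed columns of a rule line: pkts bytes target prot opt in out source destination [matches...]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$"
)

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not an iptables rule line: {line!r}")
    pkts, _bytes, target, proto, _opt, _in, _out, src, _dst, extra = m.groups()
    dm = re.search(r"dpt:(\d+)", extra)
    rm = re.search(r"source IP range (\S+)-(\S+)", extra)
    src_range = None
    if rm:
        src_range = (ipaddress.ip_address(rm.group(1)), ipaddress.ip_address(rm.group(2)))
    return Rule(int(pkts), target, proto, src, int(dm.group(1)) if dm else None, src_range)

def rule_matches(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule.proto not in ("all", proto):
        return False
    if ip not in ipaddress.ip_network(rule.source, strict=False):
        return False
    if rule.src_range and not (rule.src_range[0] <= ip <= rule.src_range[1]):
        return False
    return rule.dport is None or rule.dport == dport

def trace(chains: Dict[str, List[str]], chain: str, src_ip: str,
          proto: str = "tcp", dport: int = 80) -> List[str]:
    """Return the targets taken, in order. User chains (keys of `chains`) are
    entered on a jump; a RETURN, or running off the end ("END"), resumes the
    caller at its next rule. Any other target is a terminal verdict."""
    path: List[str] = []
    for line in chains[chain]:
        rule = parse_rule(line)
        if not rule_matches(rule, src_ip, proto, dport):
            continue
        path.append(rule.target)
        if rule.target == "RETURN":
            return path
        if rule.target in chains:
            sub = trace(chains, rule.target, src_ip, proto, dport)
            path.extend(sub)
            if sub[-1] in ("RETURN", "END"):
                continue                     # child chain came back; next rule
            return path                      # terminal verdict inside the child
        return path                          # REDIRECT, DNAT, DROP, ...
    path.append("END")
    return path

# loc_dnat lines are from the dump quoted in this message.
LOC_DNAT = [
    "300 16532 ~excl12 tcp -- * * 10.215.144.0/22 0.0.0.0/0 tcp dpt:80",
    "266 15960 ~excl12 tcp -- * * 10.215.246.0/23 0.0.0.0/0 tcp dpt:80",
    "19 1140 ~excl12 tcp -- * * 10.215.248.0/24 0.0.0.0/0 tcp dpt:80",
]
# The RETURN line is from the dump; the REDIRECT line is a CONSTRUCTED
# placeholder for the redirect rule that the dump does not show.
EXCL12 = [
    "45 2280 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 source IP range 10.215.144.44-10.215.144.48",
    "12 600 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 62001",
]
CHAINS = {"loc_dnat": LOC_DNAT, "~excl12": EXCL12}

if __name__ == "__main__":
    for host in ("10.215.144.48", "10.215.144.60", "10.215.1.1"):
        print(host, "->", " / ".join(trace(CHAINS, "loc_dnat", host)))
```

Running it shows 10.215.144.48 hitting the exclusion RETURN and falling out of loc_dnat untouched, while a neighbour outside the 10.215.144.44-48 range reaches the REDIRECT; comparing that expectation with the packet counters in the dump is exactly the check that reveals whether the redirect or the proxy side is the one not doing its job.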
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users