Thanks!
This works perfectly. I have a follow-up question though, and this may be the 
cause of my real problem.
Instead of a DNS server in the dmz zone I'd like to reach a DNS server over an 
OpenVPN connection.

The tunnel device tun9 is defined as a zone, we use the tunnel to reach the 
firewall from a Nagios server where the tunnel terminates.
Tcpdump shows traffic entering the tunnel, and it looks fine from the Shorewall 
perspective on the client.
On the server side the DNS traffic from my host on the local LAN on the client 
is missing.

When I start Shorewall I get a warning about the tunnel:
WARNING: Optional Interface tun9 is not usable -- tun9 not Started

The tunnel interface is defined as an internal interface just like my local 
LAN, and I use two external WAN interfaces.
I wonder if I have to define the tunnel in some way in Shorewall other than in 
interfaces, and whether I have done that wrong:

nag  tun9    detect  optional,maclist

(Maclist: MACLIST_DISPOSITION=ACCEPT)

Maybe my goal makes no sense??
/Göran

-----Original message-----
From: Tom Eastep <teas...@shorewall.net> 
Sent: 13 December 2018 18:23
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT from specific host

On 12/13/18 9:00 AM, Tom Eastep wrote:
> On 12/13/18 12:40 AM, HÖGLUND, Göran via Shorewall-users wrote:
>> Hi
>>
>> I cannot figure out how to DNAT traffic from a specific IP address 
>> in one zone to a specific IP address in another zone and let all 
>> other traffic be treated "normally"
>>
>> My idea is:
>>
>> DNAT loc:192.168.0.2 dmz:192.168.1.2 udp 53
>>
>> Seems to fail ..
> 
> That rule will forward UDP DNS requests from 192.168.0.2 in the loc 
> zone to the DNS server at 192.168.1.2 in the dmz zone, PROVIDED THAT 
> there are no existing conntrack entries for udp 53 from 192.168.0.2 to 
> whatever the original destination address in the request was.
> 
> If the conntrack utility is installed, you can delete any such entries via:
> 
>       conntrack -D -s 192.168.0.2 -p udp --dport 53
> 

One more thing - DNS sometimes falls back to TCP if the response is too long 
for a single datagram. So you probably want:

        DNAT loc:192.168.0.2 dmz:192.168.1.2 udp,tcp 53
                                                ---- -Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
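The rule layout and the conntrack flush discussed above, as an added example that is not part of the thread or of Shorewall itself: a small Python linter that parses a rules line in the ACTION SOURCE DEST PROTO DPORT layout used here, checks the zone names against a constructed zone list (so a typo such as `log` for `loc` is caught before the rule is loaded), warns when a DNS DNAT covers only UDP, and emits the `conntrack -D` command Tom suggests, once per protocol, so that a stale UDP or TCP entry cannot keep bypassing the new rule. The zone set and the rule strings are constructed for the example.

```python
"""Lint a Shorewall-style DNAT rule line and derive the matching conntrack flush.

Added example, not Shorewall code. Assumes the five-column layout seen in the
thread: ACTION SOURCE DEST PROTO DPORT, with SOURCE/DEST written as zone:host.
"""
from dataclasses import dataclass

# Constructed zone list for the example: the zones named in the thread plus fw.
KNOWN_ZONES = frozenset({"fw", "loc", "dmz", "net", "nag"})


@dataclass(frozen=True)
class DnatRule:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    protos: tuple
    dport: str


def split_endpoint(field):
    """Split 'zone:host' into (zone, host); a bare zone yields an empty host."""
    if ":" not in field:
        return field, ""
    zone, host = field.split(":", 1)
    return zone, host


def parse_dnat_rule(line):
    """Parse one DNAT rule line into its columns."""
    fields = line.split()
    if len(fields) < 5 or fields[0].upper() != "DNAT":
        raise ValueError(f"not a five-column DNAT rule: {line!r}")
    _action, src, dst, proto, dport = fields[:5]
    src_zone, src_host = split_endpoint(src)
    dst_zone, dst_host = split_endpoint(dst)
    # PROTO may list several protocols separated by commas (udp,tcp).
    protos = tuple(p.lower() for p in proto.split(","))
    return DnatRule(src_zone, src_host, dst_zone, dst_host, protos, dport)


def lint_rule(rule, zones=KNOWN_ZONES):
    """Return a list of problems; an empty list means the rule passed."""
    problems = []
    for zone in (rule.src_zone, rule.dst_zone):
        if zone not in zones:
            problems.append(f"unknown zone {zone!r}")
    if not rule.dst_host:
        problems.append("DNAT needs a destination address in DEST")
    # Tom's point: DNS falls back to TCP for long answers, so udp alone is incomplete.
    if rule.dport == "53" and rule.protos == ("udp",):
        problems.append("DNS may fall back to TCP; consider udp,tcp")
    return problems


def conntrack_flush_commands(rule):
    """Build one 'conntrack -D' per protocol so stale entries cannot bypass the DNAT."""
    cmds = []
    for proto in rule.protos:
        cmd = ["conntrack", "-D"]
        if rule.src_host:
            cmd += ["-s", rule.src_host]
        cmd += ["-p", proto, "--dport", rule.dport]
        cmds.append(" ".join(cmd))
    return cmds


if __name__ == "__main__":
    # Constructed rule lines: the corrected rule, the zone typo, and the UDP-only variant.
    for line in (
        "DNAT loc:192.168.0.2 dmz:192.168.1.2 udp,tcp 53",
        "DNAT log:192.168.0.2 dmz:192.168.1.2 udp,tcp 53",
        "DNAT loc:192.168.0.2 dmz:192.168.1.2 udp 53",
    ):
        rule = parse_dnat_rule(line)
        print(line)
        for problem in lint_rule(rule) or ["ok"]:
            print("  lint:", problem)
        for cmd in conntrack_flush_commands(rule):
            print("  flush:", cmd)
```

The flush commands are printed rather than executed, so the script can be run on any host to review what would be removed before running them on the firewall.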
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users