On 01/04/2023 at 18:45, Justin Pryzby wrote:
> On Sat, Apr 01, 2023 at 06:10:50PM +0200, Olivier Sannier wrote:
>> Hello,
>> I am using Shorewall 5.2.8 on a server that has three interfaces, one
>> internal, one DMZ and one connected to the Internet.
>> On that server, there is a service that binds itself only on localhost and
>> that cannot be configured otherwise.
>> As I would like to access it from the "loc" zone, I have tried writing this
>> REDIRECT rule:
>> REDIRECT loc lo:1883 tcp 1883 - &loc
> For redirect, you shouldn't specify an interface nor a zone.
Ah thanks, I missed that, so now, my rule looks like this:
REDIRECT loc 1883 tcp 1883 - &enp4s0
Which, to me, means that a connection coming on enp4s0 tcp port 1883
should be forwarded to the service listening locally on port 1883.
I checked with netstat and there is something listening on that port:
tcp 0 0 127.0.0.1:1883 0.0.0.0:* LISTEN -
Bound on 127.0.0.1, as I indicated in my original email.
However, when I connect from the loc zone to the address of enp4s0
(10.10.10.254 for that matter) on port 1883, I get a "connection error"
message from telnet.
Using Wireshark on the client computer, I see the SYN packet going out
and a few RST, ACK replies.
Now, as this is kind of a cross zone forward, I tried with a DNAT- rule
written like this:
DNAT- loc :127.0.0.1:1883 tcp 1883 - &enp4s0
And while the rule is accepted, when I connect from the loc zone, I see
those error messages in the system journal:
IPv4: martian destination 127.0.0.1 from 10.10.10.140, dev enp4s0
If I use a simple DNAT rule, then I have to specify the zone, which I
want to be "lo", but that leads back to the original "Rules may not
override a NONE policy" error.
Thanks for your time and patience
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
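Added example, not part of the thread or of Shorewall: a small POSIX sh diagnostic that runs the two checks discussed above offline (the netstat listener line and the "martian destination" journal message) and names the cause, which is that the kernel discards a packet DNATed or redirected to 127.0.0.1 on a non-loopback interface unless net.ipv4.conf.<iface>.route_localnet is enabled. The interface and port are the post's; the netstat and journal lines are constructed samples.

```shell
#!/bin/sh
# Added helper (not from the thread): interface and port are from the post,
# the netstat and journal lines are constructed samples, so it runs offline.
SAMPLE_LISTEN='tcp 0 0 127.0.0.1:1883 0.0.0.0:* LISTEN -'
SAMPLE_LOG='IPv4: martian destination 127.0.0.1 from 10.10.10.140, dev enp4s0'

# listener_scope PORT LISTING ('netstat -tln' text): prints "loopback" when every
# LISTEN socket on PORT is bound to 127.0.0.0/8 or ::1, "any" when one is
# reachable on another address, "none" when nothing listens on PORT.
listener_scope() {
    port=$1; listing=$2
    addrs=$(printf '%s\n' "$listing" | awk -v p="$port" \
        '$6=="LISTEN" && $4 ~ (":" p "$") { print substr($4, 1, length($4)-length(p)-1) }')
    [ -n "$addrs" ] || { printf 'none\n'; return 0; }
    for a in $addrs; do
        case $a in 127.*|::1) ;; *) printf 'any\n'; return 0 ;; esac
    done
    printf 'loopback\n'
}

# martian_to_loopback IFACE LOG: "yes" if the kernel reported discarding a packet
# for 127.0.0.0/8 that arrived on IFACE, i.e. a NAT rule rewrote the destination
# to 127.0.0.1 while net.ipv4.conf.IFACE.route_localnet is 0 (the default).
martian_to_loopback() {
    if printf '%s\n' "$2" | grep -q "martian destination 127\.[0-9.]* from .* dev $1\$"; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# diagnose IFACE PORT LISTING LOG: prints one verdict token.
diagnose() {
    iface=$1; port=$2; listing=$3; log=$4
    case $(listener_scope "$port" "$listing") in
        none) printf 'no-listener\n' ;;        # fix the service, not the firewall
        any)  printf 'direct-reachable\n' ;;   # no REDIRECT needed for that address
        loopback)
            if [ "$(martian_to_loopback "$iface" "$log")" = yes ]; then
                # route_localnet=1 stops the kernel discarding 127.0.0.0/8 destinations
                # arriving on IFACE; set it per interface only and keep the NAT rule
                # limited to this port: loopback-only services then rely on the policy.
                printf 'needs-route-localnet\n'
            else
                printf 'check-nat-rule\n'       # e.g. iptables -t nat -S | grep ":$port"
            fi ;;
    esac
}
diagnose enp4s0 1883 "$SAMPLE_LISTEN" "$SAMPLE_LOG"
```

Run it on the real host by feeding `netstat -tln` and `journalctl -k` output into `diagnose` instead of the sample strings.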