On Sat, Apr 01, 2023 at 11:00:17PM +0200, Olivier Sannier wrote:
> On 01/04/2023 at 18:45, Justin Pryzby wrote:
> > On Sat, Apr 01, 2023 at 06:10:50PM +0200, Olivier Sannier wrote:
> > > Hello,
> > >
> > > I am using Shorewall 5.2.8 on a server that has three interfaces, one
> > > internal, one DMZ and one connected to the Internet.
> > > On that server, there is a service that binds itself only on localhost and
> > > that cannot be configured otherwise.
> > > As I would like to access it from the "loc" zone, I have tried writing
> > > this REDIRECT rule:
> > > REDIRECT loc lo:1883 tcp 1883 - &loc
> > For redirect, you shouldn't specify an interface nor a zone.
>
> Ah thanks, I missed that, so now my rule looks like this:
> REDIRECT loc 1883 tcp 1883 - &enp4s0
>
> Which, to me, means that a connection coming in on enp4s0 tcp port 1883 should
> be forwarded to the service listening locally on port 1883.
> I checked with netstat and there is something listening on that port:
> tcp 0 0 127.0.0.1:1883 0.0.0.0:* LISTEN -
>
> Bound on 127.0.0.1 as I indicated in my original email.
>
> However, when I connect from the loc zone to the address of enp4s0
> (10.10.10.254 for that matter) on port 1883, I get a "connection error"
> message from telnet.
> Using Wireshark on the client computer, I see the SYN packet going out and a
> few RST, ACK replies.
You should run wireshark/tcpdump on the shorewall device, and specify "-i lo"
to see what's happening on that interface.

It'd be useful to log the request, like REDIRECT:INFO:mqtt
That'll at least indicate whether the rule is being hit.

> Now, as this is kind of a cross zone forward, I tried with a DNAT- rule
> written like this:
> DNAT- loc :127.0.0.1:1883 tcp 1883 - &enp4s0

Why DNAT- and not DNAT?  It's not the cause of your immediate problem, but I
don't know why you wouldn't want an ACCEPT rule in the filter chain, which is
elided when you specify "-".

> And while the rule is accepted, when I connect from the loc zone, I see
> those error messages in the system journal:
> IPv4: martian destination 127.0.0.1 from 10.10.10.140, dev enp4s0

I think the first test would be to disable routefilter on that interface.
And maybe instead use rpfilter/sfilter.
https://shorewall.org/MultiISP.html#Martians
https://shorewall.org/manpages/shorewall-interfaces.html

> If I use a simple DNAT rule, then I have to specify the zone, which I want
> to be "lo" but that leads back to the original "Rules may not override a
> NONE policy" error.

You can use DNAT (for which I think REDIRECT is just shorthand) but specify $FW.

Also (I don't think I've ever done this, and I have no reason to believe it's
what you want) but you can create a loopback zone.
https://shorewall.org/manpages/shorewall-zones.html

-- 
Justin

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
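Added example, not taken from this thread or from the Shorewall project: the two configuration fragments below show how the suggestions in the reply above (log the rule, use DNAT with $FW instead of a "lo" zone, turn routefilter off and rely on rpfilter) could be written, reusing the zone, interface, address and port from the messages. Assumed and not stated in the thread: the ?FORMAT 2 column layout of /etc/shorewall/interfaces, the rpfilter interface option documented in the shorewall-interfaces man page linked above, and the fact that a DNAT to 127.0.0.1 also needs the kernel sysctl net.ipv4.conf.enp4s0.route_localnet=1, which Shorewall does not set for you; without it the kernel refuses to route a 127.0.0.1 destination that arrives on a non-loopback interface and logs exactly the "martian destination 127.0.0.1" message quoted above.

```text
# /etc/shorewall/interfaces (assumed ?FORMAT 2 layout; adapt to your file)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
# routefilter=0 disables kernel reverse-path filtering on this interface,
# rpfilter replaces it with the iptables rpfilter match, as suggested above.
loc     enp4s0      routefilter=0,rpfilter

# /etc/shorewall/rules
#ACTION              SOURCE   DEST                 PROTO   DPORT   SPORT   ORIGDEST
#
# Choose ONE of the two rules below; both match the same traffic.
#
# (a) Logged REDIRECT. The kernel's REDIRECT target rewrites the destination
#     to the primary address of the incoming interface (10.10.10.254 here),
#     so a service bound only to 127.0.0.1 will not answer and the client
#     receives RST, which matches the Wireshark observation in the thread.
#     Use this form only if the service can listen on 10.10.10.254 as well.
#REDIRECT:info:mqtt  loc      1883                 tcp     1883    -       &enp4s0
#
# (b) DNAT to the loopback-bound listener, with $FW as the destination zone
#     (no "lo" zone needed) and the filter-chain ACCEPT kept (DNAT, not DNAT-).
#     Assumed prerequisite, set outside Shorewall (e.g. /etc/sysctl.d/):
#         net.ipv4.conf.enp4s0.route_localnet = 1
#     Otherwise the kernel drops the rewritten packet as a martian destination.
DNAT:info:mqtt       loc      $FW:127.0.0.1:1883   tcp     1883    -       &enp4s0
```

With the :info:mqtt log level in place, a hit on the rule shows up in the kernel log (journalctl -k) tagged with "mqtt", which answers the "is the rule being reached at all" question before any packet capture on lo is needed. Restricting the SOURCE column to loc keeps the loopback-only service reachable from the internal network alone, not from the DMZ or Internet interfaces.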