On 02/04/2023 at 00:48, Justin Pryzby wrote:
> On Sat, Apr 01, 2023 at 11:00:17PM +0200, Olivier Sannier wrote:
>> However, when I connect from the loc zone to the address of enp4s0
>> (10.10.10.254 for that matter) on port 1883, I get a "connection error"
>> message from telnet.
>> Using Wireshark on the client computer, I see the SYN packet going out and a
>> few RST, ACK replies.
> You should run wireshark/tcpdump on the shorewall device, and specify
> "-i lo" to see what's happening on that interface.

I have run it on enp4s0 and I see the RST,ACK replies
I have run it on lo and I see nothing coming through

> It'd be useful to log the request, like REDIRECT:INFO:mqtt
> That'll at least indicate whether the rule is being hit.

Indeed, that's useful and here is what I get in the system log:

server kernel: loc_dnat REDIRECT mqtt IN=enp4s0 OUT=
MAC=50:3e:aa:0a:e2:0e:70:85:c2:75:2d:71:08:00 SRC=10.10.10.140
DST=10.10.10.254 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4850 DF PROTO=TCP
SPT=51232 DPT=1883 WINDOW=64240 RES=0x00 SYN URGP=0

So it seems the rule is hit, but it does not seem to do what I think it
should do.

> Why DNAT- and not DNAT?

Because without the "-" I must specify the zone (lo:127.0.0.1:1883) and
this gives me an invalid rule, with the same cascade of error messages
as the one I got when I tried to specify lo in the REDIRECT rule.

>> And while the rule is accepted, when I connect from the loc zone, I see
>> those error messages in the system journal:
>> IPv4: martian destination 127.0.0.1 from 10.10.10.140, dev enp4s0
> I think the first test would be to disable routefilter on that
> interface. And maybe instead use rpfilter/sfilter.
> https://shorewall.org/MultiISP.html#Martians
> https://shorewall.org/manpages/shorewall-interfaces.html

routefilter is not specified on any interface, and ROUTE_FILTER is set
to No in shorewall.conf.
In that same file, LOG_MARTIANS is set to Yes

>> If I use a simple DNAT rule, then I have to specify the zone, which I want
>> to be "lo" but that leads back to the original "Rules may not override a
>> NONE policy" error.
> You can use DNAT (for which I think REDIRECT is just shorthand) but
> specify $FW.

Specifying $FW:127.0.0.1:1883 leads to "martians" and specifying
$FW::1883 leads to the same RST,ACK packets coming back from interface
enp4s0
Just for the experience, I redirected to port 22 instead of 1883 as I
know there is an SSH server bound on 0.0.0.0:22 and applied the rule.
This time, the redirection works perfectly, I can connect using an ssh
client via port 1883 on enp4s0
So with the current configuration REDIRECT/DNAT are only working with a
destination bound on 0.0.0.0 and not on a specific address.
The question is then how to redirect to a destination that is
specifically bound to a given ip address of the server interface?
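Added example, not from the thread and not Shorewall code: a small shell model of the two outcomes reported above (RST,ACK when nothing listens on the rewritten destination, accept when a 0.0.0.0 listener covers it). It assumes a constructed `ss -ltn` listing mirroring the server in the thread, the interface address 10.10.10.254 from the log above, and the kernel sysctl net.ipv4.conf.IFACE.route_localnet (not mentioned in the thread) as the switch that decides whether a 127.0.0.1 destination arriving on enp4s0 is treated as martian.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall. It models the two
# outcomes reported above: after NAT the kernel answers with RST,ACK when no
# socket listens on the rewritten destination, and accepts the SYN when a
# wildcard (0.0.0.0) or matching listener exists.
# Constructed `ss -ltn` output mirroring the thread's server: sshd on
# 0.0.0.0:22, the MQTT broker on 127.0.0.1:1883 only.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      100        127.0.0.1:1883       0.0.0.0:*'

# listener_for ADDR PORT [SS_OUTPUT]
# Prints "accept" if a LISTEN socket covers ADDR:PORT (same address or the
# 0.0.0.0 wildcard), otherwise "rst".
listener_for() {
    printf '%s\n' "${3:-$SS_SAMPLE}" | awk -v addr="$1" -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, p, ":")                      # local addr:port field
            lport = p[n]
            laddr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport == port && (laddr == "0.0.0.0" || laddr == "*" || laddr == addr))
                found = 1
        }
        END { print (found ? "accept" : "rst") }'
}

# nat_outcome KIND IFACE_ADDR PORT [ROUTE_LOCALNET]
# "redirect": destination becomes the incoming interface address, as with
#             Shorewall REDIRECT or DNAT $FW::PORT in the thread.
# "dnat-lo":  destination becomes 127.0.0.1, as with DNAT $FW:127.0.0.1:PORT.
#             The kernel logs "martian destination 127.0.0.1" and drops the
#             packet unless net.ipv4.conf.IFACE.route_localnet=1 (kernel
#             sysctl; assumed here, the thread only shows the martian log).
nat_outcome() {
    case "$1" in
        redirect) listener_for "$2" "$3" ;;
        dnat-lo)
            if [ "${4:-0}" = "1" ]; then listener_for 127.0.0.1 "$3"
            else echo "martian"; fi ;;
        *) echo "unknown"; return 2 ;;
    esac
}

# Stand-alone run reproduces the thread: port 22 works, 1883 does not.
nat_outcome redirect 10.10.10.254 22        # accept
nat_outcome redirect 10.10.10.254 1883      # rst
nat_outcome dnat-lo  10.10.10.254 1883      # martian
nat_outcome dnat-lo  10.10.10.254 1883 1    # accept
```

Replacing SS_SAMPLE with real `ss -ltn` output on the firewall host shows which bound address a given port would need to reach.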