[Shorewall-newbies] NAT issue

Tom Eastep teastep at shorewall.net
Fri Jan 23 12:38:49 PST 2004


On Friday 23 January 2004 12:13 pm, Sakthivel Subramanian wrote:
> Hi,
>
> First of all I would like to thank Tom Eastep for this excellent firewall.
>
> I am using Shorewall 1.4.8 on a 2.4.20-8 linux kernel with the basic 2
> interface setup
> eth0 - Connected to a router which provides internet/VPN access
> eth1 - Connected to the LAN
>
> Shorewall/interfaces
> net      eth0           192.168.1.255 blacklist,dropunclean,routefilter
> loc      eth1           10.10.1.255   routefilter
>
> In the current firewall setup, I have a Windows server inside the firewall
> with an IP (10.10.1.10). I have a one-to-one NAT using the Shorewall/nat
> file
> 192.168.1.10  eth0:10         10.10.1.10    No                      No
>
> Machines from our corporate network access the server using the
> 192.168.1.10 IP via the router VPN tunnels and the traffic is controlled by
> shorewall/rules without any problem.
>
> The problem I am facing is locally when my machine (10.10.1.4) tries to
> access the server using the server's external IP (192.168.1.10). I keep
> getting the following message from Shorewall.
> **************
> Jan 23 14:11:41 10.10.1.1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:a0:cc:3f:68:f6:00:0b:db:ca:78:17:08:00 SRC=10.10.1.4
> DST=192.168.1.10 LEN=245 TOS=0x00 PREC=0x00 TTL=128 ID=6734 PROTO=UDP
> SPT=4502 DPT=389 LEN=225
> **************
>
> Shorewall is rejecting port 389 (LDAP) access to 192.168.1.10 from my
> machine 10.10.1.4 based on all2all policy. Notice the empty output
> interface. (OUT= ) If I try pinging 192.168.1.10 from my machine, I get a
> respose back.
>
> My default policy is
> loc    net    ACCEPT
>
> I explicitly added the following rule but it didn't help.
> ACCEPT:info     loc                     net:192.168.1.10      tcp     389
> ACCEPT:info     loc                     net:192.168.1.10      udp     389
>
> I tried creating a new zone with 192.168.1.0/24 as host list and added
> policy to allow all traffic to that zone and it didn't help either.
>

This is a variation on FAQ 2.

Your entry in /etc/shorewall/nat has "No" in the "ALL INTERFACES" column so 
requests to 192.168.1.10 coming in on eth1 do not get natted. Since you are 
accepting ping loc->fw but you aren't accepting LDAP loc->fw, the ping 
appears to work but LDAP fails.

Unfortunately is not sufficient to just put "Yes" in the ALL INTERFACES 
column. That would cause LDAP requests from 10.10.1.x to 192.168.1.10 to be 
rerouted to 10.10.1.4 but that system's replies will go straight back to the 
10.10.1.x client who would discard them (because they would have the wrong 
source address).

The solution is therefore the same as in FAQ 2.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net




More information about the Shorewall-newbies mailing list