[Shorewall-newbies] NAT issue

Sakthivel Subramanian sakthi at altair.com
Fri Jan 23 17:24:38 PST 2004 

Tom,

I added a rule to allow LDAP from loc->fw and routeback to loc interface
that took care of my issue.

In FAQ 2A, you are suggesting 
"Another good way to approach this problem is to switch from one-to-one NAT
to Proxy ARP."

If I switch to proxy ARP instead of one-to-one NAT, will I still be able to
control traffic to the server by adding specific rules in the
Shorewall/rules file.

Thanks

Sakthi

-----Original Message-----
From: Tom Eastep [mailto:teastep at shorewall.net] 
Sent: Friday, January 23, 2004 3:39 PM
To: sakthi at altair.com; shorewall-newbies at lists.shorewall.net
Subject: Re: [Shorewall-newbies] NAT issue


On Friday 23 January 2004 12:13 pm, Sakthivel Subramanian wrote:
> Hi,
>
> First of all I would like to thank Tom Eastep for this excellent 
> firewall.
>
> I am using Shorewall 1.4.8 on a 2.4.20-8 linux kernel with the basic 2 
> interface setup eth0 - Connected to a router which provides 
> internet/VPN access eth1 - Connected to the LAN
>
> Shorewall/interfaces
> net      eth0           192.168.1.255 blacklist,dropunclean,routefilter
> loc      eth1           10.10.1.255   routefilter
>
> In the current firewall setup, I have a Windows server inside the 
> firewall with an IP (10.10.1.10). I have a one-to-one NAT using the 
> Shorewall/nat file
> 192.168.1.10  eth0:10         10.10.1.10    No                      No
>
> Machines from our corporate network access the server using the 
> 192.168.1.10 IP via the router VPN tunnels and the traffic is 
> controlled by shorewall/rules without any problem.
>
> The problem I am facing is locally when my machine (10.10.1.4) tries 
> to access the server using the server's external IP (192.168.1.10). I 
> keep getting the following message from Shorewall.
> **************
> Jan 23 14:11:41 10.10.1.1 kernel: Shorewall:all2all:REJECT:IN=eth1 
> OUT= MAC=00:a0:cc:3f:68:f6:00:0b:db:ca:78:17:08:00 SRC=10.10.1.4 
> DST=192.168.1.10 LEN=245 TOS=0x00 PREC=0x00 TTL=128 ID=6734 PROTO=UDP 
> SPT=4502 DPT=389 LEN=225
> **************
>
> Shorewall is rejecting port 389 (LDAP) access to 192.168.1.10 from my 
> machine 10.10.1.4 based on all2all policy. Notice the empty output 
> interface. (OUT= ) If I try pinging 192.168.1.10 from my machine, I 
> get a respose back.
>
> My default policy is
> loc    net    ACCEPT
>
> I explicitly added the following rule but it didn't help.
> ACCEPT:info     loc                     net:192.168.1.10      tcp     389
> ACCEPT:info     loc                     net:192.168.1.10      udp     389
>
> I tried creating a new zone with 192.168.1.0/24 as host list and added 
> policy to allow all traffic to that zone and it didn't help either.
>

This is a variation on FAQ 2.

Your entry in /etc/shorewall/nat has "No" in the "ALL INTERFACES" column so 
requests to 192.168.1.10 coming in on eth1 do not get natted. Since you are 
accepting ping loc->fw but you aren't accepting LDAP loc->fw, the ping 
appears to work but LDAP fails.

Unfortunately is not sufficient to just put "Yes" in the ALL INTERFACES 
column. That would cause LDAP requests from 10.10.1.x to 192.168.1.10 to be 
rerouted to 10.10.1.4 but that system's replies will go straight back to the

10.10.1.x client who would discard them (because they would have the wrong 
source address).

The solution is therefore the same as in FAQ 2.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net

More information about the Shorewall-newbies mailing list