[Shorewall-users] port forward from local net to local machine

Tom Eastep teastep@shorewall.net
Fri, 26 Apr 2002 14:12:30 -0700 (Pacific Daylight Time)


On Fri, 26 Apr 2002, eric.taillon@mks.net wrote:

>
> I found how to do but the only problem is that all connection seems to come
> from the firewall itself.
> In our setup, we don't care about the ip of the source because we are
> using user/password authentication.
>
> It's not exactly like FAQ #2 but this one gave me a hint... Thanks Tom!
>

<puts on teacher's hat>

Sure -- the reason that you couldn't connect is EXACTLY the same as the
reason that connections fail in the FAQ #2 case even if the two problems
look quite different. A connection request from a client (say 192.168.1.2)
addressed to some IP (call it 1.2.3.4) is sent to the firewall. The
firewall rewrites the destination address (let's assume it changes it to
192.168.1.5) and sends the request back to that server on the local net.
That server constructs a reply and sends it straight back to 192.168.1.2.
But 192.168.1.2 isn't expecting a reply from 192.168.1.5 (she sent her
request to 1.2.3.4) so the reply is tossed.

Using SNAT (as you are doing below) causes the firewall to rewrite both
the source and destination addresses in the initial request.  This in turn
forces the reply back through the firewall where the source address can be
changed to 1.2.3.4 and the destination address changed to 192.168.1.2
before the reply is sent on to the client.

</puts on teacher's hat>

> Here is what I did to make it work:
>
> local network: 192.168.0.0/24
> IP of proxy:   192.168.0.2
> IP of firewall:     192.168.0.1
>
> ACCEPT  loc:!192.168.0.2  loc:192.168.0.2:8002  tcp  http  -  all:192.168.0.1
>

That's a nice way to do that! I think I should update the FAQ to use that
solution on FAQ #2.

-Tom
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
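The two packet flows Tom walks through above, as an added example that is not part of the original thread. It models only the address rewriting (no ports, no real conntrack), uses the addresses from Tom's explanation, and assumes 192.168.1.1 as the firewall's internal address.

```python
"""Why hairpin DNAT alone fails and DNAT+SNAT works (address rewriting only)."""
from dataclasses import dataclass

CLIENT = "192.168.1.2"    # local client, as in Tom's explanation
PUBLIC = "1.2.3.4"        # external address the client connects to
SERVER = "192.168.1.5"    # local server the firewall DNATs to
FIREWALL = "192.168.1.1"  # assumed internal address of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def firewall_forward(req, snat):
    """DNAT the request to SERVER; with snat=True also rewrite the source.

    Returns the forwarded packet and the reverse mapping the firewall
    would apply to the matching reply (both addresses restored)."""
    fwd = Packet(FIREWALL if snat else req.src, SERVER)
    reverse = {(SERVER, fwd.src): Packet(PUBLIC, req.src)}
    return fwd, reverse


def server_reply(pkt):
    """The server answers whoever the packet appeared to come from."""
    return Packet(pkt.dst, pkt.src)


def hairpin(snat):
    """Return (client_accepts_reply, trace) for one request/reply round."""
    request = Packet(CLIENT, PUBLIC)
    fwd, reverse = firewall_forward(request, snat)
    reply = server_reply(fwd)
    trace = [request, fwd, reply]
    if reply.dst == FIREWALL:
        # Reply passes back through the firewall, which un-NATs it.
        reply = reverse[(reply.src, reply.dst)]
        trace.append(reply)
    # The client only accepts a reply from the address it talked to.
    return reply.src == PUBLIC, trace


if __name__ == "__main__":
    for snat in (False, True):
        ok, trace = hairpin(snat)
        print(f"SNAT={snat}: accepted={ok}")
        for p in trace:
            print(f"  {p.src} -> {p.dst}")
```

Without SNAT the reply arrives from 192.168.1.5 instead of 1.2.3.4 and the client discards it; with SNAT it is forced back through the firewall and both addresses are restored.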