[Gulli] SHOREWALL - DNAT. Small problem.
Andrea Fastame
a.fastame@daxo.it
Fri 25 May 2007 09:15:16 CEST
Hi guys.
I have a strange problem to solve on one of my servers.
The problem concerns racoon/ipsec (an IPSEC tunnel between two remote
servers) and a port forward behind a Shorewall...
Now, the original message I sent to the official Shorewall list: I am
copy/pasting it here, out of *pure* laziness (I won't deny it), without
translating it :) . I assume that, being IT people, you will most
likely understand my English anyway. If needed, though, I will
translate / forward it.
Bear in mind that I have not gotten much of a reply from the official
Shorewall list... nor from lurking around the Internet for a good
couple of days... If anyone has an insight, I am here listening.
Original text of my mail FOLLOWS:
Hi.
I have a Debian Etch (4.0) server with Shorewall 3.2.6 / iptables 1.3.6.
/etc/network/interfaces:

iface eth0 inet static
    address 10.0.100.5
    netmask 255.255.255.0
    gateway 10.0.100.1
    dns-nameservers 151.99.125.2
auto eth0

iface eth0:1 inet static
    address 13.0.0.2
    netmask 255.255.255.0
auto eth0:1
As you can see I have a single network card with 1 main 'real' IP
(10.0.100.5) and an alias (13.0.0.2) on eth0:1. This was done because
I had to set up racoon / ipsec-tools for an IPSEC VPN tunnel and the
13.0.0.x/24 class was imposed by the other side's sysadmin.
Still, the tunnel works fine (I can ping a remote host 10.11.100.24
successfully). I had to set up a route manually to route all packets to
10.100.11.24 through the 13.0.0.2 interface (alias).
I read that (eventually) I should put some entry in the
/etc/shorewall/masq file. Still, I have not grasped what I should really
enter in that conf file. Any hint (if positive)?
Now, this is my problem: I would like to FORWARD all incoming conns on
10.0.100.5 (my LAN IP) to TCP 3030 of the remote 10.100.11.24, hence,
through the IPSEC tunnel.
I have read the whole Shorewall FAQ but still no luck.
My routing table and shorewall confs follow (IP_FORWARDING is enabled
in shorewall.conf).
sys05:/etc/shorewall# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.100.11.24    13.0.0.2        255.255.255.255 UGH   0      0        0 eth0
10.0.100.0      *               255.255.255.0   U     0      0        0 eth0
13.0.0.0        *               255.255.255.0   U     0      0        0 eth0
default         10.0.100.1      0.0.0.0         UG    0      0        0 eth0
/etc/shorewall/interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
fw      firewall
net     eth0            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/zones

#ZONE   TYPE    OPTIONS         IN              OUT
#                               OPTIONS         OPTIONS
fw      firewall
net     ipv4

/etc/shorewall/policy

#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      net     ACCEPT
net     fw      DROP    info
all     all     REJECT  info

/etc/shorewall/rules

#ACTION SOURCE              DEST            PROTO   DEST    SOURCE  ORIGINAL  RATE   USER/
#                                                   PORT(S) PORT(S) DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#DNAT   net                 net:13.0.0.2    tcp     3030
ACCEPT  net:10.0.100.0/24   fw              icmp
ACCEPT  net                 fw              tcp     http
ACCEPT  net                 fw              tcp     1723
ACCEPT  net                 fw              tcp     isakmp
ACCEPT  net                 fw              udp     500
ACCEPT  net:10.0.100.3      fw              tcp     ssh
DNAT    net                 net:13.0.0.2    tcp     3030
Thank you
Andrea Fastame
DAXO - Italy