[ILUG] Shorewall gurus: Connection redirect problem

Kenn Humborg kenn at bluetree.ie
Fri Sep 16 14:39:53 IST 2011


I've got a shorewall 4.0.11 install.  I'm trying to set up
a "connection forwarder" so that a TCP connection from 
the outside to port 1234 on this box is bounced 
to port 5678 on another box, also on the outside.

I've done this on Shorewall 3.2.3, so I know it's possible.

First, we need a DNAT rule in /etc/shorewall/rules:

   DNAT  net  net:dest-ip-addr:5678  tcp  1234  -  my-ip-addr

Next we need an SNAT rule in /etc/shorewall/masq (eth0 is 
the external interface):

   eth0:dest-ip-addr  -  my-ip-addr  tcp  5678

In other words, if a connection comes in from the net for 
port 1234 on my external IP addr, DNAT it to dest-ip-addr
port 5678.  Then, on the way out, anything going to port 5678
on dest-ip-addr gets the source re-written to my IP addr.
That way the final destination sees the connection coming
from me, so replies come back to me for re-writing back to
the original source address.

Looking at iptables-save, the relevant rules have been created.
In the 'nat' table, we have the SNAT and DNAT rules:

   -A eth0_masq -d dest-ip-addr -p tcp 
      -m policy --dir out --pol none -m tcp 
      --dport 1234 -j SNAT --to-source my-ip-addr

   -A net_dnat -d my-ip-addr -p tcp 
      -m tcp --dport 1234 
      -j DNAT --to-destination dest-ip-addr:5678

In the 'filter' table, we have the rule to allow the outbound
traffic:

   -A net2net -d dest-ip-addr -p tcp 
      -m tcp --dport 5678 
      -m conntrack --ctorigdst my-ip-addr -j ACCEPT

However, shorewall is rejecting the connection, falling through
to my default "REJECT" policy.

Looking some more at iptables-save, there is nowhere that jumps
to the net2net chain at all:

   # iptables-save | grep net2net
   :net2net - [0:0]
   -A net2net -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A net2net -d dest-ip-addr -p tcp 
      -m tcp --dport 5678 
      -m conntrack --ctorigdst my-ip-addr -j ACCEPT
   -A net2net -j ACCEPT

Nothing there does '-j net2net', so there is no way these rules
will ever be hit.

On my Shorewall 3.2.3 machine:

   # iptables-save | grep net2net
   :net2net - [0:0]
   -A net2net -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A net2net -j ACCEPT
   -A net_frwd -o eth0 -j net2net

Why isn't Shorewall 4 creating a rule that leads to '-j net2net'
somewhere?

Am I missing something more subtle?

Thanks,
Kenn
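The orphaned-chain symptom above (a chain that is declared and populated but that nothing jumps to) can be checked mechanically. This is an added example, not code from the post or from Shorewall: it reads iptables-save output from stdin and lists user-defined chains no rule targets with -j or -g. The sample rulesets are constructed, and 198.51.100.1 / 192.0.2.10 are placeholders for my-ip-addr / dest-ip-addr.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall: feed iptables-save
# output on stdin and list the user-defined chains no rule jumps to with -j or -g.
# Built-in chains (those with a real policy instead of "-") are skipped because
# the kernel enters them directly.
unreferenced_chains() {
    awk '
        # Chain declarations look like ":net2net - [0:0]"; "-" marks a user chain.
        /^:/ {
            name = substr($1, 2)
            if ($2 == "-") declared[name] = 1
            next
        }
        # Every -j / -g target in an -A rule line counts as a reference.
        /^-A / {
            for (i = 1; i < NF; i++)
                if ($i == "-j" || $i == "-g") referenced[$(i + 1)] = 1
        }
        END {
            for (c in declared)
                if (!(c in referenced)) print c
        }
    ' | sort
}

# Constructed sample of the 4.0.11 symptom: net2net is declared and populated,
# but nothing hands traffic to it, so its ACCEPT rules never match.
# 198.51.100.1 stands in for my-ip-addr and 192.0.2.10 for dest-ip-addr.
SAMPLE_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net_frwd - [0:0]
:net2net - [0:0]
-A FORWARD -i eth0 -j net_frwd
-A net2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2net -d 192.0.2.10 -p tcp -m tcp --dport 5678 -m conntrack --ctorigdst 198.51.100.1 -j ACCEPT
-A net2net -j ACCEPT
COMMIT'

# Constructed sample of the 3.2.3 shape: net_frwd hands outbound eth0 traffic to net2net.
SAMPLE_OK="${SAMPLE_BROKEN%COMMIT}-A net_frwd -o eth0 -j net2net
COMMIT"

printf 'orphaned chains (broken sample): %s\n' "$(printf '%s\n' "$SAMPLE_BROKEN" | unreferenced_chains)"
printf 'orphaned chains (fixed sample): %s\n' "$(printf '%s\n' "$SAMPLE_OK" | unreferenced_chains)"
```

On a live box, `iptables-save | unreferenced_chains` performs the same check against the real ruleset.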