shorewall-users April 2012 archive

[Shorewall-users] Problem with nat on a multiple isp configuration

From: Alessandro Faglia <alessandro.faglia_at_nospam>
Date: Wed Apr 11 2012 - 07:57:23 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

Dear list.

I have a working Multiple ISP configuration running on a debian etch box
with shorewall version 3.2.6-2 (I'll upgrade soon, I promise!)

My two internet uplinks (eth4 and ppp0) belong to the same "net" zone.
Everything is working fine but I have a problem with natting.

Behind the firewall I have some services I want to be accessible from
outside, e.g. the SMTP server, which is listening on port 25/tcp on an
internal server.

Interfaces are like this:
net eth4 detect dhcp,blacklist,tcpflags
net ppp0 detect dhcp,blacklist,tcpflags
lan1 eth1 detect arp_filter
lan2 eth2 detect arp_filter
road tun+

The problematic rule is this:
DNAT net lan1:<internal IP of my mail server> tcp 25

If I try to nmap the port on the first public IP (which is routed to ppp0)
from an external server I get
# nmap -p 25 <public IP #1>

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-04-11 09:40 CEST
Interesting ports on <public IP #1> :
PORT STATE SERVICE
25/tcp filtered smtp

Nmap finished: 1 IP address (1 host up) scanned in 6.887 seconds

On the firewall I can see (with tcpdump) packets coming through ppp0
# tcpdump -i ppp0 dst port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
09:40:42.913240 IP <sourceIP>.62519 > <public IP #1>.smtp: S 2099963655:2099963655(0) win 3072 <mss 1452>
09:40:43.016305 IP <sourceIP>.62520 > <public IP #1>.smtp: S 2100029190:2100029190(0) win 1024 <mss 1452>

If I try the same with the other public IP (which is routed to eth4) I get
# nmap -p 25 <public IP #2>

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-04-11 09:48 CEST
Interesting ports on <public IP #2> :
PORT STATE SERVICE
25/tcp open smtp

Nmap finished: 1 IP address (1 host up) scanned in 6.873 seconds

I really don't understand where the fault is. It doesn't seem to be a
routing problem, so I'm asking for your support. Please ask if you need
additional elements to diagnose.

Thanks.
Alessandro
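The post's two captures show the pattern that localises this kind of fault: on ppp0 the inbound SYNs arrive but nmap reports the port "filtered", while on eth4 the port is "open". The script below is an added example, not part of the post and not Shorewall code: it reads tcpdump output in the old "S 123:123(0) win ..." style shown above (and the newer "Flags [S.]" style), pairs inbound SYNs with outbound SYN/ACKs per public address and port, and reports which path accepts the connection but never answers it. The sample capture is constructed with documentation-range addresses (198.51.100.5 standing in for public IP #1, 192.0.2.7 for public IP #2); in real use, feed it the output of `tcpdump -n -i <uplink> port 25` captured on each uplink.

```python
import re
from collections import defaultdict

# Constructed sample capture in the tcpdump 3.x format used in the post.
# 198.51.100.5 only ever receives SYNs; 192.0.2.7 answers with a SYN/ACK.
SAMPLE_CAPTURE = """\
09:40:42.913240 IP 203.0.113.10.62519 > 198.51.100.5.smtp: S 2099963655:2099963655(0) win 3072 <mss 1452>
09:40:43.016305 IP 203.0.113.10.62520 > 198.51.100.5.smtp: S 2100029190:2100029190(0) win 1024 <mss 1452>
09:48:10.100000 IP 203.0.113.10.62600 > 192.0.2.7.smtp: S 310000000:310000000(0) win 3072 <mss 1452>
09:48:10.100400 IP 192.0.2.7.smtp > 203.0.113.10.62600: S 990000000:990000000(0) ack 310000001 win 5840 <mss 1460>
09:48:10.200000 IP 192.0.2.7.smtp > 203.0.113.10.62600: . ack 1 win 5840
"""

# Old tcpdump style: "... src.port > dst.port: S seq:seq(0) [ack N] win ..."
OLD_STYLE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): '
    r'(?P<flags>[SFRPWE.]+) (?P<rest>.*)$')
# Newer tcpdump style: "... src.port > dst.port: Flags [S.], seq ..., ack ..."
NEW_STYLE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): '
    r'Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$')


def parse_line(line):
    """Classify one tcpdump line as 'syn', 'synack' or 'other'; None if not a TCP line."""
    m = OLD_STYLE.match(line) or NEW_STYLE.match(line)
    if not m:
        return None
    flags, rest = m['flags'], m['rest']
    is_syn = 'S' in flags
    # Old style marks an ACK with "ack N" in the tail, new style with "." in the flag set.
    is_ack = '.' in flags or ' ack ' in f' {rest} '
    if is_syn and not is_ack:
        kind = 'syn'
    elif is_syn and is_ack:
        kind = 'synack'
    else:
        kind = 'other'
    return {'src': m['src'], 'sport': m['sport'],
            'dst': m['dst'], 'dport': m['dport'], 'kind': kind}


def verdict(syn, synack):
    """Turn SYN / SYN-ACK counts for one listener into a diagnostic statement."""
    if syn == 0:
        return 'no inbound SYN seen: traffic is not reaching this interface'
    if synack == 0:
        return ('SYNs arrive but no SYN/ACK goes back out on this interface: '
                'the firewall takes the packet in but the reply does not return '
                'on the same path (check the DNAT rule and the multi-ISP reply routing)')
    return 'handshake is answered on this interface'


def diagnose(capture):
    """Count inbound SYNs and outbound SYN/ACKs per (public address, port)."""
    stats = defaultdict(lambda: {'syn': 0, 'synack': 0})
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt['kind'] == 'syn':
            stats[(pkt['dst'], pkt['dport'])]['syn'] += 1
        elif pkt['kind'] == 'synack':
            # A SYN/ACK leaving the firewall has the public address as its source.
            stats[(pkt['src'], pkt['sport'])]['synack'] += 1
    for counts in stats.values():
        counts['verdict'] = verdict(counts['syn'], counts['synack'])
    return dict(stats)


if __name__ == '__main__':
    for (addr, port), counts in diagnose(SAMPLE_CAPTURE).items():
        print(f"{addr}:{port}  SYN={counts['syn']}  SYN/ACK={counts['synack']}  -> {counts['verdict']}")
```

Run one capture per uplink and compare: a listener that shows SYNs with no SYN/ACK on one uplink and a complete handshake on the other is being reached on both, so the difference lies in how the firewall handles the DNATed reply for that path rather than in whether the packet arrives.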

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users