Bug #3232
hairpin nat - shorewall syntax error with port-range port fwd and IPS
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.6 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.6 | NEEDINFO: | No |
Description
See issue #3200, the same fix is needed for hairpin nat.
An enhancement could merge the two templates.
Related issues
Associated revisions
Fix hairpin nat port fwd range with IPS. Refs #3232
Port forward: merge template fragments. Refs #3232
Fix hairpin nat port fwd range with IPS /2. Refs #3232
Fix hairpin nat port fwd range with IPS /3. Refs #3232
History
#1
Updated by Filippo Carletti about 6 years ago
- Related to Bug #3200: shorewall syntax error with port-range port fwd and IPS added
#2
Updated by Filippo Carletti about 6 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#3
Updated by Filippo Carletti about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Filippo Carletti
- Target version set to v6.6
- % Done changed from 20 to 30
#4
Updated by Giacomo Sanchietti about 6 years ago
- Assignee changed from Filippo Carletti to Giacomo Sanchietti
#5
Updated by Giacomo Sanchietti about 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6
Updated by Giacomo Sanchietti about 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-2.6.5-1.7.g4e4b34e.ns6.noarch.rpm
- Create some port forwards with and without IPS enabled
- Check all port forwards work fine
- From test case 1, enable hairpin nat
- Check all port forwards are enabled also from loc zone
You can use this command to compare generated rules before and after the update:
iptables -t nat -nL
#7
Updated by Filippo Carletti about 6 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
Port forward syntax with IPS enabled is wrong. A backslash is missing:
[root@ns65 ~]# diff 50pf /etc/e-smith/templates/etc/shorewall/rules/50pf 64c64 < $OUT.="NFQBY\t$_t$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n"; --- > $OUT.="NFQBY\t$_\t$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n";
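Review bot: in the `<` line, `$_t$allow` interpolates a variable named `$_t` (undefined, so empty) instead of `$_` followed by a tab, so the emitted NFQBY rule loses the source zone and its column separator and Shorewall reads the following columns shifted left; the `>` line restores `$_\t$allow`. Consider writing it as `${_}\t$allow` so the boundary between the variable and the escape is unambiguous, and add a `shorewall check` run to the test case so a column shift like this is caught before the package goes to QA.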
#8
Updated by Filippo Carletti almost 6 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#9
Updated by Filippo Carletti almost 6 years ago
- Assignee set to Filippo Carletti
#10
Updated by Filippo Carletti almost 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Filippo Carletti)
- % Done changed from 30 to 60
#11
Updated by Filippo Carletti almost 6 years ago
- nethserver-firewall-base-2.6.5-1.10.gc065620.ns6.noarch.rpm
- Enable IPS and create a port forward: shorewall check should display: Checking /etc/shorewall/action.NFQBY for chain NFQBY... ERROR: Unknown destination zone (tcp) /etc/shorewall/rules
- update package, shorewall check should pass
#12
Updated by Filippo Carletti almost 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
#13
Updated by Luca Gasparini almost 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Update package.
Enable IPS and create a port forward.
Shorewall configuration check verified:
?COMMENT test from net
DNAT-   net     192.168.1.100:8888      tcp     8888    -       -
NFQBY   net             loc     tcp     8888    -       -
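A check for the malformed rule reported in #11 and the verified rules in #13, added here as an example and not NethServer's own code: it parses Shorewall rules lines and flags a protocol sitting in the DEST column, which is exactly what a lost tab after the source zone produces. The zone and protocol sets and the sample rule lines are constructed for the example.

```python
import re

# Vocabularies assumed for this check (constructed; read /etc/shorewall/zones on a real box).
KNOWN_ZONES = {"net", "loc", "dmz", "$FW", "all"}
KNOWN_PROTOS = {"tcp", "udp", "icmp", "-"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+(:\d+)?)?$")  # 192.168.1.100[:8888]
PORTS = re.compile(r"^(-|\d+(:\d+)?(,\d+(:\d+)?)*)$")  # 8888, 8888:8899, 80,443

def check_rule_line(line):
    """Return the problems found in one rules line; an empty list means well-formed."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#?":  # comments and ?COMMENT directives
        return []
    cols = stripped.split()  # Shorewall splits columns on any run of whitespace
    if len(cols) < 4:
        return ["too few columns (need ACTION SOURCE DEST PROTO)"]
    _action, src, dst, proto = cols[:4]
    # Strip host/interface qualifiers ('loc:192.168.1.0/24') down to the bare zone name
    src_zone, dst_zone = src.split(":", 1)[0], dst.split(":", 1)[0]
    problems = []
    if src_zone not in KNOWN_ZONES:
        problems.append(f"unknown source zone {src!r}")
    if dst_zone in KNOWN_PROTOS:
        # Signature of this issue: a protocol landed in DEST because a separator was lost
        problems.append(f"protocol {dst!r} in DEST column; a column separator is missing")
    elif dst_zone not in KNOWN_ZONES and not IPV4.match(dst):
        problems.append(f"unknown destination zone {dst!r}")
    if proto not in KNOWN_PROTOS:
        problems.append(f"unknown protocol {proto!r}")
    if len(cols) > 4 and not PORTS.match(cols[4]):
        problems.append(f"bad DPORT {cols[4]!r}")
    return problems

def lint_rules(text):
    """Map 1-based line numbers to their problems, for every line that has any."""
    report = {}
    for num, line in enumerate(text.splitlines(), 1):
        problems = check_rule_line(line)
        if problems:
            report[num] = problems
    return report

# Constructed sample: the verified lines from this issue plus one line rendered the
# way the template did before the fix (source zone and its tab separator dropped).
SAMPLE_RULES = (
    "?COMMENT test from net\n"
    "DNAT-\tnet\t192.168.1.100:8888\ttcp\t8888\t-\t-\n"
    "NFQBY\tnet\tloc\ttcp\t8888\t-\t-\n"
    "NFQBY\t\tloc\ttcp\t8888:8899\t-\t-\n"
)
```

Running `lint_rules` over the generated /etc/shorewall/rules before `shorewall check` gives a line-numbered report of the shifted row instead of the generic "Unknown destination zone" error.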
#14
Updated by Davide Principi almost 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates/6.6
nethserver-firewall-base-2.7.0-1.ns6.noarch.rpm
#15
Updated by Davide Principi almost 6 years ago
HOTFIX release in nethserver/6.6
nethserver-firewall-base-2.7.0-2.ns6.noarch.rpm
* ven ago 28 2015 Davide Principi <davide.principi@nethesis.it> - 2.7.0-2 - (Hotfix) Fix hairpin nat port fwd range with IPS /3. - Bug #3232 [NethServer]
#16
Updated by Filippo Carletti almost 6 years ago
- Related to Bug #3248: hairpin nat intercepts outgoing traffic if port forward is on Any ip added