Bug #3232

hairpin nat - shorewall syntax error with port-range port fwd and IPS

Added by Filippo Carletti about 6 years ago. Updated almost 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Security class:
Resolution:
Affected version: v6.6
NEEDINFO: No

Description

See issue #3200, the same fix is needed for hairpin nat.

An enhancement could merge the two templates.


Related issues

Related to NethServer 6 - Bug #3200: shorewall syntax error with port-range port fwd and IPS CLOSED
Related to NethServer 6 - Bug #3248: hairpin nat intercepts outgoing traffic if port forward i... CLOSED

Associated revisions

Revision b93dd987
Added by Filippo Carletti about 6 years ago

Fix hairpin nat port fwd range with IPS. Refs #3232

Revision 4e4b34eb
Added by Giacomo Sanchietti about 6 years ago

Port forward: merge template fragments. Refs #3232

Revision c065620f
Added by Filippo Carletti almost 6 years ago

Fix hairpin nat port fwd range with IPS /2. Refs #3232

Revision 6ac15aeb
Added by Filippo Carletti almost 6 years ago

Fix hairpin nat port fwd range with IPS /3. Refs #3232

History

#1 Updated by Filippo Carletti about 6 years ago

  • Related to Bug #3200: shorewall syntax error with port-range port fwd and IPS added

#2 Updated by Filippo Carletti about 6 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#3 Updated by Filippo Carletti about 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Filippo Carletti
  • Target version set to v6.6
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti about 6 years ago

  • Assignee changed from Filippo Carletti to Giacomo Sanchietti

#5 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-firewall-base-2.6.5-1.7.g4e4b34e.ns6.noarch.rpm
Test case 1
  • Create some port forwards with and without IPS enabled
  • Check that all port forwards work fine
Test case 2
  • From test case 1, enable hairpin nat
  • Check that all port forwards are also enabled from the loc zone

You can use this command to compare generated rules before and after the update:

iptables -t nat -nL

#7 Updated by Filippo Carletti about 6 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

Port forward syntax with IPS enabled is wrong. A backslash is missing:

[root@ns65 ~]# diff 50pf /etc/e-smith/templates/etc/shorewall/rules/50pf
64c64
<                 $OUT.="NFQBY\t$_t$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n";
---
>                 $OUT.="NFQBY\t$_\t$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n";
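Review bot: the `>` line is the right fix; in the `<` line Perl reads `$_t` as one variable name (`$_t`, not `$_` followed by `\t`), so both the zone held in `$_` and the tab separator disappear from the generated NFQBY rule and every following column shifts one position to the left, which is consistent with shorewall later reporting a protocol where it expects a zone ("Unknown destination zone (tcp)"). Writing the zone as `${_}\t` would make the intended boundary explicit and guard against the same slip in the other template fragments that are merged in revision 4e4b34eb.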

#8 Updated by Filippo Carletti almost 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#9 Updated by Filippo Carletti almost 6 years ago

  • Assignee set to Filippo Carletti

#10 Updated by Filippo Carletti almost 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Filippo Carletti)
  • % Done changed from 30 to 60

#11 Updated by Filippo Carletti almost 6 years ago

Package in nethserver-testing:
  • nethserver-firewall-base-2.6.5-1.10.gc065620.ns6.noarch.rpm
Test case:
  • enable ips and create a port forward: shorewall check should display:
    Checking /etc/shorewall/action.NFQBY for chain NFQBY...
       ERROR: Unknown destination zone (tcp) /etc/shorewall/rules 
    
  • update package, shorewall check should pass

#12 Updated by Filippo Carletti almost 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#13 Updated by Luca Gasparini almost 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

update package.
enable IPS and create port forward
shorewall configuration check verified:

?COMMENT test from net
DNAT- net 192.168.1.100:8888 tcp 8888 - -
NFQBY net loc tcp 8888 - -

#14 Updated by Davide Principi almost 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates/6.6
nethserver-firewall-base-2.7.0-1.ns6.noarch.rpm

#15 Updated by Davide Principi almost 6 years ago

HOTFIX release in nethserver/6.6
nethserver-firewall-base-2.7.0-2.ns6.noarch.rpm

* ven ago 28 2015 Davide Principi <davide.principi@nethesis.it> - 2.7.0-2
- (Hotfix) Fix hairpin nat port fwd range with IPS /3. - Bug #3232 [NethServer]

#16 Updated by Filippo Carletti almost 6 years ago

  • Related to Bug #3248: hairpin nat intercepts outgoing traffic if port forward is on Any ip added
