Bug #3280

port forward not working with sNAT and multiWAN

Added by Davide Marini about 4 years ago. Updated almost 4 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.7
Security class:
Resolution:
Affected version: v6.6
NEEDINFO: No

Description

Scenario:

  • MultiWAN (e.g. eth2, eth3)
  • alias IPs on reds
  • sNAT 1:1 configured for an IP of a non-red zone
  • Let's assume the sNAT is between the local IP 192.168.1.1 and the alias eth2:1
  • port forward rule for the IP 192.168.1.1 set on any IP (not the alias)
Port Forward check:
  • When connections from outside are made on the same red interface as the sNAT, everything works
  • When connections from outside are made on the OTHER red interface, port forwarding does not work

The packets come in from the other red interface and flow to the destination host; the host answers the request correctly, but the packets are sent out the wrong interface (always eth2): the response has the right destination IP (the originating one from outside) but flows out the wrong interface.

Associated revisions

Revision d02a1fe1
Added by Giacomo Sanchietti almost 4 years ago

rtrules: fix port forward with sNAT and MultiWAN. Refs #3280

History

#1 Updated by Davide Marini about 4 years ago

The problem seems to be caused by rtrules:

0: from all lookup local 
999: from all lookup main 
1900: from 192.168.1.1 lookup itcpr 
10000: from all fwmark 0x10000/0xf0000 lookup itcpr 
10001: from all fwmark 0x20000/0xf0000 lookup itcsc 
.
.
.
32765: from all lookup balance 
32767: from all lookup default 

the rule

1900: from 192.168.1.1 lookup itcpr

has too high a priority, and all the packets from 192.168.1.1 are sent to the alias interface even if the connection is from outside.

I would like only new connections from the local host 192.168.1.1 to be forced to the ethX interface of the alias; other connections should follow the standard rules.
To get this behaviour it should be enough to give the sNAT rules a lower priority.

0: from all lookup local 
999: from all lookup main 
10000: from all fwmark 0x10000/0xf0000 lookup itcpr 
10001: from all fwmark 0x20000/0xf0000 lookup itcsc 
11000: from 192.168.1.1 lookup itcpr 
.
.
.
32765: from all lookup balance 
32767: from all lookup default 

It can be done easily with this little change:

[root@nethserver ~]# diff -u 30nat.ori  /etc/e-smith/templates/etc/shorewall/rtrules/30nat 
--- 30nat.ori   2015-10-07 16:44:48.039206391 +0200
+++ /etc/e-smith/templates/etc/shorewall/rtrules/30nat  2015-10-07 16:37:39.867472712 +0200
@@ -24,7 +24,7 @@
             foreach $j (@providers) {
                 my $provider_name = $j->{'name'};
                 if($j->{'interface'} eq $interface) {
-                    $OUT .= "$internal_ip\t\t-\t\t\t$provider_name\t\t1900\n";
+                    $OUT .= "$internal_ip\t\t-\t\t\t$provider_name\t\t11000\n";
                 }
             }
         }
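Review bot: the new priority 11000 in the `$OUT .=` line is a bare literal whose correctness depends on it sorting after the provider fwmark rules, which the listing above shows at 10000 and 10001 (one per provider). Add a comment in the template stating that constraint, for example `# must sort after the provider fwmark rules (10000 + provider index)`, so that someone adding providers or changing the mark-rule base does not move a fwmark rule past the sNAT rule and reintroduce the asymmetric routing.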

I already checked it and it seems to work fine without any drawback.
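The routing decision described in this comment, as an added example that is not part of the original issue or of the NethServer and Shorewall code: a small simulation of `ip rule` evaluation. The rule set is the one listed above; the routing tables and the fwmark values on reply packets are constructed assumptions modelled on a Shorewall MultiWAN layout ("main" holds only directly connected networks, each provider table holds a default route through its own red interface, and the MultiWAN mangle rules are assumed to restore on reply packets the mark of the provider the connection entered on: 0x10000 for eth2, 0x20000 for eth3). The interface names, addresses and table names itcpr/itcsc are taken from the comment; the IP ranges are documentation addresses chosen for the example.

```python
"""Simulate Linux policy-routing rule evaluation (ip rule order) to show why
the priority of the sNAT "from <host>" rule matters with MultiWAN.

Added example, not code from NethServer or Shorewall. Table contents and
reply-packet marks are constructed assumptions (see lead-in).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[str] = None     # "from <prefix>" selector; None means "from all"
    fwmark: Optional[int] = None  # fwmark value selector; None means not selected on
    fwmask: int = 0xFFFFFFFF      # mask applied to both sides before comparing


@dataclass
class Packet:
    src: str
    dst: str
    fwmark: int = 0  # 0 = unmarked, e.g. the first packet of a new connection


# Constructed tables: (prefix, outgoing interface); prefix None = default route.
TABLES = {
    "local": [("192.168.1.254/32", "lo")],   # the firewall's own green address
    "main": [("192.168.1.0/24", "eth0"),     # green
             ("192.0.2.0/24", "eth2"),       # red 1, provider itcpr
             ("203.0.113.0/24", "eth3")],    # red 2, provider itcsc
    "itcpr": [(None, "eth2")],
    "itcsc": [(None, "eth3")],
    "balance": [(None, "eth2")],             # assume eth2 wins the balanced default
    "default": [],
}


def build_rules(snat_prio: int) -> List[Rule]:
    """The rule set from the comment; only the sNAT rule priority varies."""
    rules = [
        Rule(0, "local"),
        Rule(999, "main"),
        Rule(snat_prio, "itcpr", src="192.168.1.1"),  # generated by rtrules/30nat
        Rule(10000, "itcpr", fwmark=0x10000, fwmask=0xF0000),
        Rule(10001, "itcsc", fwmark=0x20000, fwmask=0xF0000),
        Rule(32765, "balance"),
        Rule(32767, "default"),
    ]
    return sorted(rules, key=lambda r: r.prio)


def lookup(table: str, dst: str) -> Optional[str]:
    """Return the outgoing interface for dst in the table, or None if no route."""
    for prefix, iface in TABLES.get(table, []):
        if prefix is None or ip_address(dst) in ip_network(prefix):
            return iface
    return None


def route(rules: List[Rule], pkt: Packet) -> Optional[Tuple[int, str, str]]:
    """Walk the rules in priority order; the first matching rule whose table has
    a route for the destination decides. A matching rule whose table has no
    route is skipped and evaluation continues, as the kernel does."""
    for r in rules:
        if r.src is not None and ip_address(pkt.src) not in ip_network(r.src):
            continue
        if r.fwmark is not None and (pkt.fwmark & r.fwmask) != (r.fwmark & r.fwmask):
            continue
        iface = lookup(r.table, pkt.dst)
        if iface is not None:
            return r.prio, r.table, iface
    return None


# Reply from the port-forwarded host to a client whose request entered on eth3.
REPLY_VIA_ETH3 = Packet("192.168.1.1", "198.51.100.77", fwmark=0x20000)
# First packet of a new outbound connection from the same host (no mark yet).
NEW_OUTBOUND = Packet("192.168.1.1", "198.51.100.77")

if __name__ == "__main__":
    for prio in (1900, 11000):
        rules = build_rules(prio)
        print(f"sNAT rule at {prio}: reply -> {route(rules, REPLY_VIA_ETH3)}, "
              f"new connection -> {route(rules, NEW_OUTBOUND)}")
```

With the sNAT rule at 1900 the marked reply matches it before the fwmark rules and leaves via eth2, which is the symptom in the description; at 11000 the fwmark rule for the ingress provider wins and the reply goes back out eth3, while an unmarked new connection from 192.168.1.1 still falls through to the sNAT rule and uses eth2.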

#2 Updated by Giacomo Sanchietti about 4 years ago

  • Category set to nethserver-firewall-base
  • Status changed from NEW to TRIAGED
  • Target version set to v6.7
  • % Done changed from 0 to 20

#3 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

Proposed patch has been merged.

#5 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Packages in nethserver-testing:
  • nethserver-firewall-base-2.8.0-1.3.gd02a1fe.ns6.noarch.rpm
  • nethserver-firewall-base-ui-2.8.0-1.3.gd02a1fe.ns6.noarch.rpm

Test case
  • Check the bug is not reproducible

#6 Updated by Giacomo Sanchietti almost 4 years ago

  • Assignee set to Giacomo Sanchietti

#7 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

System and Package Version installed

Package Installed:
nethserver-firewall-base-ui-2.8.0-1.18.gfc25d0e.ns6.noarch
nethserver-firewall-base-2.8.0-1.18.gfc25d0e.ns6.noarch

Test Original Problem
IP rule placed in the wrong order

Install Updated Package

yum --enablerepo=nethserver-testing update nethserver-firewall-base*

Test Results after update
Natted host is 192.168.5.22.

[root@localhost ~]# ip ru
0:    from all lookup local 
999:    from all lookup main 
10000:    from all fwmark 0x10000/0xf0000 lookup p1 
10001:    from all fwmark 0x20000/0xf0000 lookup p2 
11000:    from 192.168.5.22 lookup p1 
20000:    from 10.10.10.4 lookup p1 
20000:    from 10.2.3.2 lookup p1 
20000:    from 10.0.2.4 lookup p2 
32765:    from all lookup balance 
32767:    from all lookup default 

Verified Or Reopen
Verified
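The verification step above checks the `ip rule` order by eye. As an added example, not part of the nethserver-firewall-base package, here is a check that parses an `ip rule` listing and reports every host-specific "from <host>" rule that sorts at or before the last provider fwmark rule, which is the ordering this issue is about. The two listings embedded in the block are constructed from the outputs in comments #1 and #7.

```python
"""Lint an `ip rule` listing for the misordering described in this issue:
a "from <host>" sNAT rule with a lower number than the last provider
"fwmark" rule hijacks replies of connections that entered through the
other provider. Added example, not part of nethserver-firewall-base.
"""
import re
from typing import List, Optional, Tuple

# Matches lines such as "11000: from 192.168.5.22 lookup p1" and
# "10000: from all fwmark 0x10000/0xf0000 lookup p1".
RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+fwmark\s+(?P<mark>\S+))?\s+lookup\s+(?P<table>\S+)"
)

ParsedRule = Tuple[int, str, Optional[str], str]  # (prio, src, fwmark, table)


def parse_ip_rule(text: str) -> List[ParsedRule]:
    """Parse `ip rule` output; lines that do not look like rules are ignored."""
    rules: List[ParsedRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m["prio"]), m["src"], m["mark"], m["table"]))
    return rules


def misordered_snat_rules(text: str) -> List[Tuple[int, str, str]]:
    """Return (prio, src, table) of every host-specific rule without a fwmark
    that sorts at or before the last fwmark rule. Empty list = order is fine."""
    rules = parse_ip_rule(text)
    mark_prios = [prio for prio, _, mark, _ in rules if mark is not None]
    if not mark_prios:
        return []  # no MultiWAN mark rules, nothing to be ordered against
    last_mark = max(mark_prios)
    return [(prio, src, table) for prio, src, mark, table in rules
            if mark is None and src != "all" and prio <= last_mark]


# Constructed from the verified output in comment #7 (correct order).
FIXED_LISTING = """\
0:    from all lookup local
999:    from all lookup main
10000:    from all fwmark 0x10000/0xf0000 lookup p1
10001:    from all fwmark 0x20000/0xf0000 lookup p2
11000:    from 192.168.5.22 lookup p1
20000:    from 10.10.10.4 lookup p1
20000:    from 10.2.3.2 lookup p1
20000:    from 10.0.2.4 lookup p2
32765:    from all lookup balance
32767:    from all lookup default
"""

# Constructed from the listing in comment #1 (sNAT rule at 1900, the bug).
BUGGY_LISTING = """\
0: from all lookup local
999: from all lookup main
1900: from 192.168.1.1 lookup itcpr
10000: from all fwmark 0x10000/0xf0000 lookup itcpr
10001: from all fwmark 0x20000/0xf0000 lookup itcsc
32765: from all lookup balance
32767: from all lookup default
"""

if __name__ == "__main__":
    print("fixed listing:", misordered_snat_rules(FIXED_LISTING))
    print("buggy listing:", misordered_snat_rules(BUGGY_LISTING))
```

On a live system the same check can be fed the real output with `subprocess.run(["ip", "rule"], capture_output=True, text=True).stdout`; the per-network rules at 20000 in the verified listing are not flagged because they already sort after the fwmark rules.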

#8 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:
  • nethserver-firewall-base-ui-2.9.0-1.ns6.noarch.rpm
  • nethserver-firewall-base-2.9.0-1.ns6.noarch.rpm
