Bug #3280
port forward not working with sNAT and multiWAN
| Field | Value |
|---|---|
| Status | CLOSED |
| Priority | Normal |
| Assignee | - |
| Category | nethserver-firewall-base |
| Target version | v6.7 |
| Affected version | v6.6 |
| Start date | |
| Due date | |
| % Done | 100% |
| Security class | |
| Resolution | |
| NEEDINFO | No |
Description
Scenario:
- MultiWAN (e.g. eth2, eth3)
- alias IPs on the reds
- sNAT 1:1 configured for an IP of a non-red zone
- Let's assume that the sNAT is between the local IP 192.168.1.1 and the alias eth2:1
- port forward rule for the IP 192.168.1.1 set on any IP (not the alias)
- When connections from outside are made on the same red interface as the sNAT, everything works
- When connections from outside are made on the OTHER red interface, port forwarding does not work
The packet comes in from the other red interface and flows to the destination host; the host answers the request correctly, but the reply packets are sent out of the wrong interface (always eth2): the response has the right destination IP (the originating one from outside) but flows through the wrong interface.
Associated revisions
rtrules: fix port forward with sNAT and MultiWAN. Refs #3280
History
#1 Updated by Davide Marini almost 6 years ago
The problem seems to be caused by rtrules:
```
0: from all lookup local
999: from all lookup main
1900: from 192.168.1.1 lookup itcpr
10000: from all fwmark 0x10000/0xf0000 lookup itcpr
10001: from all fwmark 0x20000/0xf0000 lookup itcsc
. . .
32765: from all lookup balance
32767: from all lookup default
```
the rule
```
1900: from 192.168.1.1 lookup itcpr
```
has too high a priority, and all the packets from 192.168.1.1 are sent to the alias interface even if the connection is from outside.
I would like only new connections from the local host 192.168.1.1 to be forced to the ethx interface of the alias; other connections should follow the standard rules.
To get this behaviour it should be enough to give the sNAT rules a lower priority:
```
0: from all lookup local
999: from all lookup main
10000: from all fwmark 0x10000/0xf0000 lookup itcpr
10001: from all fwmark 0x20000/0xf0000 lookup itcsc
11000: from 192.168.1.1 lookup itcpr
. . .
32765: from all lookup balance
32767: from all lookup default
```
It can be done easily with this little change:
[root@nethserver ~]# diff -u 30nat.ori /etc/e-smith/templates/etc/shorewall/rtrules/30nat --- 30nat.ori 2015-10-07 16:44:48.039206391 +0200 +++ /etc/e-smith/templates/etc/shorewall/rtrules/30nat 2015-10-07 16:37:39.867472712 +0200 @@ -24,7 +24,7 @@ foreach $j (@providers) { my $provider_name = $j->{'name'}; if($j->{'interface'} eq $interface) { - $OUT .= "$internal_ip\t\t-\t\t\t$provider_name\t\t1900\n"; + $OUT .= "$internal_ip\t\t-\t\t\t$provider_name\t\t11000\n"; } } }
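Review bot: the new priority 11000 in the `$OUT .=` line is a bare magic number, exactly as 1900 was, and the fix only works because it sorts after the provider fwmark rules at 10000/10001 (so replies of a connection that entered through the other red interface keep their marked provider) while still preceding the catch-all balance rule at 32765; nothing in 30nat records that ordering. Suggest a comment next to the changed line stating the constraint, e.g. `# 11000: must stay below the 10000-10001 fwmark rules (reply traffic keeps its provider)`, so a later change to the provider rule priorities does not silently reintroduce this bug.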
I already checked it and it seems to work fine without any drawback.
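As an added example (not code from the NethServer project or from the comment's author), the following Python simulates the kernel's policy-routing rule walk over the two `ip rule` listings quoted in the comment, to show why moving the sNAT rule from priority 1900 to 11000 changes where a reply is routed. The rule lines, table names and fwmark values come from the listings; two things are constructed for the example: that a reply belonging to a connection which entered via the second red interface carries fwmark 0x20000 (restored from the connection mark), and that for an Internet destination only the provider tables and `balance` hold a route, so `local`/`main` fall through.

```python
"""Policy-routing (RPDB) lookup simulator.

Added example, not code from the NethServer project or the bug's author.
The two rule listings are the before/after `ip rule` output quoted in
comment #1; table names (itcpr, itcsc, balance, ...) and fwmark values
come from there. ASSUMPTION: replies of a connection that entered through
the second provider carry fwmark 0x20000 (restored from the connection
mark), which is what the reported symptom implies.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One `ip rule` line: "<prio>: from <src> [fwmark <mark>[/<mask>]] lookup <table>"
RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+fwmark\s+(?P<mark>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?)?"
    r"\s+lookup\s+(?P<table>\S+)$"
)


@dataclass(frozen=True)
class Rule:
    prio: int
    src: str             # "all" or a source IP address
    mark: Optional[int]  # None when the rule has no fwmark selector
    mask: int
    table: str


def parse_rules(text: str):
    """Parse `ip rule` output into Rules sorted by priority (kernel order)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        mark = int(m["mark"], 16) if m["mark"] else None
        mask = int(m["mask"], 16) if m["mask"] else 0xFFFFFFFF
        rules.append(Rule(int(m["prio"]), m["src"], mark, mask, m["table"]))
    return sorted(rules, key=lambda r: r.prio)


def lookup_table(rules, src_ip: str, fwmark: int, routed_tables) -> Optional[str]:
    """Walk the rules in priority order and return the first table that both
    matches the packet and holds a route for it. As in the kernel, a matching
    rule whose table has no route falls through to the next rule."""
    for r in rules:
        if r.src != "all" and r.src != src_ip:
            continue
        if r.mark is not None and (fwmark & r.mask) != r.mark:
            continue
        if r.table in routed_tables:
            return r.table
    return None


# Listings from comment #1 (the ". . ." placeholder lines omitted).
BEFORE_TEXT = """
0: from all lookup local
999: from all lookup main
1900: from 192.168.1.1 lookup itcpr
10000: from all fwmark 0x10000/0xf0000 lookup itcpr
10001: from all fwmark 0x20000/0xf0000 lookup itcsc
32765: from all lookup balance
32767: from all lookup default
"""
AFTER_TEXT = """
0: from all lookup local
999: from all lookup main
10000: from all fwmark 0x10000/0xf0000 lookup itcpr
10001: from all fwmark 0x20000/0xf0000 lookup itcsc
11000: from 192.168.1.1 lookup itcpr
32765: from all lookup balance
32767: from all lookup default
"""
BEFORE_RULES = parse_rules(BEFORE_TEXT)
AFTER_RULES = parse_rules(AFTER_TEXT)

# Constructed: for an Internet destination only the provider tables and the
# balance table hold a route; local/main/default do not (MultiWAN setup).
ROUTED = {"itcpr", "itcsc", "balance"}

# Constructed marks (assumption, see docstring): 0x10000 = first provider
# (eth2), 0x20000 = second provider (eth3), 0 = new locally originated flow.
MARK_PROVIDER1, MARK_PROVIDER2, MARK_NONE = 0x10000, 0x20000, 0x0


def reply_tables(natted_ip: str = "192.168.1.1"):
    """Table chosen for a reply from the natted host whose connection entered
    via provider 2, with the old (1900) and the new (11000) rule priority."""
    return {
        "before": lookup_table(BEFORE_RULES, natted_ip, MARK_PROVIDER2, ROUTED),
        "after": lookup_table(AFTER_RULES, natted_ip, MARK_PROVIDER2, ROUTED),
    }


if __name__ == "__main__":
    print("reply to a connection that entered via eth3:", reply_tables())
    print("new outbound flow from the natted host after the fix:",
          lookup_table(AFTER_RULES, "192.168.1.1", MARK_NONE, ROUTED))
```

With the old listing the `from 192.168.1.1` rule at 1900 wins before the fwmark rules are ever consulted, so every reply goes to `itcpr` (eth2). With the rule at 11000 the reply marked 0x20000 is caught by the 10001 rule and routed through `itcsc`, while an unmarked new connection from the host still falls through to the 11000 rule and keeps using the alias provider.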
#2 Updated by Giacomo Sanchietti almost 6 years ago
- Category set to nethserver-firewall-base
- Status changed from NEW to TRIAGED
- Target version set to v6.7
- % Done changed from 0 to 20
#3 Updated by Giacomo Sanchietti almost 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti almost 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Proposed patch has been merged.
#5 Updated by Giacomo Sanchietti almost 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-2.8.0-1.3.gd02a1fe.ns6.noarch.rpm
- nethserver-firewall-base-ui-2.8.0-1.3.gd02a1fe.ns6.noarch.rpm
- Check the bug is not reproducible
#6 Updated by Giacomo Sanchietti over 5 years ago
- Assignee set to Giacomo Sanchietti
#7 Updated by Giacomo Sanchietti over 5 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 70 to 90
System and Package Version installed
Package Installed:
nethserver-firewall-base-ui-2.8.0-1.18.gfc25d0e.ns6.noarch
nethserver-firewall-base-2.8.0-1.18.gfc25d0e.ns6.noarch
Test Original Problem
IP rule placed in the wrong order
Install Updated Package
yum --enablerepo=nethserver-testing update nethserver-firewall-base*
Test Results after update
Natted host is 192.168.5.22.
```
[root@localhost ~]# ip ru
0: from all lookup local
999: from all lookup main
10000: from all fwmark 0x10000/0xf0000 lookup p1
10001: from all fwmark 0x20000/0xf0000 lookup p2
11000: from 192.168.5.22 lookup p1
20000: from 10.10.10.4 lookup p1
20000: from 10.2.3.2 lookup p1
20000: from 10.0.2.4 lookup p2
32765: from all lookup balance
32767: from all lookup default
```
Verified Or Reopen
Verified
#8 Updated by Giacomo Sanchietti over 5 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-firewall-base-ui-2.9.0-1.ns6.noarch.rpm
- nethserver-firewall-base-2.9.0-1.ns6.noarch.rpm