Discussion:
[Shorewall-users] open command
Nerijus Baliunas
2017-03-23 17:24:52 UTC
Hello,

I have in rules file:
DNAT net loc:10.10.10.12 tcp 443

I want to temporarily open 443 on firewall itself so that connections to tcp port 443
from outside would go to fw, not 10.10.10.12.

I run command:
# shorewall open all 81.x.x.x tcp 443
Firewall dynamically opened for connections from all to 81.x.x.x tcp port 443

81.x.x.x is my external interface IP addr.

But if I open https://81.x.x.x from outside I still am forwarded to 10.10.10.12.

Regards,
Nerijus
Simon Hobson
2017-03-23 20:39:35 UTC
Post by Nerijus Baliunas
DNAT net loc:10.10.10.12 tcp 443
I want to temporarily open 443 on firewall itself so that connections to tcp port 443
from outside would go to fw, not 10.10.10.12.
# shorewall open all 81.x.x.x tcp 443
Firewall dynamically opened for connections from all to 81.x.x.x tcp port 443
81.x.x.x is my external interface IP addr.
But if I open https://81.x.x.x from outside I still am forwarded to 10.10.10.12.
According to the diagram at http://www.shorewall.org/NetfilterOverview.html the NAT rules are processed before the input filter. So the rule created by the open command will have no effect as the packet will not make it that far - it's been through the nat table first.
Nerijus Baliunas
2017-03-23 20:58:11 UTC
Post by Simon Hobson
According to the diagram at http://www.shorewall.org/NetfilterOverview.html the NAT rules are processed before the input filter. So the rule created by the open command will have no effect as the packet will not make it that far - it's been through the nat table first.
OK, so how do I get the 443 port to firewall to take precedence over NAT?

Regards,
Nerijus
Nerijus Baliunas
2017-03-23 21:49:49 UTC
Post by Simon Hobson
Post by Nerijus Baliunas
DNAT net loc:10.10.10.12 tcp 443
I want to temporarily open 443 on firewall itself so that connections to tcp port 443
from outside would go to fw, not 10.10.10.12.
# shorewall open all 81.x.x.x tcp 443
Firewall dynamically opened for connections from all to 81.x.x.x tcp port 443
81.x.x.x is my external interface IP addr.
But if I open https://81.x.x.x from outside I still am forwarded to 10.10.10.12.
According to the diagram at http://www.shorewall.org/NetfilterOverview.html the NAT rules are processed before the input filter. So the rule created by the open command will have no effect as the packet will not make it that far - it's been through the nat table first.
So I decided to remove "DNAT net loc:10.10.10.12 tcp 443" rule
so that it does not interfere, but, if I run
shorewall open all 10.10.10.12 tcp 443
it does not work - port 443 is not DNAT'ed to 10.10.10.12.

Could it be done with iptables perhaps? iptables -I INPUT 1 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
does not work as I want (if the above DNAT rule is present) - https connection is forwarded to 10.10.10.12.

Regards,
Nerijus
Nerijus Baliunas
2017-03-24 11:42:58 UTC
Hello,

I left the rule DNAT net loc:10.10.10.12 tcp 443 in shorewall/rules, but I do:
iptables -D net-loc -p tcp -d 10.10.10.12 --dport 443 -j ACCEPT
so that the rule is deleted before trying to open 443 port on fw itself. I test
with a browser, and I am no longer forwarded to 10.10.10.12.

Then I run shorewall open all 81.x.x.x tcp 443:
Firewall dynamically opened for connections from all to 81.x.x.x tcp port 443

iptables -L -n shows a new rule in chain dynamic:
Chain dynamic (10 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 81.x.x.x tcp dpt:443

But the browser times out and does not connect to the Apache running on the fw.

Regards,
Nerijus
Nerijus Baliunas
2017-03-24 12:11:21 UTC
I even tried a simpler method.
shorewall/rules:
ACCEPT net fw tcp 443
DNAT net loc:10.10.10.12 tcp 443

DNAT takes precedence, so the browser from outside opens 10.10.10.12.
Then I run iptables -D net-loc -p tcp -d 10.10.10.12 --dport 443 -j ACCEPT
it deletes the above DNAT rule, but the browser cannot connect to fw port 443.
Then I run shorewall open all 81.x.x.x tcp 443, but the browser still cannot connect.
Why?
Post by Nerijus Baliunas
Hello,
iptables -D net-loc -p tcp -d 10.10.10.12 --dport 443 -j ACCEPT
so that the rule is deleted before trying to open 443 port on fw itself. I test
with a browser, and I am no longer forwarded to 10.10.10.12.
Firewall dynamically opened for connections from all to 81.x.x.x tcp port 443
Chain dynamic (10 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 81.x.x.x tcp dpt:443
But the browser times out and does not connect to the Apache running on the fw.
Regards,
Nerijus
Tom Eastep
2017-03-24 14:47:00 UTC
I even tried a simpler method.
shorewall/rules:
ACCEPT net fw tcp 443
DNAT net loc:10.10.10.12 tcp 443

DNAT takes precedence, so the browser from outside opens 10.10.10.12.
Then I run iptables -D net-loc -p tcp -d 10.10.10.12 --dport 443 -j ACCEPT
it deletes the above DNAT rule, but the browser cannot connect to fw port 443.
Then I run shorewall open all 81.x.x.x tcp 443, but the browser still cannot connect.
Why?
You are not deleting the DNAT rule; you are deleting the ACCEPT rule.
When you include a DNAT rule in /etc/shorewall/rules, two iptables
rules are created; the DNAT rule in the nat table and an ACCEPT rule
in the filter table.

To solve your issue, I suggest that you place '!direct' in the SWITCH
column of your DNAT rule. That way, you can turn it off by setting
the 'direct' switch. Then the open command will work.

- -Tom
- --
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
Nerijus Baliunas
2017-03-24 15:08:21 UTC
Post by Tom Eastep
To solve your issue, I suggest that you place '!direct' in the SWITCH
column of your DNAT rule. That way, you can turn it off by setting
the 'direct' switch. Then the open command will work.
I tried, but got:
ERROR: A non-empty SWITCH column requires Condition Match in your kernel and iptables /etc/shorewall/rules (line 58)

It is a CentOS 6 system; probably it does not have Condition Match?

Regards,
Nerijus
Tom Eastep
2017-03-24 15:19:49 UTC
On Fri, 24 Mar 2017 07:47:00 -0700 Tom Eastep
Post by Tom Eastep
To solve your issue, I suggest that you place '!direct' in the
SWITCH column of your DNAT rule. That way, you can turn it
off by setting the 'direct' switch. Then the open command will
work.
I tried, but got: ERROR: A non-empty SWITCH column requires
Condition Match in your kernel and iptables /etc/shorewall/rules
(line 58)
It is a CentOS 6 system, probably it does not have Condition
Match?
Most likely. Might be in the iptables-addons package if that is
available for CentOS 6.

- -Tom
Nerijus Baliunas
2017-03-24 15:36:03 UTC
Post by Tom Eastep
I tried, but got: ERROR: A non-empty SWITCH column requires
Condition Match in your kernel and iptables /etc/shorewall/rules
(line 58)
It is a CentOS 6 system, probably it does not have Condition
Match?
Most likely. Might be in the iptables-addons package if that is
available for CentOS 6.
shorewall dump|grep Cond
Condition Match (CONDITION_MATCH): Not available

So the only option for me is to use 2 different shorewall configs and restart the firewall?
Tom Eastep
2017-03-24 15:51:12 UTC
On Fri, 24 Mar 2017 08:19:49 -0700 Tom Eastep
Post by Tom Eastep
I tried, but got: ERROR: A non-empty SWITCH column requires
Condition Match in your kernel and iptables
/etc/shorewall/rules (line 58)
It is a CentOS 6 system, probably it does not have Condition
Match?
Most likely. Might be in the iptables-addons package if that is
available for CentOS 6.
shorewall dump|grep Cond
Condition Match (CONDITION_MATCH): Not available
So the only option for me is to use 2 different shorewall configs and restart the firewall?
You could also insert an ACCEPT rule in the nat table in front of the
DNAT rule for port 443.

iptables -t nat -I ethX_dnat -p tcp --dport 443 -j ACCEPT

where ethX is your Internet interface.


Then, an open will work. When you want to switch back, simply delete
the rule.

- -Tom
Nerijus Baliunas
2017-03-24 16:11:57 UTC
Post by Tom Eastep
You could also insert an ACCEPT rule in the nat table in front of the
DNAT rule for port 443.
iptables -t nat -I ethX_dnat -p tcp --dport 443 -j ACCEPT
where ethX is your Internet interface.
iptables -t nat -I em1_dnat -p tcp --dport 443 -j ACCEPT
iptables: No chain/target/match by that name.

Regards,
Nerijus
Tom Eastep
2017-03-24 16:48:47 UTC
On Fri, 24 Mar 2017 08:51:12 -0700 Tom Eastep
Post by Tom Eastep
You could also insert an ACCEPT rule in the nat table in front of
the DNAT rule for port 443.
iptables -t nat -I ethX_dnat -p tcp --dport 443 -j ACCEPT
where ethX is your Internet interface.
No chain/target/match by that name.
You'll have to look at the nat table then and find the rule:

shorewall show nat

- -Tom
Nerijus Baliunas
2017-03-24 17:19:25 UTC
Post by Tom Eastep
On Fri, 24 Mar 2017 08:51:12 -0700 Tom Eastep
Post by Tom Eastep
You could also insert an ACCEPT rule in the nat table in front of
the DNAT rule for port 443.
iptables -t nat -I ethX_dnat -p tcp --dport 443 -j ACCEPT
where ethX is your Internet interface.
No chain/target/match by that name.
shorewall show nat
Thank you, iptables -t nat -I net_dnat -p tcp --dport 443 -j ACCEPT
helped. But only if the rule "ACCEPT net fw tcp 443" exists.

Regards,
Nerijus
Tom Eastep
2017-03-24 18:18:57 UTC
On Fri, 24 Mar 2017 09:48:47 -0700 Tom Eastep
Post by Tom Eastep
On Fri, 24 Mar 2017 08:51:12 -0700 Tom Eastep
Post by Tom Eastep
You could also insert an ACCEPT rule in the nat table in front of the
DNAT rule for port 443.
iptables -t nat -I ethX_dnat -p tcp --dport 443 -j ACCEPT
where ethX is your Internet interface.
iptables -t nat -I em1_dnat -p tcp --dport 443 -j ACCEPT
iptables: No chain/target/match by that name.
shorewall show nat
Thank you, iptables -t nat -I net_dnat -p tcp --dport 443 -j ACCEPT
helped. But only if the rule "ACCEPT net fw tcp 443" exists.
'open' will add an equivalent rule.

- -Tom
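The two points made above, Simon's that the nat table is consulted before the filter table so a filter ACCEPT alone cannot pull a DNAT'ed port back to the firewall, and Tom's that an ACCEPT inserted in front of the DNAT rule in the nat chain short-circuits the translation so that `shorewall open` then works, can be put together in a small toggle script. The script below is an added example; it is not from this thread or from the Shorewall project. It assumes the nat chain is called net_dnat, as it turned out to be on Nerijus's box (the name depends on the Shorewall version and zone/interface naming, so confirm it with `shorewall show nat`), that 203.0.113.10 stands in for the real external address, and that `shorewall close` is used to undo `shorewall open`. The `accept_precedes_dnat` check, which parses `iptables -t nat -S` output, is a helper written for this example.

```sh
#!/bin/sh
# Added example (not from the thread or the Shorewall project): toggle
# "TCP 443 terminates on the firewall itself" in front of a Shorewall DNAT
# rule, using the nat-table ACCEPT trick, and verify the rule order.
#
# Assumptions (hypothetical, check them on your system):
#   NAT_CHAIN  nat chain holding the DNAT rule; the thread found "net_dnat"
#              (list it with `shorewall show nat`)
#   EXT_IP     the firewall's external address (81.x.x.x in the thread)
#   PORT       the DNAT'ed port (443)
# Set DRY_RUN=1 to print the commands instead of executing them.

NAT_CHAIN=${NAT_CHAIN:-net_dnat}
EXT_IP=${EXT_IP:-203.0.113.10}   # placeholder address, not the real one
PORT=${PORT:-443}
DRY_RUN=${DRY_RUN:-}

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: ACCEPT at the head of the DNAT chain. A packet that hits ACCEPT in
# the nat table leaves the table untranslated, so it keeps dst=EXT_IP and the
# routing decision sends it to INPUT instead of FORWARD. This is why a
# filter-table ACCEPT alone (from `shorewall open` or inserted into INPUT)
# never saw the connection: it had already been rewritten to 10.10.10.12.
# Step 2: `shorewall open` adds the net->fw ACCEPT to the dynamic chain,
# the same effect as an "ACCEPT net fw tcp 443" rule.
open_direct() {
    run iptables -t nat -I "$NAT_CHAIN" 1 -p tcp --dport "$PORT" -j ACCEPT || return 1
    run shorewall open all "$EXT_IP" tcp "$PORT"
}

# Undo in reverse order: close the filter hole, then let DNAT take over again.
close_direct() {
    run shorewall close all "$EXT_IP" tcp "$PORT"
    run iptables -t nat -D "$NAT_CHAIN" -p tcp --dport "$PORT" -j ACCEPT
}

# Order check on `iptables -S` style output read from stdin: exit 0 only if
# an ACCEPT for the port appears before the first DNAT for that port.
# The "( |$)" guard stops --dport 443 from matching --dport 4430.
accept_precedes_dnat() {
    awk -v port="$1" '
        $0 ~ ("--dport " port "( |$)") && / -j ACCEPT/ && !seen_dnat { found = 1 }
        $0 ~ ("--dport " port "( |$)") && / -j DNAT/ { seen_dnat = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live check against the running ruleset.
verify_direct() {
    iptables -t nat -S "$NAT_CHAIN" | accept_precedes_dnat "$PORT"
}

case "${1:-}" in
    open)   open_direct ;;
    close)  close_direct ;;
    verify) verify_direct && echo "$PORT goes to the firewall" || echo "$PORT is DNAT'ed" ;;
esac
```

Run it as `sh direct.sh open`, test from outside, then `sh direct.sh close`; `sh direct.sh verify` reports which way the port currently goes. One caveat: the nat rule is hand-inserted, so any `shorewall restart` or `shorewall reload` regenerates the ruleset and silently drops it, after which the port is DNAT'ed again; rerun `open` afterwards if the temporary state is still wanted.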
Simon Matter
2017-03-24 15:53:33 UTC
Post by Nerijus Baliunas
Post by Tom Eastep
I tried, but got: ERROR: A non-empty SWITCH column requires
Condition Match in your kernel and iptables /etc/shorewall/rules
(line 58)
It is a CentOS 6 system, probably it does not have Condition
Match?
Most likely. Might be in the iptables-addons package if that is
available for CentOS 6.
shorewall dump|grep Cond
Condition Match (CONDITION_MATCH): Not available
I have never tried, but maybe it's available in the CentOS Plus kernel?

Regards,
Simon
Matt Darfeuille
2017-03-24 15:54:51 UTC
Post by Nerijus Baliunas
Post by Tom Eastep
I tried, but got: ERROR: A non-empty SWITCH column requires
Condition Match in your kernel and iptables /etc/shorewall/rules
(line 58)
It is a CentOS 6 system, probably it does not have Condition
Match?
Most likely. Might be in the iptables-addons package if that is
available for CentOS 6.
shorewall dump|grep Cond
Condition Match (CONDITION_MATCH): Not available
So the only option for me is to use 2 different shorewall configs and restart the firewall?
You could try:
http://shorewall.org/configuration_file_basics.htm#Conditional

-Matt
--
Matt Darfeuille