DNAT create wrong rule

Bug #1663248 reported by de1m
Affects: shorewall (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

I have two networks: loc (local) and dmz.

In the dmz network I have two http servers: 20.10.0.10 and 20.10.0.20.

My rules from rules.loc:

#1.
HTTP(ACCEPT) loc dmz:20.10.0.10
#2.
DNAT loc dmz:20.10.0.20:80 tcp 80

So, the first rule allows me direct access to the http server (through routing), and with the second rule I can access the second server (20.10.0.20) through DNAT.

When I connect to the first server (20.10.0.10) through http, I end up on the second server.
Here is my tcpdump:
###################################################################################
sudo tcpdump -i ens192 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
14:33:39.385354 IP 192.168.40.216.39006 > 20.10.0.20.http: Flags [S], seq 3278146055, win 29200, options [mss 1460,sackOK,TS val 23936978 ecr 0,nop,wscale 7], length 0
14:33:39.385598 IP 20.10.0.20.http > 192.168.40.216.39006: Flags [S.], seq 2565341747, ack 3278146056, win 14480, options [mss 1460,sackOK,TS val 99695832 ecr 23936978,nop,wscale 7], length 0
14:33:39.385806 IP 192.168.40.216.39006 > 20.10.0.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 23936979 ecr 99695832], length 0
14:33:40.385326 IP 20.10.0.20.http > 192.168.40.216.39006: Flags [S.], seq 2565341747, ack 3278146056, win 14480, options [mss 1460,sackOK,TS val 99696832 ecr 23936979,nop,wscale 7], length 0
14:33:40.385832 IP 192.168.40.216.39006 > 20.10.0.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 23937229 ecr 99695832], length 0
14:34:04.980189 IP 192.168.40.216.39006 > 20.10.0.20.http: Flags [P.], seq 1:18, ack 1, win 229, options [nop,nop,TS val 23943377 ecr 99695832], length 17: HTTP: GET /index.html
14:34:04.980465 IP 20.10.0.20.http > 192.168.40.216.39006: Flags [.], ack 18, win 114, options [nop,nop,TS val 99721425 ecr 23943377], length 0
14:34:04.984546 IP 20.10.0.20.http > 192.168.40.216.39006: Flags [P.], seq 1:287, ack 18, win 114, options [nop,nop,TS val 99721429 ecr 23943377], length 286: HTTP
14:34:04.984715 IP 20.10.0.20.http > 192.168.40.216.39006: Flags [F.], seq 287, ack 18, win 114, options [nop,nop,TS val 99721429 ecr 23943377], length 0
14:34:04.985061 IP 192.168.40.216.39006 > 20.10.0.20.http: Flags [.], ack 287, win 237, options [nop,nop,TS val 23943378 ecr 99721429], length 0
14:34:04.985176 IP 192.168.40.216.39006 > 20.10.0.20.http: Flags [F.], seq 18, ack 288, win 237, options [nop,nop,TS val 23943378 ecr 99721429], length 0
14:34:04.985364 IP 20.10.0.20.http > 192.168.40.216.39006: Flags [.], ack 19, win 114, options [nop,nop,TS val 99721430 ecr 23943378], length 0
###################################################################################

Output of iptables -L | grep 20.10.0.10:
admin2@fw1:/etc/shorewall$ sudo iptables -L | grep 0.10
ACCEPT tcp -- anywhere 20.10.0.10 tcp dpt:ssh ctorigdstport 8022
ACCEPT tcp -- anywhere 20.10.0.10 tcp dpt:http /* HTTP */
ACCEPT tcp -- anywhere 20.10.0.20 tcp dpt:http ctorigdstport 80
ACCEPT icmp -- anywhere 20.10.0.10 icmp echo-request /* Ping */
ACCEPT tcp -- anywhere 20.10.0.10 tcp dpt:ssh /* SSH */

But if I uncomment the DNAT rule it works as well.

I think it is a bug?
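As an added check (not part of the report and not Shorewall's own code), the script below parses the two rules from rules.loc and flags any DNAT rule whose ORIGINAL DEST column is empty. Such a rule lands in the nat PREROUTING chain, which iptables evaluates before the filter chains, so it rewrites every loc -> tcp/80 connection whatever its destination, and the ACCEPT rule for 20.10.0.10 is never consulted. The MACRO_PORTS table and the column handling are simplified assumptions, not Shorewall's parser.

```python
import re
from typing import Dict, List, Tuple

# Subset of Shorewall's bundled macros (constructed; only HTTP is needed for this report)
MACRO_PORTS: Dict[str, Tuple[str, str]] = {"HTTP": ("tcp", "80")}

def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse rules-file lines into the first seven Shorewall columns:
    ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST. Missing columns become '-'."""
    names = ["action", "source", "dest", "proto", "dport", "sport", "origdest"]
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        cols = (line.split() + ["-"] * len(names))[:len(names)]
        rule = dict(zip(names, cols))
        m = re.fullmatch(r"([A-Za-z0-9_]+)\((\w+)\)", rule["action"])  # macro form, e.g. HTTP(ACCEPT)
        if m and m.group(1) in MACRO_PORTS:
            rule["action"] = m.group(2)
            rule["proto"], rule["dport"] = MACRO_PORTS[m.group(1)]
        rules.append(rule)
    return rules

def split_dest(dest: str) -> Tuple[str, str, str]:
    """'dmz:20.10.0.20:80' -> ('dmz', '20.10.0.20', '80'); 'dmz' -> ('dmz', '-', '-')."""
    parts = (dest.split(":") + ["-", "-"])[:3]
    return parts[0], parts[1], parts[2]

def find_catch_all_dnat(rules: List[Dict[str, str]]) -> List[str]:
    """Flag DNAT rules with an empty ORIGINAL DEST column: in nat PREROUTING they rewrite
    every SOURCE -> PROTO/DPORT connection before the filter table sees any ACCEPT rule,
    so same-port ACCEPT rules to other hosts are never reached."""
    findings = []
    for d in rules:
        if d["action"] != "DNAT" or d["origdest"] != "-":
            continue
        _, target, _ = split_dest(d["dest"])
        for a in rules:
            if a["action"] != "ACCEPT" or a["source"] != d["source"]:
                continue
            if (a["proto"], a["dport"]) != (d["proto"], d["dport"]):
                continue
            _, addr, _ = split_dest(a["dest"])
            if addr not in ("-", target):
                findings.append(f"DNAT {d['source']}->{d['dest']} has no ORIGINAL DEST and "
                                f"captures {d['proto']}/{d['dport']} meant for {addr}")
    return findings

# Constructed input: the two rules quoted in the report
RULES_LOC = "HTTP(ACCEPT) loc dmz:20.10.0.10\nDNAT loc dmz:20.10.0.20:80 tcp 80\n"
```

Running `find_catch_all_dnat(parse_rules(RULES_LOC))` reports the ACCEPT for 20.10.0.10 as captured; adding an ORIGINAL DEST to the DNAT rule clears the finding.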
