DNAT create wrong rule
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| shorewall (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
I have two networks - loc (local) and dmz.
In the dmz network I have two http servers - 20.10.0.10 and 20.10.0.20.
My rules from rules.loc:

```
#1.
HTTP(ACCEPT) loc dmz:20.10.0.10
#2.
DNAT loc dmz:20.10.0.20:80 tcp 80
```
So, the first rule allows me direct access to the http server (through routing) and with the second rule I can access the second server (20.10.0.20) through DNAT.
When I connect to the first server (20.10.0.10) through http I end up on the second server.
Here is my tcpdump:

```
sudo tcpdump -i ens192 tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
14:33:39.385354 IP 192.168.
14:33:39.385598 IP 20.10.0.20.http > 192.168.
14:33:39.385806 IP 192.168.
14:33:40.385326 IP 20.10.0.20.http > 192.168.
14:33:40.385832 IP 192.168.
14:34:04.980189 IP 192.168.
14:34:04.980465 IP 20.10.0.20.http > 192.168.
14:34:04.984546 IP 20.10.0.20.http > 192.168.
14:34:04.984715 IP 20.10.0.20.http > 192.168.
14:34:04.985061 IP 192.168.
14:34:04.985176 IP 192.168.
14:34:04.985364 IP 20.10.0.20.http > 192.168.
```
Output of `iptables -L | grep 20.10.0.10`:

```
admin2@
ACCEPT tcp -- anywhere 20.10.0.10 tcp dpt:ssh ctorigdstport 8022
ACCEPT tcp -- anywhere 20.10.0.10 tcp dpt:http /* HTTP */
ACCEPT tcp -- anywhere 20.10.0.20 tcp dpt:http ctorigdstport 80
ACCEPT icmp -- anywhere 20.10.0.10 icmp echo-request /* Ping */
ACCEPT tcp -- anywhere 20.10.0.10 tcp dpt:ssh /* SSH */
```
But if I uncomment the DNAT rule it's working as well.
I think it is a bug?
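As an added illustration (not part of the bug report or of Shorewall's code), a small Python model of the order in which netfilter applies the rules Shorewall generates: the nat PREROUTING DNAT rewrites the destination before the filter FORWARD ACCEPT is consulted, so a DNAT rule with no original-destination match captures every port-80 connection from loc, whichever DMZ host it was addressed to. The ORIGDEST variant is a hypothetical rule, assumed here to restrict the rewrite to connections originally addressed to 20.10.0.20.

```python
# Added example (not from the bug report): a small model of how netfilter
# evaluates the rules Shorewall generates. Order matters: nat PREROUTING
# (DNAT) rewrites the destination before filter FORWARD (ACCEPT) sees it.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Dnat:  # Shorewall DNAT rule; orig_dst None = match any original dest
    src_zone: str
    dport: int
    new_dst: str
    orig_dst: Optional[str] = None

@dataclass(frozen=True)
class Accept:  # Shorewall ACCEPT rule, e.g. HTTP(ACCEPT) loc dmz:20.10.0.10
    src_zone: str
    dst: str
    dport: int

def evaluate(src_zone, dst, dport, dnat_rules, accept_rules, policy="REJECT"):
    """Return (destination actually reached, verdict) for one new connection."""
    reached = dst
    for r in dnat_rules:  # nat PREROUTING: first matching DNAT rewrites dst
        if (r.src_zone == src_zone and r.dport == dport
                and r.orig_dst in (None, dst)):
            reached = r.new_dst
            break
    # Every DNAT rule also emits an ACCEPT for the translated destination
    # (the "ctorigdstport 80" line in the iptables output above).
    accepts = accept_rules + [Accept(r.src_zone, r.new_dst, r.dport) for r in dnat_rules]
    for a in accepts:  # filter FORWARD: sees the already-rewritten destination
        if a.src_zone == src_zone and a.dst == reached and a.dport == dport:
            return reached, "ACCEPT"
    return reached, policy

RULE_1 = [Accept("loc", "20.10.0.10", 80)]       # HTTP(ACCEPT) loc dmz:20.10.0.10
REPORTED_DNAT = [Dnat("loc", 80, "20.10.0.20")]  # DNAT loc dmz:20.10.0.20:80 tcp 80
# Hypothetical variant with the ORIGINAL DEST column filled in (assumed to
# limit the rewrite to connections originally addressed to 20.10.0.20).
RESTRICTED_DNAT = [Dnat("loc", 80, "20.10.0.20", orig_dst="20.10.0.20")]

def where_does_http_land(dnat_rules):
    """For each DMZ web server: (host a loc client really reaches, verdict)."""
    return {srv: evaluate("loc", srv, 80, dnat_rules, RULE_1)
            for srv in ("20.10.0.10", "20.10.0.20")}
if __name__ == "__main__":
    for name, rules in (("as reported", REPORTED_DNAT), ("DNAT removed", []),
                        ("with ORIGDEST", RESTRICTED_DNAT)):
        print(f"{name:14} {where_does_http_land(rules)}")
```

With the rules as posted, both DMZ servers resolve to 20.10.0.20, which is the symptom in the tcpdump above; with the DNAT line removed, 20.10.0.10 is reached directly and 20.10.0.20 falls through to the policy.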