Differences

This shows you the differences between two versions of the page.

--- doc:appunti:linux:sa:iptables [2014/04/16 17:35] – [Usare iptables per mitigare o bloccare un DNS Amplification Attack] niccolo
+++ doc:appunti:linux:sa:iptables [2020/11/23 15:27] – [Shorewall and DNAT onto a local host] niccolo
@@ Line 40: / Line 40: @@
 A web server is reachable from the internet onto a local host (**192.168.1.5**) via a DNAT rule, local hosts want to use the public address (**130.151.100.69**) to reach the d-natted server. Traffic will be masqueraded by the firewall with its address (**192.168.1.254**) on the local LAN (**eth0**, **192.168.1.0/24**):
-In ''**/etc/shorewall/interfaces**'':
+In **/etc/shorewall/interfaces**:
 <code>
@@ Line 47: / Line 47: @@
 </code>
-In ''**/etc/shorewall/masq**'':
+For Shorewall 5 we nedd a line in **/etc/shorewall/snat**:
+<code>
+#ACTION               SOURCE           DEST               PROTO  PORT
+SNAT(192.168.1.254)   192.168.1.0/24   eth0:192.168.1.5   tcp    www
+</code>
+Shorewall 4 instead requires a line in **/etc/shorewall/masq**:
 <code>
@@ Line 54: / Line 61: @@
 </code>
-In ''**/etc/shorewall/rules**'':
+In **/etc/shorewall/rules**:
 <code>
@@ Line 60: / Line 67: @@
 #                                                   PORT    DEST.
 DNAT     loc     loc:192.168.1.5  tcp    www        -       130.151.100.69
+DNAT     net     loc:192.168.1.5  tcp    www        -       130.151.100.69
 </code>
+Port translating from outside to inside is handled only in **/etc/shorewall/rules**, as usual.
+===== Shorewall with router in local LAN =====
+Hosts in LAN#1 may access hosts in LAN#2 by just adding a static route to the **192.168.2.0/24 network** via the **192.168.1.10 gateway**, but it is very annoying to modify the routing table into several hosts.
+{{shorewall-router-in-lan.png?400|Shorewall with router in LAN}}
+You can instead make **two configurations** on the Shorewall firewall. First of all you add the static route into **/etc/network/interfaces**:
+<file>
+auto eth1
+iface eth1 inet static
+    address 192.168.1.1
+    netmask 255.255.255.0
+    up   /sbin/route add -net 192.168.2.0/24 gw 192.168.1.10 || true
+    down /sbin/route del -net 192.168.2.0/24 gw 192.168.1.10 || true
+</file>
+then you have to add the **routeback** option for the **eth1** interfaces in the **/etc/shorewall/interfaces** file:
+<file>
+loc    eth1    routeback
+</file>
 ===== Iptables schema =====
@@ Line 137: / Line 169: @@
 <code>
-iptables -I INPUT -p udp -m string --hex-string '|047A696E67047A6F6E6702636F027561|' \
+/sbin/iptables -I INPUT -p udp -m string --hex-string '|047A696E67047A6F6E6702636F027561|' \
-    --algo bm --from 40 --to 56 -j DROP
+    --algo bm --from 40 --to 56 -j DROP -m comment --comment "DROP DNS Q zing.zong.co.ua"
 </code>
@@ Line 157: / Line 189: @@
     start)
         iptables -I INPUT $options -j DROP
-        iptables -I INPUT $options -j LOG --log-level debug
+        #iptables -I INPUT $options -j LOG --log-level debug
         ;;
     stop)
         iptables -D INPUT $options -j DROP
-        iptables -D INPUT $options -j LOG --log-level debug
+        #iptables -D INPUT $options -j LOG --log-level debug
         ;;
     *)