To be able to DNAT to the loopback interface on Linux one needs to activate route_localnet on the incoming interface, something like:

echo 1 > /proc/sys/net/ipv4/conf/INTERFACE_OF_LOC_ZONE/route_localnet

or, for it to be permanent, add:

net.ipv4.conf.INTERFACE_OF_LOC_ZONE.route_localnet = 1

in /etc/sysctl.conf followed by running sysctl -p to apply (it will also be applied on reboot). After that you could create a loopback zone as mentioned and use a DNAT entry in the shorewall rules file. Might need to change routefilter options in shorewall too.

But there's a reason why this is disabled by default: it's to comply with the RFCs, for example: https://www.rfc-editor.org/rfc/rfc1812#section-5.3.7 "router SHOULD NOT forward, except over a loopback interface, any packet that has a source address on network 127" (this would apply to the response traffic in your case). I seem to recall that there are other RFCs that mention this restriction or are even more specific about it; it's a matter of taking some more time to search, but the point is that it's a very bad practice to work around it even if in Linux you should be able to do so with the aforementioned options, e.g. you may open other holes later without realising.

Are you *really* sure you can't have your service binding on the loc interface IP instead? It would greatly simplify your life, would just be a matter of creating an ACCEPT rule from loc to the $FW zone on the respective port, and wouldn't make it prone to strange bad stuff happening in the future or just stopping working after some update.

On Sat, 1 Apr 2023, 23:49 Justin Pryzby, <pry...@telsasoft.com> wrote:
> On Sat, Apr 01, 2023 at 11:00:17PM +0200, Olivier Sannier wrote:
> > On 01/04/2023 at 18:45, Justin Pryzby wrote:
> > > On Sat, Apr 01, 2023 at 06:10:50PM +0200, Olivier Sannier wrote:
> > > > Hello,
> > > >
> > > > I am using Shorewall 5.2.8 on a server that has three interfaces, one
> > > > internal, one DMZ and one connected to the Internet.
> > > > On that server, there is a service that binds itself only on localhost and
> > > > that cannot be configured otherwise.
> > > > As I would like to access it from the "loc" zone, I have tried writing this
> > > > REDIRECT rule:
> > > > REDIRECT loc lo:1883 tcp 1883 - &loc
> > > For redirect, you shouldn't specify an interface nor a zone.
> >
> > Ah thanks, I missed that, so now, my rule looks like this:
> > REDIRECT loc 1883 tcp 1883 - &enp4s0
> >
> > Which, to me, means that a connection coming on enp4s0 tcp port 1883 should
> > be forwarded to the service listening locally on port 1883
> > I checked with netstat and there is something listening on that port:
> > tcp 0 0 127.0.0.1:1883 0.0.0.0:* LISTEN -
> >
> > Bound on 127.0.0.1 as I indicated in my original email
> >
> > However, when I connect from the loc zone to the address of enp4s0
> > (10.10.10.254 for that matter) on port 1883, I get a "connection error"
> > message from telnet.
> > Using Wireshark on the client computer, I see the SYN packet going out and a
> > few RST, ACK replies.
>
> You should run wireshark/tcpdump on the shorewall device, and specify
> "-i lo" to see what's happening on that interface.
>
> It'd be useful to log the request, like REDIRECT:INFO:mqtt
> That'll at least indicate whether the rule is being hit.
>
> > Now, as this is kind of a cross zone forward, I tried with a DNAT- rule
> > written like this:
> > DNAT- loc :127.0.0.1:1883 tcp 1883 - &enp4s0
>
> Why DNAT- and not DNAT ?
>
> It's not the cause of your immediate problem, but I don't know why you
> wouldn't want an ACCEPT rule in the filter chain, which is elided when
> you specify "-".
>
> > And while the rule is accepted, when I connect from the loc zone, I see
> > those error messages in the system journal:
> > IPv4: martian destination 127.0.0.1 from 10.10.10.140, dev enp4s0
>
> I think the first test would be to disable routefilter on that
> interface. And maybe instead use rpfilter/sfilter.
>
> https://shorewall.org/MultiISP.html#Martians
> https://shorewall.org/manpages/shorewall-interfaces.html
>
> > If I use a simple DNAT rule, then I have to specify the zone, which I want
> > to be "lo" but that leads back to the original " Rules may not override a
> > NONE policy" error.
>
> You can use DNAT (for which I think REDIRECT is just shorthand) but
> specify $FW.
>
> Also (I don't think I've ever done this, and I have no reason to believe
> it's what you want) but you can create a loopback zone.
> https://shorewall.org/manpages/shorewall-zones.html
>
> --
> Justin
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
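An added audit helper for the route_localnet discussion above; this is example code written for this page, not part of the thread or of the Shorewall project. It assumes the standard Linux sysctl layout under /proc/sys (the SYSCTL_ROOT override and the function names are assumptions so the script can be pointed at a test tree), and it checks two things a defender wants after such a change: which interfaces have route_localnet=1, each of which is an exception to the RFC 1812 section 5.3.7 behaviour the reply quotes, and how many "martian destination 127.x" kernel messages a log file contains, which is the symptom reported in the thread when a DNAT targets 127.0.0.1 on an interface that still has route_localnet=0.

```shell
#!/bin/sh
# Audit helper for DNAT-to-loopback setups (added example, not from the thread).
# Assumes the usual /proc/sys layout; SYSCTL_ROOT is an assumed override used for testing.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print, one per line, each interface whose route_localnet flag is 1.
# Every hit means that interface will route traffic to/from 127.0.0.0/8,
# which RFC 1812 section 5.3.7 says a router SHOULD NOT do: review each one
# as a deliberate exception, and expect only the interface that fronts the
# service (not "all" or "default") to be listed.
route_localnet_enabled() {
    root="${1:-$SYSCTL_ROOT}"
    for f in "$root"/net/ipv4/conf/*/route_localnet; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then
            iface=$(basename "$(dirname "$f")")
            printf '%s\n' "$iface"
        fi
    done
}

# Count kernel "martian destination 127.x" messages in a log file.
# A non-zero count after the sysctl change means the DNAT still lands on an
# interface with route_localnet=0 (for example the wrong interface was enabled).
# grep -c prints 0 but exits 1 when nothing matches, so force a zero exit.
martian_loopback_hits() {
    grep -c 'martian destination 127\.' "$1" || true
}
```

Usage on a live firewall would be `route_localnet_enabled` with no argument (reads /proc/sys) and `martian_loopback_hits /var/log/kern.log`, or `journalctl -k | martian_loopback_hits /dev/stdin`; the test below instead builds a constructed sysctl tree and constructed log lines so it runs offline.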