Rob Hicks wrote:
> The test lab firewall has two NICs. One (eth0) has two ip addresses,
> eth0 10.161.101.40 and eth0:0 10.161.10.49. The other one, eth1 is
> on a private network, 10.20.30.0.
> I want to use DNAT to allow test engineers to ssh into the machines in
> the web farm. [...]
> ACCEPT net $FW tcp 22
> DNAT net dmz:10.20.30.21:22 tcp
> My problem is with the DNAT entry. If I enable it, when someone uses ssh
> to log into the firewall (the first rule), somehow the request is
> forwarded to the dmz:10.20.30.21 machine. If I comment out the DNAT
> rule, logging into the firewall using ssh works.
The firewall has two external ip addresses, so if you don't want to use
non-standard ssh ports you can only address two ssh servers: One on each ip
address. In neither of the two ssh rules above is the column "ORIGINAL DEST"
specified, so they will both handle ssh connections to both your external
addresses. Shorewall honors the last rule by default.
You can choose one of these two solutions instead:
1) Let your users use the firewall machine as a "jump host".
2) DNAT non-standard ports for ssh connections to the dmz machines like this:
DNAT net loc:10.20.30.21:22 tcp 30021
DNAT net loc:10.20.30.22:22 tcp 30022
... and so on.
Each solution has its pros and cons, so you will have to decide for yourself
what to do.
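For reference, here is a worked rules fragment that uses the "ORIGINAL DEST" column mentioned above, plus the non-standard-port variant from solution 2. This is an added example, not a rules file from either poster; it assumes the zone names `net` and `dmz` and the addresses from Rob's message (10.161.101.40 and 10.161.10.49 on the firewall, 10.20.30.21 and 10.20.30.22 in the web farm), and it uses the classic Shorewall `rules` column layout (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), ORIGINAL DEST).

```text
#ACTION   SOURCE   DEST                 PROTO   DEST      SOURCE    ORIGINAL
#                                               PORT(S)   PORT(S)   DEST
#
# ssh to the firewall itself: packets sent to 10.161.101.40 are never
# rewritten by the DNAT rule below, so they reach the firewall's INPUT chain.
ACCEPT    net      $FW                  tcp     22
#
# Only connections that were originally addressed to the second external
# address (10.161.10.49) are forwarded to the web-farm host. Because the
# ORIGINAL DEST column is filled in, this rule no longer captures ssh
# traffic aimed at 10.161.101.40, whichever rule is consulted first.
DNAT      net      dmz:10.20.30.21:22   tcp     22        -         10.161.10.49
#
# Solution 2 from the reply, with the dmz zone: one non-standard external
# port per web-farm host, each rewritten to port 22 on the target machine.
DNAT      net      dmz:10.20.30.21:22   tcp     30021
DNAT      net      dmz:10.20.30.22:22   tcp     30022
```

With the first two rules alone, users reach the firewall with `ssh 10.161.101.40` and the first web-farm host with `ssh 10.161.10.49`; the port-based rules add `ssh -p 30021 10.161.101.40` and `ssh -p 30022 10.161.101.40` for further hosts without needing more external addresses. Whichever variant is used, `shorewall check` before `shorewall restart` catches column mistakes, and the `dmz` zone's policy toward `net` still needs to allow the reply traffic (the DNAT rules generate their own ACCEPT entries for the forwarded connections).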