[Shorewall-users] Firewalled vservers not DNATing

[Nolan D. <no...@th...>]

Hello. If there is an answer to this somewhere in the FAQ or  
documentation then do let me know, but I've yet to find it. :)

My home network consists of one physical server running a firewall  
and hosting two vservers (http://www.linux-vserver.org/). I'd like to  
host various services on these servers and treat them like real  
firewalled servers, but while traffic leaves them just fine, it is  
impossible to use DNAT to forward ports to them.

I've followed the two-interface quickstart guide, and I have  
everything working but this. That is, the traffic I want leaving the  
firewall leaves, and the traffic I want blocked is blocked. I'm  
SNATing several desktops and wireless clients behind the firewall  
just fine. Additionally, I can initiate outbound connections from my  
vservers just fine, and they function quite nicely, other than not  
being reachable via any DNAT rules I try patterned off of those in  
the quickstart guide.

I followed the instructions in the FAQ concerning clearing the number  
of DNATed packets and running "shorewall show nat". Sure enough,  
packets are reaching the server, and the FAQ indicates that my  
gateway is set incorrectly on the vserver. I've posted a similar  
query to the vserver list, and here are some excerpts of the reply I  
received:

---



as the guests reside on the firewall, they will not
'forward' packets to the host, instead they will, as
the networking _is_ on the host, simply use the host
routing to send and/or receive packets ...

now, that means two things, one which you seem to have
mastered already, namely SNAT-ing the outgoing traffic
to the public IP, nevertheless I'll mention it here
again so that we know what we are talking about:

basically a rule like this (no idea how to do that
with shorewall) allows your guests to reach the big
world ...

iptables -t nat -I POSTROUTING -s 192.168.0.2 -j SNAT --to 123.45.67.89

you can spice that up with outgoing interface and/or
use a special chain for all guests, or just repeat it
for every guest ...

now for incoming traffic, you have to do a similar
trick to 'map' the public IP (which will be reached
from the outside) to your guests ...

note: this is _not_ required for packets reaching
the machine on the 192.168.0.x network as they will
already use the proper interface and address

something like

iptables -t nat -I PREROUTING -i eth0 -d 123.45.67.89 \
	-p tcp --dport 2222 -j DNAT --to 192.168.0.2:22

should allow you to reach the first guest's sshd
(assumed it doesn't clash with the host's sshd)
from the outside .. of course, the previous SNAT
rule is required to get the replies back ...

---

As the snippet mentions, I seem to have accomplished the first part  
in shorewallese. How would I go about implementing the second rule,  
the one to DNAT the inbound SSH connection if the DNAT rules in the  
documentation aren't up to the task? Or is this something that  
shorewall isn't made to accomplish, as the networking for the  
vservers is all happening on the host system?

I've distilled what I am trying to do down to one simple  
(hopefully :) task. My external interface eth0 in zone net is at  
66.93.216.223. I'd like to forward any SSH connections to  
66.93.216.223 to 192.168.0.3. 0.3 is a vserver running sshd and  
hosting a number of useful shell apps but no servers. The DNAT rule  
examples in the documentation cannot accomplish this because I cannot  
set a gateway in the vserver. Is there any way to accomplish this  
with shorewall?

If not, is there another virtualization solution that would work  
better? I, unfortunately, can't obtain any additional physical  
servers at the moment, but still wish the benefits of multiple,  
separate virtual spaces.

Statistics:

# shorewall version
3.0.4
# ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:c0:9f:0e:5a:25 brd ff:ff:ff:ff:ff:ff
     inet 66.93.216.223/24 brd 66.93.216.255 scope global eth0
     inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
     inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary eth0
     inet6 fe80::2c0:9fff:fe0e:5a25/64 scope link
        valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:c0:9f:0e:5a:24 brd ff:ff:ff:ff:ff:ff
     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
     inet6 fe80::2c0:9fff:fe0e:5a24/64 scope link
        valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
     link/sit 0.0.0.0 brd 0.0.0.0
# ip route
66.93.216.0/24 dev eth0  proto kernel  scope link  src 66.93.216.223
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.3
default via 66.93.216.1 dev eth0

Please let me know if there is any additional information I can  
provide. I've been googling and asking about this for some time now,  
and am not quite sure where to go from here. Thanks a bunch.