Port Forward doesn't work properly

v7
firewall

(Aleksandr) #1

NethServer release 7.4.1708 (Final)
Hi all!
I have a problem with the firewall and port forwarding.
The green zone has several IPs (192.168.255.1, 192.168.5.1, 192.168.0.1).
There are a few different subnets behind 192.168.255.2 (I have routes such as 192.168.11.0/24 via 192.168.255.2, and so on).

I have rules for port forwarding:
DNAT tcp – anywhere myserver.local tcp dpt:30000 to:192.168.0.8:1000
This rule works fine.

And there is another rule:
DNAT tcp – anywhere myserver.local tcp dpt:31000 to:192.168.11.254:1000
This rule doesn’t work.

My investigation leads me to the following:
When I create a port forward for the 0.1 subnet, NethServer creates two rules in iptables.
First is DNAT.
Second is in chain net2loc
Example:
ACCEPT tcp – anywhere 192.168.0.8 ctorigdst myserver.local tcp dpt:1000 ctorigdstport 30000

And when I create a port forward for the 11.0 subnet:
First is DNAT.
And the second is in chain net2net.

So when I tried to connect to 11.254, Shorewall writes:
Feb 5 12:33:09 myserver kernel: Shorewall:net2loc:DROP:IN=ens224 OUT=ens161 MAC=00:50:56:ad:79:07:00:0a:42:d6:6a:00:08:00 SRC=110.170.65.83 DST=192.168.11.254 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=49598 DF PROTO=TCP SPT=34282 DPT=1000 WINDOW=65535 RES=0x00 SYN URGP=0

So NethServer goes to chain net2loc > doesn't find the second rule (which is in a different chain) > and drops the packet.
Now I have added the rules to chain net2loc manually, but this is not right.
How to resolve this problem?

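The investigation in the post above can be turned into a repeatable check. The script below is an added example, not code from the post and not part of NethServer or Shorewall: it parses the kernel log line format Shorewall writes (`Shorewall:<chain>:<verdict>:IN=... OUT=...`), derives the zone-pair chain the packet actually traverses from its in/out interfaces, and reports when the ACCEPT rule that matches the dropped packet's destination and port was generated in a different chain. The interface-to-zone map (ens224 = net, ens161 = loc) and the two ACCEPT rules are assumptions reconstructed from the post; the sample log line is the one quoted in the post.

```python
"""Diagnose a Shorewall DROP whose matching ACCEPT rule lives in another zone chain.

Added example, not part of the forum post or of NethServer/Shorewall.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# "Shorewall:net2loc:DROP:IN=ens224 OUT=ens161 ..." -> chain, verdict, key=value tail
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[^:]+):(?P<rest>.*)")


@dataclass
class LogEntry:
    chain: str                                   # zone-pair chain the packet was evaluated in
    verdict: str                                 # DROP, REJECT, ACCEPT, ...
    fields: dict = field(default_factory=dict)   # IN, OUT, SRC, DST, PROTO, DPT, ...


def parse_shorewall_log(line: str) -> Optional[LogEntry]:
    """Parse one kernel log line written by Shorewall; None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("rest").split():
        # Flags such as DF or SYN carry no '='; MAC= contains colons, so split only once.
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return LogEntry(m.group("chain"), m.group("verdict"), fields)


def zone_pair_chain(entry: LogEntry, iface_zone: dict) -> str:
    """Name of the Shorewall chain this packet must traverse, from its in/out interfaces."""
    src_zone = iface_zone.get(entry.fields.get("IN", ""), "?")
    dst_zone = iface_zone.get(entry.fields.get("OUT", ""), "?")
    return f"{src_zone}2{dst_zone}"


@dataclass
class AcceptRule:
    chain: str   # chain the generated ACCEPT rule was placed in
    dst: str     # post-DNAT destination address
    dport: int   # post-DNAT destination port


def find_misplaced_rule(entry: LogEntry, rules: list) -> Optional[AcceptRule]:
    """Return an ACCEPT rule matching the dropped packet's DST/DPT that sits in another chain."""
    dst = entry.fields.get("DST")
    dport = int(entry.fields.get("DPT", "0"))
    for rule in rules:
        if rule.dst == dst and rule.dport == dport and rule.chain != entry.chain:
            return rule
    return None


# Log line copied from the forum post. The interface-to-zone map and the rule list are
# assumptions reconstructed from the post (ens224 = red/net, ens161 = green/loc).
SAMPLE_LOG = ("Feb 5 12:33:09 myserver kernel: Shorewall:net2loc:DROP:IN=ens224 OUT=ens161 "
              "MAC=00:50:56:ad:79:07:00:0a:42:d6:6a:00:08:00 SRC=110.170.65.83 DST=192.168.11.254 "
              "LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=49598 DF PROTO=TCP SPT=34282 DPT=1000 "
              "WINDOW=65535 RES=0x00 SYN URGP=0")
IFACE_ZONE = {"ens224": "net", "ens161": "loc"}
GENERATED_RULES = [
    AcceptRule("net2loc", "192.168.0.8", 1000),     # works: same chain the packet is evaluated in
    AcceptRule("net2net", "192.168.11.254", 1000),  # broken: packet is evaluated in net2loc
]


def diagnose(line: str, rules: list, iface_zone: dict) -> dict:
    """Summarise a logged DROP in terms of the chain hit versus the chain holding the rule."""
    entry = parse_shorewall_log(line)
    if entry is None:
        return {"parsed": False}
    misplaced = find_misplaced_rule(entry, rules)
    return {
        "parsed": True,
        "verdict": entry.verdict,
        "logged_chain": entry.chain,
        "expected_chain": zone_pair_chain(entry, iface_zone),
        "misplaced_rule_chain": misplaced.chain if misplaced else None,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, GENERATED_RULES, IFACE_ZONE))
```

For the quoted log line the result reports `logged_chain` and `expected_chain` both as `net2loc` while the only matching ACCEPT rule is in `net2net`, which is the mismatch the post describes; feeding it the post's first (working) forward instead would yield no misplaced rule. Adapt `IFACE_ZONE` to the real interface names of the box before reading anything into the output.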

(Michael Träumner) #2

@davidep Is it a bug?