[Firewall] Other NAT rules fail when source specific rule is added

Alex Aune lists at aewne.net
Thu Feb 6 12:57:02 CET 2014

On 20.09.2013 14:03, Alex Aune wrote:
> Hi everyone,
> I had some downtime at work the other day so decided to try and work
> around the firewall here to give myself shell access at home using
> port 443. I already have a webserver running on 443 so I had a go with
> setting up a source specific NAT rule.
> Now, as soon as I added> (to
> NAT_FORWARD_TCP) my more general rule of 80,443> no longer
> works. If I run "telnet aewne.net 443" I am greeted by the OpenSSH
> server, even when traffic is not originating from the same IP
> address/subnet in the rule.
> However, if I add a source/subnet declaration (0/0~80,443>
> it works like it should.
> Is this a known issue?
> I'm using 2.0.1d (-r2 version of the Gentoo ebuild) with coreutils 
> 8.21.
> Regards,
> Alex

Ok, I've had some time to play a bit more with this...

Firstly, it seems that I forgot to mention a few things in my setup.
One is that I'm using the NAT loopback plugin to hairpin requests to my 
external DNS name originating from the LAN. While I'm on the subject, 
hairpinning is kind of lazy. Are there any other ways to solve this?
Second is that it's only if I'm trying to connect to my internal web 
server using my external DNS name (aewne.net) that I'm greeted by the 
SSH server. So external requests to port 443 are working correctly, and 
so is traffic from the specific source I set up in the config. However, 
it does not work from LAN -> gateway -> host on LAN.

I also found out that this:
> However, if I add a source/subnet declaration (0/0~80,443>
is bogus. Adding 0/0 didn't seem to help much after all.

Looking at the output of iptables -nvL -t nat it is apparent that the 
source specific rule is way up above the more general rule, meaning, at 
least in theory, that the specific rule should only trigger on incoming 
traffic from that address.

So, I'm having a hard time tracking down the culprit here. Anyone got 
any ideas?
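A check of the rule ordering discussed above, as an added example that is not part of the thread or of the firewall package: it parses `iptables -nvL -t nat` output, evaluates rules first-match as the kernel does, and flags any DNAT rule that an earlier, broader rule would shadow. The sample output is constructed with documentation-range addresses, not the poster's real hosts.

```python
import ipaddress
import re
# Constructed sample of `iptables -nvL -t nat` output (documentation-range addresses):
# a source-specific DNAT rule sits above the general 80,443 rule, as in the post.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  eth0   *       203.0.113.0/24       0.0.0.0/0            tcp dpt:443 to:192.168.1.10:22
  340 20400 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 to:192.168.1.20
"""
# Columns: pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
PORTS_RE = re.compile(r"dpts?:(\S+)|dports\s+(\S+)")  # 'dpt:443', 'dpts:1:9', 'dports 80,443'

def parse_nat_rules(text):
    """Return the DNAT rules of each chain in table order (the order the kernel evaluates)."""
    chains, chain = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            chains[chain] = []
            continue
        m = RULE_RE.match(line)
        if not m or m.group(3) != "DNAT":
            continue  # column header or non-DNAT target
        ports = set()
        pm = PORTS_RE.search(m.group(9))
        if pm:
            for spec in (pm.group(1) or pm.group(2)).split(","):
                lo, _, hi = spec.partition(":")
                ports.update(range(int(lo), int(hi or lo) + 1))
        chains[chain].append({
            "source": ipaddress.ip_network(m.group(7)),
            "ports": ports,
            "target": m.group(9).split("to:")[-1],
        })
    return chains

def first_match(rules, src, dport):
    """Target of the first rule a packet from src to dport hits; first match wins in the nat table."""
    for r in rules:
        if ipaddress.ip_address(src) in r["source"] and dport in r["ports"]:
            return r["target"]
    return None

def shadowed_rules(rules):
    """Indices of rules that an earlier rule with a broader source and port set always pre-empts."""
    return [j for j, later in enumerate(rules)
            if any(later["source"].subnet_of(e["source"]) and later["ports"] <= e["ports"]
                   for e in rules[:j])]
```

When run against live output, the pkts column also shows which rule actually fired for a test connection, which narrows the search faster than reading the rules alone.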
