| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Creation of firewall rule with NAT enabled and destination "networks\|all" fails | | |
| Product | IPFire | Reporter | Timmothy Wilson <itsuperhack> |
| Component | --- | Assignee | Stefan Schantl <stefan.schantl> |
| Status | CLOSED FIXED | QA Contact | Michael Tremer <michael.tremer> |
| Severity | Minor Usability | | |
| Priority | Will affect an average number of users | CC | matthias.fischer, michael.tremer, peter.mueller, stefan.schantl |
| Version | 2 | Flags | stefan.schantl: needinfo+ |
| Hardware | all | | |
| OS | All | | |
| See Also | https://bugzilla.ipfire.org/show_bug.cgi?id=12653, https://bugzilla.ipfire.org/show_bug.cgi?id=12654 | | |
| Bug Depends on | | | |
| Bug Blocks | 12278 | | |
Description
Timmothy Wilson
2016-08-24 14:01:09 UTC
This issue can be reproduced with Core Update 114.

That's a difficult one. Please correct me if I am wrong (and I usually am ;-) ). As IPFire has the ability to set its own DNS server, there is a standard rule which allows traffic to port 53 by default. Any rule regarding port 53 would never be checked, as the included rule matches. So I think it is not possible to set a redirect for port 53 in the usual firewall rules. To get the correct behaviour I think it is necessary to set a rule in a PREROUTING chain. These chains are used BEFORE the firewall chains are checked. There is actually no way to set these chains via the web interface. To test it, someone could try a manual iptables rule in the script /etc/sysconfig/firewall.local, something like:

```shell
iptables -t nat -A CUSTOMPREROUTING -p udp --dport 53 -j DNAT --to <dns-server-to-use>:53
```

And why isn't this possible in the GUI? What is your idea to implement this?

MODIFIED means that a patch has been submitted. When the source has been *modified*: https://wiki.ipfire.org/devel/bugzilla/workflow

I don't understand why the GUI isn't currently able to create this rule. What is blocking this?

Hi,

as far as I understand the Wiki, the problem is a GUI/DNAT problem. See the note for solution 1 in https://wiki.ipfire.org/configuration/firewall/dns

Right now I'm testing the following rules in '/etc/sysconfig/firewall.local':

```shell
...
iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to 192.168.100.254:53
iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to 192.168.100.254:53
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to 192.168.101.254:53
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to 192.168.101.254:53
...
```

See the same question in https://forum.ipfire.org/viewtopic.php?t=17058&f=27#p120855

These rules seem to work but I'm not REALLY sure and would like to get some feedback. Is this OK?

Best,
Matthias

Yes, the firewall GUI is the problem here.

This one is still not answered. Michael, please give feedback.

There are default rules in IPFire which are always there and are used BEFORE the firewall GUI rules are applied (FORWARD, INPUT and OUTPUT). The rule for using the internal DNS is fixed into IPFire, isn't it? For this the easiest solution would be a REDIRECT rule.

I've posted a fix to get redirect rules to work in a proper way to the mailing list: https://patchwork.ipfire.org/project/ipfire/patch/20210630184031.7726-1-stefan.schantl@ipfire.org/

Currently the feature still needs some attention; I'll keep this ticket up to date.

The redirect feature has been released some time ago and works fine here. Is this bug still valid or can it be closed safely?

Thanks in advance,
-Stefan
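The manual workaround the thread arrives at (DNAT for port 53 in the nat-table CUSTOMPREROUTING chain, driven from /etc/sysconfig/firewall.local) as an added, runnable example; this is not code from the bug report or from the IPFire project. It assumes the CUSTOMPREROUTING chain exists as used in the comments above, and the interface names green0/blue0 and resolver addresses 192.168.100.254/192.168.101.254 are placeholders taken from Matthias's rules. It goes beyond the posted rules in two ways a practitioner would want: queries already addressed to the resolver are left alone (so a resolver sitting behind the same interface is not DNAT'ed onto itself), and each rule is checked with -C before being appended, so re-running firewall.local does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not IPFire project code): a firewall.local-style helper that
# forces DNS from one zone to one resolver via the nat-table CUSTOMPREROUTING
# chain named in the thread. Interface names and resolver IPs are placeholders.

# Emit the two (udp + tcp) iptables commands for one zone, one per line.
#   $1 = inbound interface, $2 = resolver IP, $3 = iptables action (-A/-C/-D), default -A
# "! -d <resolver>" excludes queries already going to the resolver, which avoids
# a DNAT loop when the resolver itself lives behind that interface.
dns_redirect_rules() {
    iface=$1
    dns=$2
    action=${3:--A}
    for proto in udp tcp; do
        printf 'iptables -t nat %s CUSTOMPREROUTING -i %s -p %s ! -d %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$action" "$iface" "$proto" "$dns" "$dns"
    done
}

# Apply idempotently: firewall.local may be re-run, and a plain -A would stack
# duplicate rules, so each rule is added only if the -C check reports it absent.
apply_dns_redirect() {
    dns_redirect_rules "$1" "$2" -C | while IFS= read -r check; do
        add=$(printf '%s' "$check" | sed 's/ -C / -A /')
        sh -c "$check" 2>/dev/null || sh -c "$add"
    done
}

# Remove what apply_dns_redirect added (for the "stop" branch of firewall.local).
remove_dns_redirect() {
    dns_redirect_rules "$1" "$2" -D | while IFS= read -r del; do
        sh -c "$del" 2>/dev/null || true
    done
}

# Dispatch in the start/stop style firewall.local uses; with no argument the
# script only defines the functions and touches nothing.
case "${1:-}" in
    start) apply_dns_redirect green0 192.168.100.254
           apply_dns_redirect blue0  192.168.101.254 ;;
    stop)  remove_dns_redirect green0 192.168.100.254
           remove_dns_redirect blue0  192.168.101.254 ;;
esac
```

The thread's rules use `--to`, which iptables accepts as an abbreviation of `--to-destination`; the example spells the option out. Because the rules are generated as text first, you can review exactly what will be installed with `dns_redirect_rules green0 192.168.100.254` before running the `start` branch on a live firewall.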