Hi,

Sorry, not an experienced Shorewall user, this is my first basic setup. This starts to drive me crazy.

I wanted to use DNAT to forward port 33890 to an internal machine (Windows) port 3389, to reach my workstation when I'm not home.

In my rules:

DNAT:debug   net   loc:192.168.0.11:3389   tcp   33890   -   pub.lic.ip.add

#SECTION BLACKLIST
#well known port scans
DROP   net   all   tcp   21,22,23,25,80,81,110,143,210,443,512,1000,1080,1433,1434,222,3128,3306,3389,4899,5021,5900,8000,8010,8080,8081,8088,8089,809
DROP   net   all   udp   3389
DROP   net   all   udp   5060

Zones:

fw    firewall
net   ipv4
loc   ipv4

Policy:

net    all    DROP     info
$FW    all    ACCEPT
loc    $FW    ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all    all    REJECT   info

shorewall.conf:

IP_FORWARDING=Keep

and the kernel also knows:

root@mordor:~# cat /proc/sys/net/ipv4/ip_forward
1

The message in syslog:

Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:0c:29:2d:ca:d6:11:23:06:17:f8:40:48:00 SRC=myfriendsip DST=mypubip LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=27043 DF PROTO=TCP SPT=33484 DPT=33890 WINDOW=8192 RES=0x00 SYN URGP=0

Could anyone point me in the right direction / help a bit to make it work? Or am I missing something?

Thank you in advance,
Gabor

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Gábor Majoros wrote:
> Could anyone point me in the right direction / help a bit to make it work?
> Or am I missing something?
>
> Thank you in advance,

Have you followed the DNAT troubleshooting procedure outlined in Shorewall FAQs 1a and 1b?

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Hi Tom,

Apologies for bothering... Previously very few FAQs were working for me (no offense to anyone), thus I tried the list. Your FAQ is excellent. In this case masq did the trick, as the SW box is not my dgw.

Have a pleasant day.

Regards,

On 5 September 2012 17:58, Tom Eastep <teastep@shorewall.net> wrote:
> Have you followed the DNAT troubleshooting procedure outlined in
> Shorewall FAQs 1a and 1b?
>
> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
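The fix Gábor reports, written out as an added example (this is not code from the thread or from the Shorewall project): the DNAT rule from his rules file together with the masq entry that covers the case where the Shorewall box is not the internal host's default gateway, the equivalent raw iptables rules for comparing against what the box actually loaded, and a small check that says whether the masq line is needed. The interface names eth0/eth1, the firewall's LAN address 192.168.0.1, the public address 203.0.113.10 and the function names are assumptions; only 192.168.0.11:3389 and port 33890 come from the thread. The masq file format is the one used by Shorewall 4 (the version current in 2012).

```shell
#!/bin/sh
# Added example (not from the thread or from the Shorewall project): the DNAT
# port-forward from the thread plus the masq entry that makes it work when the
# Shorewall box is NOT the internal host's default gateway. Everything below
# except 192.168.0.11:3389 and port 33890 is an assumption.

WAN_IF=eth0              # assumed internet-facing interface (matches IN=eth0 in the log)
LAN_IF=eth1              # assumed LAN interface
FW_LAN_IP=192.168.0.1    # assumed LAN address of the Shorewall box
PUBLIC_IP=203.0.113.10   # assumed public address (the thread redacts it as pub.lic.ip.add)
TARGET=192.168.0.11      # the Windows workstation, from the thread
EXT_PORT=33890           # port exposed on the public address, from the thread
INT_PORT=3389            # RDP port on the workstation, from the thread

# Shorewall 4 config fragment: the original DNAT rule and one masq line.
# Without the masq line the workstation receives the SYN with the real client
# source address; if its default gateway is another router it sends the
# SYN/ACK there instead of back through the firewall, so the handshake never
# completes even though the DNAT rule's counters (and the :debug log) show hits.
# The masq line SNATs only traffic leaving LAN_IF towards TARGET:INT_PORT to
# FW_LAN_IP, so the reply returns to the firewall and conntrack un-NATs it.
shorewall_fragment() {
    cat <<EOF
# /etc/shorewall/rules   (ACTION  SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST)
DNAT    net    loc:${TARGET}:${INT_PORT}    tcp    ${EXT_PORT}    -    ${PUBLIC_IP}

# /etc/shorewall/masq    (INTERFACE  SOURCE  ADDRESS  PROTO  DPORT)
${LAN_IF}:${TARGET}    0.0.0.0/0    ${FW_LAN_IP}    tcp    ${INT_PORT}
EOF
}

# The same thing expressed as raw iptables rules, for comparing against
# "shorewall show nat" / "iptables -t nat -L -n -v" output on the box.
iptables_equivalent() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${WAN_IF} -d ${PUBLIC_IP} -p tcp --dport ${EXT_PORT} -j DNAT --to-destination ${TARGET}:${INT_PORT}
iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${TARGET} -p tcp --dport ${INT_PORT} -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o ${LAN_IF} -d ${TARGET} -p tcp --dport ${INT_PORT} -j SNAT --to-source ${FW_LAN_IP}
EOF
}

# Decide whether the masq/SNAT line is needed: it is whenever the internal
# host's default gateway is not the firewall's LAN address.
# Arguments: the gateway the internal host actually uses, the firewall's LAN address.
# Prints a verdict starting with "yes" or "no"; exit status 0 means "yes, needed".
needs_hairpin_snat() {
    host_gw=$1
    fw_ip=$2
    if [ "$host_gw" = "$fw_ip" ]; then
        echo "no: ${host_gw} is the firewall, plain DNAT is enough"
        return 1
    fi
    echo "yes: host replies via ${host_gw}, add the masq entry or change the host's gateway"
    return 0
}

# Checks to run on the firewall itself (need root; not exercised by the test):
# 1. cat /proc/sys/net/ipv4/ip_forward           -> must print 1
# 2. shorewall show nat                           -> DNAT rule packet counter climbs per attempt
# 3. tcpdump -ni ${LAN_IF} tcp port ${INT_PORT}   -> the SYN to TARGET must be followed by a
#    SYN/ACK back on LAN_IF; if the SYN goes out and nothing returns, the reply is leaving
#    via another gateway and needs_hairpin_snat applies.

case "${1:-}" in
    shorewall) shorewall_fragment ;;
    iptables)  iptables_equivalent ;;
    check)     needs_hairpin_snat "${2:?usage: $0 check <workstation-default-gateway>}" "$FW_LAN_IP" ;;
esac
```

Run it as `sh forward-rdp.sh shorewall` to print the two config lines, `sh forward-rdp.sh iptables` to get the rules to compare against `shorewall show nat`, and `sh forward-rdp.sh check 192.168.0.254` (with the workstation's real default gateway) to see whether the masq line is required. The masq entry is the quick fix; the cleaner one is to make the firewall the workstation's default gateway, after which the DNAT rule alone is enough and the RDP server sees the real client address instead of the firewall's, which matters when you later go looking through its logs for who connected.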