Jonathan Heaney
2005-May-06 16:49 UTC
Port forwarding on Shorewall box behind NAT ADSL router
Hi,

Before I go any further, I'm no networking expert, and the sheer volume of documentation on the Shorewall website makes my brain hurt..

Some time ago I moved from an area with cable internet to an ADSL only area. While on cable, I'd set up an old P3 box running Gentoo as a firewall/gateway/file server, running shorewall (currently v2.2.3) and dnsmasq. I'd configured shorewall's DNAT port forwarding capability so e.g. bittorrent clients running on my workstation box got full access, and it worked really nicely through the cable modem, which I guess was just a 'dumb' ethernet port.

However, since moving to ADSL, I got a BT (telco here in the UK) Voyager 205 ADSL router which also does DNAT as part of the contract. I wasn't wanting to change routing through the Gentoo box as it worked well and took me a while to get set up, so figured I'd just leave it as-is and treat the ADSL router like the cable modem.

I found a good FAQ on the web on how to configure the port forwarding side on the router, and followed it (caveat - I've since installed Windows 2000 dual-boot on the Gentoo/shorewall box, and port forwarding to bittorrent clients running on Win2k works fine, so it looks like I got the ADSL router port forwarding aspect configured correctly).

However, my 'old' setup I used when running cable doesn't work any more, that is, port forwarding doesn't work (the gentoo/shorewall box still performs perfectly well as a dhcp server/gateway for the rest of my network). Bittorrent clients running on my workstation behind the shorewall box never get full access (i.e. remote connections never get established).

The relevant section in my rules file looks like this-

    DNAT    net    loc:192.168.0.3    tcp    6969,7070,6881:6899    #BT
    DNAT    net    loc:192.168.0.3    udp    6969,7070,6881:6899    #BT

I did have some 'ACCEPT' rules as well for the various ports but it seems upon reading the shorewall documentation that using DNAT automatically sets up an ACCEPT rule for the relevant ports, so I have commented those out in the meantime.

Is there any additional configuration in shorewall I need to make to get port forwarding (from a port-forwarded NAT router as it were) to work here? Is it even possible?

The rest of my shorewall config files are pretty much as per the two interface example tarball I got from the site. I can post additional info if required.

It's been about 6 months since I moved to ADSL and this hasn't worked since day 1, so I thought it was about time I asked for some help!

Thanks,

Jonathan
Tom Eastep
2005-May-06 17:02 UTC
Re: Port forwarding on Shorewall box behind NAT ADSL router
Jonathan Heaney wrote:
> The relevant section in my rules file looks like this-
>
> DNAT    net    loc:192.168.0.3    tcp    6969,7070,6881:6899    #BT
> DNAT    net    loc:192.168.0.3    udp    6969,7070,6881:6899    #BT

That should be all you need.

> It's been about 6 months since I moved to ADSL and this hasn't worked
> since day 1, so I thought it was about time I asked for some help!

I would start by following the DNAT diagnostic procedures outlined in FAQs #1a and 1b. If you can't determine the problem then please submit a complete report as described at http://shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Jonathan Heaney
2005-May-06 17:58 UTC
Re: Port forwarding on Shorewall box behind NAT ADSL router
Thanks for the quick response

> I would start by following the DNAT diagnostic procedures outlined in
> FAQs #1a and 1b.

My client boxes are configured OK. Literally, I transported my PC's from one house with cable to another with ADSL and it stopped working without me changing any configuration.

Running shorewall show nat gives output like this-

    pkts bytes target prot opt in  out source     destination
    17   840   DNAT   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    tcp dpts:6881:6899 to:192.168.0.3
    9    765   DNAT   udp  --  *   *   0.0.0.0/0  0.0.0.0/0    udp dpts:6881:6899 to:192.168.0.3

Does this look reasonable?

Unfortunately I don't have access to an external host to try and connect from outside my firewall.

One thing I have noticed running dmesg | less was a lot of lines like this-

    Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=62.166.58.86 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=28297 DF PROTO=TCP SPT=49920 DPT=6882 WINDOW=8192 RES=0x00 SYN URGP=0

Which looks suspiciously like shorewall is dropping packets destined for port 6882 on my workstation (192.168.0.3), which is currently running the bittornado client.

> If you can't determine the problem then please submit a complete report
> as described at http://shorewall.net/support.htm#Guidelines

I can do that in another mail if still required. I also noticed when I ran part of the test-

    shorewall status > /tmp/status.txt
    RTNETLINK answers: Invalid argument
    Dump terminated

Although the status.txt file was created and looked 'plausible' (not taking into account my ignorance).

Cheers,

Jonathan
John Andersen
2005-May-06 18:00 UTC
Re: Port forwarding on Shorewall box behind NAT ADSL router
On Friday 06 May 2005 08:49 am, Jonathan Heaney wrote:
> However, my 'old' setup I used when running cable doesn't work any more,
> that is, port forwarding doesn't work (the gentoo/shorewall box still
> performs perfectly well as a dhcp server/gateway for the rest of my
> network). Bittorrent clients running on my workstation behind the
> shorewall box never get full access (i.e. remote connections never get
> established).
>
> The relevant section in my rules file looks like this-
>
> DNAT    net    loc:192.168.0.3    tcp    6969,7070,6881:6899    #BT
> DNAT    net    loc:192.168.0.3    udp    6969,7070,6881:6899    #BT
>
> I did have some 'ACCEPT' rules as well for the various ports but it
> seems upon reading the shorewall documentation that using DNAT
> automatically sets up an ACCEPT rule for the relevant ports, so I have
> commented those out in the meantime.

Is there any other service that DOES work? Or is it only bittorrent that fails? If it all fails, is it possible you have rfc1918 blockage on your internet side Nic, (which is likely being given a private ip by the adsl router)?

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
John Andersen
2005-May-06 18:04 UTC
Re: Port forwarding on Shorewall box behind NAT ADSL router
On Friday 06 May 2005 09:58 am, Jonathan Heaney wrote:
> Shorewall:rfc1918:DROP

AH HAH!!! Just as i suspected....

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Tom Eastep
2005-May-06 18:06 UTC
Re: Port forwarding on Shorewall box behind NAT ADSL router
Jonathan Heaney wrote:
> Thanks for the quick response
>
>> I would start by following the DNAT diagnostic procedures outlined in
>> FAQs #1a and 1b.
>
> My client boxes are configured OK. Literally, I transported my PC's
> from one house with cable to another with ADSL and it stopped working
> without me changing any configuration.
>
> Running shorewall show nat gives output like this-
>
> pkts bytes target prot opt in  out source     destination
> 17   840   DNAT   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    tcp dpts:6881:6899 to:192.168.0.3
> 9    765   DNAT   udp  --  *   *   0.0.0.0/0  0.0.0.0/0    udp dpts:6881:6899 to:192.168.0.3
>
> Does this look reasonable?
>
> Unfortunately I don't have access to an external host to try and connect
> from outside my firewall.
>
> One thing I have noticed running dmesg | less was a lot of lines like this-
>
> Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=62.166.58.86 DST=192.168.0.3
> LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=28297 DF PROTO=TCP SPT=49920
> DPT=6882 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Which looks suspiciously like shorewall is dropping packets destined for
> port 6882 on my workstation (192.168.0.3), which is currently running
> the bittornado client.

When you moved your Shorewall box behind the ADSL router, its external IP address was changed to one in the ranges reserved by RFC 1918. You must therefore remove the 'norfc1918' option from the external interface's entry in /etc/shorewall/interfaces.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
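An added example, written for this page and not code from Shorewall or from anyone in the thread, that automates the check Tom, John and Bob make by eye: does the external interface's entry in /etc/shorewall/interfaces carry 'norfc1918' while that interface itself holds an RFC 1918 address, and which logged 'Shorewall:rfc1918:DROP' lines on that interface are the forwarded connections being thrown away. It assumes the Shorewall 2.x interfaces column layout (ZONE INTERFACE BROADCAST OPTIONS) and the kernel log format shown in Jonathan's dmesg output; the interfaces file contents, the external address 192.168.1.2 and the second log line are constructed sample data, not anything posted in the thread. The 'remove_option' helper produces the corrected interfaces line Tom asks for.

```python
import ipaddress
import re

# The three RFC 1918 private ranges. With 'norfc1918' on an interface, Shorewall
# logs and drops traffic on that interface involving these ranges; the thread's log
# line shows the drop matching the DNAT-rewritten destination 192.168.0.3.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_interfaces(text):
    """Map interface name -> set of options.

    Assumes the Shorewall 2.x layout: ZONE INTERFACE BROADCAST OPTIONS, whitespace
    separated, '#' starts a comment, '-' in the OPTIONS column means none.
    """
    ifaces = {}
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if len(cols) < 2:
            continue
        opts = set()
        if len(cols) >= 4 and cols[3] != "-":
            opts = set(cols[3].split(","))
        ifaces[cols[1]] = opts
    return ifaces


def remove_option(text, iface, option):
    """Return the interfaces file with `option` removed from `iface`'s OPTIONS column."""
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        cols = code.split()
        if len(cols) >= 4 and cols[1] == iface:
            opts = [o for o in cols[3].split(",") if o != option]
            cols[3] = ",".join(opts) if opts else "-"
            raw = "\t".join(cols) + (("\t" + sep + comment) if sep else "")
        out.append(raw)
    return "\n".join(out) + "\n"


# Shorewall 2.x kernel log prefix: Shorewall:<chain>:<disposition>:<netfilter fields>
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")


def parse_log_line(line):
    """Parse one Shorewall kernel log line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for tok in m.group("rest").split():
        if "=" in tok:                      # bare flags such as DF / SYN carry no '='
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec


def diagnose(ext_iface, ext_addr, interfaces_text, log_lines):
    """Report the norfc1918-behind-NAT conflict and the drops it produced."""
    opts = parse_interfaces(interfaces_text).get(ext_iface, set())
    conflict = "norfc1918" in opts and is_rfc1918(ext_addr)
    dropped = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["chain"] != "rfc1918" or rec["disposition"] != "DROP":
            continue
        if rec.get("IN") == ext_iface:
            dropped.append((rec.get("SRC"), rec.get("DST"), rec.get("DPT")))
    return {"norfc1918_on_private_external": conflict, "rfc1918_drops_on_external": dropped}


# Constructed sample input (not the poster's real files): an interfaces file in the
# style of the two-interface sample, and two log lines, the first copied from the thread.
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,norfc1918,routefilter,tcpflags
loc     eth1        detect      dhcp
"""
SAMPLE_EXT_ADDR = "192.168.1.2"   # assumed address handed out by the ADSL router
SAMPLE_LOG = [
    "Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=62.166.58.86 DST=192.168.0.3 LEN=44 "
    "TOS=0x00 PREC=0x00 TTL=48 ID=28297 DF PROTO=TCP SPT=49920 DPT=6882 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.2 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    print(diagnose("eth0", SAMPLE_EXT_ADDR, SAMPLE_INTERFACES, SAMPLE_LOG))
    print(remove_option(SAMPLE_INTERFACES, "eth0", "norfc1918"))
```

On the sample data the diagnosis flags the conflict and lists exactly one drop, the 62.166.58.86 -> 192.168.0.3:6882 SYN from the thread; the net2all drop is an ordinary unsolicited inbound packet and is ignored. After remove_option the eth0 line reads 'dhcp,routefilter,tcpflags' and the conflict clears, while keeping the other options intact.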
Robert K Coffman Jr - Info From Data Corporation
2005-May-06 18:06 UTC
RE: Port forwarding on Shorewall box behind NAT ADSL router
> Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=62.166.58.86 DST=192.168.0.3
> LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=28297 DF

Your ADSL router is using RFC1918 addresses to talk to your router and you have NORFC1918 specified in your interfaces file on your "external" interface.

- Bob Coffman
Cristian Rodriguez
2005-May-06 18:10 UTC
Re: Port forwarding on Shorewall box behind NAT ADSL router
2005/5/6, Jonathan Heaney <jonathan.heaney@btinternet.com>:
> Thanks for the quick response
>
>> I would start by following the DNAT diagnostic procedures outlined in
>> FAQs #1a and 1b.
>
> My client boxes are configured OK. Literally, I transported my PC's
> from one house with cable to another with ADSL and it stopped working
> without me changing any configuration.
>
> Running shorewall show nat gives output like this-
>
> pkts bytes target prot opt in  out source     destination
> 17   840   DNAT   tcp  --  *   *   0.0.0.0/0  0.0.0.0/0    tcp dpts:6881:6899 to:192.168.0.3
> 9    765   DNAT   udp  --  *   *   0.0.0.0/0  0.0.0.0/0    udp dpts:6881:6899 to:192.168.0.3
>
> Does this look reasonable?
>
> Unfortunately I don't have access to an external host to try and connect
> from outside my firewall.
>
> One thing I have noticed running dmesg | less was a lot of lines like this-
>
> Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=62.166.58.86 DST=192.168.0.3
> LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=28297 DF PROTO=TCP SPT=49920
> DPT=6882 WINDOW=8192 RES=0x00 SYN URGP=0

you have the norfc1918 option configured.. please post your "interfaces" file

> Which looks suspiciously like shorewall is dropping packets destined for
> port 6882 on my workstation (192.168.0.3), which is currently running
> the bittornado client.
>
>> If you can't determine the problem then please submit a complete report
>> as described at http://shorewall.net/support.htm#Guidelines
>
> I can do that in another mail if still required. I also noticed when I
> ran part of the test-
>
> shorewall status > /tmp/status.txt
> RTNETLINK answers: Invalid argument
> Dump terminated

something is wrong here

> Although the status.txt file was created and looked 'plausible' (not
> taking into account my ignorance).
Does /var/log/messages give any relevant info when you do BT?

On 05/06/2005 11:49:25 AM, Jonathan Heaney wrote:
> Hi,
>
> Before I go any further, I'm no networking expert, and the sheer volume
> of documentation on the Shorewall website makes my brain hurt..
>
> Some time ago I moved from an area with cable internet to an ADSL only
> area. While on cable, I'd set up an old P3 box running Gentoo as a
> firewall/gateway/file server, running shorewall (currently v2.2.3) and
> dnsmasq. I'd configured shorewall's DNAT port forwarding capability so
> e.g. bittorrent clients running on my workstation box got full access,
> and it worked really nicely through the cable modem, which I guess was
> just a 'dumb' ethernet port.
>
> However, since moving to ADSL, I got a BT (telco here in the UK) Voyager
> 205 ADSL router which also does DNAT as part of the contract. I wasn't
> wanting to change routing through the Gentoo box as it worked well and
> took me a while to get set up, so figured I'd just leave it as-is and
> treat the ADSL router like the cable modem.
>
> I found a good FAQ on the web on how to configure the port forwarding
> side on the router, and followed it (caveat - I've since installed
> Windows 2000 dual-boot on the Gentoo/shorewall box, and port forwarding
> to bittorrent clients running on Win2k works fine, so it looks like I
> got the ADSL router port forwarding aspect configured correctly).
>
> However, my 'old' setup I used when running cable doesn't work any more,
> that is, port forwarding doesn't work (the gentoo/shorewall box still
> performs perfectly well as a dhcp server/gateway for the rest of my
> network). Bittorrent clients running on my workstation behind the
> shorewall box never get full access (i.e. remote connections never get
> established).
>
> The relevant section in my rules file looks like this-
>
> DNAT    net    loc:192.168.0.3    tcp    6969,7070,6881:6899    #BT
> DNAT    net    loc:192.168.0.3    udp    6969,7070,6881:6899    #BT
>
> I did have some 'ACCEPT' rules as well for the various ports but it
> seems upon reading the shorewall documentation that using DNAT
> automatically sets up an ACCEPT rule for the relevant ports, so I have
> commented those out in the meantime.
>
> Is there any additional configuration in shorewall I need to make to get
> port forwarding (from a port-forwarded NAT router as it were) to work
> here? Is it even possible?
>
> The rest of my shorewall config files are pretty much as per the two
> interface example tarball I got from the site. I can post additional
> info if required.
>
> It's been about 6 months since I moved to ADSL and this hasn't worked
> since day 1, so I thought it was about time I asked for some help!
>
> Thanks,
>
> Jonathan