Hi,
I have a huge problem ;] I have redirected port 69 from the NET (internet) IP 212.122.68.129 to the local network (masq) host 192.168.0.3, so that all queries from the internet go to a local network PC.

ACCEPT net masq tcp 69 -
DNAT net masq:192.168.0.3 tcp 69 -

Everything works fine from the internet, but now I cannot access this port from other local PCs. I have to access it locally; when I try to access it through the outgoing IP address, I fail.

Example:
my PC: 192.168.0.5 (workstation)
the PC on which port 69 works: 192.168.0.3 (workstation)
outgoing IP address: 212.122.68.129 (server)

from 212.122.68.129:69 > 192.168.0.3:69 WORKS
from 192.168.0.5 > 192.168.0.3 WORKS
from 192.168.0.5 through 212.122.68.129 > 192.168.0.3:69 DOESN'T WORK

Please help me, I really need this to work.
Hoping to hear from you soon,
Sarunas Uktveris
On Sat, 2004-11-27 at 20:56 +0000, kab@lan.icn.lt wrote:
> Hi,
> I have a huge problem ;] I have redirected port 69 from the NET (internet) IP
> 212.122.68.129 to the local network (masq) host 192.168.0.3, so that all queries
> from the internet go to a local network PC.
>
> ACCEPT net masq tcp 69 -

The above rule does absolutely nothing (see FAQ #30). Get rid of it.

> DNAT net masq:192.168.0.3 tcp 69 -
>
> Everything works fine from the internet, but now I cannot access this port
> from other local PCs. I have to access it locally; when I try to access it
> through the outgoing IP address, I fail.
> Example: my PC: 192.168.0.5 (workstation)
> the PC on which port 69 works: 192.168.0.3 (workstation)
> outgoing IP address: 212.122.68.129 (server)
>
> from 212.122.68.129:69 > 192.168.0.3:69 WORKS
> from 192.168.0.5 > 192.168.0.3 WORKS
> from 192.168.0.5 through 212.122.68.129 > 192.168.0.3:69 DOESN'T WORK

The solution to this problem is described in detail in Shorewall FAQ #2 (just substitute port 69 for port 80).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sat, 2004-11-27 at 13:05 -0800, Tom Eastep wrote:
> On Sat, 2004-11-27 at 20:56 +0000, kab@lan.icn.lt wrote:
> > Hi,
> > I have a huge problem ;] I have redirected port 69 from the NET (internet) IP
> > 212.122.68.129 to the local network (masq) host 192.168.0.3, so that all queries
> > from the internet go to a local network PC.
> >
> > ACCEPT net masq tcp 69 -
>
> The above rule does absolutely nothing (see FAQ #30). Get rid of it.

I should rather say that the rule does nothing good. It allows clever people on the same (logical) segment as your external interface to access your server using the server's internal IP address.

-Tom
On 1/1/1970, "Tom Eastep" <teastep@shorewall.net> wrote:
>On Sat, 2004-11-27 at 20:56 +0000, kab@lan.icn.lt wrote:
>> Hi,
>> I have a huge problem ;] I have redirected port 69 from the NET (internet) IP
>> 212.122.68.129 to the local network (masq) host 192.168.0.3, so that all queries
>> from the internet go to a local network PC.
>>
>> ACCEPT net masq tcp 69 -
>
>The above rule does absolutely nothing (see FAQ #30). Get rid of it.
>
>> DNAT net masq:192.168.0.3 tcp 69 -
>>
>> Everything works fine from the internet, but now I cannot access this port
>> from other local PCs. I have to access it locally; when I try to access it
>> through the outgoing IP address, I fail.
>> Example: my PC: 192.168.0.5 (workstation)
>> the PC on which port 69 works: 192.168.0.3 (workstation)
>> outgoing IP address: 212.122.68.129 (server)
>>
>> from 212.122.68.129:69 > 192.168.0.3:69 WORKS
>> from 192.168.0.5 > 192.168.0.3 WORKS
>> from 192.168.0.5 through 212.122.68.129 > 192.168.0.3:69 DOESN'T WORK
>
>The solution to this problem is described in detail in Shorewall FAQ #2
>(just substitute port 69 for port 80).
>
------------------###############################-------------------------
Hi again,
I've done everything that was written in FAQ 2, it still doesn't work :((
Could you look at my config, maybe it's my fault.
My config:
----------------------------------------------------------------------------
RULES FILE:

ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,139,2106,53696,44337,4899,113,6667,69,7000,7777,23255,8033,8000,10000,81,3000,55555,6669,6565,6566,7575,7576 -
ACCEPT loc fw udp 53 -
ACCEPT loc fw tcp 80,443,53,22,20,21,25,109,110,143,139,2106,53696,44337,4899,113,6667,69,7000,7777,23255,8033,8000,10000,81,3000,55555,6669,6565,6566,7575,7576 -
#REDIRECT loc 81 tcp www -
ACCEPT fw net tcp www
#Soulseek####################################################################
DNAT net loc:192.168.0.5 tcp 2234,2235,2236,2237,2238,2239 -
#Lineage 2###################################################################
DNAT net loc:192.168.0.3 tcp 69,2106,7777,4899 -
#Routeback 4 my pc###########################################################
DNAT loc loc:192.168.0.5 tcp 69,2106,7777 - 212.122.68.129
#Emule ports#################################################################
DNAT net loc:192.168.0.5 tcp 4662
##
-----------------------------------------------------------------------------
Interfaces:
net eth0 detect
loc eth1 detect routeback,maclist
-----------------------------------------------------------------------------
Masq file:
eth0 192.168.0.0/255.255.255.0 - - -
eth1:192.168.0.5 eth1 192.168.0.1 tcp 69,2106,7777
-----------------------------------------------------------------------------
Zones:
net Net Internet zone
loc Local Local
-----------------------------------------------------------------------------
Policy:
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
-----------------------------------------------------------------------------

I'd be very grateful for your help :)
I really need this. Please help me :|
Sarunas Uktveris
For all local/private net PCs, we cannot access a local server through the server's NATed IP address.

On Sun, 28 Nov 2004 11:34:27 +0000, kab@lan.icn.lt <kab@lan.icn.lt> wrote:
> On 1/1/1970, "Tom Eastep" <teastep@shorewall.net> wrote:
>
> >On Sat, 2004-11-27 at 20:56 +0000, kab@lan.icn.lt wrote:
> >> Hi,
> >> I have a huge problem ;] I have redirected port 69 from the NET (internet) IP
> >> 212.122.68.129 to the local network (masq) host 192.168.0.3, so that all queries
> >> from the internet go to a local network PC.
> >>
> >> ACCEPT net masq tcp 69 -
> >
> >The above rule does absolutely nothing (see FAQ #30). Get rid of it.
> >
> >> DNAT net masq:192.168.0.3 tcp 69 -
> >>
> >> Everything works fine from the internet, but now I cannot access this port
> >> from other local PCs. I have to access it locally; when I try to access it
> >> through the outgoing IP address, I fail.
> >> Example: my PC: 192.168.0.5 (workstation)
> >> the PC on which port 69 works: 192.168.0.3 (workstation)
> >> outgoing IP address: 212.122.68.129 (server)
> >>
> >> from 212.122.68.129:69 > 192.168.0.3:69 WORKS
> >> from 192.168.0.5 > 192.168.0.3 WORKS
> >> from 192.168.0.5 through 212.122.68.129 > 192.168.0.3:69 DOESN'T WORK
> >
> >The solution to this problem is described in detail in Shorewall FAQ #2
> >(just substitute port 69 for port 80).
> >
> ------------------###############################-------------------------
> Hi again,
> I've done everything that was written in FAQ 2, it still doesn't work :((
> Could you look at my config, maybe it's my fault.
> My config:
> ----------------------------------------------------------------------------
> RULES FILE:
>
> ACCEPT net fw udp 53 -
> ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,139,2106,53696,44337,4899,113,6667,69,7000,7777,23255,8033,8000,10000,81,3000,55555,6669,6565,6566,7575,7576 -
> ACCEPT loc fw udp 53 -
> ACCEPT loc fw tcp 80,443,53,22,20,21,25,109,110,143,139,2106,53696,44337,4899,113,6667,69,7000,7777,23255,8033,8000,10000,81,3000,55555,6669,6565,6566,7575,7576 -
> #REDIRECT loc 81 tcp www -
> ACCEPT fw net tcp www
> #Soulseek####################################################################
> DNAT net loc:192.168.0.5 tcp 2234,2235,2236,2237,2238,2239 -
> #Lineage 2###################################################################
> DNAT net loc:192.168.0.3 tcp 69,2106,7777,4899 -
> #Routeback 4 my pc###########################################################
> DNAT loc loc:192.168.0.5 tcp 69,2106,7777 - 212.122.68.129
> #Emule ports#################################################################
> DNAT net loc:192.168.0.5 tcp 4662
> ##
> -----------------------------------------------------------------------------
> Interfaces:
> net eth0 detect
> loc eth1 detect routeback,maclist
> -----------------------------------------------------------------------------
> Masq file:
> eth0 192.168.0.0/255.255.255.0 - - -
> eth1:192.168.0.5 eth1 192.168.0.1 tcp 69,2106,7777
> -----------------------------------------------------------------------------
> Zones:
> net Net Internet zone
> loc Local Local
> -----------------------------------------------------------------------------
> Policy:
> loc net ACCEPT
> fw net ACCEPT
> net all DROP info
> all all REJECT info
> -----------------------------------------------------------------------------
>
> I'd be very grateful for your help :)
> I really need this.
> Please help me :|
>
> Sarunas Uktveris
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
On Sun, 2004-11-28 at 11:34 +0000, kab@lan.icn.lt wrote:
> ------------------###############################-------------------------
> Hi again,
> I've done everything that was written in FAQ 2, it still doesn't work :((
> Could you look at my config, maybe it's my fault. My config:

Please forward the output of "shorewall status" AS AN ATTACHMENT as described at http://shorewall.net/support.htm

Thanks,
-Tom
On Sun, 2004-11-28 at 11:34 +0000, kab@lan.icn.lt wrote:
> On 1/1/1970, "Tom Eastep" <teastep@shorewall.net> wrote:
>
> >On Sat, 2004-11-27 at 20:56 +0000, kab@lan.icn.lt wrote:
> >> Hi,
> >> I have a huge problem ;] I have redirected port 69 from the NET (internet) IP
> >> 212.122.68.129 to the local network (masq) host 192.168.0.3, so that all queries
> >> from the internet go to a local network PC.
> >>
> >> ACCEPT net masq tcp 69 -
> >
> >The above rule does absolutely nothing (see FAQ #30). Get rid of it.
> >
> >> DNAT net masq:192.168.0.3 tcp 69 -
> >>
> >> Everything works fine from the internet, but now I cannot access this port
> >> from other local PCs. I have to access it locally; when I try to access it
> >> through the outgoing IP address, I fail.
> >> Example: my PC: 192.168.0.5 (workstation)
> >> the PC on which port 69 works: 192.168.0.3 (workstation)
> >> outgoing IP address: 212.122.68.129 (server)
> >>
> >> from 212.122.68.129:69 > 192.168.0.3:69 WORKS
> >> from 192.168.0.5 > 192.168.0.3 WORKS
> >> from 192.168.0.5 through 212.122.68.129 > 192.168.0.3:69 DOESN'T WORK
> >
> >The solution to this problem is described in detail in Shorewall FAQ #2
> >(just substitute port 69 for port 80).
> >
> ------------------###############################-------------------------
> Hi again,
> I've done everything that was written in FAQ 2, it still doesn't work :((
> Could you look at my config, maybe it's my fault.
> My config:
> ----------------------------------------------------------------------------
> RULES FILE:
>
> ACCEPT net fw udp 53 -
> ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,139,2106,53696,44337,4899,113,6667,69,7000,7777,23255,8033,8000,10000,81,3000,55555,6669,6565,6566,7575,7576 -
> ACCEPT loc fw udp 53 -
> ACCEPT loc fw tcp 80,443,53,22,20,21,25,109,110,143,139,2106,53696,44337,4899,113,6667,69,7000,7777,23255,8033,8000,10000,81,3000,55555,6669,6565,6566,7575,7576 -
> #REDIRECT loc 81 tcp www -
> ACCEPT fw net tcp www
> #Soulseek####################################################################
> DNAT net loc:192.168.0.5 tcp 2234,2235,2236,2237,2238,2239 -
> #Lineage 2###################################################################
> DNAT net loc:192.168.0.3 tcp 69,2106,7777,4899 -
> #Routeback 4 my pc###########################################################
> DNAT loc loc:192.168.0.5 tcp 69,2106,7777 - 212.122.68.129

In your external rule for port 69 etc., the internal IP address is 192.168.0.3 (which is also the IP address you quoted in your original post), but all of the changes that you made according to FAQ 2 are using IP address 192.168.0.5 for the server!! Which is correct?

-Tom
On 1/1/1970, "Tom Eastep" <teastep@shorewall.net> wrote:
>On Sun, 2004-11-28 at 11:34 +0000, kab@lan.icn.lt wrote:
>
>> ------------------###############################-------------------------
>> Hi again,
>> I've done everything that was written in FAQ 2, it still doesn't work :((
>> Could you look at my config, maybe it's my fault. My config:
>
>Please forward the output of "shorewall status" AS AN ATTACHMENT as
>described at http://shorewall.net/support.htm
>

Shorewall version 2.0.9
------------------------------------------------------

Ip addr show:
--------------------------------------------------
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 1000
    link/ether 00:50:bf:5e:7f:56 brd ff:ff:ff:ff:ff:ff
    inet 212.122.68.129/26 brd 212.122.68.191 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:95:30:36:9c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

Ip route show:
-------------------------------------------------
212.122.68.128/26 dev eth0 proto kernel scope link src 212.122.68.129
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
127.0.0.0/8 dev lo scope link
default via 212.122.68.190 dev eth0 metric 1
---------------------------------------------------------------

thanks :)
On Mon, 2004-11-29 at 13:38 +0000, kab@lan.icn.lt wrote:
>
> thanks :)

The netfilter configuration is correct, again assuming that the correct internal IP address is 192.168.0.5.

-Tom
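The hairpin case that FAQ #2 addresses, as an added illustration that is neither Shorewall code nor part of the thread: a small model of the firewall's NAT decisions when the workstation 192.168.0.5 connects to the public address 212.122.68.129:69, run without the SNAT from the masq line, with it, and with the DNAT target mismatch (192.168.0.5 instead of 192.168.0.3) that Tom spotted. The Packet class and the decision logic are assumptions of the model, not a trace from the poster's machine.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses from the thread: firewall eth0/eth1, the workstation, and the
# host that actually listens on tcp/69.
PUBLIC_IP = "212.122.68.129"
FW_LAN_IP = "192.168.0.1"
CLIENT = "192.168.0.5"
SERVER = "192.168.0.3"

@dataclass(frozen=True)
class Packet:          # constructed, minimal model of the fields that matter here
    src: str
    dst: str
    port: int

def firewall_nat(pkt: Packet, dnat_target: str, snat_to_fw: bool) -> Packet:
    """Model of the firewall's NAT for a LAN packet aimed at the public IP.
    PREROUTING: DNAT public:69 -> dnat_target (the DNAT rule).
    POSTROUTING: with snat_to_fw, the FAQ 2 masq line
    (eth1:<server> eth1 192.168.0.1 tcp 69) rewrites the source to the
    firewall's LAN address so that the server's reply comes back through it."""
    if pkt.dst == PUBLIC_IP and pkt.port == 69:
        pkt = Packet(pkt.src, dnat_target, pkt.port)
        if snat_to_fw:
            pkt = Packet(FW_LAN_IP, pkt.dst, pkt.port)
    return pkt

def reply_seen_by_client(dnat_target: str, snat_to_fw: bool) -> Optional[Packet]:
    """What the workstation receives back for its SYN to PUBLIC_IP:69."""
    req = firewall_nat(Packet(CLIENT, PUBLIC_IP, 69), dnat_target, snat_to_fw)
    if req.dst != SERVER:
        return None  # nothing listens on tcp/69 at that address: no reply at all
    if req.src == FW_LAN_IP:
        # Reply is addressed to the firewall; conntrack reverses SNAT and DNAT,
        # so the client sees a SYN-ACK from the address it connected to.
        return Packet(PUBLIC_IP, CLIENT, 69)
    # No SNAT: the server answers 192.168.0.5 directly on the shared subnet.
    # The firewall never sees that reply, and the client gets a SYN-ACK from
    # 192.168.0.3 for a connection it opened to 212.122.68.129 and discards it.
    return Packet(SERVER, CLIENT, 69)

def hairpin_works(dnat_target: str, snat_to_fw: bool) -> bool:
    reply = reply_seen_by_client(dnat_target, snat_to_fw)
    return reply is not None and reply.src == PUBLIC_IP

if __name__ == "__main__":
    for target, snat in [(SERVER, False), (SERVER, True), (CLIENT, True)]:
        print(f"DNAT -> {target}, SNAT {'on' if snat else 'off'}: "
              f"{'works' if hairpin_works(target, snat) else 'fails'}")
```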