On Thursday, 1 July 2004 at 20:52, Tom Eastep wrote:
> Jan Kohnert wrote:
> > I have read the faq2 but still have problems:
> > I have created a dyndns account (jankoh.dyndns.org) and forward www
> > requests from our local router to my computer. This works for external
> > computers but not for internal (faq2).
> > I have setup the following rule:
> > ACCEPT	net	loc:192.168.0.254	tcp	www	-	all
>
> Are you running Shorewall 1.2? The above syntax hasn't been supported
> for a long time.
I just upgraded to shorewall 2.0.2f from backports.org. But still the same
problem: from the outside all works fine, but not from the inside:
shorewall Output:
gateway:~# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Not available
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: ppp0:0.0.0.0/0
   Local Zone: eth1:192.168.0.0/24
Processing /etc/shorewall/init ...
Deleting user chains...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
   Rule "AllowSSH loc fw" added.
   Rule "AllowSSH fw loc" added.
   Rule "AllowPing net fw" added.
   Rule "ACCEPT net fw tcp 4662" added.
   Rule "ACCEPT net fw udp 12112" added.
   Rule "AllowSMB loc fw" added.
   Rule "AllowSMB fw loc" added.
   Rule "AllowDNS loc fw" added.
   Rule "AllowDNS fw net" added.
   Rule "ACCEPT fw loc tcp printer" added.
   Rule "DNAT net loc:192.168.0.254 tcp www" added.
   Rule "DNAT loc:192.168.0.0/24 loc:192.168.0.254:80 tcp www - 217.228.66.253:192.168.0.254" added.
   Rule "DNAT net loc:192.168.0.254 tcp ftp" added.
   Rule "DNAT loc:192.168.0.0/24 loc:192.168.0.254:21 tcp ftp - 217.228.66.253:192.168.0.254" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNonSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNonSyn" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.AllowSSH...
   Rule "ACCEPT - - tcp 22" added.
Processing /usr/share/shorewall/action.AllowPing...
   Rule "ACCEPT - - icmp 8" added.
Processing /usr/share/shorewall/action.AllowSMB...
   Rule "ACCEPT - - udp 135,445" added.
   Rule "ACCEPT - - udp 137:139" added.
   Rule "ACCEPT - - udp 1024: 137" added.
   Rule "ACCEPT - - tcp 135,139,445" added.
Processing /usr/share/shorewall/action.AllowDNS...
   Rule "ACCEPT - - udp 53" added.
   Rule "ACCEPT - - tcp 53" added.
Processing /usr/share/shorewall/action.RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy ACCEPT for fw to loc using chain fw2loc
   Policy REJECT for net to fw using chain net2all
   Policy REJECT for net to loc using chain net2all
   Policy ACCEPT for loc to fw using chain loc2fw
   Policy ACCEPT for loc to net using chain loc2net
   Policy REJECT for loc to loc using chain all2all
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.0.0/24 through ppp0
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Shorewall Restarted
gateway:~#
OK, a little bit wide open, but it will be closed as soon as all works as
expected.
The interfaces:
gateway:~# grep -v "^#" /etc/shorewall/interfaces
net     ppp0            detect          dhcp
loc     eth1            192.168.0.255   dhcp,detectnets,routeback
gateway:~#
And this is what I get from inside:
jankoh@kohni ~ $ nmap -P0 jankoh.dyndns.org
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-03 10:50 CEST
Interesting ports on pD9E442FD.dip.t-dialin.net (217.228.66.253):
(The 1646 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
9/tcp    open     discard
13/tcp   open     daytime
21/tcp   filtered ftp
22/tcp   open     ssh
25/tcp   open     smtp
37/tcp   open     time
80/tcp   filtered http
111/tcp  open     rpcbind
113/tcp  open     auth
139/tcp  open     netbios-ssn
515/tcp  open     printer
901/tcp  open     samba-swat
1024/tcp open     kdm
Nmap run completed -- 1 IP address (1 host up) scanned in 2.191 seconds
jankoh@kohni ~ $
I hope this helps to find my error. Thanks to all!!!
> -Tom
Best regards Jan
-- 
OpenPGP public key available:
http://home.arcor.de/jan.kohnert/gnupg_publickey.asc
Key-Fingerprint:
BA8E 11D1 FE7C 9353 7276 5375 486E 9BED 2B03 DF29
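The situation behind this thread is the one Shorewall's FAQ 2 covers: a LAN client connects to the public (dyndns) address of a server that sits on the same LAN behind the firewall. The following is an added example, not code from the original message or from Shorewall. It is a small Python model of the two packet paths: a DNAT-only translation for loc->loc traffic, and DNAT combined with SNAT to the firewall's own LAN address. The public address 217.228.66.253 and the server 192.168.0.254 are taken from the message; the firewall's eth1 address 192.168.0.1 and the client 192.168.0.10 are assumptions made for the illustration.

```python
"""Model of hairpin NAT (the Shorewall FAQ 2 scenario).

Added example, not code from the original message or from Shorewall.
PUBLIC_IP and SERVER_IP come from the message; FW_LOC_IP and CLIENT_IP
are assumed values chosen for illustration.
"""

from dataclasses import dataclass, replace

PUBLIC_IP = "217.228.66.253"   # the dyndns address (from the message)
SERVER_IP = "192.168.0.254"    # the DNAT target on the LAN (from the message)
FW_LOC_IP = "192.168.0.1"      # assumed: the firewall's eth1 address
CLIENT_IP = "192.168.0.10"     # assumed: a LAN client
LAN_PREFIX = "192.168.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Stateful NAT box: DNAT (optionally plus SNAT) on a new connection,
    reverse translation on the reply, keyed by the tuple the reply will carry."""

    def __init__(self, snat_hairpin: bool):
        self.snat_hairpin = snat_hairpin
        self.conntrack = {}  # reply tuple as seen on the server side -> original request

    def forward_request(self, pkt: Packet) -> Packet:
        if pkt.dst != PUBLIC_IP or pkt.dport != 80:
            return pkt  # not matched by the DNAT rule, pass unchanged
        out = replace(pkt, dst=SERVER_IP)  # DNAT to the LAN server
        if self.snat_hairpin and pkt.src.startswith(LAN_PREFIX):
            # SNAT loc->loc traffic to the firewall's LAN address so that the
            # server's reply is routed back through the firewall
            out = replace(out, src=FW_LOC_IP)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def forward_reply(self, pkt: Packet) -> Packet:
        orig = self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)]
        # undo both translations: reply appears to come from the public address
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def lan_first_hop(pkt: Packet) -> str:
    """On a flat LAN a host delivers directly to whoever owns pkt.dst."""
    return pkt.dst


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """A TCP stack only matches a reply whose src/sport mirror the dst/dport
    it connected to; anything else belongs to no known connection."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)


def simulate(snat_hairpin: bool) -> dict:
    """Run one SYN / SYN-ACK exchange through the modelled LAN."""
    fw = Firewall(snat_hairpin)
    syn = Packet(CLIENT_IP, 40000, PUBLIC_IP, 80)
    # the client's default route points at the firewall, so the SYN goes there
    to_server = fw.forward_request(syn)
    # the server answers whatever source address it saw, directly onto the LAN
    synack = Packet(SERVER_IP, 80, to_server.src, to_server.sport)
    first_hop = lan_first_hop(synack)
    if first_hop == FW_LOC_IP:
        delivered = fw.forward_reply(synack)   # translated back on the way out
    else:
        delivered = synack                     # reached the client untranslated
    return {
        "reply_first_hop": first_hop,
        "reply_src_seen_by_client": delivered.src,
        "client_accepts": client_accepts(syn, delivered),
    }


if __name__ == "__main__":
    print("DNAT only      :", simulate(snat_hairpin=False))
    print("DNAT plus SNAT :", simulate(snat_hairpin=True))
```

In the DNAT-only run the server's SYN-ACK goes straight to the client with source 192.168.0.254, while the client is waiting for an answer from 217.228.66.253, so the reply matches no connection and the port looks filtered from inside. With the SNAT half in place the reply is addressed to the firewall, which reverses both translations before handing it to the client.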