Hi all,

I am a newbie trying to get away from iptables into the shorewall domain. As a start I am trying to change my iptables script to a shorewall one, where I have got stuck. Can somebody please suggest where and how I put the following iptables rules in shorewall:

#Setup masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -s 10.2.0.0/16 -d ! 10.2.0.0/16 -j MASQUERADE

Thanks
Rajil
Rajil Saraswat wrote:
> Hi all,
> I am newbie trying to get away from iptables into the shorewall domain. As
> a start i am trying to change my iptable script to a shorewall one where i
> have got stuck.
> Can somebody please suggest where and how do i put the following iptable
> rules in shorewall:
>
> #Setup masquerading
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -I POSTROUTING -s 10.2.0.0/16 -d ! 10.2.0.0/16 -j MASQUERADE

The first statement corresponds to setting the IP_FORWARDING option in shorewall.conf -- the second requires a simple entry in the /etc/shorewall/masq file (although you can't reproduce that rule exactly, the effect will be the same).

<external if name>   10.2.0.0/16

I suggest that you follow the appropriate Shorewall QuickStart Guide (probably the two-interface one) and get it working, then adjust the rules to match what you are currently allowing.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Monday 21 June 2004 14:42, Tom Eastep wrote:
>
> The first statement corresponds to setting the IP_FORWARDING option in
> shorewall.conf -- the second requires a simple entry in the
> /etc/shorewall/masq file (although you can't reproduce that rule
> exactly, the effect will be the same).
>
> <external if name> 10.2.0.0/16
>
> I suggest that you follow the appropriate Shorewall QuickStart Guide
> (probably the two-interface one) and get it working then adjust the
> rules to match what you are currently allowing.
>
> -Tom

Thanks, I will try that.

--Rajil
>
> The first statement corresponds to setting the IP_FORWARDING option in
> shorewall.conf -- the second requires a simple entry in the
> /etc/shorewall/masq file (although you can't reproduce that rule
> exactly, the effect will be the same).
>
> <external if name> 10.2.0.0/16
>
> I suggest that you follow the appropriate Shorewall QuickStart Guide
> (probably the two-interface one) and get it working then adjust the
> rules to match what you are currently allowing.
>
> -Tom

On a similar note, I was trying to set up gnomemeeting on an internal client. The iptables rules given at the gnomemeeting site (http://www.gnomemeeting.org/index.php?rub=3&pos=0&faqpage=x266.html#AEN301) work absolutely fine for me. How can I convert them to the shorewall equivalent? Here are the rules from that page:

---------------------------------------------------------------------------------------
#!/bin/bash

IPTABLES=/sbin/iptables   # = where resides the iptables binary (see "type -p iptables")
OUT_DEV=ppp0              # = your public Internet-Device
IN_DEV=eth1               # = your internal Internet-Device
IN_HOST=192.168.70.18     # = Host to which the incoming H323 is being forwarded

TCP_PORT_RANGE=30000:30010
RTP_PORT_RANGE=5000:5007
TCP_LISTENING_PORT=1720
GK_PORT_RANGE=5010:5013

#TCP_PORT_RANGE - H245, if no tunneling is made
#RTP_PORT_RANGE - RTP connections (2 audio, 2 video - RTP and RTCP)
#TCP_LISTENING_PORT - H.323 port
#GK_PORT_RANGE - if external GK is used

# activate masquerading on public interface
$IPTABLES -t nat -A POSTROUTING -o $OUT_DEV -j MASQUERADE

# set incoming port forwarding...
$IPTABLES -t nat -I PREROUTING 1 -i $OUT_DEV -p tcp --dport $TCP_PORT_RANGE -j DNAT --to-dest $IN_HOST
$IPTABLES -t nat -I PREROUTING 1 -i $OUT_DEV -p udp --dport $RTP_PORT_RANGE -j DNAT --to-dest $IN_HOST
$IPTABLES -I FORWARD 1 -p tcp -i $OUT_DEV --dport $TCP_PORT_RANGE -d $IN_HOST -j ACCEPT
$IPTABLES -I FORWARD 1 -p udp -i $OUT_DEV --dport $RTP_PORT_RANGE -d $IN_HOST -j ACCEPT
$IPTABLES -t nat -I PREROUTING 1 -i $OUT_DEV -p tcp --dport $TCP_LISTENING_PORT -j DNAT --to-dest $IN_HOST
$IPTABLES -I FORWARD 1 -p tcp -i $OUT_DEV --dport $TCP_LISTENING_PORT -d $IN_HOST -j ACCEPT

# add port forwarding for external GK
$IPTABLES -t nat -I PREROUTING 1 -i $OUT_DEV -p udp --dport $GK_PORT_RANGE -j DNAT --to-dest $IN_HOST
$IPTABLES -I FORWARD 1 -p udp -i $OUT_DEV --dport $GK_PORT_RANGE -d $IN_HOST -j ACCEPT
$IPTABLES -I POSTROUTING 1 -t nat -o $IN_DEV -d $IN_HOST -p udp --dport $GK_PORT_RANGE -j ACCEPT
----------------------------------------------------------------------------------

Thanks a lot.

--Rajil
Rajil Saraswat wrote:
>
> On a similar note, i was trying to setup gnomemeeting on an internal client.
> The iptable rules given at gnomemeeting
> site(http://www.gnomemeeting.org/index.php?rub=3&pos=0&faqpage=x266.html#AEN301)
> work absolutely fine for me. How can i convert them to shorewall equivalent?
>

If you are going to use Shorewall you are going to have to learn how to configure it rather than asking us to translate every iptables rule that you find on the internet. If you look at the section preceding the one where you found the iptables commands (section 7.1.2, "I don't have an hardware router, or my hardware router doesn't support H.323"), you will find a description of the ports that need to be forwarded to the internal machine. Armed with that information and the two-interface QuickStart Guide (and FAQ #1 if you really need it), you can write your own rules. And you will then understand how to add similar rules in the future.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> Rajil Saraswat wrote:
>
>>
>> On a similar note, i was trying to setup gnomemeeting on an internal
>> client. The iptable rules given at gnomemeeting
>> site(http://www.gnomemeeting.org/index.php?rub=3&pos=0&faqpage=x266.html#AEN301)
>> work absolutely fine for me. How can i convert them to shorewall
>> equivalent?
>>
>
> If you are going to use Shorewall you are going to have to learn how to
> configure it rather than asking us to translate every iptables rule that
> you find on the internet. If you look at the section preceding the one
> where you found the iptables commands (section 7.1.2. I don't have an
> hardware router, or my hardware router doesn't support H.323), you will
> find a description of the ports that need to be forwarded to the
> internal machine. Armed with that information and the two-interface
> QuickStart Guide (and FAQ #1 if you really need it), you can write your
> own rules. And you will then understand how to add similar rules in the
> future.

And hopefully you did the "Additional Recommended Reading" linked from the two-interface QuickStart Guide so that you know how port ranges are expressed in Shorewall (same as in iptables).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
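As an added illustration (not part of this thread and not taken from the Shorewall documentation), here is what the two questions above look like as Shorewall 2.x configuration fragments: the masquerade rule from the first post becomes one /etc/shorewall/masq line, and each PREROUTING DNAT plus its paired FORWARD ACCEPT from the GnomeMeeting script becomes one DNAT line in /etc/shorewall/rules (FAQ #1), with port ranges written low:high exactly as in iptables. It assumes the net and loc zone names from the two-interface QuickStart Guide and the interface names ppp0 (external) and eth1 (internal) from the GnomeMeeting script; the addresses are simply the ones posted in the two messages (10.2.0.0/16 and 192.168.70.18), so in a real setup you would make the H.323 host sit inside the masqueraded subnet.

```text
# /etc/shorewall/shorewall.conf  (only the option relevant here)
# Replaces: echo 1 > /proc/sys/net/ipv4/ip_forward
IP_FORWARDING=On

# /etc/shorewall/masq
# Replaces: iptables -t nat -I POSTROUTING -s 10.2.0.0/16 -d ! 10.2.0.0/16 -j MASQUERADE
# Only packets leaving through ppp0 are masqueraded, so the "-d !" exclusion
# for traffic that stays inside 10.2.0.0/16 is not needed (it never leaves ppp0).
# The script's last POSTROUTING ACCEPT on eth1 has no counterpart for the same reason.
#INTERFACE      SUBNET          ADDRESS
ppp0            10.2.0.0/16

# /etc/shorewall/rules
# Each DNAT line below also creates the matching FORWARD ACCEPT, so the
# separate "-I FORWARD ... -j ACCEPT" lines of the script are not repeated.
# Interface ppp0 is assumed to be in zone net and eth1 in zone loc (assumed names).
#ACTION  SOURCE  DEST                PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
# H.323 call setup (TCP_LISTENING_PORT)
DNAT     net     loc:192.168.70.18   tcp    1720
# H.245, if no tunneling is made (TCP_PORT_RANGE)
DNAT     net     loc:192.168.70.18   tcp    30000:30010
# RTP/RTCP audio and video (RTP_PORT_RANGE)
DNAT     net     loc:192.168.70.18   udp    5000:5007
# external gatekeeper, only if one is used (GK_PORT_RANGE)
DNAT     net     loc:192.168.70.18   udp    5010:5013
```

After editing, `shorewall check` validates the files and `shorewall restart` applies them; the DNAT lines open those ports to the whole net zone, so if the external gatekeeper is not used the last line should be left out rather than forwarded on spec.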