Help,

Ok here it goes. Have two nic cards eth0 and ppp0 labeled net and masq respectively. Running shorewall version 2.0.0b on Mandrake linux 10.0.

Problem is in rules would like all traffic coming into eth0 on port let's say 5903 to be redirected to an internal ip address which has web server running. 192.168.0.4:80

It does not seem to be working cannot get port 5903 to open let alone redirect. Here is copy of rules table.

    ACCEPT  fw    net                   tcp   53
    ACCEPT  fw    net                   udp   53
    ACCEPT  net   fw                    tcp   53
    ACCEPT  net   fw                    udp   53
    ACCEPT  fw    net                   tcp   smtp
    ACCEPT  net   fw                    tcp   smtp
    ACCEPT  masq  fw                    tcp   smtp
    ACCEPT  fw    masq                  tcp   smtp
    #
    # Accept SSH connections from the local network for administration
    #
    ACCEPT  masq  fw                    tcp   22
    ACCEPT  fw    net                   tcp   3306
    ACCEPT  net   fw                    tcp   3306
    ACCEPT  fw    masq                  tcp   3306
    ACCEPT  net   masq                  tcp   3306
    #
    ACCEPT  fw    net                   tcp   25
    ACCEPT  net   fw                    tcp   25
    ACCEPT  fw    net                   udp   25
    ACCEPT  net   fw                    udp   25
    ACCEPT  masq  fw                    tcp   25
    ACCEPT  fw    masq                  tcp   25
    ACCEPT  masq  fw                    udp   25
    ACCEPT  fw    masq                  udp   25
    ACCEPT  net   masq                  tcp   5901
    ACCEPT  masq  net                   tcp   5901
    DNAT    net   masq:192.168.0.6:80   tcp   5903
    # Make ping work
    #
    ACCEPT  fw    masq                  icmp  8
    ACCEPT  masq  fw                    icmp  8
    ACCEPT  fw    net                   icmp  8
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Any help would be appreciated.
Ok, I did do everything in the faq's. The result is the packet is not reaching the firewall. For some reason it seems that the linux server is not opening up the port/letting it listen for inbound traffic. I did a netstat -lc and it did not show the port 5903.

With regards to the setup of shorewall, I did that manually. But, just for the sake of it I thought that Mandrake maybe referring to my local as masq, like it said in one of your previous mails, so I changed all mine from loc to masq.

I know port 5903 is not being blocked by my isp, I tested that with vncserver and it worked fine. It seems the port is not opening up. I did a port scan from outside and it said the port was closed.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, May 05, 2004 12:34 PM
Subject: Re: [Shorewall-users] Ip Forwarding

> pbielawski wrote:
> > Help,
> >
> > Ok here it goes. Have two nic cards eth0 and ppp0 labeled net and masq respectively. Running shorewall version 2.0.0b on
> > Mandrake linux 10.0.
>
> Must be the Community version of 10.0?
>
> That's certainly odd -- usually, ppp0 would be the 'net' interface and
> 'eth0' would be the 'loc' (or 'masq' interface if you let Mandrake
> configure your system for you).
>
> > Problem is in rules would like all traffic coming into eth0 on port let's say 5903 to be redirected to an internal
> > ip address which has web server running. 192.168.0.4:80
> > It does not seem to be working cannot get port 5903 to open let alone redirect
>
> So you have followed the Port Forwarding troubleshooting steps detailed
> in FAQs 1a and 1b? If so, what were the results? If not, please begin there.
>
> > DNAT net masq:192.168.0.6:80 tcp 5903
>
> That rule will redirect TCP traffic from the 'net' zone with destination
> port 5903 to a server in the 'masq' zone with IP address 192.168.0.6 and
> listening on port 80. So the rule itself appears correct if I understand
> what you are trying to do.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
ok, with regards to FAQ 1a

a) I am testing from outside firewall
b) default gateway is set to 192.168.0.1 (internal ip of linux box)
c) isp is not blocking
d) Changed all loc to masq

1b) results below

Shorewall-2.0.0b NAT Counters reset Wed May 5 14:38:46 EDT 2004

Chain PREROUTING (policy ACCEPT 1139 packets, 49207 bytes)
 pkts bytes target      prot opt in     out     source               destination
    0     0 net_dnat    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 5 packets, 314 bytes)
 pkts bytes target      prot opt in     out     source               destination
    1    63 ppp0_masq   all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 5 packets, 314 bytes)
 pkts bytes target      prot opt in     out     source               destination

Chain net_dnat (1 references)
 pkts bytes target      prot opt in     out     source               destination
    0     0 DNAT        tcp  --  *      *       0.0.0.0/0            10.0.0.10            tcp dpt:5903 to:192.168.0.6:80

Chain ppp0_masq (1 references)
 pkts bytes target      prot opt in     out     source               destination
    1    63 MASQUERADE  all  --  *      *       192.168.0.0/24       0.0.0.0/0

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, May 05, 2004 1:32 PM
Subject: Re: [Shorewall-users] Ip Forwarding

> pbielawski wrote:
> > Ok, I did do everything in the faq's. The result is the packet is not
> > reaching the firewall.
>
> So the packet and byte count in the DNAT rule for port 5903 in the
> net_dnat chain is or is not incrementing when you try to connect?
>
> > For some reason it seems
> > that the linux server is not opening up the port/letting it listen for
> > inbound traffic. I did a netstat -lc and it did not show the port
> > 5903.
>
> You clearly don't understand how port forwarding works -- the firewall
> does not listen on the original destination port! It rather rewrites the
> destination IP address and/or destination port number then reroutes the
> modified packet.
>
> > With regards to the setup of shorewall, I did that manually. But, just
> > for the sake of it I thought that Mandrake maybe
> > referring to my local as masq, like it said in one of your previous mails,
> > so I changed all mine from loc to masq.
>
> Groan.......
>
> > I know port 5903 is not being
> > blocked by my isp, I tested that with vncserver and it worked fine. It
> > seems the port is not opening up
> > I did a port scan from outside and it said the port was closed.
>
> Again, please report the *exact* results you are seeing when you follow
> the steps in FAQ 1a and FAQ 1b.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> One more thing -- you didn't clarify the ppp0/eth0 question. I trust
> that your ppp0 device is actually associated with the 'net' zone.

eth0 - net
ppp0 - masq

> Please confirm,
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
You were right, but eth0 was actually hardware connection from the web. What I did was by mistake had eth0 as net ppp0 as masq, when it should have been ppp0 net eth1 masq.

Thank You very much

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, May 05, 2004 2:58 PM
Subject: Re: [Shorewall-users] Ip Forwarding

> pbielawski wrote:
> >> One more thing -- you didn't clarify the ppp0/eth0 question. I trust
> >> that your ppp0 device is actually associated with the 'net' zone.
> >
> > eth0 - net
> > ppp0 - masq
>
> Then you have them backwards! Note that you are currently masquerading
> OUT of ppp0:
>
> > Chain POSTROUTING (policy ACCEPT 5 packets, 314 bytes)
> >  pkts bytes target      prot opt in     out     source               destination
> >     1    63 ppp0_masq   all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
>
> Also, that rule should really be restricted to traffic originating in
> the local network.
>
> I suggest that you start again:
>
> a) Reinstall Shorewall.
> b) Download the two-interface sample from the Shorewall site.
> c) Follow the instructions at http://shorewall.net/two-interface.htm
>
> And ppp0 will be your 'net' interface and eth0 will be your 'loc' interface.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
pbielawski wrote:
> Help,
>
> Ok here it goes. Have two nic cards eth0 and ppp0 labeled net and masq respectively. Running shorewall version 2.0.0b on
> Mandrake linux 10.0.

Must be the Community version of 10.0?

That's certainly odd -- usually, ppp0 would be the 'net' interface and 'eth0' would be the 'loc' (or 'masq' interface if you let Mandrake configure your system for you).

> Problem is in rules would like all traffic coming into eth0 on port let's say 5903 to be redirected to an internal
> ip address which has web server running. 192.168.0.4:80
> It does not seem to be working cannot get port 5903 to open let alone redirect

So you have followed the Port Forwarding troubleshooting steps detailed in FAQs 1a and 1b? If so, what were the results? If not, please begin there.

> DNAT net masq:192.168.0.6:80 tcp 5903

That rule will redirect TCP traffic from the 'net' zone with destination port 5903 to a server in the 'masq' zone with IP address 192.168.0.6 and listening on port 80. So the rule itself appears correct if I understand what you are trying to do.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
pbielawski wrote:
> Ok, I did do everything in the faq's. The result is the packet is not
> reaching the firewall.

So the packet and byte count in the DNAT rule for port 5903 in the net_dnat chain is or is not incrementing when you try to connect?

> For some reason it seems
> that the linux server is not opening up the port/letting it listen for
> inbound traffic. I did a netstat -lc and it did not show the port
> 5903.

You clearly don't understand how port forwarding works -- the firewall does not listen on the original destination port! It rather rewrites the destination IP address and/or destination port number then reroutes the modified packet.

> With regards to the setup of shorewall, I did that manually. But, just
> for the sake of it I thought that Mandrake maybe
> referring to my local as masq, like it said in one of your previous mails,
> so I changed all mine from loc to masq.

Groan.......

> I know port 5903 is not being
> blocked by my isp, I tested that with vncserver and it worked fine. It
> seems the port is not opening up
> I did a port scan from outside and it said the port was closed.
>

Again, please report the *exact* results you are seeing when you follow the steps in FAQ 1a and FAQ 1b.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
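As an added example (not from the thread and not part of Shorewall), here is a small POSIX sh helper for the FAQ 1b check Tom describes: capture the NAT counters before and after a connection attempt and report how many packets hit the DNAT rule for the forwarded port. The two snapshots below are constructed in the column layout of the `shorewall show nat` output posted earlier in the thread, and the function names are my own.

```shell
#!/bin/sh
# Constructed snapshots of the net_dnat chain (same layout as
# `shorewall show nat` / `iptables -t nat -L -v -n`); not real captures.
BEFORE='Chain net_dnat (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.10 tcp dpt:5903 to:192.168.0.6:80'
AFTER='Chain net_dnat (1 references)
 pkts bytes target prot opt in out source destination
    3   180 DNAT tcp -- * * 0.0.0.0/0 10.0.0.10 tcp dpt:5903 to:192.168.0.6:80'

# dnat_pkts <snapshot> <port>: print the pkts counter of the DNAT rule
# whose match list contains "dpt:<port>"; prints nothing if absent.
dnat_pkts() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "DNAT" {
            for (i = 1; i <= NF; i++)
                if ($i == ("dpt:" port)) { print $1; exit }
        }'
}

# dnat_delta <before> <after> <port>: packets that matched the DNAT rule
# between the two snapshots; exit 1 if no rule for that port exists.
dnat_delta() {
    b=$(dnat_pkts "$1" "$3"); a=$(dnat_pkts "$2" "$3")
    [ -n "$b" ] && [ -n "$a" ] || { echo "no DNAT rule for dpt:$3" >&2; return 1; }
    echo $((a - b))
}

# Live use on the firewall (assumes Shorewall 2.x; hypothetical commands):
#   before=$(shorewall show nat); <connect from outside>; after=$(shorewall show nat)
#   dnat_delta "$before" "$after" 5903
# A delta of 0 means the packet never reached PREROUTING on the firewall
# (blocked upstream, wrong interface/zone, or the rule's destination
# address is not the one the outside world connects to). A positive delta
# means DNAT fired, so look at the inside leg: the server listening on
# 192.168.0.6:80 and its default gateway pointing back at the firewall.
dnat_delta "$BEFORE" "$AFTER" 5903   # prints 3
```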
One more thing -- you didn't clarify the ppp0/eth0 question. I trust that your ppp0 device is actually associated with the 'net' zone.

Please confirm,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
pbielawski wrote:
>> One more thing -- you didn't clarify the ppp0/eth0 question. I trust
>> that your ppp0 device is actually associated with the 'net' zone.
>
> eth0 - net
> ppp0 - masq
>

Then you have them backwards! Note that you are currently masquerading OUT of ppp0:

> Chain POSTROUTING (policy ACCEPT 5 packets, 314 bytes)
>  pkts bytes target      prot opt in     out     source               destination
>     1    63 ppp0_masq   all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Also, that rule should really be restricted to traffic originating in the local network.

I suggest that you start again:

a) Reinstall Shorewall.
b) Download the two-interface sample from the Shorewall site.
c) Follow the instructions at http://shorewall.net/two-interface.htm

And ppp0 will be your 'net' interface and eth0 will be your 'loc' interface.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
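An added check (my own, not Shorewall's tooling) for the two configuration points raised above: the interface that is masqueraded out of must be the one in the 'net' zone, and the masq entry should name the local subnet as its SOURCE rather than masquerading everything. The sample file contents are constructed in the Shorewall 2.x column layout of /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS) and /etc/shorewall/masq (INTERFACE SUBNET ADDRESS); they are not the poster's real files.

```shell
#!/bin/sh
# Constructed sample configurations: the backwards setup from the thread
# beside the two-interface layout Tom recommends (ppp0 = net, LAN = loc).
IFACES_BAD='net  eth0  detect
masq ppp0  -'
IFACES_GOOD='net  ppp0  -
loc  eth1  detect'
MASQ_BAD='ppp0'                   # INTERFACE only: masquerades any source
MASQ_GOOD='ppp0  192.168.0.0/24'  # INTERFACE SUBNET: only the LAN is NATed

# net_iface <interfaces-contents>: interface assigned to the net zone.
net_iface() {
    printf '%s\n' "$1" | awk '$1 == "net" { print $2; exit }'
}

# check_masq <interfaces-contents> <masq-contents>: returns 0 when every
# masq line leaves through the net interface and carries a SOURCE subnet,
# 1 otherwise, with each problem reported on stderr.
check_masq() {
    net=$(net_iface "$1"); rc=0
    [ -n "$net" ] || { echo "no interface is in zone net" >&2; return 1; }
    while read -r iface subnet rest; do
        case "$iface" in ''|\#*) continue ;; esac   # skip blanks/comments
        [ "$iface" = "$net" ] || { echo "masq out of $iface, but net is $net" >&2; rc=1; }
        [ -n "$subnet" ] || { echo "masq on $iface has no SOURCE subnet" >&2; rc=1; }
    done <<EOF
$2
EOF
    return $rc
}

# On a live box (assumption: default Shorewall file locations):
#   check_masq "$(cat /etc/shorewall/interfaces)" "$(cat /etc/shorewall/masq)"
check_masq "$IFACES_BAD" "$MASQ_BAD"    # two complaints, exit 1
check_masq "$IFACES_GOOD" "$MASQ_GOOD"  # silent, exit 0
```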