We have the following situation: We're running an application for wireless handheld terminals in our office network. Now we've got a couple of terminals on remote locations with internet access (via GPRS - uses DHCP). These terminals will have to make a connection to the application in our network (the PC has IP 10.0.161.38), specifically to port 5001. So what we've tried to do is to forward all incoming connections from the internet on port 5001 to the application in our LAN. The shorewall rule would be:

/etc/shorewall/rules:
DNAT net loc:10.0.161.38 tcp 5001 - all
DNAT net loc:10.0.161.38 udp 5001 - all

We also masquerade outgoing traffic from 10.0.161.38 to the Internet.

/etc/shorewall/masq:
eth0 10.0.161.38/32

So far everything works. But now the application needs to send an answer to the terminals. Naturally it sends its answer to the firewall, as the source address has been rewritten by shorewall. The application however requires us to not rewrite the source address and bails out if we do. Is there a way to tell shorewall not to rewrite the source address but still forward all incoming packets on port 5001 to 10.0.161.38 on our LAN?

Any help is much appreciated.

Jörgen Busink
On Wednesday 11 February 2004 07:36 am, Jörgen Busink wrote:
> [...]
> So far everything works. But now the application needs to send an answer
> to the terminals. Naturally it sends its answer to the firewall, as the
> source address has been rewritten by shorewall. The application however
> requires us to not rewrite the source address and bails out if we do. Is
> there a way to tell shorewall not to rewrite the source address but
> still forward all incoming packets on port 5001 to 10.0.161.38 on our
> LAN?

Shorewall does not rewrite the source address when it does DNAT!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Wednesday 11 February 2004 07:38 am, Tom Eastep wrote:
> On Wednesday 11 February 2004 07:36 am, Jörgen Busink wrote:
> > [...]
> > Is there a way to tell shorewall not to rewrite the source address but
> > still forward all incoming packets on port 5001 to 10.0.161.38 on our
> > LAN?
>
> Shorewall does not rewrite the source address when it does DNAT!

That is to say that Shorewall does not rewrite the source address unless you ask it to:

DNAT net loc:10.0.161.38 tcp 5001 - all:<source address>

-Tom
On Wed, 2004-02-11 at 16:42, Tom Eastep wrote:
> [...]
> That is to say that Shorewall does not rewrite the source address unless you
> ask it to:
>
> DNAT net loc:10.0.161.38 tcp 5001 - all:<source address>
>
> -Tom

Thanks for the lightning fast response :)
Strange however, I sniffed on the 10.0.161.38 machine and the source addresses of all packets were rewritten. I guess there's some other rule somewhere that I missed. I'll try again with a fresh install.

Thanks for your help.
On Wed, 2004-02-11 at 16:53, Tom Eastep wrote:
> On Wednesday 11 February 2004 07:50 am, Jörgen Busink wrote:
> > Thanks for the lightning fast response :)
> > Strange however, I sniffed on the 10.0.161.38 machine and the source
> > addresses of all packets were rewritten. I guess there's some other
> > rule somewhere that I missed. I'll try again with a fresh install.
>
> Before you do that -- please forward the output of "shorewall show nat" --
> from that we may be able to tell why it is happening.
>
> -Tom

Shorewall-1.4.10 NAT at trinity.matrix.net - Wed Feb 11 16:59:55 CET 2004

Counters reset Wed Feb 11 16:59:38 CET 2004

Chain PREROUTING (policy ACCEPT 1361K packets, 174M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    49 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 8296 packets, 377K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 9294 packets, 449K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       10.0.0.0/16          0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 to:10.0.161.38
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5001 to:10.0.161.38
On Wednesday 11 February 2004 08:08 am, Jörgen Busink wrote:
> [...]
> Chain PREROUTING (policy ACCEPT 1361K packets, 174M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     1    49 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 8296 packets, 377K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
> [...]
> Chain eth1_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MASQUERADE all  --  *      *       10.0.0.0/16          0.0.0.0/0
> [...]

The fact that 'net_dnat' is associated with packets arriving on eth0 makes me believe that eth0 is your 'net' interface.

That makes the MASQUERADE entry on eth1 look wrong. I think that you have /etc/shorewall/masq as:

eth1 10.0.0.0/16

where what you wanted was

eth1 10.0.0.0/16 (or something similar -- did you really want an entire class B?).

-Tom
On Wednesday 11 February 2004 08:32 am, Tom Eastep wrote:
> [...]
> That makes the MASQUERADE entry on eth1 look wrong. I think that you have
> /etc/shorewall/masq as:
>
> eth1 10.0.0.0/16
>
> where what you wanted was
>
> eth1 10.0.0.0/16 (or something similar -- did you really want an entire
> class B?).

AAARRRGGGHHHH -- I meant to type:

eth0 10.0.0.0/16

-Tom
On Wed, 2004-02-11 at 17:33, Tom Eastep wrote:
> [...]
> AAARRRGGGHHHH -- I meant to type:
>
> eth0 10.0.0.0/16
>
> -Tom

Me AAARGH too. You're right. I mixed up the interfaces in masq! Stupid me.

About the class B net: it's just a test net, so I thought why not masq everything through. I might have detected my mistake earlier if I hadn't done so.

Thanks so much for your help, you've saved my day.

Best regards,
Jörgen
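The diagnosis in this thread, as an added worked example that is neither Shorewall's code nor anything the participants posted: a first-packet model of the nat PREROUTING (DNAT) and POSTROUTING (MASQUERADE) chains that the rules and masq lines above generate, run once with the masq line that "shorewall show nat" revealed (eth1 10.0.0.0/16) and once with the line Tom said was intended (eth0 10.0.0.0/16). The firewall's addresses (203.0.113.10 on eth0, 10.0.0.1 on eth1), the terminal addresses, and the idea that a terminal on the test net's "net" side can itself carry a 10.0.x.x address are assumptions made for the example, not facts from the thread. It goes beyond the thread in also tracing a connection the application opens outward, which the wrong interface leaves unmasqueraded.

```python
"""First-packet model of the NAT chains built from /etc/shorewall/rules and
/etc/shorewall/masq (added example; not Shorewall code).

Only the first packet of a connection is modelled. In real netfilter the nat
table is consulted once per connection and conntrack then applies the chosen
mapping (and its reverse) to every later packet of that flow.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Firewall's own address on each interface (assumed values, not from the thread).
FW_ADDR = {"eth0": "203.0.113.10", "eth1": "10.0.0.1"}
# The 'loc' network behind eth1, matching the masq SUBNET column in the thread.
LOC_NET = ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_if: str


def route(dst: str) -> str:
    """Routing decision: the LAN prefix goes out eth1, everything else via the default route on eth0."""
    return "eth1" if ip_address(dst) in LOC_NET else "eth0"


class NatTable:
    """The nat PREROUTING (DNAT) and POSTROUTING (MASQUERADE) chains Shorewall 1.4 generates."""

    def __init__(self, rules, masq):
        # rules: /etc/shorewall/rules DNAT lines as (ingress interface of the source zone,
        #        proto, dest port, new destination).
        # masq:  /etc/shorewall/masq lines as (INTERFACE, SUBNET). INTERFACE is the interface
        #        the packet LEAVES through; SUBNET is matched against the packet's source.
        self.rules = rules
        self.masq = [(iface, ip_network(net)) for iface, net in masq]

    def prerouting(self, pkt: Packet) -> Packet:
        for in_if, proto, dport, new_dst in self.rules:
            if (pkt.in_if, pkt.proto, pkt.dport) == (in_if, proto, dport):
                return replace(pkt, dst=new_dst)  # DNAT rewrites the destination only
        return pkt

    def postrouting(self, pkt: Packet, out_if: str) -> Packet:
        for iface, net in self.masq:
            if out_if == iface and ip_address(pkt.src) in net:
                return replace(pkt, src=FW_ADDR[out_if])  # MASQUERADE: source := egress address
        return pkt

    def forward(self, pkt: Packet) -> tuple[Packet, str]:
        """Path of a forwarded first packet: nat PREROUTING, routing decision, nat POSTROUTING."""
        pkt = self.prerouting(pkt)
        out_if = route(pkt.dst)
        return self.postrouting(pkt, out_if), out_if


# /etc/shorewall/rules from the thread; the 'net' zone is on eth0.
DNAT_RULES = [("eth0", "tcp", 5001, "10.0.161.38"),
              ("eth0", "udp", 5001, "10.0.161.38")]
# /etc/shorewall/masq as 'shorewall show nat' showed it, and as it was meant to be.
MASQ_BROKEN = [("eth1", "10.0.0.0/16")]
MASQ_FIXED = [("eth0", "10.0.0.0/16")]


def source_seen_by_app(masq, terminal_src: str) -> str:
    """Source address the application on 10.0.161.38 sees on a terminal's first packet to port 5001."""
    inbound = Packet(src=terminal_src, dst=FW_ADDR["eth0"], proto="tcp", dport=5001, in_if="eth0")
    out, out_if = NatTable(DNAT_RULES, masq).forward(inbound)
    if out_if != "eth1" or out.dst != "10.0.161.38":
        raise RuntimeError("DNAT did not forward the packet to the application")
    return out.src


def source_seen_by_internet(masq) -> str:
    """Source address a remote host sees when the application opens a connection out to it."""
    outbound = Packet(src="10.0.161.38", dst="198.51.100.7", proto="tcp", dport=5001, in_if="eth1")
    out, _ = NatTable(DNAT_RULES, masq).forward(outbound)
    return out.src


if __name__ == "__main__":
    # 10.0.200.5 stands for a terminal on the 10.0/16 test net reaching the firewall's
    # eth0 side; 198.51.100.7 for a terminal with a real Internet address (both assumed).
    for name, masq in (("broken", MASQ_BROKEN), ("fixed", MASQ_FIXED)):
        print(f"masq line '{masq[0][0]} {masq[0][1]}' ({name}):")
        for term in ("10.0.200.5", "198.51.100.7"):
            print(f"  terminal {term:>13} -> application sees source {source_seen_by_app(masq, term)}")
        print(f"  application -> 198.51.100.7: remote sees source {source_seen_by_internet(masq)}")
```

What the model makes explicit is that the INTERFACE column of /etc/shorewall/masq names the interface a packet leaves through, so "eth1 10.0.0.0/16" masquerades packets going into the LAN, which is exactly where a DNAT'ed connection ends up after the routing decision; a 10.0.x.x terminal therefore reaches the application with the firewall's LAN address as its source, and the application's own outbound connections leave eth0 with a private source address. With "eth0 10.0.0.0/16" the DNAT'ed packet reaches the application untouched and only LAN-originated traffic out to the Internet is masqueraded. The practical check is the one Tom asked for: in "shorewall show nat" (or "iptables -t nat -L -v"), the MASQUERADE rule's "out" interface must be the net interface.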