Hi - I'm running Mandrake 9.1, running shorewall 1.3.14 to do ipmasquerading with eth0 connected to my cable modem, and eth1 to my hub.

I'm trying to open up port 4662 to TCP for eMule.

I added the following line to the rules file:

    DNAT net masq:eth1 tcp 4662

I get the following error:

    Error: DNAT rules require a server address.

What am I doing wrong here? Thanks for any help.

-Ed
Edward Chen wrote:
> Hi - I'm running Mandrake 9.1, running shorewall
> 1.3.14 to do ipmasquerading with eth0 connected to my
> cable modem, and eth1 to my hub.
>
> I'm trying to open up port 4662 to TCP for eMule.
>
> I added the following line to the rules file:
>
> DNAT net masq:eth1 tcp 4662
>
> I get the following error:
>
> Error: DNAT rules require a server address.
>
> What am I doing wrong here? Thanks for any help.

The above error message is actually quite descriptive in what you're doing wrong. Check out FAQ #1 to learn how to properly specify a DNAT rule in shorewall.

http://shorewall.net/FAQ.htm#faq1

Steve Cowles
Hi,

> Steve Cowles wrote:
>> Edward Chen wrote:
>> Hi - I'm running Mandrake 9.1, running shorewall
>> 1.3.14 to do ipmasquerading with eth0 connected to my
>> cable modem, and eth1 to my hub.
>>
>> I'm trying to open up port 4662 to TCP for eMule.
>>
>> I added the following line to the rules file:
>>
>> DNAT net masq:eth1 tcp 4662
>>
>> I get the following error:
>>
>> Error: DNAT rules require a server address.
>>
>> What am I doing wrong here? Thanks for any help.
>
> The above error message is actually quite descriptive in what you're doing
> wrong. Check out FAQ #1 to learn how to properly specify a DNAT rule in
> shorewall.
>
> http://shorewall.net/FAQ.htm#faq1
>
> Steve Cowles

1. I actually did try it originally using:

    masq:192.168.1.1-192.168.1.255

which didn't work either, and appears to be OK according to the documentation.

2. From the documentation - I read:

> If the source is not 'all' then the source may be
> further restricted by adding a colon (":") followed
> by a comma-separated list of qualifiers. Qualifiers
> may include: An interface name - refers to any connection requests
> arriving on the specified interface (example loc:eth4).

and

> DEST - Describes the destination host(s) to which the
> rule applies. May take most of the forms described
> above for SOURCE plus the following two additional forms:

and

> Restrictions:
>
> MAC addresses may not be specified.
> In DNAT rules, only IP addresses may be given -- DNS
> names are not permitted.
> You may not specify both an IP address and an
> interface name in the DEST column

So - why is masq:eth1 not acceptable? Am I misinterpreting the 2nd restriction above? I interpret it as no DNS. The 3rd restriction seems to imply that using an interface IS OK, but not with an IP address.

Thanks.

-Ed
> 1. I actually did try it originally using:
>
> masq:192.168.1.1-192.168.1.255
>
> which didn't work either, and appears to be OK according to the
> documentation.
>
> So - why is masq:eth1 not acceptable? Am I misinterpreting the 2nd
> restriction above? I interpret it as no DNS. The 3rd restriction seems
> to imply that using an interface IS OK, but not with an IP address.

Edward -- it is clear from your posts that you don't understand what Port Forwarding/DNAT does and when it can be used. I suggest that you look at http://www.shorewall.net/two-interface.htm -- that will give you the basics of running Shorewall on a setup like yours and explains why DNAT rules are necessary and how to set them up. Just be sure to note that Mandrake names the local zone differently from the documentation.

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 2003-07-20 at 07:29, Edward Chen wrote:
> 1. I actually did try it originally using:
>
> masq:192.168.1.1-192.168.1.255
>
> which didn't work either, and appears to be OK according to the
> documentation.

The documentation fails to point out that the syntax that you used is only available in version 1.4.5 and later. I'll correct that.

In any event, unless you have 255 computers in your local network and you don't care which one gets the connection, the above rule doesn't do what you want. Also, it is likely that 192.168.1.255 is the broadcast address for your local network so you would never include it as the target of a DNAT rule.

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi -

On 20 Jul 2003, Tom Eastep wrote:
> On Sun, 2003-07-20 at 07:29, Edward Chen wrote:
> > 1. I actually did try it originally using:
> >
> > masq:192.168.1.1-192.168.1.255
> >
> > which didn't work either, and appears to be OK according to the
> > documentation.
>
> The documentation fails to point out that the syntax that you used is
> only available in version 1.4.5 and later. I'll correct that.
>
> In any event, unless you have 255 computers in your local network and
> you don't care which one gets the connection the above rule doesn't do
> what you want. Also, it is likely that 192.168.1.255 is the broadcast
> address for your local network so you would never include it as the
> target of a DNAT rule.

I am running a DHCP server. What rule would you recommend for a range of IP addresses? I don't see anything in the documentation you pointed out which I find useful.

Thanks.

-Ed
> I am running a DHCP server. What rule would you recommend for a range of
> IP addresses? I don't see anything in the documentation you pointed out
> which I find useful.

What are you trying to accomplish, Ed?

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On 20 Jul 2003, Tom Eastep wrote:
> > I am running a DHCP server. What rule would you recommend for a range of
> > IP addresses? I don't see anything in the documentation you pointed out
> > which I find useful.
>
> What are you trying to accomplish, Ed?

I'd like to allow any machine which connects to my router to run eMule properly by opening up port 4662 to tcp, for example. In principle, I wouldn't know the IP address beforehand.

Am I just totally missing something here conceptually? I do allow that I'm an amateur at this. It seems that the documentation in the matter is really tailored toward allowing this for a single destination IP address. The lack of documentation + your incredulity seem to imply that this is an abhorrent idea for a range of IP addresses.

-Ed
On Sun, 2003-07-20 at 08:15, Edward Chen wrote:
> > What are you trying to accomplish, Ed?
>
> I'd like to allow any machine which connects to my router to run eMule
> properly by opening up port 4662 to tcp, for example. In principle, I
> wouldn't know the IP address beforehand.

I still don't get what you are saying. I connect to your router's external IP address on port 4662 -- then what do you want to have happen?

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 2003-07-20 at 07:58, Tom Eastep wrote:
> The documentation fails to point out that the syntax that you used is
> only available in version 1.4.5 and later. I'll correct that.

Er -- make that 1.4.6 and later

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On 20 Jul 2003, Tom Eastep wrote:
> On Sun, 2003-07-20 at 08:15, Edward Chen wrote:
> > > What are you trying to accomplish, Ed?
> >
> > I'd like to allow any machine which connects to my router to run eMule
> > properly by opening up port 4662 to tcp, for example. In principle, I
> > wouldn't know the IP address beforehand.
>
> I still don't get what you are saying. I connect to your router's
> external IP address on port 4662 -- then what do you want to have
> happen?

I assume that the router forwards the connection to port 4662 of some machine in my local system, depending on which particular machine is running the eMule program.

Another way of saying this: Let's say I had three lines in my rules file:

    DNAT net loc:192.168.1.5 udp 7777
    DNAT net loc:192.168.1.6 udp 7777
    DNAT net loc:192.168.1.7 udp 7777

Wouldn't this essentially do what I'm describing above?

-Ed
On Sun, 2003-07-20 at 08:31, Tom Eastep wrote:
> On Sun, 2003-07-20 at 08:15, Edward Chen wrote:
> > > What are you trying to accomplish, Ed?
> >
> > I'd like to allow any machine which connects to my router to run eMule
> > properly by opening up port 4662 to tcp, for example. In principle, I
> > wouldn't know the IP address beforehand.
>
> I still don't get what you are saying. I connect to your router's
> external IP address on port 4662 -- then what do you want to have
> happen?

Is your problem that the machine in your local network that you want to forward the port to gets its IP address assigned by DHCP so that you don't know its address ahead of time? If so, that's easy to fix -- set up your DHCP server to always assign that system the same IP address. All of my local systems get their IP addresses via DHCP and they always get the same address. Here's the relevant portion of my dhcpd.conf file:

    group {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 192.168.1.254;
        option ntp-servers 192.168.1.254;
        option domain-name-servers 192.168.1.193;
        option netbios-name-servers 192.168.1.254;
        option domain-name "shorewall.net";
        option netbios-dd-server 192.168.1.254;
        option netbios-node-type 8;
        option netbios-scope "";

        subnet 192.168.1.0 netmask 255.255.255.0 {
            range 192.168.1.11 192.168.1.20;
        }

        host shuksan {
            hardware ethernet 00:E0:29:8D:75:12;
            fixed-address 192.168.1.6;
        }

        host ursa.shorewall.net {
            hardware ethernet 00:A0:CC:DB:31:c4;
            fixed-address 192.168.1.5;
        }

        host eastept1 {
            hardware ethernet 00:02:b3:38:0c:e2;
            fixed-address 192.168.1.7;
        }

        host tarry {
            hardware ethernet 00:10:B5:EC:FD:0B;
            fixed-address 192.168.1.4;
        }

        host wookie.shorewall.net {
            hardware ethernet 00:a0:cc:63:66:89;
            fixed-address 192.168.1.3;
        }

        host testws.shorewall.net {
            hardware ethernet 00:50:56:40:40:D2;
            fixed-address 192.168.1.6;
        }

        host printer.shorewall.net {
            hardware ethernet 00:30:6e:2e:ec:aa;
            fixed-address 192.168.1.10;
        }
    }

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 2003-07-20 at 08:47, Edward Chen wrote:
> Let's say I had three lines in my rules file:
>
> DNAT net loc:192.168.1.5 udp 7777
> DNAT net loc:192.168.1.6 udp 7777
> DNAT net loc:192.168.1.7 udp 7777
>
> Wouldn't this essentially do what I'm describing above?

No -- there is no way that a packet filter like Netfilter can somehow receive devine inspiration as to which one of your local computers is running emule; see my other post regarding DHCP.

In Shorewall 1.4.6, you can use this rule:

    DNAT net loc:192.168.1.5-7 udp 7777

but that assumes that all three addresses are always available and that connections can be assigned in a round-robin fashion between them

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
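The rule forms argued over in this thread (an interface in DEST, a whole-subnet range, a single host, and the 1.4.6+ short range) can be checked mechanically. The script below is an added example, not Shorewall's own code: it takes a 1.x-style DNAT line, applies the restriction from the docs and Tom's replies (DEST must name an IP address, ranges only from 1.4.6 on, and never the network or broadcast address), and prints the netfilter commands the rule boils down to. The zone-to-interface mapping, the assumption that the local network is 192.168.1.0/24, the error wording, and the exact iptables form are mine; real Shorewall builds its own chains rather than these flat rules.

```python
"""
Added example (not Shorewall code): validate a Shorewall 1.x DNAT rule line
and show the netfilter rules it corresponds to.

Rule format assumed:  DNAT SOURCE DEST PROTO PORT
Zone/interface mapping and local subnet are assumptions, not from the thread.
"""
import ipaddress

ZONE_IFACE = {"net": "eth0", "loc": "eth1", "masq": "eth1"}  # assumed mapping
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")           # assumed


class RuleError(ValueError):
    """Raised with a message modelled on Shorewall's own error output."""


def _version_tuple(version):
    return tuple(int(x) for x in version.split("."))


def _check_host(ip):
    """A DNAT target must be a usable host address inside the local network."""
    if ip not in LOCAL_NET:
        raise RuleError(f"{ip} is not in the local network {LOCAL_NET}")
    if ip in (LOCAL_NET.network_address, LOCAL_NET.broadcast_address):
        raise RuleError(f"{ip} is the network or broadcast address, not a host")


def parse_target(addr, version):
    """Return (lo, hi) for a single address or a range such as 192.168.1.5-7."""
    if addr is None:
        raise RuleError("DNAT rules require a server address")
    if "-" in addr:
        if _version_tuple(version) < (1, 4, 6):
            raise RuleError("address ranges in DEST need Shorewall 1.4.6 or later")
        lo, hi = addr.split("-", 1)
        if "." not in hi:                      # shorthand: reuse lo's first three octets
            hi = lo.rsplit(".", 1)[0] + "." + hi
    else:
        lo = hi = addr
    try:
        lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    except ValueError:
        # 'masq:eth1' (an interface) and DNS names both end up here
        raise RuleError("DNAT rules require a server address "
                        "(DEST must be an IP address, not an interface or DNS name)")
    if hi_ip < lo_ip:
        raise RuleError("range end precedes range start")
    _check_host(lo_ip)
    _check_host(hi_ip)
    return lo_ip, hi_ip


def dnat_to_iptables(rule, version="1.3.14"):
    """Translate one rules-file line into flat iptables commands, or raise RuleError."""
    fields = rule.split()
    if len(fields) < 5 or fields[0].upper() != "DNAT":
        raise RuleError("expected: DNAT SOURCE DEST PROTO PORT")
    _, source, dest, proto, port = fields[:5]
    src_zone = source.partition(":")[0]
    dst_zone, _, dst_addr = dest.partition(":")
    lo, hi = parse_target(dst_addr or None, version)
    in_if, out_if = ZONE_IFACE[src_zone], ZONE_IFACE[dst_zone]
    if lo == hi:
        to, match = str(lo), f"-d {lo}"
    else:  # netfilter spreads connections across a --to-destination range
        to, match = f"{lo}-{hi}", f"-m iprange --dst-range {lo}-{hi}"
    return [
        f"iptables -t nat -A PREROUTING -i {in_if} -p {proto} --dport {port} "
        f"-j DNAT --to-destination {to}",
        f"iptables -A FORWARD -i {in_if} -o {out_if} -p {proto} --dport {port} "
        f"{match} -j ACCEPT",
    ]


def explain(rule, version="1.3.14"):
    """Commands for a valid rule, or the error text; handy for the examples below."""
    try:
        return dnat_to_iptables(rule, version)
    except RuleError as exc:
        return f"Error: {exc}"


if __name__ == "__main__":
    for line, ver in [("DNAT net masq:eth1 tcp 4662", "1.3.14"),
                      ("DNAT net masq:192.168.1.1-192.168.1.255 tcp 4662", "1.3.14"),
                      ("DNAT net masq:192.168.1.1-192.168.1.255 tcp 4662", "1.4.6"),
                      ("DNAT net loc:192.168.1.5 tcp 4662", "1.3.14"),
                      ("DNAT net loc:192.168.1.5-7 udp 7777", "1.4.6")]:
        print(f"{line}  [{ver}]")
        out = explain(line, ver)
        print("  " + ("\n  ".join(out) if isinstance(out, list) else out))
```

Running it shows the four answers the thread arrives at: the interface form is rejected with the same "server address" message Ed saw, the whole-subnet range is refused on 1.3.14 for lacking range support and on 1.4.6 because .255 is the broadcast address, and the single-host rule (or the 1.4.6 short range) produces a PREROUTING DNAT plus the FORWARD accept that lets the forwarded connection through.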
On Sun, 2003-07-20 at 08:51, Tom Eastep wrote:
> No -- there is no way that a packet filter like Netfilter can somehow
> receive devine inspiration as to which one of your local computers is
> running emule

Doh -- make that "... divine inspiration ..."

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On 20 Jul 2003, Tom Eastep wrote:
> On Sun, 2003-07-20 at 08:47, Edward Chen wrote:
> > Let's say I had three lines in my rules file:
> >
> > DNAT net loc:192.168.1.5 udp 7777
> > DNAT net loc:192.168.1.6 udp 7777
> > DNAT net loc:192.168.1.7 udp 7777
> >
> > Wouldn't this essentially do what I'm describing above?
>
> No -- there is no way that a packet filter like Netfilter can somehow
> receive devine inspiration as to which one of your local computers is
> running emule; see my other post regarding DHCP.
>
> In Shorewall 1.4.6, you can use this rule:
>
> DNAT net loc:192.168.1.5-7 udp 7777
>
> but that assumes that all three addresses are always available and that
> connections can be assigned in a round-robin fashion between them
>
> -Tom

Thanks - that clears things up. But, I can do a ping or traceroute from any one of my internal network machines to some address outside my network. I assume that this is via some default port which is open. Can't I set up my eMule port in the same way? You're saying that this can't be done via DNAT.

-Ed
On Sun, 2003-07-20 at 09:00, Edward Chen wrote:
> But, I can do a ping or traceroute from any one of my internal
> network machines to some address outside my network. I assume that this
> is via some default port which is open.

No -- Netfilter sets up a connection tracking entry when the first outbound packet is sent so that it can associate the return packets with the proper local client. This is completely dynamic but it assumes that the first packet sent in the connection will be loc->net.

> Can't I set up my eMule port in
> the same way? You're saying that this can't be done via DNAT.

That's correct.

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
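Tom's point about connection tracking is the crux of the whole thread, so here is an added toy model of it; this is illustrative code written for this page, not Netfilter or Shorewall code. A masquerading box records a tracking entry when a local host opens a connection outward, which is what lets the reply find its way back to that host with no rule at all. An unsolicited inbound connection (a peer reaching for port 4662) has no such entry, so the only thing that can choose a local target is an explicit DNAT entry. The addresses, the hosts and the simplified port rewriting are made up; real masquerading keeps the original source port where it can and tracks much more state than this.

```python
"""
Added example (not Netfilter/Shorewall code): a toy stateful NAT box showing
why replies to outbound connections need no rule while unsolicited inbound
connections need an explicit DNAT target. All addresses are constructed.
"""
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.10"   # assumed public address on eth0 (documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatBox:
    # (proto, port on the external address) -> (local ip, local port)
    dnat: dict = field(default_factory=dict)
    # reply 5-tuple as seen on eth0 -> (original local src, original sport)
    conntrack: dict = field(default_factory=dict)
    next_port: int = 1024   # simplification: always pick a fresh masquerade port

    def outbound(self, pkt):
        """loc -> net: masquerade the source and remember how to map the reply back."""
        nat_port = self.next_port
        self.next_port += 1
        reply_key = (pkt.proto, pkt.dst, pkt.dport, EXTERNAL_IP, nat_port)
        self.conntrack[reply_key] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, EXTERNAL_IP, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """net -> loc: return (verdict, packet as delivered to the local host)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:               # reply to a tracked connection
            src, sport = self.conntrack[key]
            return "ESTABLISHED", Packet(pkt.proto, pkt.src, pkt.sport, src, sport)
        target = self.dnat.get((pkt.proto, pkt.dport))
        if target is not None:                  # explicit port forward
            ip, port = target
            return "DNAT", Packet(pkt.proto, pkt.src, pkt.sport, ip, port)
        return "DROP", None                     # nobody asked for this; no way to pick a host


def demo():
    """Walk through the three cases argued over in the thread."""
    box = NatBox()
    results = {}

    # 1. A local host browses out; the reply comes back without any rule.
    out = box.outbound(Packet("tcp", "192.168.1.5", 40000, "198.51.100.7", 80))
    reply = Packet("tcp", "198.51.100.7", 80, out.src, out.sport)
    results["reply"] = box.inbound(reply)

    # 2. A peer connects to port 4662 with no DNAT rule: nothing to go on.
    peer = Packet("tcp", "198.51.100.9", 51515, EXTERNAL_IP, 4662)
    results["unsolicited"] = box.inbound(peer)

    # 3. Same packet once a DNAT rule names the eMule host.
    box.dnat[("tcp", 4662)] = ("192.168.1.5", 4662)
    results["forwarded"] = box.inbound(peer)
    return results


if __name__ == "__main__":
    for case, (verdict, pkt) in demo().items():
        print(f"{case:12s} {verdict:12s} {pkt}")
```

The model makes Ed's question concrete: the ping or traceroute works because his machine sent the first packet and the box stored state for it; port 4662 only becomes reachable once a rule tells the box which host to hand it to, which is why the DHCP reservation Tom posted is the other half of the answer.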
> But, I can do a ping or traceroute from any one of my internal
> network machines to some address outside my network. I assume that this
> is via some default port which is open. Can't I set up my eMule port in
> the same way? You're saying that this can't be done via DNAT.

Well, this is an outgoing connection. The DNAT rule for your eMule is an *incoming* connection. There is no way for the firewall logic to actually know which of the internal machines is currently running the eMule client.

I suggest you use a dedicated machine that runs eMule. Then you can simply define a DNAT rule that forwards incoming connections to port 4662 to this machine. Use the DHCP setup as Tom described earlier to assign this machine a fixed IP.

karsten

-- 
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!