Hola and thanks for any help in advance

I installed Mandrake 9 a few days ago and wanted to set up some additional rules to Shorewall, but I failed :)

What I want to do is basically route any incoming UDP and TCP packets on port 4665 to a workstation behind the router.

router with Mandrake 9, eth0 (192.168.0.1) internal net, eth1 (10.0.0.0) connected to DSL modem and gets a dynamic IP

workstations 192.168.0.10 / .11 / ....

I read the readme and examples and added

#ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT(S) DEST
DNAT    net     loc:192.168.0.10:4665   tcp     4665
DNAT    net     loc:192.168.0.10:4665   udp     4665

this to my /etc/shorewall/rules. Everything else is default right now.

I am sure I missed something somewhere or messed something up in those 2 lines :)

I will add the info that I should add according to the page below.

Thanks in advance again.

-Nec

shorewall version: 1.37c
kernel: 2.4.19-16mdk

ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:cb:a5:19 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:03:42:da:6b brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 217.225.24.150 peer 217.5.98.30/32 scope global ppp0

ip route show
217.5.98.30 dev ppp0 proto kernel scope link src 217.225.24.150
10.0.0.0/24 dev eth1 scope link
192.168.0.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 217.5.98.30 dev ppp0

shorewall show log ( lots of those :) )
Jan 9 00:24:41 net2all:DROP:IN=ppp0 OUT=eth0 SRC=80.200.230.75 DST=192.168.0.10 LEN=139 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4528 DPT=4665 LEN=119
Jan 9 00:24:44 net2all:DROP:IN=ppp0 OUT=eth0 SRC=24.185.67.165 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=109 ID=32948 PROTO=UDP SPT=8548 DPT=4665 LEN=27
Jan 9 00:24:48 net2all:DROP:IN=ppp0 OUT=eth0 SRC=213.153.50.253 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=118 ID=52379 PROTO=UDP SPT=3461 DPT=4665 LEN=27
Jan 9 00:24:56 net2all:DROP:IN=ppp0 OUT=eth0 SRC=81.224.25.150 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=115 ID=26788 PROTO=UDP SPT=10636 DPT=4665 LEN=27
JMM Moi-Meme Maitre du Monde
2003-Jan-08 15:44 UTC
[Shorewall-users] prerouting newbie question/mistake :)
On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
>
> Hola and thanks for any help in advance
> I installed mandrake 9 a few days ago and wanted to set up some
> additional rules to shorewall, but I failed :)
>
> What I want to do is basically route any incoming udp and tcp packets on
> port 4665 to a workstation behind the router.
>
> router with mandrake 9, eth0 (192.168.0.1) internal net, eth1(10.0.0.0)
> connected to dsl modem and gets a dynamic ip
>
> workstations 192.168.0.10 / .11 / ....
>
> I read the readme and examples and added
>
> #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
> #                                               PORT    PORT(S) DEST
> DNAT    net     loc:192.168.0.10:4665   tcp     4665
> DNAT    net     loc:192.168.0.10:4665   udp     4665
>

Why do you want to specify the port twice? (once by qualifying the IP address, which itself is only a qualifier of the zone, and once in the proper column)

Looking at my own configuration (yep, Donkey is fun to play with when you know up to what limit it should use bandwidth), you should try:
extr

DNAT    net     loc:192.168.0.10        udp     4665
DNAT    net     loc:192.168.0.10        tcp     4665

Regards
J6M
On Thu, 9 Jan 2003 00:43:50 +0100
JMM Moi-Meme Maitre du Monde <j6m@cvni.net> wrote:

> On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
> >
> > Hola and thanks for any help in advance
> > I installed mandrake 9 a few days ago and wanted to set up some
> > additional rules to shorewall, but I failed :)
> >
> > What I want to do is basically route any incoming udp and tcp packets on
> > port 4665 to a workstation behind the router.
> >
> > router with mandrake 9, eth0 (192.168.0.1) internal net, eth1(10.0.0.0)
> > connected to dsl modem and gets a dynamic ip
> >
> > workstations 192.168.0.10 / .11 / ....
> >
> > I read the readme and examples and added
> >
> > #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
> > #                                               PORT    PORT(S) DEST
> > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > DNAT    net     loc:192.168.0.10:4665   udp     4665
> >
>
> Why do you want to specify the port twice? (once by qualifying the
> IP address, which itself is only a qualifier of the zone, and once in
> the proper column)
>
> Looking at my own configuration (yep, Donkey is fun to play with when you
> know up to what limit it should use bandwidth), you should try:
> extr
>
> DNAT    net     loc:192.168.0.10        udp     4665
> DNAT    net     loc:192.168.0.10        tcp     4665
>
>
> Regards
> J6M

Changed it and still get

Jan 9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914 DPT=4665 LEN=27
Jan 9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82 DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914 DPT=4665 LEN=31
Jan 9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP SPT=12977 DPT=4665 LEN=27
Jan 9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP SPT=12977 DPT=4665 LEN=27

lots of those in my log. It is Overnet and not eDonkey btw :) And it is still marked as firewalled.

Thanks for the quick response though.

--Nec
John S. Andersen
2003-Jan-08 16:04 UTC
[Shorewall-users] prerouting newbie question/mistake :)
On 9 Jan 2003 at 0:35, Necarus wrote:

> #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
> #                                               PORT    PORT(S) DEST
> DNAT    net     loc:192.168.0.10:4665   tcp     4665
> DNAT    net     loc:192.168.0.10:4665   udp     4665
>
> this to my /etc/shorewall/rules
> everything else is default right now.

The above looks correct, and follows examples I have in my rules.

> 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:60:08:cb:a5:19 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:01:03:42:da:6b brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
> 5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
>     link/ppp
>     inet 217.225.24.150 peer 217.5.98.30/32 scope global ppp0

Where is your Shorewall interfaces file?

> shorewall show log ( lots of those :) )
> Jan 9 00:24:41 net2all:DROP:IN=ppp0 OUT=eth0 SRC=80.200.230.75 DST=192.168.0.10 LEN=139 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4528 DPT=4665 LEN=119

These arrived on your ppp0 dial-up.
Without looking at your shorewall/interfaces I can't be sure that interface is what is assigned to net.
If the rest is default as you say, the net zone might be assigned to eth0.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
On Wed, 08 Jan 2003 15:04:39 -0900
"John S. Andersen" <jsa@norcomix.dyndns.org> wrote:

> On 9 Jan 2003 at 0:35, Necarus wrote:
>
> > #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
> > #                                               PORT    PORT(S) DEST
> > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > DNAT    net     loc:192.168.0.10:4665   udp     4665
> >
> > this to my /etc/shorewall/rules
> > everything else is default right now.
>
> The above looks correct, and follows examples I have in my rules.
>
> > 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:60:08:cb:a5:19 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:01:03:42:da:6b brd ff:ff:ff:ff:ff:ff
> >     inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
> > 5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
> >     link/ppp
> >     inet 217.225.24.150 peer 217.5.98.30/32 scope global ppp0
>
> Where is your Shorewall interfaces file?
>
> > shorewall show log ( lots of those :) )
> > Jan 9 00:24:41 net2all:DROP:IN=ppp0 OUT=eth0 SRC=80.200.230.75 DST=192.168.0.10 LEN=139 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4528 DPT=4665 LEN=119
>
> These arrived on your ppp0 dial-up.
> Without looking at your shorewall/interfaces I can't be sure that
> interface is what is assigned to net.
> If the rest is default as you say, the net zone might be assigned
> to eth0.
>
> ______________________________________
> John Andersen
> NORCOM / Juneau, Alaska
> http://www.screenio.com/
> (907) 790-3386
> _______________________________________
> John S. Andersen
> NORCOM mailto:JAndersen@norcomsoftware.com
> Juneau, Alaska
> http://www.screenio.com/
>

My interfaces file would look like this:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        detect
masq    eth0        detect
loc     eth1        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-Nec
On Wed, 2003-01-08 at 15:58, Necarus wrote:
> Changed it and still get
>
> Jan 9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914 DPT=4665 LEN=27
> Jan 9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82 DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914 DPT=4665 LEN=31
> Jan 9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP SPT=12977 DPT=4665 LEN=27
> Jan 9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP SPT=12977 DPT=4665 LEN=27
>
> lots of those in my log. It is Overnet and not eDonkey btw :) And it is
> still marked as firewalled.
>
> Thanks for the quick response though.

Necarus,
Interesting. Have you read FAQs 1-2? They may help.
http://www.shorewall.net/FAQ.htm

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
JMM Moi-Meme Maitre du Monde
2003-Jan-08 16:24 UTC
[Shorewall-users] prerouting newbie question/mistake :)
On Thu, Jan 09, 2003 at 01:08:06AM +0100, Necarus wrote:
>
> On Wed, 08 Jan 2003 15:04:39 -0900
> "John S. Andersen" <jsa@norcomix.dyndns.org> wrote:
>
>
> My interfaces file would look like this:
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        detect
> masq    eth0        detect
> loc     eth1        detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> -Nec

I was just thinking about the same thing as John and was looking at my interfaces file:

net     ppp0    detect  norfc1918,routefilter,dropunclean
loc     eth1    detect  routestopped
dmz     eth2    detect  routestopped

(If you try something like this, be sure to have in /etc/rc.d/rcX.d the S??xxxxx dialing script executed prior to Sxxshorewall, as, because of routefilter, ppp0 must be up and running. Idem if you have a cron job checking whether your dial-up connection is still active or needs to be restarted.)

- I run Shorewall 1.3.7 on SuSE Linux 8.0 with an ADSL connection
John S. Andersen
2003-Jan-08 16:36 UTC
[Shorewall-users] prerouting newbie question/mistake :)
On 9 Jan 2003 at 1:08, Necarus wrote:

> My interfaces file would look like this:
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        detect
> masq    eth0        detect
> loc     eth1        detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> -Nec
>

Ok, that looks fine, although I would have thought one or more of those interfaces would have dhcp on it as well as routefilter and maybe routestopped.

What I don't understand is why that stuff is arriving on ppp0 when you said your outside connection is on eth1.

Quoting...
    eth0 (192.168.0.1) internal net, eth1 (10.0.0.0) connected to dsl modem and gets a dynamic ip
------

Nevertheless, eth1 does not host 192.168.; it has 10.0.0 on it. So your rule should point to either a different IP or a different zone (masq has the 192.168 subnet). Is that an internal router or your path to the outside??

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
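John's diagnosis is a cross-check between three files: the DNAT rule names zone loc as its destination, the interfaces file binds loc to eth1, but `ip addr show` puts 192.168.0.10's subnet on eth0, which the interfaces file binds to the masq zone. The Python script below is an added example (not from the thread and not part of Shorewall) that automates exactly that check: it parses `ip addr show` output, a Shorewall interfaces file and a rules file, all embedded as constructed samples copied from the posts above, and flags any rule whose DEST address is not on an interface of the DEST zone. It simplifies in one way: real Shorewall declares zones in /etc/shorewall/zones, whereas this script derives the zone list from the interfaces file, and its parsers only understand the columns used in this thread.

```python
import ipaddress
import re

# Constructed sample inputs, copied from the posts in this thread.
IP_ADDR_SHOW = """\
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:cb:a5:19 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:03:42:da:6b brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 217.225.24.150 peer 217.5.98.30/32 scope global ppp0
"""

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        detect
masq    eth0        detect
loc     eth1        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

RULES = """\
#ACTION SOURCE  DEST                    PROTO   DEST PORT
DNAT    net     loc:192.168.0.10:4665   tcp     4665
DNAT    net     loc:192.168.0.10:4665   udp     4665
"""


def parse_ip_addr(text):
    """Map interface name -> list of IPv4 networks seen in `ip addr show` output."""
    nets = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+):", line)
        if m:
            current = m.group(1)
            nets.setdefault(current, [])
            continue
        m = re.match(r"\s*inet\s+(\S+)", line)
        if m and current is not None:
            addr = m.group(1)
            if "/" not in addr:          # point-to-point style "inet A peer B/32"
                addr += "/32"
            nets[current].append(ipaddress.ip_interface(addr).network)
    return nets


def parse_interfaces(text):
    """Map zone -> list of interfaces from a Shorewall interfaces file (simplified)."""
    zones = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        zones.setdefault(fields[0], []).append(fields[1])
    return zones


def parse_rules(text):
    """Return (action, source, dest_zone, dest_ip, proto, port) tuples from a rules file."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5:
            continue
        action, source, dest, proto, port = fields[:5]
        zone, _, rest = dest.partition(":")
        dest_ip = rest.split(":")[0] if rest else None   # drop an optional ":port" qualifier
        rules.append((action, source, zone, dest_ip, proto, port))
    return rules


def check_rules(rules, zones, nets):
    """Flag rules whose DEST address is not on any interface of the DEST zone."""
    def zone_of(addr):
        for zone, ifaces in zones.items():
            for iface in ifaces:
                if any(addr in n for n in nets.get(iface, [])):
                    return zone, iface
        return None

    findings = []
    for action, source, zone, dest_ip, proto, port in rules:
        if not dest_ip:
            continue
        addr = ipaddress.ip_address(dest_ip)
        if any(addr in n for i in zones.get(zone, []) for n in nets.get(i, [])):
            continue                      # address really is behind that zone
        actual = zone_of(addr)
        where = (f"it is on zone '{actual[0]}' via {actual[1]}" if actual
                 else "no configured interface carries it")
        findings.append(f"{action} {source} {zone}:{dest_ip} {proto} {port}: "
                        f"{dest_ip} is not reachable through zone '{zone}'; {where}")
    return findings


if __name__ == "__main__":
    for f in check_rules(parse_rules(RULES), parse_interfaces(INTERFACES),
                         parse_ip_addr(IP_ADDR_SHOW)):
        print(f)
```

Run against the thread's configuration it reports both DNAT lines, naming masq/eth0 as the zone that actually carries 192.168.0.10; a rule whose DEST zone and address agree produces no output.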
All day long I get a steady flow of these packets from 208.138.130.16 (port 53) to some high numbered port (40275). They get dropped, but what the heck are they? Anyone have a clue?

Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33

I don't get so many as to be a DOS, but they look like some sort of probe.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
cheers();

Sorry, don't have the older posts, so I reply to this one...

> On 9 Jan 2003 at 1:08, Necarus wrote:
> > My interfaces file would look like this:
> > #ZONE   INTERFACE   BROADCAST   OPTIONS
> > net     ppp0        detect
> > masq    eth0        detect
> > loc     eth1        detect
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Necarus, as you are obviously German and your domain hosted by Schlund, I assume you have a DSL modem attached over Ethernet. Right?

You really have 3 (!) NICs in your router? That would assume ppp0 is really eth3...

I have set up routers with Mandrake 9.0 like you, too. The pre-configuration from Mandrake seems to be really bad to me.

I would suggest removing the Mandrake Shorewall RPMs and getting an RPM from shorewall.net.

If you don't have 3 NICs, I can tell you what to do to get your firewall running.

.karsten

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
Wee.. Karsten is gonna help me set up a brand new fw with the new packets. I hope everything will work then. Thanks a lot to you and to all others who tried to help )

-Nec

PS: We will do it in private mails, since we both are German and it's easier to talk in the native language, at least for me :)

On 09 Jan 2003 02:14:57 +0100
kb <kb@bluehash.de> wrote:

> cheers();
>
> Sorry, don't have the older posts, so I reply to this one...
>
>
> > On 9 Jan 2003 at 1:08, Necarus wrote:
> > > My interfaces file would look like this:
> > > #ZONE   INTERFACE   BROADCAST   OPTIONS
> > > net     ppp0        detect
> > > masq    eth0        detect
> > > loc     eth1        detect
> > > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Necarus, as you are obviously German and your domain hosted by Schlund,
> I assume you have a DSL modem attached over Ethernet. Right?
>
> You really have 3 (!) NICs in your router? That would assume ppp0 is
> really eth3...
>
> I have set up routers with Mandrake 9.0 like you, too. The
> pre-configuration from Mandrake seems to be really bad to me.
>
> I would suggest removing the Mandrake Shorewall RPMs and getting an RPM from
> shorewall.net.
>
>
> If you don't have 3 NICs, I can tell you what to do to get your firewall
> running.
>
> .karsten
>
>
> --
> Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
Kenneth Grande, Driftsjef aspIT AS
2003-Jan-09 00:17 UTC
Re: [Shorewall-users] prerouting newbie question/mistake :)
This is the manual way to do this:

80.86.12.18 - public
192.168.0.1 - private

First I add a rule in my rules file like this:

ACCEPT  net     loc:192.168.0.1     udp     514

Then I manually enter this iptables rule and press enter:

iptables -A PREROUTING -t nat -i eth0 -p udp -d 80.86.12.18 --dport 514 -j DNAT --to 192.168.0.1:514

Remember to add the iptables rule AFTER you have edited your rules file and restarted shorewall (cause shorewall clears all rules in iptables.)

This works for me every time..

Best Regards,

Kenneth.

-----Original Message-----
From: shorewall-users-bounces@shorewall.net [mailto:shorewall-users-bounces@shorewall.net] On behalf of Necarus
Sent: 9 January 2003 00:58
To: JMM Moi-Meme Maitre du Monde
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] prerouting newbie question/mistake :)

On Thu, 9 Jan 2003 00:43:50 +0100
JMM Moi-Meme Maitre du Monde <j6m@cvni.net> wrote:

> On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
> >
> > Hola and thanks for any help in advance
> > I installed mandrake 9 a few days ago and wanted to set up some
> > additional rules to shorewall, but I failed :)
> >
> > What I want to do is basically route any incoming udp and tcp packets on
> > port 4665 to a workstation behind the router.
> >
> > router with mandrake 9, eth0 (192.168.0.1) internal net, eth1(10.0.0.0)
> > connected to dsl modem and gets a dynamic ip
> >
> > workstations 192.168.0.10 / .11 / ....
> >
> > I read the readme and examples and added
> >
> > #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
> > #                                               PORT    PORT(S) DEST
> > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > DNAT    net     loc:192.168.0.10:4665   udp     4665
> >
>
> Why do you want to specify the port twice? (once by qualifying the
> IP address, which itself is only a qualifier of the zone, and once in
> the proper column)
>
> Looking at my own configuration (yep, Donkey is fun to play with when you
> know up to what limit it should use bandwidth), you should try:
> extr
>
> DNAT    net     loc:192.168.0.10        udp     4665
> DNAT    net     loc:192.168.0.10        tcp     4665
>
>
> Regards
> J6M

Changed it and still get

Jan 9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914 DPT=4665 LEN=27
Jan 9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82 DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914 DPT=4665 LEN=31
Jan 9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP SPT=12977 DPT=4665 LEN=27
Jan 9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP SPT=12977 DPT=4665 LEN=27

lots of those in my log. It is Overnet and not eDonkey btw :) And it is still marked as firewalled.

Thanks for the quick response though.

--Nec
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users
I had a problem once where my address was close to that of a DNS server. Well, someone typed the wrong digit and was trying to use me as a DNS server.

It looks like one of your systems though:

UDP SRC=208.138.130.16:53 DST=24.237.22.45:40275

where port 40275 is a dynamic port created on the host system when doing a query to a DNS server. Try sniffing the connection with snort or tcpdump: 'snort -dev port 53' and see which machine is making the query.

Of course, CGI.NET comes to mind...hint hint... ;-)

On Wed, 08 Jan 2003 16:01:47 -0900
"John S. Andersen" <jsa@norcomix.dyndns.org> opened up to us and said:

>
> All day long I get a steady flow of these packets from 208.138.130.16
> (port 53) to some high numbered port (40275). They get dropped, but
> what the heck are they? Anyone have a clue?
>
> Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=208.138.130.16
> DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF
> PROTO=UDP SPT=53 DPT=40275 LEN=33
>
> I don't get so many as to be a DOS, but they look like some sort of
> probe.
>
> ______________________________________
> John Andersen
> NORCOM / Juneau, Alaska
> http://www.screenio.com/
> (907) 790-3386
> _______________________________________
> John S. Andersen
> NORCOM mailto:JAndersen@norcomsoftware.com
> Juneau, Alaska
> http://www.screenio.com/
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
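Both kinds of net2all:DROP line in this thread can be read mechanically from their fields, which is worth doing before reaching for a sniffer. The Python script below is an added example, not from the thread and not part of Shorewall: it parses the log lines quoted above (embedded as a constructed sample taken from Necarus' and John's posts), groups the drops by protocol and destination port, and labels each group. The labelling rests on two netfilter facts: OUT= is only filled in on the FORWARD path, and the logged DST is the address after PREROUTING DNAT, so Necarus' lines show packets that were already translated to 192.168.0.10 and then refused in the forward chain; a UDP packet from source port 53 with an empty OUT= is, as Paul says, a DNS answer arriving at a high port on the firewall itself.

```python
import re

# Constructed sample: the log lines quoted earlier in this thread.
SAMPLE_LOG = """\
Jan 9 00:24:41 net2all:DROP:IN=ppp0 OUT=eth0 SRC=80.200.230.75 DST=192.168.0.10 LEN=139 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4528 DPT=4665 LEN=119
Jan 9 00:24:44 net2all:DROP:IN=ppp0 OUT=eth0 SRC=24.185.67.165 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=109 ID=32948 PROTO=UDP SPT=8548 DPT=4665 LEN=27
Jan 9 00:24:48 net2all:DROP:IN=ppp0 OUT=eth0 SRC=213.153.50.253 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=118 ID=52379 PROTO=UDP SPT=3461 DPT=4665 LEN=27
Jan 8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
"""

# "<chain>:<disposition>:IN=" marks the start of the netfilter part of the line.
CHAIN_RE = re.compile(r"(\w+):(\w+):IN=")
# key=value tokens; the value may be empty, as in "OUT= ".
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one Shorewall/netfilter log line into a dict, or None if it is not one."""
    m = CHAIN_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group(1), "disposition": m.group(2)}
    for key, value in FIELD_RE.findall(line[m.start():]):
        # keep the first LEN= (IP total length); the second one is the UDP length
        rec.setdefault(key, value)
    return rec


def classify(rec):
    """Say what a dropped packet most likely is, using only the logged fields."""
    if rec.get("OUT"):
        # OUT is set only in FORWARD, and DST is logged after PREROUTING DNAT:
        # the packet was translated to the inside host, then refused by the
        # zone policy/rules that apply to that destination.
        return f"forward to {rec['DST']} via {rec['OUT']} refused"
    if rec.get("PROTO") == "UDP" and rec.get("SPT") == "53":
        return f"DNS answer to port {rec['DPT']} on the firewall itself"
    return "packet addressed to the firewall itself"


def summarize(text):
    """Group DROP lines by (proto, dport); count them, collect sources and labels."""
    buckets = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("disposition") != "DROP":
            continue
        key = (rec.get("PROTO"), rec.get("DPT"))
        b = buckets.setdefault(key, {"count": 0, "sources": set(), "kinds": set()})
        b["count"] += 1
        b["sources"].add(rec.get("SRC"))
        b["kinds"].add(classify(rec))
    return buckets


if __name__ == "__main__":
    for (proto, dport), b in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{proto}/{dport}: {b['count']} drops from {len(b['sources'])} sources")
        for kind in sorted(b["kinds"]):
            print("   ", kind)
```

On the sample it yields one UDP/4665 group (three drops, three sources, all "forward to 192.168.0.10 via eth0 refused") and one UDP/40275 group labelled as a DNS answer; fed a real `shorewall show log` dump it separates forwarding problems like Necarus' from traffic aimed at the firewall like John's.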
Pascal DeMilly
2003-Jan-09 08:17 UTC
Re: [Shorewall-users] prerouting newbie question/mistake :)
Why not simply write

DNAT    net:80.86.12.18     loc:192.168.0.1:514     514

or even

DNAT    net:80.86.12.18     loc:192.168.0.1         514

HTH

Pascal

On Thu, 2003-01-09 at 00:16, Kenneth Grande, Driftsjef aspIT AS wrote:
> This is the manual way to do this:
>
>
> 80.86.12.18 - public
> 192.168.0.1 - private
>
> First I add a rule in my rules file like this:
>
> ACCEPT  net     loc:192.168.0.1     udp     514
>
> Then I manually enter this iptables rule and press enter:
>
> iptables -A PREROUTING -t nat -i eth0 -p udp -d 80.86.12.18 --dport 514
> -j DNAT --to 192.168.0.1:514
>
>
> Remember to add the iptables rule AFTER you have edited your rules file
> and restarted shorewall (cause shorewall clears all rules in iptables.)
>
> This works for me every time..
>
>
> Best Regards,
>
> Kenneth.
>
> -----Original Message-----
> From: shorewall-users-bounces@shorewall.net
> [mailto:shorewall-users-bounces@shorewall.net] On behalf of Necarus
> Sent: 9 January 2003 00:58
> To: JMM Moi-Meme Maitre du Monde
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] prerouting newbie question/mistake :)
>
>
> On Thu, 9 Jan 2003 00:43:50 +0100
> JMM Moi-Meme Maitre du Monde <j6m@cvni.net> wrote:
>
> > On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
> > >
> > > Hola and thanks for any help in advance
> > > I installed mandrake 9 a few days ago and wanted to set up some
> > > additional rules to shorewall, but I failed :)
> > >
> > > What I want to do is basically route any incoming udp and tcp packets
> > > on port 4665 to a workstation behind the router.
> > >
> > > router with mandrake 9, eth0 (192.168.0.1) internal net,
> > > eth1(10.0.0.0) connected to dsl modem and gets a dynamic ip
> > >
> > > workstations 192.168.0.10 / .11 / ....
> > >
> > > I read the readme and examples and added
> > >
> > > #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
> > > #                                               PORT    PORT(S) DEST
> > > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > > DNAT    net     loc:192.168.0.10:4665   udp     4665
> > >
> >
> > Why do you want to specify the port twice? (once by qualifying the
> > IP address, which itself is only a qualifier of the zone, and once
> > in the proper column)
> >
> > Looking at my own configuration (yep, Donkey is fun to play with when
> > you know up to what limit it should use bandwidth), you should try:
> > extr
> >
> > DNAT    net     loc:192.168.0.10        udp     4665
> > DNAT    net     loc:192.168.0.10        tcp     4665
> >
> >
> > Regards
> > J6M
>
> Changed it and still get
>
> Jan 9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914 DPT=4665 LEN=27
> Jan 9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82 DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914 DPT=4665 LEN=31
> Jan 9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP SPT=12977 DPT=4665 LEN=27
> Jan 9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103 DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP SPT=12977 DPT=4665 LEN=27
>
> lots of those in my log. It is Overnet and not eDonkey btw :) And it is
> still marked as firewalled.
>
> Thanks for the quick response though.
>
> --Nec
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users

--
Pascal DeMilly <mailing-lists@newgenesys.com>