Shorewall users - Jan 2003 - prerouting newbie question/mistake :)

Hola and thanks for any help in advance

I installed mandrake 9 a few days ago and wanted to set up some
additional rules to shorewall, bu i failed :)

What i want to do is basicly route any incomming udp and tcp packets on
port 4665 to a workstation behind the router.

router with mandrake 9, eth0 (192.168.0.1) internal net, eth1(10.0.0.0)
connected to dsl modem and gets a dynamic ip

workstations 192.168.0.10 / .11 / ....

I read the readme and examples and added 

#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST 
DNAT    net     loc:192.168.0.10:4665   tcp     4665
DNAT    net     loc:192.168.0.10:4665   udp     4665    

this to my /etc/shorewall/rules
evrythign else is default right now.

I am sure I missed something somewhere or messed somethign up in those 2
lines :)

I will add the info that i should add recording to the page below.

Thanks in advance again.

-Nec 



shorewall version: 1.37c

kernel: 2.4.19-16mdk

ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen
100
    link/ether 00:60:08:cb:a5:19 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:03:42:da:6b brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    inet 217.225.24.150 peer 217.5.98.30/32 scope global ppp0

ip route show
217.5.98.30 dev ppp0  proto kernel  scope link  src 217.225.24.150 
10.0.0.0/24 dev eth1  scope link 
192.168.0.0/24 dev eth0  scope link 
127.0.0.0/8 dev lo  scope link 
default via 217.5.98.30 dev ppp0 

shorewall show log ( lots of those :) )
Jan  9 00:24:41 net2all:DROP:IN=ppp0 OUT=eth0 SRC=80.200.230.75 DST=192.168.0.10
LEN=139 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=4528 DPT=4665 LEN=119
Jan  9 00:24:44 net2all:DROP:IN=ppp0 OUT=eth0 SRC=24.185.67.165 DST=192.168.0.10
LEN=47 TOS=0x00 PREC=0x00 TTL=109 ID=32948 PROTO=UDP SPT=8548 DPT=4665 LEN=27
Jan  9 00:24:48 net2all:DROP:IN=ppp0 OUT=eth0 SRC=213.153.50.253
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=118 ID=52379 PROTO=UDP SPT=3461
DPT=4665 LEN=27
Jan  9 00:24:56 net2all:DROP:IN=ppp0 OUT=eth0 SRC=81.224.25.150 DST=192.168.0.10
LEN=47 TOS=0x00 PREC=0x00 TTL=115 ID=26788 PROTO=UDP SPT=10636 DPT=4665 LEN=27

On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
> 
> Hola and thanks for any help in advance
> I installed mandrake 9 a few days ago and wanted to set up some
> additional rules to shorewall, bu i failed :)
> 
> What i want to do is basicly route any incomming udp and tcp packets on
> port 4665 to a workstation behind the router.
> 
> router with mandrake 9, eth0 (192.168.0.1) internal net, eth1(10.0.0.0)
> connected to dsl modem and gets a dynamic ip
> 
> workstations 192.168.0.10 / .11 / ....
> 
> I read the readme and examples and added 
> 
> #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
> #                                               PORT    PORT(S)    DEST 
> DNAT    net     loc:192.168.0.10:4665   tcp     4665
> DNAT    net     loc:192.168.0.10:4665   udp     4665    
> 
Why do you want to specify twice the port ? (once by qualifying the
IP address - which, itself, is only a qualifier of the zone, and once in
the proper column)

Looking at my own configuration (yep Donkey is fun to play with when you
know up to what limit should it use bandwith, you should try:
extr

DNAT   net     loc:192.168.0.10 udp     4665
DNAT   net     loc:192.168.0.10 tcp     4665


Regards
J6M

On Thu, 9 Jan 2003 00:43:50 +0100
JMM Moi-Meme Maitre du Monde <j6m@cvni.net> wrote:
> On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
> > 
> > Hola and thanks for any help in advance
> > I installed mandrake 9 a few days ago and wanted to set up some
> > additional rules to shorewall, bu i failed :)
> > 
> > What i want to do is basicly route any incomming udp and tcp packets
on
> > port 4665 to a workstation behind the router.
> > 
> > router with mandrake 9, eth0 (192.168.0.1) internal net,
eth1(10.0.0.0)
> > connected to dsl modem and gets a dynamic ip
> > 
> > workstations 192.168.0.10 / .11 / ....
> > 
> > I read the readme and examples and added 
> > 
> > #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE    
ORIGINAL
> > #                                               PORT    PORT(S)   
DEST
> > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > DNAT    net     loc:192.168.0.10:4665   udp     4665    
> > 
> 
> Why do you want to specify twice the port ? (once by qualifying the
> IP address - which, itself, is only a qualifier of the zone, and once in
> the proper column)
> 
> Looking at my own configuration (yep Donkey is fun to play with when you
> know up to what limit should it use bandwith, you should try:
> extr
> 
> DNAT   net     loc:192.168.0.10 udp     4665
> DNAT   net     loc:192.168.0.10 tcp     4665
> 
> 
> Regards
> J6M
Changed it and still get

Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914
DPT=4665 LEN=27
Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914
DPT=4665 LEN=31
Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP SPT=12977
DPT=4665 LEN=27
Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP SPT=12977
DPT=4665 LEN=27

lots of those in my log. It is overnet and not edonkey btw :) And it is
still marked as firewalled.

Thanks for the quick repsonce though.

--Nec

On 9 Jan 2003 at 0:35, Necarus wrote:

 > #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     
ORIGINAL
> #                                               PORT    PORT(S)    
DEST 
> DNAT    net     loc:192.168.0.10:4665   tcp     4665
> DNAT    net     loc:192.168.0.10:4665   udp     4665    
> 
> this to my /etc/shorewall/rules
> evrythign else is default right now.

The above looks correct, and follows examples I have in my rules.


> > 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc 
pfifo_fast qlen 100
>     link/ether 00:60:08:cb:a5:19 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 
100
>     link/ether 00:01:03:42:da:6b brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
> 5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast 
qlen 3
>     link/ppp 
>     inet 217.225.24.150 peer 217.5.98.30/32 scope global ppp0
Where is your Shorewall Interfaces file?

 > shorewall show log ( lots of those :) )
> Jan  9 00:24:41 net2all:DROP:IN=ppp0 OUT=eth0 SRC=80.200.230.75 
DST=192.168.0.10 LEN=139 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP 
SPT=4528 DPT=4665 LEN=119 

These arrived on your ppp0 dial-up. 
Without looking at your shorewall/interfaces I can''t be sure that 
interface is what is assigned to net.  
If the rest is default as you say, the net zone might be assigned
to eth0.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386_______________________________________
John S. Andersen
NORCOM  mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/

On Wed, 08 Jan 2003 15:04:39 -0900
"John S. Andersen" <jsa@norcomix.dyndns.org> wrote:
> On 9 Jan 2003 at 0:35, Necarus wrote:
> 
>  > #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     
> ORIGINAL
> > #                                               PORT    PORT(S)    
> DEST 
> > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > DNAT    net     loc:192.168.0.10:4665   udp     4665    
> > 
> > this to my /etc/shorewall/rules
> > evrythign else is default right now.
> 
> 
> The above looks correct, and follows examples I have in my rules.
> 
> 
> 
> > > 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc 
> pfifo_fast qlen 100
> >     link/ether 00:60:08:cb:a5:19 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen
> 100
> >     link/ether 00:01:03:42:da:6b brd ff:ff:ff:ff:ff:ff
> >     inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
> > 5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc
pfifo_fast
> qlen 3
> >     link/ppp 
> >     inet 217.225.24.150 peer 217.5.98.30/32 scope global ppp0
> 
> Where is your Shorewall Interfaces file?
> 
>  > shorewall show log ( lots of those :) )
> > Jan  9 00:24:41 net2all:DROP:IN=ppp0 OUT=eth0 SRC=80.200.230.75 
> DST=192.168.0.10 LEN=139 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP 
> SPT=4528 DPT=4665 LEN=119 
> 
> These arrived on your ppp0 dial-up. 
> Without looking at your shorewall/interfaces I can''t be sure that 
> interface is what is assigned to net.  
> If the rest is default as you say, the net zone might be assigned
> to eth0.
> 
> ______________________________________
> John Andersen
> NORCOM / Juneau, Alaska
> http://www.screenio.com/
> (907) 790-3386_______________________________________
> John S. Andersen
> NORCOM  mailto:JAndersen@norcomsoftware.com
> Juneau, Alaska
> http://www.screenio.com/
> 
My interfaces file would look like this:
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     ppp0    detect
masq    eth0    detect
loc     eth1    detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-Nec

On Wed, 2003-01-08 at 15:58, Necarus wrote:
> Changed it and still get
> 
> Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914
DPT=4665 LEN=27
> Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=12914
DPT=4665 LEN=31
> Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP SPT=12977
DPT=4665 LEN=27
> Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP SPT=12977
DPT=4665 LEN=27
> 
> lots of those in my log. It is overnet and not edonkey btw :) And it is
> still marked as firewalled.
> 
> Thanks for the quick repsonce though.
Necarus,
Interesting. Have you read FAQs 1-2? They may help.

http://www.shorewall.net/FAQ.htm

-- 
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/  http://sitedocs.sf.net/  http://ffl.sf.net/

On Thu, Jan 09, 2003 at 01:08:06AM +0100, Necarus wrote:
> 
> On Wed, 08 Jan 2003 15:04:39 -0900
> "John S. Andersen" <jsa@norcomix.dyndns.org> wrote:
> > 
> 
> My interfaces file would look like this:
> #ZONE    INTERFACE      BROADCAST       OPTIONS
> net     ppp0    detect
> masq    eth0    detect
> loc     eth1    detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 
> -Nec
I was just thinking about the same thing as John and was looking at my
interfaces file :

net     ppp0            detect          norfc1918,routefilter,dropunclean
loc     eth1            detect          routestopped
dmz     eth2            detect          routestopped

(If you try something like this, be sure to have in /etc/rc.d/rcX.d the S??xxxxx
dialing script executed prior to Sxxshorewall, as, because of routefilter, ppp0
must be up and runningi. Idem if you have a cron job checking up if your dialing
connection is still active or needs to be restarted)

- I run Shorewall 1.3.7 on SuSE Linux 8.0 with an ADSL connection

On 9 Jan 2003 at 1:08, Necarus wrote:

 > My interfaces file would look like this:
> #ZONE    INTERFACE      BROADCAST       OPTIONS
> net     ppp0    detect
> masq    eth0    detect
> loc     eth1    detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 
> -Nec
> 
Ok, that looks fine, although I would have thought one or more of
those interfaces would have dhcp on it as well as routefilter
 and maybe routestopped.

What I don''t understand is why that stuff is arriving on ppp0 when 
you said  your outside connection is on eth1 
Quoting...
    eth0 (192.168.0.1) internal net, 
    eth1(10.0.0.0) connected to dsl modem and gets a dynamic ip
------

Nevertheless, eth1 does not host 192.168.,  It has 10.0.0 on it.
So your rulle should point to either a different ip or a different 
zone (masq has 192.168 subnet).





 Is that an internal
router or your path to the outside??
 


______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386_______________________________________
John S. Andersen
NORCOM  mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/

All day long I get a steady flow of these packets from 208.138.130.16 
(port 53) to some high numbered port (40275).  They get dropped, but
what the heck are they?  Anyone have a clue?

Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF
PROTO=UDP
SPT=53 DPT=40275 LEN=33 

I don''t get so many as to be a DOS, but they look like some sort of 
probe.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386_______________________________________
John S. Andersen
NORCOM  mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/

cheers();

Sorry, don''t have the older posts, so I reply to this one...

> On 9 Jan 2003 at 1:08, Necarus wrote:
>  > My interfaces file would look like this:
> > #ZONE    INTERFACE      BROADCAST       OPTIONS
> > net     ppp0    detect
> > masq    eth0    detect
> > loc     eth1    detect
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Necarus, as you are obviously German and your domain hosted by Schlund,
I assume you have an DSL Modem attached over Ethernet. Right?

You really have 3 (!) NICs in your router? That would assume, ppp0 is
really eth3...

I have set up routers with Mandrake 9.0 like you, too. The
pre-configuration from Mandrake seems to be really bad to me.

I would suggest to remove Mandrake Shorewall RPMs and get an RPM from
shorewall.net.


If you don''t have 3 NICs, I can tell you what to do to get your
firewall
running.

.karsten


-- 
Hi, I''m a signature virus. Copy me into your ~/.signature to help me
spread!

Wee.. karsten gonne help me to set upa brand new fw with the new packets.
I hope everythign will work then. Thanks alot to you and to all others
who tried to help )

-Nec

PS: We will do it in private mails, since we both are german and its
easier to talk in th native language, at least for me :)

On 09 Jan 2003 02:14:57 +0100
kb <kb@bluehash.de> wrote:
> cheers();
> 
> Sorry, don''t have the older posts, so I reply to this one...
> 
> 
> > On 9 Jan 2003 at 1:08, Necarus wrote:
> >  > My interfaces file would look like this:
> > > #ZONE    INTERFACE      BROADCAST       OPTIONS
> > > net     ppp0    detect
> > > masq    eth0    detect
> > > loc     eth1    detect
> > > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 
> Necarus, as you are obviously German and your domain hosted by Schlund,
> I assume you have an DSL Modem attached over Ethernet. Right?
> 
> You really have 3 (!) NICs in your router? That would assume, ppp0 is
> really eth3...
> 
> I have set up routers with Mandrake 9.0 like you, too. The
> pre-configuration from Mandrake seems to be really bad to me.
> 
> I would suggest to remove Mandrake Shorewall RPMs and get an RPM from
> shorewall.net.
> 
> 
> If you don''t have 3 NICs, I can tell you what to do to get your
firewall
> running.
> 
> .karsten
> 
> 
> -- 
> Hi, I''m a signature virus. Copy me into your ~/.signature to help
me spread!

This is the manual way to do this:


80.86.12.18 - public
192.168.0.1 - private

First I add a rule in my rules file like this:

ACCEPT net	loc:192.168.0.1	udp 514

Then I manually enter this iptables rule and press enter:

iptables -A PREROUTING -t nat -i eth0 -p udp -d 80.86.12.18 --dport 514
-j DNAT --to 192.168.0.1:514


Remember to add the iptables rule AFTER you have edited your rules file
and restarted shorewall (cause shorewall clears all rules in ip tables.)

This works for me every time..


Best Regards,

Kenneth.

-----Opprinnelig melding-----
Fra: shorewall-users-bounces@shorewall.net
[mailto:shorewall-users-bounces@shorewall.net] P? vegne av Necarus
Sendt: 9. januar 2003 00:58
Til: JMM Moi-Meme Maitre du Monde
Kopi: shorewall-users@shorewall.net
Emne: Re: [Shorewall-users] prerouting newbie question/mistake :)


On Thu, 9 Jan 2003 00:43:50 +0100
JMM Moi-Meme Maitre du Monde <j6m@cvni.net> wrote:
> On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
> > 
> > Hola and thanks for any help in advance
> > I installed mandrake 9 a few days ago and wanted to set up some
> > additional rules to shorewall, bu i failed :)
> > 
> > What i want to do is basicly route any incomming udp and tcp packets
on
> > port 4665 to a workstation behind the router.
> > 
> > router with mandrake 9, eth0 (192.168.0.1) internal net,
eth1(10.0.0.0)
> > connected to dsl modem and gets a dynamic ip
> > 
> > workstations 192.168.0.10 / .11 / ....
> > 
> > I read the readme and examples and added 
> > 
> > #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE
ORIGINAL
> > #                                               PORT    PORT(S)
DEST 
> > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > DNAT    net     loc:192.168.0.10:4665   udp     4665    
> > 
> 
> Why do you want to specify twice the port ? (once by qualifying the
> IP address - which, itself, is only a qualifier of the zone, and once
in
> the proper column)
> 
> Looking at my own configuration (yep Donkey is fun to play with when
you
> know up to what limit should it use bandwith, you should try:
> extr
> 
> DNAT   net     loc:192.168.0.10 udp     4665
> DNAT   net     loc:192.168.0.10 tcp     4665
> 
> 
> Regards
> J6M
Changed it and still get

Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP
SPT=12914 DPT=4665 LEN=27 
Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP
SPT=12914 DPT=4665 LEN=31 
Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP
SPT=12977 DPT=4665 LEN=27 
Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP
SPT=12977 DPT=4665 LEN=27 

lots of those in my log. It is overnet and not edonkey btw :) And it is
still marked as firewalled.

Thanks for the quick repsonce though.

--Nec
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users

I had a problem once where my address was close to that of a DNS server.
Well, someone typed the wrong digit and was trying to use my as a DNS
server.

It looks like one of your systems though:
UDP SRC=208.138.130.16:53 DST=24.237.22.45:40275

Where port 40275 is a dynamic port created on the host system when doing
a query to a DNS server.

Try sniffing the connection with snort or tcpdump:
''snort -dev port 53'' and see which machine is making the
query.

Of course, CGI.NET comes to mind...hint hint... ;-)


On Wed, 08 Jan 2003 16:01:47 -0900
"John S. Andersen" <jsa@norcomix.dyndns.org> opened up to us and
said:
> 
> All day long I get a steady flow of these packets from 208.138.130.16 
> (port 53) to some high numbered port (40275).  They get dropped, but
> what the heck are they?  Anyone have a clue?
> 
> Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT>
MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00 SRC=208.138.130.16
> DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00 TTL=251 ID=8288 DF
> PROTO=UDP SPT=53 DPT=40275 LEN=33 
> 
> I don''t get so many as to be a DOS, but they look like some sort
of
> probe.
> 
> ______________________________________
> John Andersen
> NORCOM / Juneau, Alaska
> http://www.screenio.com/
> (907) 790-3386_______________________________________
> John S. Andersen
> NORCOM  mailto:JAndersen@norcomsoftware.com
> Juneau, Alaska
> http://www.screenio.com/
> 
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users

-- 
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com

Why not simply write

DNAT	net:80.86.12.18	loc:192.168.0.1:514	514

or even

DNAT 	net:80.86.12.18	loc:192.168.0.1		514

HTH

Pascal

On Thu, 2003-01-09 at 00:16, Kenneth Grande, Driftsjef aspIT AS
wrote:
> This is the manual way to do this:
> 
> 
> 80.86.12.18 - public
> 192.168.0.1 - private
> 
> First I add a rule in my rules file like this:
> 
> ACCEPT net	loc:192.168.0.1	udp 514
> 
> Then I manually enter this iptables rule and press enter:
> 
> iptables -A PREROUTING -t nat -i eth0 -p udp -d 80.86.12.18 --dport 514
> -j DNAT --to 192.168.0.1:514
> 
> 
> Remember to add the iptables rule AFTER you have edited your rules file
> and restarted shorewall (cause shorewall clears all rules in ip tables.)
> 
> This works for me every time..
> 
> 
> Best Regards,
> 
> Kenneth.
> 
> -----Opprinnelig melding-----
> Fra: shorewall-users-bounces@shorewall.net
> [mailto:shorewall-users-bounces@shorewall.net] P? vegne av Necarus
> Sendt: 9. januar 2003 00:58
> Til: JMM Moi-Meme Maitre du Monde
> Kopi: shorewall-users@shorewall.net
> Emne: Re: [Shorewall-users] prerouting newbie question/mistake :)
> 
> 
> On Thu, 9 Jan 2003 00:43:50 +0100
> JMM Moi-Meme Maitre du Monde <j6m@cvni.net> wrote:
> 
> > On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
> > > 
> > > Hola and thanks for any help in advance
> > > I installed mandrake 9 a few days ago and wanted to set up some
> > > additional rules to shorewall, bu i failed :)
> > > 
> > > What i want to do is basicly route any incomming udp and tcp
packets
> on
> > > port 4665 to a workstation behind the router.
> > > 
> > > router with mandrake 9, eth0 (192.168.0.1) internal net,
> eth1(10.0.0.0)
> > > connected to dsl modem and gets a dynamic ip
> > > 
> > > workstations 192.168.0.10 / .11 / ....
> > > 
> > > I read the readme and examples and added 
> > > 
> > > #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE
> ORIGINAL
> > > #                                               PORT    PORT(S)
> DEST 
> > > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > > DNAT    net     loc:192.168.0.10:4665   udp     4665    
> > > 
> > 
> > Why do you want to specify twice the port ? (once by qualifying the
> > IP address - which, itself, is only a qualifier of the zone, and once
> in
> > the proper column)
> > 
> > Looking at my own configuration (yep Donkey is fun to play with when
> you
> > know up to what limit should it use bandwith, you should try:
> > extr
> > 
> > DNAT   net     loc:192.168.0.10 udp     4665
> > DNAT   net     loc:192.168.0.10 tcp     4665
> > 
> > 
> > Regards
> > J6M
> Changed it and still get
> 
> Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
> DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP
> SPT=12914 DPT=4665 LEN=27 
> Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
> DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP
> SPT=12914 DPT=4665 LEN=31 
> Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
> DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP
> SPT=12977 DPT=4665 LEN=27 
> Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
> DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP
> SPT=12977 DPT=4665 LEN=27 
> 
> lots of those in my log. It is overnet and not edonkey btw :) And it is
> still marked as firewalled.
> 
> Thanks for the quick repsonce though.
> 
> --Nec
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users
-- 
Pascal DeMilly <mailing-lists@newgenesys.com>

Why not simply write

DNAT	net:80.86.12.18	loc:192.168.0.1:514	514

or even

DNAT 	net:80.86.12.18	loc:192.168.0.1		514

HTH

Pascal

On Thu, 2003-01-09 at 00:16, Kenneth Grande, Driftsjef aspIT AS
wrote:
> This is the manual way to do this:
> 
> 
> 80.86.12.18 - public
> 192.168.0.1 - private
> 
> First I add a rule in my rules file like this:
> 
> ACCEPT net	loc:192.168.0.1	udp 514
> 
> Then I manually enter this iptables rule and press enter:
> 
> iptables -A PREROUTING -t nat -i eth0 -p udp -d 80.86.12.18 --dport 514
> -j DNAT --to 192.168.0.1:514
> 
> 
> Remember to add the iptables rule AFTER you have edited your rules file
> and restarted shorewall (cause shorewall clears all rules in ip tables.)
> 
> This works for me every time..
> 
> 
> Best Regards,
> 
> Kenneth.
> 
> -----Opprinnelig melding-----
> Fra: shorewall-users-bounces@shorewall.net
> [mailto:shorewall-users-bounces@shorewall.net] P? vegne av Necarus
> Sendt: 9. januar 2003 00:58
> Til: JMM Moi-Meme Maitre du Monde
> Kopi: shorewall-users@shorewall.net
> Emne: Re: [Shorewall-users] prerouting newbie question/mistake :)
> 
> 
> On Thu, 9 Jan 2003 00:43:50 +0100
> JMM Moi-Meme Maitre du Monde <j6m@cvni.net> wrote:
> 
> > On Thu, Jan 09, 2003 at 12:35:37AM +0100, Necarus wrote:
> > > 
> > > Hola and thanks for any help in advance
> > > I installed mandrake 9 a few days ago and wanted to set up some
> > > additional rules to shorewall, bu i failed :)
> > > 
> > > What i want to do is basicly route any incomming udp and tcp
packets
> on
> > > port 4665 to a workstation behind the router.
> > > 
> > > router with mandrake 9, eth0 (192.168.0.1) internal net,
> eth1(10.0.0.0)
> > > connected to dsl modem and gets a dynamic ip
> > > 
> > > workstations 192.168.0.10 / .11 / ....
> > > 
> > > I read the readme and examples and added 
> > > 
> > > #ACTION  SOURCE         DEST            PROTO   DEST    SOURCE
> ORIGINAL
> > > #                                               PORT    PORT(S)
> DEST 
> > > DNAT    net     loc:192.168.0.10:4665   tcp     4665
> > > DNAT    net     loc:192.168.0.10:4665   udp     4665    
> > > 
> > 
> > Why do you want to specify twice the port ? (once by qualifying the
> > IP address - which, itself, is only a qualifier of the zone, and once
> in
> > the proper column)
> > 
> > Looking at my own configuration (yep Donkey is fun to play with when
> you
> > know up to what limit should it use bandwith, you should try:
> > extr
> > 
> > DNAT   net     loc:192.168.0.10 udp     4665
> > DNAT   net     loc:192.168.0.10 tcp     4665
> > 
> > 
> > Regards
> > J6M
> Changed it and still get
> 
> Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
> DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP
> SPT=12914 DPT=4665 LEN=27 
> Jan  9 00:55:33 net2all:DROP:IN=ppp0 OUT=eth0 SRC=134.106.162.82
> DST=192.168.0.10 LEN=51 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP
> SPT=12914 DPT=4665 LEN=31 
> Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
> DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12830 PROTO=UDP
> SPT=12977 DPT=4665 LEN=27 
> Jan  9 00:55:34 net2all:DROP:IN=ppp0 OUT=eth0 SRC=195.146.233.103
> DST=192.168.0.10 LEN=47 TOS=0x00 PREC=0x00 TTL=114 ID=12842 PROTO=UDP
> SPT=12977 DPT=4665 LEN=27 
> 
> lots of those in my log. It is overnet and not edonkey btw :) And it is
> still marked as firewalled.
> 
> Thanks for the quick repsonce though.
> 
> --Nec
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users
-- 
Pascal DeMilly <mailing-lists@newgenesys.com>
-- 
Pascal DeMilly <list.shorewall@newgenesys.com>