Ok, I hate to be the newbie posting a dumb question, but I can't get port forwarding to work...

in interfaces I have:

net eth0 detect dhcp
loc eth1 192.168.1.255 routestopped

in rules I have:

#
# Forward FTP connections to 2021 to 192.168.1.3
#
ACCEPT net loc:192.168.1.3 tcp 2021 21

So, the end result should be that traffic from the net going to port 2021 should be forwarded to port 21 of 192.168.1.3. The packets aren't dropped since they aren't logged, so something is going on, but they aren't being forwarded to my internal machine.

When the firewall is started, the rule is added:

Rule "ACCEPT net loc:192.168.1.3 tcp 2021 21" added.

The only thing that is a little sketchy is this message during startup:

Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0

Everything else works great.

Thanks in advance for any help,

Luis
What you want should look like this:

ACCEPT net loc:192.168.1.3:21 tcp 2021 - all

Or you could replace "all" above with the IP address of eth0.

----- Original Message -----
From: "Luis Hernandez" <shorewall.net@luisma.com>
To: <shorewall-users@shorewall.net>
Sent: Thursday, March 07, 2002 9:12 AM
Subject: [Shorewall-users] port forwarding not working!

Ok, I hate to be the newbie posting a dumb question, but I can't get port forwarding to work...

in interfaces I have:

net eth0 detect dhcp
loc eth1 192.168.1.255 routestopped

in rules I have:

#
# Forward FTP connections to 2021 to 192.168.1.3
#
ACCEPT net loc:192.168.1.3 tcp 2021 21

So, the end result should be that traffic from the net going to port 2021 should be forwarded to port 21 of 192.168.1.3. The packets aren't dropped since they aren't logged, so something is going on, but they aren't being forwarded to my internal machine.

When the firewall is started, the rule is added:

Rule "ACCEPT net loc:192.168.1.3 tcp 2021 21" added.

The only thing that is a little sketchy is this message during startup:

Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0

Everything else works great.

Thanks in advance for any help,

Luis
> -----Original Message-----
> From: Luis Hernandez [mailto:shorewall.net@luisma.com]
> Sent: Thursday, March 07, 2002 8:13 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] port forwarding not working!
>
>
> Ok, I hate to be the newbie posting a dumb question, but I
> can't get port forwarding to work...
>
> in interfaces I have:
>
> net eth0 detect dhcp
> loc eth1 192.168.1.255 routestopped
>
> in rules I have:
>
> #
> # Forward FTP connections to 2021 to 192.168.1.3
> #
> ACCEPT net loc:192.168.1.3 tcp 2021 21
>
> So, the end result should be that traffic from the net going
> to port 2021 should be forwarded to port 21 of 192.168.1.3.
> The packets aren't dropped since they aren't logged, so something
> is going on, but they aren't being forwarded to my internal machine.

I believe the correct syntax should be: (I have not tested)

ACCEPT net local:192.168.1.3:21 tcp 2021 - all

NOTE: I could be totally wrong here, but since you're trying to use ftp on port 2021 (instead of 21), the ip_nat_ftp module may not work with regards to the ftp-data channel. You might be limited to using passive ftp mode only. Again, I have not tested this type of configuration. AFAIK, you might be able to pass arguments to the ip_nat_ftp module to override the port.

Steve Cowles
----- Original Message -----
From: "Cowles, Steve" <Steve@SteveCowles.com>
To: <shorewall-users@shorewall.net>
Sent: Thursday, March 07, 2002 6:33 AM
Subject: RE: [Shorewall-users] port forwarding not working!

>
> I believe the correct syntax should be: (I have not tested)
> ACCEPT net local:192.168.1.3:21 tcp 2021 - all
>
> NOTE: I could be totally wrong here, but since you're trying to use ftp on
> port 2021 (instead of 21), the ip_nat_ftp module may not work with regards
> to the ftp-data channel. You might be limited to using passive ftp mode
> only. Again, I have not tested this type of configuration. AFAIK, you might
> be able to pass arguments to the ip_nat_ftp module to override the port.

In /etc/shorewall/modules, add "ports=21,2021" to the entries for the FTP modules.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
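As an added illustration (not Shorewall's own code, and not posted by anyone in this thread), the script below spells out what the corrected rule "ACCEPT net loc:192.168.1.3:21 tcp 2021 - all" and Tom's "ports=21,2021" modules entry amount to in plain iptables and modprobe terms. It only prints the commands rather than running them; the function names, the interface and address values, and the small sanity check on the forwarding target are assumptions made for the example.

```shell
#!/bin/sh
# Added example: what a Shorewall port-forwarding rule and the FTP helper
# "ports=" parameter mean at the iptables/modprobe level. Nothing here is
# executed against the kernel; every function just prints commands.

# shorewall_dnat_to_iptables NET_IF LOC_IF DEST_IP DEST_PORT EXT_PORT
# A DNAT-style rule needs two pieces: rewrite the destination of packets
# arriving on the net interface (nat PREROUTING), then let the rewritten
# packet cross from net to loc (FORWARD). The return path and the FTP data
# channel rely on the ESTABLISHED,RELATED rules Shorewall installs itself.
shorewall_dnat_to_iptables() {
    net_if=$1; loc_if=$2; dest_ip=$3; dest_port=$4; ext_port=$5
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$net_if" "$ext_port" "$dest_ip" "$dest_port"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$net_if" "$loc_if" "$dest_ip" "$dest_port"
}

# ftp_helper_modprobe PORTS
# The FTP connection-tracking and NAT helpers only inspect control
# connections on the ports they were loaded with (21 by default). Loading
# them with ports=21,2021 is the modprobe equivalent of the
# /etc/shorewall/modules entry Tom describes; without it, active-mode data
# connections for a server reached via port 2021 are never marked RELATED.
ftp_helper_modprobe() {
    ports=$1
    printf 'modprobe ip_conntrack_ftp ports=%s\n' "$ports"
    printf 'modprobe ip_nat_ftp ports=%s\n' "$ports"
}

# validate_forward DEST_IP DEST_PORT
# Assumed sanity check before applying such a rule: the forwarding target
# must be a private (RFC 1918) address and the port a number in 1..65535,
# so a typo cannot silently forward inbound traffic toward the Internet.
validate_forward() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# Usage with the values from Luis's configuration (constructed for the example).
if validate_forward 192.168.1.3 21; then
    shorewall_dnat_to_iptables eth0 eth1 192.168.1.3 21 2021
    ftp_helper_modprobe 21,2021
fi
```

Running the script prints the two iptables rules followed by the two modprobe lines; comparing them with "iptables -t nat -L PREROUTING -n" and "lsmod" on the firewall is a quick way to confirm that Shorewall actually installed the forward and loaded the helpers with the extra port.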
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Thursday, March 07, 2002 8:50 AM
> To: Cowles, Steve; shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] port forwarding not working!
>
>
> > I believe the correct syntax should be: (I have not tested)
> > ACCEPT net local:192.168.1.3:21 tcp 2021 - all
> >
> > NOTE: I could be totally wrong here, but since you're trying
> > to use ftp on port 2021 (instead of 21), the ip_nat_ftp
> > module may not work with regards to the ftp-data channel.
> > You might be limited to using passive ftp mode only. Again,
> > I have not tested this type of configuration. AFAIK, you
> > might be able to pass arguments to the ip_nat_ftp module to
> > override the port.
>
> In /etc/shorewall/modules, add "ports=21,2021" to the entries
> for the FTP modules.

Tom,

Thanks for the clarification. It's good to know you can run both active/passive mode ftp on non-standard ports.

Steve Cowles