I read the FAQ and the Troubleshooting guide and I still can't get port forwarding to work (everything else works great). I have tried the following rules at different times and none have worked (I want to get traffic from port 2021 on the firewall to go to port 2021 on 1.3):

1. ACCEPT net loc:192.168.1.3 tcp 2021 - all
2. ACCEPT net loc:192.168.1.3 udp 2021 - all
3. ACCEPT net loc:192.168.1.3:2021 tcp 2021 - all

You'll find my configuration at the end of the email.

Any tips would be great. Port forwarding was very important for me, it would be really sad if I couldn't get it to work! Let me know if you need any more information.

Thanks,
Axis

Here is the rest of my conf:

hosts ($cur_ip is imported from another file, it holds the current external IP of the firewall)
--------

net eth0:$cur_ip routestopped
loc eth1:192.168.1.0/24 routestopped

interfaces:
--------------

net eth0 $cur_ip dhcp, routestopped
loc eth1 192.168.1.255 routestopped

masq:
--------

eth0 192.168.1.0/24

policy (this is set to be fully open right now, because I want to get it all going and then start restricting traffic):
--------

loc net ACCEPT
net all ACCEPT
all all ACCEPT

zones
---------

net Net Internet
loc Local Local networks

On Fri, 3 May 2002, axis wrote:

> I read the FAQ and the Troubleshooting guide and I still can't get port forwarding to work (everything else works great). I have tried the following rules at different times and none have worked (I want to get traffic from port 2021 on the firewall to go to port 2021 on 1.3):
>
> 1. ACCEPT net loc:192.168.1.3 tcp 2021 - all
> 2. ACCEPT net loc:192.168.1.3 udp 2021 - all
> 3. ACCEPT net loc:192.168.1.3:2021 tcp 2021 - all
>
> You'll find my configuration at the end of the email.
>
> Any tips would be great. Port forwarding was very important for me, it would be really sad if I couldn't get it to work! Let me know if you need any more information.
>
> Thanks,
> Axis
>
> Here is the rest of my conf:
> hosts ($cur_ip is imported from another file, it holds the current external IP of the firewall)
> --------
>
> net eth0:$cur_ip routestopped
> loc eth1:192.168.1.0/24 routestopped
>

The documentation for the hosts file (both in the HTML documentation and in the file itself) states:

WARNING: 90% of Shorewall users don't need to put entries in this file and 80% of those who try to add such entries do it wrong.

You are a member of both groups (you don't need the entries and you got them wrong) -- get rid of those!!!

> interfaces:
> --------------
>
> net eth0 $cur_ip dhcp, routestopped
> loc eth1 192.168.1.255 routestopped

The third column is the BROADCAST address, not the IP address -- why don't you just put "detect" there?

>
> masq:
> --------
>
> eth0 192.168.1.0/24
>
> policy (this is set to be fully open right now, because I want to get it all going and then start restricting traffic):
> --------
>
> loc net ACCEPT
> net all ACCEPT
> all all ACCEPT

With those policies, why do you want a firewall?

>
> zones
> ---------
>
> net Net Internet
> loc Local Local networks
>

Make the changes that I recommended above and it should work (assuming that you are testing from OUTSIDE your firewall).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

On Fri, 3 May 2002, Tom Eastep wrote:

> > interfaces:
> > --------------
> >
> > net eth0 $cur_ip dhcp, routestopped
> > loc eth1 192.168.1.255 routestopped
>
> The third column is the BROADCAST address, not the IP address -- why don't
> you just put "detect" there?
>

Also, it looks like you have a space between "dhcp," and "routestopped". No embedded spaces are allowed in comma-separated lists.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

You are a god! It works now!

thanks,
Luis

On Fri, 3 May 2002, Luis Hernandez wrote:

> You are a god! It works now!
>

Good -- I hope that you've changed your policies to something more secure :-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
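
Added example, not part of the original thread and not Shorewall's own code: a small Python check that applies three of the points raised in the replies (the BROADCAST column, the embedded space in the OPTIONS list, and default-ACCEPT policies from `net` or `all`) to the interfaces and policy entries quoted above. The function names are hypothetical, the sample text is constructed from the quoted configuration, and treating `-` as an acceptable BROADCAST placeholder is an assumption.

```python
# Added example: lints Shorewall interfaces/policy text for issues raised in the thread.
# Function names are hypothetical; sample data is constructed from the quoted config.
INTERFACES = """\
net eth0 $cur_ip dhcp, routestopped
loc eth1 192.168.1.255 routestopped
"""
POLICY = """\
loc net ACCEPT
net all ACCEPT
all all ACCEPT
"""

def _rows(text):
    """Yield (line_number, fields) for each non-blank, non-comment line."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if line:
            yield n, line.split()

def lint_interfaces(text):
    """Columns are ZONE INTERFACE BROADCAST OPTIONS; return (line, message) findings."""
    findings = []
    for n, f in _rows(text):
        # A space after a comma splits OPTIONS into extra fields or leaves a dangling comma.
        if len(f) > 4 or any(x.startswith(",") or x.endswith(",") for x in f[3:]):
            findings.append((n, "embedded space in comma-separated OPTIONS list"))
        # Assumption: "detect" or "-" pass; any other value needs a manual check.
        if len(f) >= 3 and f[2] not in ("detect", "-"):
            findings.append((n, "BROADCAST is %r: confirm it is the broadcast "
                                "address or use 'detect'" % f[2]))
    return findings

def lint_policy(text, untrusted=("net", "all")):
    """Flag default-ACCEPT policies whose SOURCE is the Internet zone or 'all'."""
    return [(n, "%s -> %s policy is ACCEPT" % (f[0], f[1]))
            for n, f in _rows(text)
            if len(f) >= 3 and f[0] in untrusted and f[2] == "ACCEPT"]

if __name__ == "__main__":
    for n, msg in lint_interfaces(INTERFACES):
        print("interfaces line %d: %s" % (n, msg))
    for n, msg in lint_policy(POLICY):
        print("policy line %d: %s" % (n, msg))
```

The second interfaces line is flagged only as a prompt to verify the value; the check cannot tell an IP address from a broadcast address without the netmask.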