Is it possible to have shorewall change the port of packets from the net before forwarding it to the local server?

Something like:

DNAT net loc:10.1.0.38:1010 tcp 2024

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
On Wed, 31 Jul 2002, John Andersen wrote:

> Is it possible to have shorewall change the port of packets
> from the net before forwarding it to the local server?
>
> Something like:
> DNAT net loc:10.1.0.38:1010 tcp 2024
>

Yes -- that's the syntax in fact.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On 31 Jul 2002 at 11:41, Tom Eastep wrote:

> On Wed, 31 Jul 2002, John Andersen wrote:
>
> > Is it possible to have shorewall change the port of packets
> > from the net before forwarding it to the local server?
> >
> > Something like:
> > DNAT net loc:10.1.0.38:1010 tcp 2024
> >
>
> Yes -- that's the syntax in fact.
>
> -Tom

I thought so from digging in docs.

But I have two such DNATs in my rules and can only make one work. One is to a security camera (a sort of expensive web cam thingie) - fails, and the other is to an instant messenger application - works.

Actual lines are:

# -- This one also works (IM type application)
DNAT net loc:192.168.2.148:1814 tcp 1815
#
# -- to security-cam - this does not work
DNAT net loc:192.168.2.133:80 tcp 8080
#

I've also tried adding a UDP line but no go.

John Andersen
On Wed, 31 Jul 2002, John Andersen wrote:

> On 31 Jul 2002 at 11:41, Tom Eastep wrote:
>
> > On Wed, 31 Jul 2002, John Andersen wrote:
> >
> > > Is it possible to have shorewall change the port of packets
> > > from the net before forwarding it to the local server?
> > >
> > > Something like:
> > > DNAT net loc:10.1.0.38:1010 tcp 2024
> > >
> >
> > Yes -- that's the syntax in fact.
> >
> > -Tom
>
> I thought so from digging in docs.
>
> But I have two such DNATs in my rules
> and can only make one work. One is to a security
> camera (a sort of expensive web cam thingie) - fails, and
> the other is to an instant messenger application - works.
>
> Actual lines are:
>
> # -- This one also works (IM type application)
> DNAT net loc:192.168.2.148:1814 tcp 1815
> #
> # -- to security-cam - this does not work
> DNAT net loc:192.168.2.133:80 tcp 8080
> #
>

So do "shorewall show nat", locate the associated nat table rule (it will be in the "net_dnat" chain) and see if the packet and byte count are incrementing when the camera sends packets.

If that isn't happening then either there is an earlier rule that is doing something else with the packets or the packets aren't reaching the firewall in the first place.

If you see the packet count incrementing there, then "shorewall show net2loc" and locate the rule that is allowing port 80 packets to 192.168.2.133 -- are the packet counts incrementing there?

Now "shorewall show connections" and locate the connection tracking entry associated with this connection. What state is it in? If it's UNREPLIED then the server got the SYN packet but either hasn't replied or doesn't know how to reply (routing problem).

-Tom
On 31 Jul 2002 at 14:50, Tom Eastep wrote:

> > # -- This one also works (IM type application)
> > DNAT net loc:192.168.2.148:1814 tcp 1815
> > #
> > # -- to security-cam - this does not work
> > DNAT net loc:192.168.2.133:80 tcp 8080
> > #
> >
>
> So do "shorewall show nat", locate the associated nat table rule (it will
> be in the "net_dnat" chain) and see if the packet and byte count are
> incrementing when the camera sends packets.

Show nat does indeed show the rule, and the packet count increases by 1 (bytes by 60) for each attempt to connect (I use lynx from a machine outside the firewall to connect to thefirewall:8080).

> If that isn't happening then either there is an earlier rule that is doing
> something else with the packets or the packets aren't reaching the
> firewall in the first place.
>
> If you see the packet count incrementing there, then "shorewall show
> net2loc" and locate the rule that is allowing port 80 packets to
> 192.168.2.133 -- are the packet counts incrementing there?

Yup, they are, but very slowly, one packet at each lynx retry.

> Now "shorewall show connections" and locate the connection tracking entry
> associated with this connection. What state is it in? If it's UNREPLIED
> then the server got the SYN packet but either hasn't replied or doesn't
> know how to reply (routing problem).

Show connections showed this:

tcp 6 118 SYN_SENT src=(lynx machine IP) dst=(Firewall IP) sport=36542 dport=8080 [UNREPLIED] src=192.168.2.133 dst=(lynx machine IP) sport=80 dport=36542 use=1

Which means what? The camera (with built in web server) does not know how to route back thru the firewall?

John Andersen
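Tom's checklist above ends at the conntrack entry, and John's entry is the interesting part: the reply tuple already shows 192.168.2.133:80 (so the DNAT was applied), but the flow is still [UNREPLIED]. The script below is an added example, not code from this thread or from Shorewall, that reads the conntrack line and turns that reasoning into a verdict you can branch on. The script name, the function names and the public addresses in the built-in sample (documentation ranges standing in for "lynx machine IP" and "Firewall IP") are all assumptions of the example; the second sample in the usage note models the working IM rule from John's post.

```shell
#!/bin/sh
# dnat_diag.sh -- added example, not Shorewall's own code.
# Steps 1 and 2 of the checklist (packet counters in "shorewall show nat"
# and "shorewall show net2loc") are read by eye; step 3, interpreting the
# "shorewall show connections" entry, is automated here, offline.

# Sample conntrack line modelled on the one in the thread.  203.0.113.5
# (the lynx client) and 198.51.100.1 (the firewall) are placeholder
# addresses from the documentation ranges: an assumption of this example.
SAMPLE='tcp      6 118 SYN_SENT src=203.0.113.5 dst=198.51.100.1 sport=36542 dport=8080 [UNREPLIED] src=192.168.2.133 dst=203.0.113.5 sport=80 dport=36542 use=1'

# ct_field KEY N LINE: print the Nth "KEY=value" in LINE.
# N=1 is the original direction (client -> firewall as the client sent it),
# N=2 the reply direction conntrack expects after NAT.
ct_field() {
    printf '%s\n' "$3" | awk -v k="$1" -v n="$2" '{
        c = 0
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) {
                c++
                if (c == n) { sub(/^[a-z]+=/, "", $i); print $i; exit }
            }
    }'
}

# ct_translated LINE: "yes" when the expected reply source differs from the
# original destination, i.e. the DNAT rule rewrote address and/or port.
ct_translated() {
    od=$(ct_field dst 1 "$1");  odp=$(ct_field dport 1 "$1")
    rs=$(ct_field src 2 "$1");  rsp=$(ct_field sport 2 "$1")
    if [ "$od:$odp" != "$rs:$rsp" ]; then echo yes; else echo no; fi
}

# ct_verdict LINE: one token a script can branch on.
#   UNREPLIED - the SYN was forwarded, nothing came back: the server has no
#               route (typically no default gateway) back to the client.
#   REPLIED   - the server answered; DNAT and the return path are fine.
ct_verdict() {
    case " $1 " in
        *"[UNREPLIED]"*) echo UNREPLIED ;;
        *)               echo REPLIED ;;
    esac
}

# ct_report LINE: human-readable summary of one entry.
ct_report() {
    printf 'client %s:%s -> firewall %s:%s, DNAT to %s:%s (translated=%s)\n' \
        "$(ct_field src 1 "$1")" "$(ct_field sport 1 "$1")" \
        "$(ct_field dst 1 "$1")" "$(ct_field dport 1 "$1")" \
        "$(ct_field src 2 "$1")" "$(ct_field sport 2 "$1")" \
        "$(ct_translated "$1")"
    case $(ct_verdict "$1") in
        UNREPLIED) echo 'verdict: server never answered -> check its default gateway / route to the client' ;;
        REPLIED)   echo 'verdict: server replied -> DNAT and return path are working' ;;
    esac
}

if [ $# -eq 0 ]; then
    ct_report "$SAMPLE"              # demo on the built-in sample
elif [ "$1" = "-" ]; then
    # hypothetical live use:  shorewall show connections | grep dport=8080 | sh dnat_diag.sh -
    while IFS= read -r line; do ct_report "$line"; done
fi
```

Run with no arguments to see the camera case: the report shows the flow translated to 192.168.2.133:80 with the UNREPLIED verdict, which is exactly the "routing problem" branch of Tom's checklist. A flow for the working IM rule would carry an ESTABLISHED state and [ASSURED] instead of [UNREPLIED], and the verdict flips to REPLIED; the translated=yes/no field is there so a rule that never matched (reply source equal to the original destination) is not mistaken for a server that is silent.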
On Wed, 31 Jul 2002, John Andersen wrote:

>
> Which means what?
> The camera (with built in web server) does not know how
> to route back thru the firewall?

Usually means that the server (192.168.2.133) doesn't know how to route back to the camera.

-Tom
On 31 Jul 2002 at 15:37, Tom Eastep wrote:

> On Wed, 31 Jul 2002, John Andersen wrote:
>
> >
> > Which means what?
> > The camera (with built in web server) does not know how
> > to route back thru the firewall?
>
> Usually means that the server (192.168.2.133) doesn't know how to route
> back to the camera.

But the camera IS 192.168.2.133. It has a built in webserver and can get an IP via DHCP or by hard coding it.
http://www.intellinet-network.com/

John Andersen
On Wed, 31 Jul 2002, John Andersen wrote:

> On 31 Jul 2002 at 15:37, Tom Eastep wrote:
>
> > On Wed, 31 Jul 2002, John Andersen wrote:
> >
> > >
> > > Which means what?
> > > The camera (with built in web server) does not know how
> > > to route back thru the firewall?
> >
> > Usually means that the server (192.168.2.133) doesn't know how to route
> > back to the camera.
>
> But the camera IS 192.168.2.133. It has a built in webserver
> and can get an IP via DHCP or by hard coding it.
> http://www.intellinet-network.com/
>

Fine -- then the CAMERA doesn't know how to route back to the client running LYNX. Does your DHCP server configure a default gateway for its clients?

-Tom
On 31 Jul 2002 at 15:47, Tom Eastep wrote:

> > > Usually means that the server (192.168.2.133) doesn't know how to route
> > > back to the camera.
> >
> > But the camera IS 192.168.2.133. It has a built in webserver
> > and can get an IP via DHCP or by hard coding it.
> > http://www.intellinet-network.com/
> >
>
> Fine -- then the CAMERA doesn't know how to route back to the client
> running LYNX. Does your DHCP server configure a default gateway for its
> clients?

(That's what I thought you meant.)

Yes, the DHCP server does know how to set up the default gateway (and it works for all the machines in the shop), but apparently the camera is too stupid to accept a default gateway via DHCP, because when I set it manually (rather than use DHCP) it seems to. How it ever worked on a public IP I have no idea.

Thanks for the help.

John Andersen