Ralph Freibeuter
2002-Oct-22 19:17 UTC
[Shorewall-users] Shorewall / Port forwarding / Mandrake 9
Hi all. I am new to this list and I have a big problem with Mandrake 9 and the integrated Shorewall firewall. I think it has to do with it.

The configuration here looks like this: I have a Linux box (Mandrake 9) with two NICs and two other PCs (Macs) that are all connected to a 16-port hub. Also the Linux box. The DSL modem is connected to the uplink port of the hub. The Linux box routes the internal PCs to the internet and this works fine. It's all the standard installation of Mandrake 9.

The Linux NICs are internally configured to:

eth0: 10.0.0.1 / and I think it's used to connect and is also ppp0 for DSL
eth1: 192.168.1.1 / connects to the LAN side.

My problem: I want the Linux box to forward requests from internal and external users that go to port 80 to my internal machine with the fixed IP 192.168.1.10. At the moment the Linux http server answers port 80 requests.

What I tried until now. In /etc/shorewall/rules I tested:

DNAT net loc:192.168.1.10 tcp http

(did not work - I always rebooted after configuring something)

Then I tried the following (tip from a Mandrake newsgroup on the internet):

iptables -t nat -I PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to 192.168.1.10:80

(did not work - it now blocks all requests to port 80 from internal and external)

I also changed the interfaces file of Shorewall to:

net ppp0 detect
masq eth0 detect
loc eth1 detect

It was before (masq eth1 and loc eth0), but because eth0 is 10.0.0.1 I changed it the way above. I hope this was correct. Anyway, both configs (the original and my changed one) do not work. I have no access. None from outside and none from inside the LAN.
route shows the following in the terminal:

217.5.98.45   *             255.255.255.255  UH  0 0 0 ppp0
192.168.1.0   *             255.255.255.0    U   0 0 0 eth1
10.0.0.0      *             255.255.0.0      U   0 0 0 eth0
127.0.0.0     *             255.0.0.0        U   0 0 0 lo
default       217.5.98.45   0.0.0.0          UG  0 0 0 ppp0

iptables -L shows the following:

Chain INPUT (policy DROP)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere
ppp0_in    all  --  anywhere  anywhere
eth0_in    all  --  anywhere  anywhere
eth1_in    all  --  anywhere  anywhere
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere  anywhere

Chain FORWARD (policy DROP)
target     prot opt source    destination
ppp0_fwd   all  --  anywhere  anywhere
eth0_fwd   all  --  anywhere  anywhere
eth1_fwd   all  --  anywhere  anywhere
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all  --  anywhere  anywhere

Chain OUTPUT (policy DROP)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere
ACCEPT     icmp --  anywhere  anywhere  state NEW,RELATED,ESTABLISHED
fw2net     all  --  anywhere  anywhere
fw2masq    all  --  anywhere  anywhere
all2all    all  --  anywhere  anywhere
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     all  --  anywhere  anywhere

Chain all2all (6 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:all2all:REJECT:'
reject     all  --  anywhere  anywhere

Chain common (5 references)
target     prot opt source    destination
ACCEPT     icmp --  anywhere  anywhere  icmp echo-request
icmpdef    icmp --  anywhere  anywhere
DROP       tcp  --  anywhere  anywhere  state INVALID
REJECT     udp  --  anywhere  anywhere  udp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT     udp  --  anywhere  anywhere  udp dpt:microsoft-ds reject-with icmp-port-unreachable
reject     tcp  --  anywhere  anywhere  tcp dpt:135
DROP       udp  --  anywhere  anywhere  udp dpt:1900
DROP       all  --  anywhere  255.255.255.255
DROP       all  --  anywhere  BASE-ADDRESS.MCAST.NET/4
reject     tcp  --  anywhere  anywhere  tcp dpt:auth
DROP       all  --  anywhere  10.0.255.255
DROP       all  --  anywhere  192.168.1.255

Chain dynamic (6 references)
target     prot opt source    destination

Chain eth0_fwd (1 references)
target     prot opt source    destination
dynamic    all  --  anywhere  anywhere
masq2net   all  --  anywhere  anywhere
all2all    all  --  anywhere  anywhere

Chain eth0_in (1 references)
target     prot opt source    destination
dynamic    all  --  anywhere  anywhere
ACCEPT     icmp --  anywhere  anywhere  icmp echo-request
masq2fw    all  --  anywhere  anywhere

Chain eth1_fwd (1 references)
target     prot opt source    destination
dynamic    all  --  anywhere  anywhere
loc2net    all  --  anywhere  anywhere
all2all    all  --  anywhere  anywhere

Chain eth1_in (1 references)
target     prot opt source    destination
dynamic    all  --  anywhere  anywhere
ACCEPT     icmp --  anywhere  anywhere  icmp echo-request
loc2fw     all  --  anywhere  anywhere

Chain fw2masq (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ipp
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:netbios-ns
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:631
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:netbios-ssn
all2all    all  --  anywhere  anywhere

Chain fw2net (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere  anywhere

Chain icmpdef (1 references)
target     prot opt source    destination

Chain loc2fw (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ftp
all2all    all  --  anywhere  anywhere

Chain loc2net (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere  anywhere

Chain masq2fw (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:bootps
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ipp
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:nntp
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ntp
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:domain
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:bootps
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:http
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:https
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:631
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:imap
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:pop3
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:smtp
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:nntp
ACCEPT     udp  --  anywhere  anywhere  state NEW udp dpt:ntp
all2all    all  --  anywhere  anywhere

Chain masq2net (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere  anywhere

Chain net2all (3 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
common     all  --  anywhere  anywhere
LOG        all  --  anywhere  anywhere  LOG level info prefix `Shorewall:net2all:DROP:'
DROP       all  --  anywhere  anywhere

Chain net2fw (1 references)
target     prot opt source    destination
ACCEPT     all  --  anywhere  anywhere  state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere  anywhere  state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere  anywhere  state NEW tcp dpt:ftp
net2all    all  --  anywhere  anywhere

Chain newnotsyn (9 references)
target     prot opt source    destination
DROP       all  --  anywhere  anywhere

Chain ppp0_fwd (1 references)
target     prot opt source    destination
dynamic    all  --  anywhere  anywhere
net2all    all  --  anywhere  anywhere
net2all    all  --  anywhere  anywhere

Chain ppp0_in (1 references)
target     prot opt source    destination
dynamic    all  --  anywhere  anywhere
ACCEPT     icmp --  anywhere  anywhere  icmp echo-request
net2fw     all  --  anywhere  anywhere

Chain reject (6 references)
target     prot opt source    destination
REJECT     tcp  --  anywhere  anywhere  reject-with tcp-reset
REJECT     all  --  anywhere  anywhere  reject-with icmp-port-unreachable

Chain shorewall (0 references)
target     prot opt source    destination

iptables -t nat -L shows the following in the terminal:

Chain PREROUTING (policy ACCEPT)
target     prot opt source          destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source          destination
ppp0_masq  all  --  anywhere        anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source          destination

Chain ppp0_masq (1 references)
target     prot opt source          destination
MASQUERADE all  --  192.168.1.0/24  anywhere

I hope this is not too much information for all of you. But all steps until now needed this information for other users who are also trying to help me. But until now there are no positive results. Please help me. I must have this forwarding of port 80 working. The internal server has some links that I cannot always relink on the Linux server. So it must run on the machine 192.168.1.10 :( Please help!

Ralph
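An added diagnostic for the situation in this thread, written here as an example and not part of Ralph's post, of Shorewall, or of Mandrake: a DNAT port forward only does anything if a DNAT rule is actually present in the nat table's PREROUTING chain, and the `iptables -t nat -L` listing in the post shows that chain empty. The script below parses the plain `iptables -t nat -L` text (no `-n`, so ports print as service names) into chains and rules, then reports which PREROUTING rules redirect a given destination port and whether any of them points at the expected internal host. Both sample tables are constructed: the first reproduces the empty PREROUTING chain from the post, the second is the same table with a tcp/80 DNAT to 192.168.1.10 loaded. The `PORT_NAMES` mapping and all function names are assumptions of this example.

```python
"""Check whether a DNAT port forward actually landed in the nat PREROUTING chain.

Parses the plain-text output of `iptables -t nat -L` and looks for DNAT/REDIRECT
rules in PREROUTING that match a destination port. Example code, not from the
mailing-list post or from Shorewall.
"""
import re

# Constructed sample 1: the nat table as posted. PREROUTING is empty, so no
# port forward is in effect no matter what /etc/shorewall/rules contains.
NAT_EMPTY = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ppp0_masq (1 references)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       anywhere
"""

# Constructed sample 2: the same table after a DNAT rule for tcp/80 to
# 192.168.1.10 has been loaded (format as iptables prints it without -n).
NAT_WITH_DNAT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:192.168.1.10:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ppp0_masq (1 references)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
DPT_RE = re.compile(r"\bdpt:(\S+)")
TO_RE = re.compile(r"\bto:(\S+)")

# Assumed service-name table: `iptables -L` without -n prints names, not numbers.
PORT_NAMES = {"http": "80", "https": "443", "ssh": "22"}


def parse_iptables_list(text):
    """Return {chain_name: [rule, ...]} from `iptables -L` style output.

    Each rule is a dict with target, prot, src, dst and the trailing match
    options (state, dpt:, to:, ...) as one string.
    """
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("target "):
            continue  # text before the first chain, or the column header
        fields = line.split(None, 5)  # target prot opt source destination [options]
        if len(fields) < 5:
            continue
        target, prot, _opt, src, dst = fields[:5]
        options = fields[5] if len(fields) == 6 else ""
        chains[current].append({"target": target, "prot": prot,
                                "src": src, "dst": dst, "options": options})
    return chains


def find_port_forwards(text, port):
    """Return [(target, to), ...] for PREROUTING DNAT/REDIRECT rules on `port`.

    `port` is numeric as a string ("80"); service names in the listing are
    matched through PORT_NAMES so "dpt:http" counts as port 80.
    """
    hits = []
    for rule in parse_iptables_list(text).get("PREROUTING", []):
        if rule["target"] not in ("DNAT", "REDIRECT"):
            continue
        dpt = DPT_RE.search(rule["options"])
        if not dpt:
            continue
        if dpt.group(1) == port or PORT_NAMES.get(dpt.group(1)) == port:
            to = TO_RE.search(rule["options"])
            hits.append((rule["target"], to.group(1) if to else None))
    return hits


def forward_is_active(text, port, target_host):
    """True iff some PREROUTING DNAT for `port` sends traffic to `target_host`."""
    return any(to is not None and to.split(":")[0] == target_host
               for _, to in find_port_forwards(text, port))


if __name__ == "__main__":
    for label, sample in (("as posted", NAT_EMPTY), ("after DNAT loaded", NAT_WITH_DNAT)):
        print(label, "->", find_port_forwards(sample, "80"),
              "| forward to 192.168.1.10 active:",
              forward_is_active(sample, "80", "192.168.1.10"))
```

On a live box the text would come from `iptables -t nat -L` (or `shorewall show nat`); run against the posted table it reports no forward for port 80, which is the first thing to settle before touching the filter rules. Note that plain `-L` does not print the interface an `-i ppp0` rule is bound to; `iptables -t nat -L PREROUTING -v -n` shows the in/out interfaces and numeric ports, so that form is the one to use when checking whether a rule restricted to ppp0 is in place.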