--On Friday, November 15, 2002 04:55:08 PM +0100 Gagneraud Christian
<chgans@tuxfamily.org> wrote:
> Hi all,
>
> I have set up shorewall on my ultrasparc running debian woody.
>
> Before this I was playing with gnomemeeting on my desktop, and it works
> fine.
>
> But now I have to allow gnomemeeting traffic behind my firewall.
>
> I have a cable modem internet connection on eth0 (zone "net") and my
> local network on eth1 (zone "loc").
>
> In the gnomemeeting FAQ I can read about firewalls:
>
> -8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-
> 6.3.1. What iptables rules could I use for GNU/Linux?
>
> Here are some rules you can use for GNU/Linux with iptables:
>
> IPTABLES=/usr/local/sbin/iptables
> OUT_DEV=ppp0
> IN_HOST=192.168.1.12
> TCP_PORT_RANGE=30000:30010
> UDP_PORT_RANGE=5000:5003
> TCP_LISTENING_PORT=1720
> $IPTABLES -t nat -A POSTROUTING -o $OUT_DEV -j MASQUERADE
> $IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport $TCP_PORT_RANGE -j DNAT --to-dest $IN_HOST
> $IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p udp --dport $UDP_PORT_RANGE -j DNAT --to-dest $IN_HOST
> $IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport $TCP_PORT_RANGE -d $IN_HOST -j ACCEPT
> $IPTABLES -A FORWARD -p udp -i $OUT_DEV --dport $UDP_PORT_RANGE -d $IN_HOST -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport $TCP_LISTENING_PORT -j DNAT --to-dest $IN_HOST
> $IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport $TCP_LISTENING_PORT -d $IN_HOST -j ACCEPT
> -8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-
>
> So I have added in my /etc/shorewall/rules:
> ACCEPT:info net loc tcp 30000:30010
> ACCEPT:info net loc udp 5000:5003
> ACCEPT:info net loc tcp 1720
> ACCEPT:info loc net tcp 30000:30010
> ACCEPT:info loc net udp 5000:5003
> ACCEPT:info loc net tcp 1720
>
You probably need DNAT rules rather than ACCEPT rules.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
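As an added illustration (not part of Tom's reply or of the Shorewall documentation), here is what the quoted iptables DNAT/FORWARD rules look like as Shorewall DNAT entries in /etc/shorewall/rules. It assumes the GnomeMeeting host is 192.168.1.12 in zone loc (the FAQ's IN_HOST) and that the loc->net policy already permits outbound traffic:

```text
# /etc/shorewall/rules  (added example; column layout of the rules file)
# ACTION       SOURCE   DEST               PROTO   DEST PORT(S)
#
# Inbound H.323 call setup (1720) and the media port ranges the FAQ uses,
# forwarded to the GnomeMeeting host. A DNAT rule generates both the
# nat PREROUTING entry and the matching FORWARD ACCEPT, so the separate
# "ACCEPT net loc ..." lines are not needed. The :info suffix logs each
# match, as in the original ACCEPT:info lines.
DNAT:info      net      loc:192.168.1.12   tcp     1720
DNAT:info      net      loc:192.168.1.12   tcp     30000:30010
DNAT:info      net      loc:192.168.1.12   udp     5000:5003
#
# Outgoing calls (loc -> net) need no DNAT. Keep "ACCEPT loc net ..." lines
# only if the loc->net policy does not already ACCEPT.
```

The interface is taken from the net zone definition, so the FAQ's OUT_DEV=ppp0 becomes eth0 automatically in this setup.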