Mitch Martin
2002-Nov-20 04:04 UTC
[Shorewall-users] Shorewall with X-Window - help needed
Hello all,

I've reached the point whereas I must ask for your assistance. Yes, I've read _all_ the Shorewall documentation to the point that I could almost regurgitate it word by word. ;) Of course, reading and complete understanding are two separate issues. ;) I've also searched the list database and, while it was extremely helpful, I wasn't able to solve my problem.

This is my Shorewall server:
RedHat 7.3
Shorewall 1.3.6 (this was the latest version when I started this project) ;)
iptables 1.2.5
iproute

After building this Shorewall server a couple months ago, I tested it as a basic two interface firewall and it performed great. But, I had another plan for it and I started implementing that plan about one week ago. Herein lies my problem....

This is what we have at my work:

A: Conventional NT4 Domain LAN with SonicWall firewall/gateway to the Internet.
Various MS Windows DHCP clients.
Subnet - 128.xxx.xxx.0/24
Default gateway - 128.xxx.xxx.1

B: A second LAN with two DEC Alpha VMS servers running SCADA software.
Various other Dec equipment with all static IP's
Subnet - 129.102.82.0/25
SCADA Server A - 129.102.82.6
SCADA Server B - 129.102.82.7
There is no default gateway setup on these servers and, since I don't know VMS, I'm trying to work around that issue.

This is what I would like to accomplish:

I would like to run an x-server application called eXcursion on a few LAN PC's to access the SCADA servers. The SCADA servers alternate on being the active server and standby server on a week by week basis. You can select which server to connect to when starting the eXcursion application. I have tested the functionality of the applications by setting up a Windows PC with eXcursion on the SCADA LAN using a static IP and entries for the two SCADA servers in the PC's "host" file.

I sniffed the traffic and found that the PC (x-window server application) connects to the SCADA machine via tcp port 512 from a dynamic port on the PC (1038, 1039, etc). Once established, the PC sends an exec command to port 512 with the username and password and the SCADA machine sends back an OK. At this point, the SCADA machine will establish a connection from ports 1038, 1039, etc to the PC's port 6000 (x-window port). There is no XDMCP broadcast on port 177.

Armed with this information, I've tried setting up Shorewall between the Windows LAN and the SCADA LAN without complete success. I've used different combinations of DNAT, SNAT and Masq but still cannot get the connection back from the SCADA server to the PC. I can establish the PC to SCADA connection with DNAT or Masq or combinations of the two but I just can't get that return connection established. On the PC, I've used both the host file and/or static routing to get to the Shorewall server while using either IP addresses from the Windows LAN subnet or the SCADA subnet.

This is the Shorewall server:
The Windows LAN side is eth0, IP 128.xxx.xxx.26, zone net
SCADA side is eth1, 129.102.82.32, zone loc

Due to the SCADA servers rotating usage, I've tried multiple IP's on eth0 and eth1 in order to direct the connection to the currently active SCADA server. At this point, I would be happy to just get one of them working and I might be able to figure out the rest. ;) There's not much point in listing my policies and rules as I've tried so many different things.

Based upon the FAQ's, and the things that I've read from this mailing list, I might be able to solve this problem by entering a default gateway on the VMS machines and using a static route on the PC's, along with a host file entry. However, as Shorewall is so "full featured" I'm hoping that it can be done without my having to learn VMS. ;) I thought that my best chance at getting this to work would be static NAT with one-to-one mapping. However, that failed me also. :(

No, I'm not expecting someone to write my rules and policies for me. But, I would certainly appreciate some guidance from those of you who are not as "intellectually challenged" as myself. ;)

Thanks!

Regards,
Mitch
--On Tuesday, November 19, 2002 11:04:47 PM -0500 Mitch Martin <mitch@rf-radio.com> wrote:

> Hello all,
>
> I've reached the point whereas I must ask for your assistance. Yes, I've
> read _all_ the Shorewall documentation to the point that I could almost
> regurgitate it word by word. ;) Of course, reading and complete
> understanding are two separate issues. ;) I've also searched the list
> database and, while it was extremely helpful, I wasn't able to solve my
> problem.
>
> This is my Shorewall server:
> RedHat 7.3
> Shorewall 1.3.6 (this was the latest version when I started this project)
> ;)
> iptables 1.2.5
> iproute
> After building this Shorewall server a couple months ago, I tested it as a
> basic two interface firewall and it performed great. But, I had another
> plan for it and I started implementing that plan about one week ago.
> Herein lies my problem....
>
> This is what we have at my work:
> A: Conventional NT4 Domain LAN with SonicWall firewall/gateway to the
> Internet.
> Various MS Windows DHCP clients.
> Subnet - 128.xxx.xxx.0/24
> Default gateway - 128.xxx.xxx.1
>
> B: A second LAN with two DEC Alpha VMS servers running SCADA software.
> Various other Dec equipment with all static IP's
> Subnet - 129.102.82.0/25
> SCADA Server A - 129.102.82.6
> SCADA Server B - 129.102.82.7
> There is no default gateway setup on these servers and, since I
> don't know VMS, I'm trying to work around that issue.
>

Do these VMS boxes have ANY route to 128.xxx.xxx.0/24? Because if they don't there is no point in my reading any further.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
--On Wednesday, November 20, 2002 12:16:50 AM -0500 Mitch Martin <mitch@rf-radio.com> wrote:

>
> First of all, I failed to address my reply to the list and for that... I
> apologize. Second, in my haste, I was not very clear on my last reply to
> you. It's just that I have put so much thought and time into this problem
> for the past week that I have convinced myself that there WAS a way to do
> it. If only I could get past this mental block. ;-)
>

I've gone back and read your original post and this should be very easy provided that you DON'T USE DNAT, NAT, SNAT, MASQ, etc.

If 'pc' is the zone where the PCs are and 'scada' is the zone where the VMS boxes are then:

ACCEPT  pc     scada  tcp  512
ACCEPT  scada  pc     tcp  6000:6010   #Just to be sure

Again, the Shorewall box should do no masquerading, SNAT or DNAT between the two zones.

-Tom
--On Wednesday, November 20, 2002 06:52:49 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> I've gone back and read your original post and this should be very easy
> provided that you DON'T USE DNAT, NAT, SNAT, MASQ, etc.
>
> If 'pc' is the zone where the PCs are and 'scada' is the zone where the
> VMS boxes are then:
>
> ACCEPT pc scada tcp 512
> ACCEPT scada pc tcp 6000:6010 #Just to be sure
>
> Again, the Shorewall box should do no masquerading, SNAT or DNAT between
> the two zones.
>

This solution of course assumes that the VMS boxes have a route to your PC's.

One additional idea that comes to mind is to dedicate a set of IP addresses in each LAN for use by this application. Let's say 128.xxx.xxx.224/29 and 129.102.82.224/29. Each of the PCs needing access to the SCADA application is assigned a specific 128.xxx.xxx.224/29 address to connect to.

The Shorewall box is configured with the 128.xxx.xxx.xxx IP addresses on one interface and the 129.102.82.xxx addresses on the other. TCP 512 connections to a 128.xxx.xxx.xxx address are DNATed to a scada server and are SNATed to the corresponding 129.102.82.xxx address. TCP 6000:6010 connections to a 129.102.82.xxx address are DNATed to the PC associated with the corresponding 128.xxx.xxx.xxx address and are SNATed to the 128.xxx.xxx.xxx address.

All that complexity just to avoid adding a route on a couple of VMS boxes -- doesn't seem worth it to me...

-Tom
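As an added illustration of this thread (it is not code from either poster or from the Shorewall project), the following Python model parses the two rules Tom gave, evaluates the two TCP legs Mitch sniffed against them (PC to SCADA host on tcp/512, then the SCADA host back to the PC's X server on tcp/6000), and shows why the second leg can no longer be matched to a PC once the first leg is masqueraded: the SCADA host only ever sees the firewall's eth1 address as its client. Assumptions: 128.0.0.0/24 stands in for the masked 128.xxx.xxx.0/24 PC LAN and the PC address 128.0.0.50 is constructed; the zone names pc/scada, the SCADA subnet and the firewall's eth1 address 129.102.82.32 come from the thread; the evaluator is a simplified first-match model of a zone-based rules file, not Shorewall itself.

```python
"""Zone-rule model for the eXcursion/rexec flow discussed in the thread (added example)."""
from dataclasses import dataclass
import ipaddress

# Constructed zone layout. The thread masks the PC LAN as 128.xxx.xxx.0/24;
# 128.0.0.0/24 is a placeholder for it. The SCADA LAN is as given in the thread.
ZONES = {
    "pc": ipaddress.ip_network("128.0.0.0/24"),       # placeholder for 128.xxx.xxx.0/24
    "scada": ipaddress.ip_network("129.102.82.0/25"),
}
FW_ETH1 = ipaddress.ip_address("129.102.82.32")        # firewall address on the SCADA side (from thread)

# The two rules from Tom's reply, in ACTION SOURCE DEST PROTO DEST_PORT columns.
RULES_TEXT = """
# ACTION SOURCE DEST PROTO DEST_PORT
ACCEPT pc scada tcp 512
ACCEPT scada pc tcp 6000:6010 #Just to be sure
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src_zone: str
    dst_zone: str
    proto: str
    port_lo: int
    port_hi: int


def parse_rules(text: str) -> list:
    """Parse ACTION SOURCE DEST PROTO DEST_PORT[:HI] lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, ports = line.split()[:5]
        lo, _, hi = ports.partition(":")
        rules.append(Rule(action.upper(), src, dst, proto.lower(), int(lo), int(hi or lo)))
    return rules


def zone_of(ip) -> str:
    """Map an address to its zone; the firewall's own address belongs to 'fw'."""
    ip = ipaddress.ip_address(ip)
    if ip == FW_ETH1:
        return "fw"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(src_ip, dst_ip, proto, dport, rules, default="DROP") -> str:
    """First-match decision for a NEW connection; unmatched traffic gets the default policy."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and r.port_lo <= dport <= r.port_hi:
            return r.action
    return default


def excursion_session(pc_ip, scada_ip, rules, masquerade=False):
    """Return (leg1, leg2, back_target): the rexec leg, the X11 back-connection,
    and the address the SCADA host dials for that back-connection."""
    leg1 = evaluate(pc_ip, scada_ip, "tcp", 512, rules)
    # Under MASQ the SCADA host sees the firewall's eth1 address as the client,
    # so that is where it opens the X11 connection; the PC behind it is not visible.
    back_target = FW_ETH1 if masquerade else ipaddress.ip_address(pc_ip)
    leg2 = evaluate(scada_ip, back_target, "tcp", 6000, rules)
    return leg1, leg2, str(back_target)


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for masq in (False, True):
        label = "masquerade" if masq else "routed    "
        print(label, excursion_session("128.0.0.50", "129.102.82.6", rules, masq))
```

With plain routing both legs are accepted and the back-connection lands on the PC; with masquerading the SCADA host dials 129.102.82.32:6000, which is the firewall itself, so no `scada pc` rule can match and only a per-PC DNAT mapping of the kind Tom sketches could recover the association. Since the tcp/512 leg carries the username and password Mitch observed in the clear, a practitioner would also narrow that first rule to the specific PC and SCADA addresses rather than whole zones.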
Mitch Martin
2002-Nov-21 02:49 UTC
[Shorewall-users] Shorewall with X-Window - help needed
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mitch Martin" <mitch@rf-radio.com>; "Shorewall Users" <shorewall-users@shorewall.net>
Sent: Wednesday, November 20, 2002 10:19 AM
Subject: Re: [Shorewall-users] Shorewall with X-Window - help needed

> --On Wednesday, November 20, 2002 06:52:49 AM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
> >
> > I've gone back and read your original post and this should be very easy
> > provided that you DON'T USE DNAT, NAT, SNAT, MASQ, etc.
> >
> > If 'pc' is the zone where the PCs are and 'scada' is the zone where the
> > VMS boxes are then:
> >
> > ACCEPT pc scada tcp 512
> > ACCEPT scada pc tcp 6000:6010 #Just to be sure
> >
> > Again, the Shorewall box should do no masquerading, SNAT or DNAT between
> > the two zones.
> >
>
> This solution of course assumes that the VMS boxes have a route to your
> PC's.

Whew.... you had me worried that I hadn't seen the forest for the trees until you added the comment about needing a route on the VMS boxes. ;)

> One additional idea that comes to mind is to dedicate a set of IP addresses
> in each LAN for use by this application. Let's say 128.xxx.xxx.224/29 and
> 129.102.82.224/29. Each of the PCs needing access to the SCADA application
> is assigned a specific 128.xxx.xxx.224/29 address to connect to.
>
> The Shorewall box is configured with the 128.xxx.xxx.xxx IP addresses on
> one interface and the 129.102.82.xxx addresses on the other. TCP 512
> connections to a 128.xxx.xxx.xxx address are DNATed to a scada server and
> are SNATed to the corresponding 129.102.82.xxx address. TCP 6000:6010
> connections to a 129.102.82.xxx address are DNATed to the PC associated
> with the corresponding 128.xxx.xxx.xxx address and are SNATed to the
> 128.xxx.xxx.xxx address.

Actually, that is the route (pun intended) that I was taking during the course of my work over the past week or so. Just never got it to function correctly for me. Probably because I didn't keep notes of all the different changes and just lost my way...

> All that complexity just to avoid adding a route on a couple of VMS boxes
> -- doesn't seem worth it to me...

Nor does it to me at this point. The main reason for NOT adding that route in the first place was due to departmental & political reasons. But, that's a little off topic for this list. Anyway, I now have permission to add the route to the VMS boxes and I've downloaded and printed some VMS documentation to help me accomplish that task.

Once again, thank you so much for your time and your dedication to this software project. I will insist that my employer, and myself, show our appreciation with a donation to the Starlight Foundation. It's been a pleasure corresponding with you.

Best regards,
Mitch
--On Wednesday, November 20, 2002 09:49:12 PM -0500 Mitch Martin <mitch@rf-radio.com> wrote:

> I
> will insist that my employer, and myself, show our appreciation with a
> donation to the Starlight
> Foundation.

The foundation will appreciate that most sincerely as will I.

-Tom