Oliver Ertl
2003-Dec-03 04:48 UTC
[Shorewall-users] RealPlayer rules again - more detailed
Hi again,
I try it again, and hope to get RealPlayer G2 and Shorewall 1.4.8 to work
together with your help.
My network looks like this:
Net Zone (DSL) -------- Firewall/Router ------- Wlan Zone
The Realplayer is a client in the Wlan Zone and the Wlan Zone is masqueraded
on the Firewall/Router.
In the logging I could find entries like this:
This line repeats a few times with DPT={6790,6791}:
Dec 3 13:32:04 Router kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=205.219.198.204 DST=217.84.70.128 LEN=520 TOS=0x00 PREC=0x00 TTL=54 ID=28050 PROTO=UDP SPT=1339 DPT=6790 LEN=500
/etc/shorewall/policy
wlan net ACCEPT -
loc net ACCEPT
$FW all ACCEPT -
net all DROP info
all all REJECT info
/etc/shorewall/rules
DROP:info net all tcp - -
DROP:info net all udp - -
ACCEPT wlan:~00-09-5B-12-35-54 $FW tcp ssh,https,www,10000,3306 -
ACCEPT wlan:~00-09-5B-12-35-54 $FW udp ssh,https,www,10000,3306 -
ACCEPT:info net all udp 6790,6791 -
DNAT net wlan:192.168.2.1:7070 tcp 554 -
Oliver
--
Simply living is not enough, said the
butterfly. One needs sunshine,
freedom and little flowers. (Anderson)
+++ GMX - the first address for Mail, Message, More +++
New: price cut for MMS and FreeMMS! http://www.gmx.net
Jerry Vonau
2003-Dec-03 05:34 UTC
[Shorewall-users] RealPlayer rules again - more detailed
Oliver:
ACCEPT:info net all udp 6790,6791 -
this will not work... from Tom's earlier reply, this should be
DNAT net loc:192.168.1.5 udp 1271,6790
Similar to the DNAT rule you used for the 554 port forwarding.
In your case, your client is on the wlan zone so that is
DNAT net wlan:192.168.1.5 udp 1271,6790
changing 192.168.1.5 to the IP address of the machine that has RealPlayer.
Hope it helps...
Jerry Vonau
Oliver Ertl
2003-Dec-03 06:15 UTC
[Shorewall-users] RealPlayer rules again - more detailed
Hi,
now I get the following in the logs:
Dec 3 15:08:59 Router root: Shorewall Started
Dec 3 15:09:04 Router kernel: Shorewall:wlan2net:ACCEPT:IN=wlan0 OUT=ppp0 SRC=192.168.2.1 DST=207.188.6.203 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18315 DF PROTO=TCP SPT=36370 DPT=7070 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 3 15:09:06 Router kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= SRC=205.219.198.204 DST=217.84.70.128 LEN=520 TOS=0x00 PREC=0x00 TTL=54 ID=52564 PROTO=UDP SPT=1339 DPT=6790 LEN=500
Dec 3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 ID=52564 PROTO=UDP SPT=1339 DPT=6790 LEN=500
Dec 3 15:09:06 Router kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= SRC=205.219.198.204 DST=217.84.70.128 LEN=520 TOS=0x00 PREC=0x00 TTL=54 ID=52571 PROTO=UDP SPT=1339 DPT=6790 LEN=500
Dec 3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 ID=52571 PROTO=UDP SPT=1339 DPT=6790 LEN=500
What's my mistake now?
Oliver
Jerry Vonau
2003-Dec-03 15:51 UTC
[Shorewall-users] RealPlayer rules again - more detailed
Might be a case of your drop/log rules being used before the DNAT rules are used.
Dec 3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 ID=52564 PROTO=UDP SPT=1339 DPT=6790 LEN=500
"net2wlan:DROP:IN=ppp0" - that would fall under the "DROP:info net all udp - -" part of your rules....
Try moving your DROP:info rules to the bottom of your list of rules... and restart shorewall.
Jerry
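The two answers in this thread (Jerry's DNAT rule for udp 1271,6790 and his point that the DROP:info entries sit in front of it in the net2wlan chain) can be checked with a small first-match simulator. The script below is an added example, not Shorewall's code or anything posted in the thread: it parses the thread's log lines and rules file, models a DNAT rule as a nat-table rewrite followed by a filter-table ACCEPT on the translated destination, and evaluates the chain top to bottom the way iptables does. Zone and interface names, addresses and ports are taken from the thread; the wlan subnet 192.168.2.0/24, the firewall address 217.84.70.128 as the DNAT target, and the service-name table are assumptions.

```python
"""Constructed model of Shorewall 1.4 first-match rule evaluation for this thread's config."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IFACE_ZONE = {"ppp0": "net", "wlan0": "wlan"}       # from the IN=/OUT= fields in the logs
WLAN_NET = ipaddress.ip_network("192.168.2.0/24")   # assumed from DST=192.168.2.1
FW_ADDR = "217.84.70.128"                           # firewall's public address in the logs
SERVICES = {"ssh": 22, "www": 80, "https": 443}     # assumed /etc/services lookups
# /etc/shorewall/policy as posted (first match wins; applied when no rule matches).
POLICIES = [("wlan", "net", "ACCEPT"), ("loc", "net", "ACCEPT"),
            ("$FW", "all", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]

LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<action>\w+):IN=(?P<iface>\w*).*?"
                    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
                    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

# Rules as posted, plus Jerry's suggested DNAT line with the wlan client's address.
RULES_AS_POSTED = """
DROP:info net all tcp - -
DROP:info net all udp - -
ACCEPT wlan:~00-09-5B-12-35-54 $FW tcp ssh,https,www,10000,3306 -
ACCEPT wlan:~00-09-5B-12-35-54 $FW udp ssh,https,www,10000,3306 -
DNAT net wlan:192.168.2.1 udp 1271,6790 -
DNAT net wlan:192.168.2.1:7070 tcp 554 -
"""
# Constructed from the net_dnat line in the thread; the packet as it arrived on ppp0.
NET_DNAT_LOG = ("Dec 3 15:09:06 Router kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= "
                "SRC=205.219.198.204 DST=217.84.70.128 LEN=520 TOS=0x00 PREC=0x00 TTL=54 "
                "ID=52564 PROTO=UDP SPT=1339 DPT=6790 LEN=500")


@dataclass
class Rule:
    action: str              # ACCEPT / DROP / REJECT / DNAT, ":info" log level stripped
    src_zone: str
    dst_zone: str            # zone part of DEST; "all" matches every zone
    dnat_to: Optional[str]   # "ip" or "ip:port" on DNAT rules
    proto: str               # tcp, udp or "all"
    dports: Optional[set]    # None for "-"


def parse_log(line):
    """Pull chain, verdict, ingress interface and the 5-tuple out of a kernel log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: " + line)
    d = m.groupdict()
    d["proto"] = d["proto"].lower()
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        action, src, dst, proto = f[0].split(":")[0], f[1], f[2], f[3]
        dports = None if len(f) < 5 or f[4] == "-" else {SERVICES.get(p) or int(p) for p in f[4].split(",")}
        dst_zone, _, target = dst.partition(":")
        rules.append(Rule(action, src.split(":")[0], dst_zone, target or None if action == "DNAT" else None, proto, dports))
    return rules


def drops_last(rules):
    """Jerry's fix: keep every rule but move the DROP entries to the bottom."""
    return [r for r in rules if r.action != "DROP"] + [r for r in rules if r.action == "DROP"]


def _zone_ok(want, have):
    return want in ("all", have)


def zone_of(ip):
    if ip == FW_ADDR:
        return "$FW"
    return "wlan" if ipaddress.ip_address(ip) in WLAN_NET else "net"


def trace(rules, pkt):
    """Return (filter chain, verdict) for a packet entering on pkt['iface']."""
    src_zone, proto, dst, dpt = IFACE_ZONE[pkt["iface"]], pkt["proto"], pkt["dst"], pkt["dpt"]
    # Stage 1: nat PREROUTING. DNAT rules match the original destination port and rewrite it.
    for r in rules:
        if r.action == "DNAT" and _zone_ok(r.src_zone, src_zone) and r.proto in ("all", proto) \
                and (r.dports is None or dpt in r.dports):
            ip, _, port = r.dnat_to.partition(":")
            dst, dpt = ip, int(port) if port else dpt
            break
    dst_zone = zone_of(dst)
    chain = f"{src_zone}2{dst_zone}".replace("$FW", "fw")
    # Stage 2: the src2dst filter chain, first match wins. A DNAT rule contributes an ACCEPT
    # that matches the translated destination, so an earlier DROP in the same chain beats it.
    for r in rules:
        if r.action == "DNAT":
            ip, _, port = r.dnat_to.partition(":")
            ports = {int(port)} if port else r.dports
            if _zone_ok(r.src_zone, src_zone) and r.dst_zone == dst_zone and dst == ip \
                    and r.proto in ("all", proto) and (ports is None or dpt in ports):
                return chain, "ACCEPT"
        elif _zone_ok(r.src_zone, src_zone) and _zone_ok(r.dst_zone, dst_zone) \
                and r.proto in ("all", proto) and (r.dports is None or dpt in r.dports):
            return chain, r.action
    for s, d, verdict in POLICIES:
        if _zone_ok(s, src_zone) and _zone_ok(d, dst_zone):
            return chain, verdict
    return chain, "REJECT"


if __name__ == "__main__":
    pkt = parse_log(NET_DNAT_LOG)
    print("as posted:  ", trace(parse_rules(RULES_AS_POSTED), pkt))   # ('net2wlan', 'DROP')
    print("drops last: ", trace(drops_last(parse_rules(RULES_AS_POSTED)), pkt))  # ('net2wlan', 'ACCEPT')
```

With the rules in their posted order the RealPlayer packet is rewritten in net_dnat and then dropped in net2wlan, exactly the pair of log lines Oliver saw; with the DROP entries moved to the bottom the DNAT's ACCEPT matches first. Unsolicited traffic to other ports from the net zone still hits the catch-all DROP (and, failing that, the net→all DROP policy), so the reorder does not widen what the firewall admits.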