(I believe I've included the pertinent information from my Shorewall configuration in this message, but if I've left something out, you can find a tarball of the contents of my /etc/shorewall folder, the output of all the "shorewall show *" commands and "ip (route|addr) show" at http://hofserver.dyndns.org/shorewall-conf.tar.gz)

My first question is about port forwarding: as I have but a single public IP address (DHCP, to boot) for my home network, I employ DNAT rules to push a number of services to a server in my DMZ. One of those services was NNTP, but I have decided that running an NNTP server off my own hardware, even for the few discussion groups it hosted, was too much of a hassle. Now, I'd like to change that port forward to point to a publicly available NNTP server rather than my own. But when I just change the DNAT line, it fails to actually redirect connections; instead the client just gets a "connection denied" message.

Here's the DNAT rule I'm using, from /etc/shorewall/rules:

DNAT:info net net:$IP_NNTP tcp nntp

$IP_NNTP comes from /etc/shorewall/params:

IP_NNTP=63.223.5.254

(I can successfully connect to this IP directly.)

And this is the only line that shows up in my log (even though I use DNAT:info):

Dec 15 16:25:56 [kernel] fp=net_dnat:1 a=DNAT IN=eth0 OUT= SRC=66.92.183.37 DST=24.5.211.101 LEN=60 TOS=0x10 PREC=0x00 TTL=47 ID=26687 DF PROTO=TCP SPT=2303 DPT=119 WINDOW=57344 RES=0x00 SYN URGP=0

I'd appreciate any help you can give.

------------------

I'm also looking for advice on tunneling options. I intend to tunnel my own home network with that of a friend (who is running an almost identical Shorewall setup). However, while he has a static IP for his network, I'm stuck with DHCP for mine. Looking at the Shorewall docs, it appears that PPTP is the only tunneling option for which Shorewall does not require a fixed IP on both ends?

If so, my concerns regarding using PPTP are that A) I have not found (or perhaps found but not recognized) documentation that says PPTP is bi-directional; it appears it is most commonly used for a single host connecting to a remote network rather than connecting two networks together, and B) there appears to be some concern about the security of PPTP; what I'm trying to do is create a secure, encrypted tunnel so that we don't have to worry about using "weak" services like SMB, FTP, and the like.

Again, any advice is very welcome.

--
Dark "the shortest distance between two jokes is a straight line" R.
"Science is like sex: sometimes something useful comes out, but that is not
the reason we are doing it." --Richard Feynman
On Monday 15 December 2003 03:54 pm, Dark Ryder wrote:

> (I believe I've included the pertinent information from my Shorewall
> configuration in this message, but if I've left something out, you can find
> a tarball of the contents of my /etc/shorewall folder, the output of all
> the "shorewall show *" commands and "ip (route|addr) show" at
> http://hofserver.dyndns.org/shorewall-conf.tar.gz)
>

Thanks.

> My first question is about port forwarding: as I have but a single public
> IP address (DHCP, to boot) for my home network, I employ DNAT rules to
> push a number of services to a server in my DMZ. One of those services was
> NNTP, but I have decided that running an NNTP server off my own hardware,
> even for the few discussion groups it hosted, was too much of a hassle.
> Now, I'd like to change that port forward to point to a publicly available
> NNTP server rather than my own. But when I just change the DNAT line, it
> fails to actually redirect connections; instead the client just gets a
> "connection denied" message.
>
> Here's the DNAT rule I'm using, from /etc/shorewall/rules:
> DNAT:info net net:$IP_NNTP tcp nntp
>
> $IP_NNTP comes from /etc/shorewall/params:
> IP_NNTP=63.223.5.254
>
> (I can successfully connect to this IP directly.)
>
> And this is the only line that shows up in my log (even though I use
> DNAT:info):
> Dec 15 16:25:56 [kernel] fp=net_dnat:1 a=DNAT IN=eth0 OUT=
> SRC=66.92.183.37 DST=24.5.211.101 LEN=60 TOS=0x10 PREC=0x00 TTL=47 ID=26687
> DF PROTO=TCP SPT=2303 DPT=119 WINDOW=57344 RES=0x00 SYN URGP=0
>
> I'd appreciate any help you can give.
>

You need to set the 'routeback' option for eth0 in /etc/shorewall/interfaces and your rule needs to be:

DNAT net net:$IP_NNTP tcp nntp - $EXT_IP:$EXT_IP

where $EXT_IP is your external IP. The FAQ shows you how to set EXT_IP in /etc/shorewall/params (don't recall which FAQ off-hand).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 15 Dec 2003, Dark Ryder wrote:

> I'm also looking for advice on tunneling options. I intend to tunnel my own
> home network with that of a friend (who is running an almost identical Shorewall
> setup). However, while he has a static IP for his network, I'm stuck with DHCP
> for mine. Looking at the Shorewall docs, it appears that PPTP is the only
> tunneling option for which Shorewall does not require a fixed IP on both ends?
> If so, my concerns regarding using PPTP are that A) I have not found (or perhaps
> found but not recognized) documentation that says PPTP is bi-directional; it
> appears it is most commonly used for a single host connecting to a remote
> network rather than connecting two networks together, and B) there appears to be
> some concern about the security of PPTP; what I'm trying to do is create a
> secure, encrypted tunnel so that we don't have to worry about using "weak"
> services like SMB, FTP, and the like.

I personally would use PPTP with your end being the client -- PPTP works fine to connect two networks.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On 2003.12.15 16:40:09, Tom Eastep wrote:

> I personally would use PPTP with your end being the client -- PPTP works
> fine to connect two networks.

Great, thanks. I'll look into IPSEC-over-PPTP or MPPE for security.

--
Dark "the shortest distance between two jokes is a straight line" R.
"Science is like sex: sometimes something useful comes out, but that is not
the reason we are doing it." --Richard Feynman
On Mon, 15 Dec 2003, Dark Ryder wrote:

> On 2003.12.15 17:03:03, Tom Eastep wrote:
> > Apparently -- that wasn't an error but was rather the expected result of
> > your old rule (that included ":info" after DNAT).
>
> That doesn't seem to be it; remote clients get a "connection timed out". I
> pulled the ":info" off to make sure that wasn't it, but clients still get the
> same results (though no entry in the Shorewall log, now).

Of course -- it's the ":info" that generates the message.

> Tested to make sure
> the clients can still connect directly (i.e. that it's not a problem on their
> end), but that's all still okay.
>

What does "shorewall show connections" look like WRT the client's connection while this is going on?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
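Added example, not part of the thread or of Shorewall itself: a small checker for the "shorewall show connections" output Tom asks for, illustrating why the net-to-net DNAT from the first message hangs without the SNAT column he suggests. The two conntrack lines are constructed in the /proc/net/ip_conntrack layout of a 2.4 kernel (one with DNAT only, one with DNAT plus SNAT to the external address); the addresses are the ones quoted in the thread.

```python
"""Flag forwarded connections whose replies will bypass the firewall."""
import re

# External address of the firewall as quoted in the original log line.
FIREWALL_EXT_IP = "24.5.211.101"

# Constructed sample in ip_conntrack format. Line 1: DNAT only, so the reply
# tuple points back at the remote client. Line 2: DNAT plus SNAT to the
# firewall's external address, so the reply tuple points at the firewall.
SAMPLE_CONNTRACK = """\
tcp      6 117 SYN_SENT src=66.92.183.37 dst=24.5.211.101 sport=2303 dport=119 [UNREPLIED] src=63.223.5.254 dst=66.92.183.37 sport=119 dport=2303 use=1
tcp      6 431999 ESTABLISHED src=66.92.183.37 dst=24.5.211.101 sport=2303 dport=119 src=63.223.5.254 dst=24.5.211.101 sport=119 dport=2303 [ASSURED] use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack_line(line):
    """Return (state, original tuple, reply tuple, unreplied flag)."""
    fields = line.split()
    state = fields[3]  # tcp lines: proto, number, timeout, state, ...
    orig, reply = TUPLE_RE.findall(line)[:2]
    return state, orig, reply, "[UNREPLIED]" in line


def diagnose_forward(line, ext_ip=FIREWALL_EXT_IP, dport="119"):
    """Explain why a forwarded connection hangs, or confirm the NAT is symmetric."""
    state, orig, reply, unreplied = parse_conntrack_line(line)
    if orig[3] != dport:
        return "not the forwarded port"
    # reply[1] is where the remote server sends its SYN-ACK. If that is not
    # the firewall, the answer never traverses this box: the client receives
    # a SYN-ACK from an address it never contacted and the entry stays
    # UNREPLIED until the client times out.
    if reply[1] != ext_ip:
        return f"asymmetric: replies go to {reply[1]}, add SNAT to {ext_ip}"
    return f"ok: {state} ({'unreplied' if unreplied else 'replied'})"


def diagnose_all(text=SAMPLE_CONNTRACK):
    """Run the check over every non-empty line of a connections listing."""
    return [diagnose_forward(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for verdict in diagnose_all():
        print(verdict)
```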