On Thursday, 1 July 2004 20:52, Tom Eastep wrote:
> Jan Kohnert wrote:
> > I have read the faq2 but still have problems:
> > I have created a dyndns account (jankoh.dyndns.org) and forward www
> > requests from our local router to my computer. This works for external
> > computers but not for internal (faq2).
> > I have setup the following rule:
> > ACCEPT net loc:192.168.0.254 tcp www - all
>
> Are you running Shorewall 1.2? The above syntax hasn't been supported
> for a long time.
I just upgraded to shorewall 2.0.2f from backports.org. But still the same
problem: from the outside all works fine, but not from the inside.
Shorewall output:
gateway:~# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Not available
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: ppp0:0.0.0.0/0
Local Zone: eth1:192.168.0.0/24
Processing /etc/shorewall/init ...
Deleting user chains...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.DropSMB...
Pre-processing /usr/share/shorewall/action.RejectSMB...
Pre-processing /usr/share/shorewall/action.DropUPnP...
Pre-processing /usr/share/shorewall/action.RejectAuth...
Pre-processing /usr/share/shorewall/action.DropPing...
Pre-processing /usr/share/shorewall/action.DropDNSrep...
Pre-processing /usr/share/shorewall/action.AllowPing...
Pre-processing /usr/share/shorewall/action.AllowFTP...
Pre-processing /usr/share/shorewall/action.AllowDNS...
Pre-processing /usr/share/shorewall/action.AllowSSH...
Pre-processing /usr/share/shorewall/action.AllowWeb...
Pre-processing /usr/share/shorewall/action.AllowSMB...
Pre-processing /usr/share/shorewall/action.AllowAuth...
Pre-processing /usr/share/shorewall/action.AllowSMTP...
Pre-processing /usr/share/shorewall/action.AllowPOP3...
Pre-processing /usr/share/shorewall/action.AllowIMAP...
Pre-processing /usr/share/shorewall/action.AllowTelnet...
Pre-processing /usr/share/shorewall/action.AllowVNC...
Pre-processing /usr/share/shorewall/action.AllowVNCL...
Pre-processing /usr/share/shorewall/action.AllowNTP...
Pre-processing /usr/share/shorewall/action.AllowRdate...
Pre-processing /usr/share/shorewall/action.AllowNNTP...
Pre-processing /usr/share/shorewall/action.AllowTrcrt...
Pre-processing /usr/share/shorewall/action.AllowSNMP...
Pre-processing /usr/share/shorewall/action.AllowPCA...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
Rule "AllowSSH loc fw" added.
Rule "AllowSSH fw loc" added.
Rule "AllowPing net fw" added.
Rule "ACCEPT net fw tcp 4662" added.
Rule "ACCEPT net fw udp 12112" added.
Rule "AllowSMB loc fw" added.
Rule "AllowSMB fw loc" added.
Rule "AllowDNS loc fw" added.
Rule "AllowDNS fw net" added.
Rule "ACCEPT fw loc tcp printer" added.
Rule "DNAT net loc:192.168.0.254 tcp www" added.
Rule "DNAT loc:192.168.0.0/24 loc:192.168.0.254:80 tcp www - 217.228.66.253:192.168.0.254" added.
Rule "DNAT net loc:192.168.0.254 tcp ftp" added.
Rule "DNAT loc:192.168.0.0/24 loc:192.168.0.254:21 tcp ftp - 217.228.66.253:192.168.0.254" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
Rule "RejectAuth" added.
Rule "dropBcast" added.
Rule "DropSMB" added.
Rule "DropUPnP" added.
Rule "dropNonSyn" added.
Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject...
Rule "RejectAuth" added.
Rule "dropBcast" added.
Rule "RejectSMB" added.
Rule "DropUPnP" added.
Rule "dropNonSyn" added.
Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.AllowSSH...
Rule "ACCEPT - - tcp 22" added.
Processing /usr/share/shorewall/action.AllowPing...
Rule "ACCEPT - - icmp 8" added.
Processing /usr/share/shorewall/action.AllowSMB...
Rule "ACCEPT - - udp 135,445" added.
Rule "ACCEPT - - udp 137:139" added.
Rule "ACCEPT - - udp 1024: 137" added.
Rule "ACCEPT - - tcp 135,139,445" added.
Processing /usr/share/shorewall/action.AllowDNS...
Rule "ACCEPT - - udp 53" added.
Rule "ACCEPT - - tcp 53" added.
Processing /usr/share/shorewall/action.RejectAuth...
Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB...
Rule "DROP - - udp 135" added.
Rule "DROP - - udp 137:139" added.
Rule "DROP - - udp 445" added.
Rule "DROP - - tcp 135" added.
Rule "DROP - - tcp 139" added.
Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP...
Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep...
Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB...
Rule "REJECT - - udp 135" added.
Rule "REJECT - - udp 137:139" added.
Rule "REJECT - - udp 445" added.
Rule "REJECT - - tcp 135" added.
Rule "REJECT - - tcp 139" added.
Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy ACCEPT for fw to loc using chain fw2loc
Policy REJECT for net to fw using chain net2all
Policy REJECT for net to loc using chain net2all
Policy ACCEPT for loc to fw using chain loc2fw
Policy ACCEPT for loc to net using chain loc2net
Policy REJECT for loc to loc using chain all2all
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (all) from 192.168.0.0/24 through ppp0
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Shorewall Restarted
gateway:~#
OK, a little bit wide open, but it will be closed as soon as all works as
expected.
The interfaces:
gateway:~# grep -v "^#" /etc/shorewall/interfaces
net ppp0 detect dhcp
loc eth1 192.168.0.255 dhcp,detectnets,routeback
gateway:~#
And this is what I get from inside:
jankoh@kohni ~ $ nmap -P0 jankoh.dyndns.org
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-03 10:50 CEST
Interesting ports on pD9E442FD.dip.t-dialin.net (217.228.66.253):
(The 1646 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
9/tcp open discard
13/tcp open daytime
21/tcp filtered ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp filtered http
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
515/tcp open printer
901/tcp open samba-swat
1024/tcp open kdm
Nmap run completed -- 1 IP address (1 host up) scanned in 2.191 seconds
jankoh@kohni ~ $
I hope it helps to find my error. Thanks to all!!!
> -Tom
Best regards, Jan
--
OpenPGP public key available:
http://home.arcor.de/jan.kohnert/gnupg_publickey.asc
Key-Fingerprint:
BA8E 11D1 FE7C 9353 7276 5375 486E 9BED 2B03 DF29