dermotg@comcast.net
2004-Jul-06 23:20 UTC
Configuring shorewall with NAT address and port forwarding (non subscribed user)
I have inherited what I believe is an unusual network configuration (for legacy purposes I cannot at the moment rectify):

My ISP allocates addresses via DHCP, which is not too unusual, but the addresses are NAT addresses (192.168.123.10-15), which again might not be too unusual; however, their port forwarding to me is a little bizarre. My ISP then provides port forwarding from the public internet by exposing (at my request) up to 5 class C subnet addresses (204.17.105.X) and maps the addresses directly to one of the NAT addresses (i.e. 204.17.105.15 -> 192.168.123.15).

The box I am trying to configure is a PIII 500 with a single ethernet connection running Mandrake 10 with an upgraded shorewall (version 2.03) with modified one-interface config files per the documentation.

Basically Shorewall appears to be working but not as I expect it to, and I would appreciate any pointers to what I am doing wrong:

The one-interface config files are modified to allow http and ssh and ftp. Testing seems to demonstrate a successful setup for http, but ssh and ftp do not appear to work.

With shorewall running, I can see the default apache web page when visiting the class C address from any browser.

With shorewall stopped, I cannot see the default apache web page when visiting the class C address from any browser, getting a page not found error. Deduction: shorewall is doing something.

I have searched the FAQs etc. for hints/solutions, and the closest configuration to my own that I have read about is discussed in FAQ 14, which talks about DHCP-assigned NAT addresses. Based on this FAQ, I have tried the suggestions:

- enabling/disabling norfc1918 doesn't appear to have any effect.
- allowing the RETURN of 192.168.123.0/16 with norfc1918 enabled.

Is this a shorewall config issue or a spoofing problem?
Regards,
Dermot Grady
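As an added illustration (not code from this thread or from the Shorewall project), the following Python check reads constructed Shorewall 2.x-style `rules` and `interfaces` files and reports the two things worth confirming in a setup like the one described: whether ACCEPT rules actually exist for the TCP ports of http, ssh and ftp from the `net` zone to the firewall, and whether `norfc1918` is set on an interface whose own DHCP-assigned address is in RFC 1918 space. The column layout (`ACTION SOURCE DEST PROTO DEST PORT(S)` for rules, `ZONE INTERFACE BROADCAST OPTIONS` for interfaces), the zone names `net` and `fw`, and the sample file contents are assumptions modelled on the 2.x file formats, not the poster's real configuration.

```python
"""Check a one-interface Shorewall 2.x setup for the two issues raised in the
thread: missing ACCEPT rules for ssh/ftp, and norfc1918 on a box whose own
address is private. File formats, zone names and sample contents are
assumptions (constructed), not the poster's files.
"""
import ipaddress

# Constructed /etc/shorewall/rules in 2.x layout: ACTION SOURCE DEST PROTO DEST-PORT(S)
SAMPLE_RULES = """\
# ACTION   SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT     net     fw    tcp    80
ACCEPT     net     fw    tcp    22,ftp
"""

# Constructed rules file that only opens http, the symptom the poster reports.
SAMPLE_RULES_HTTP_ONLY = """\
ACCEPT     net     fw    tcp    80
"""

# Constructed /etc/shorewall/interfaces: ZONE INTERFACE BROADCAST OPTIONS
SAMPLE_INTERFACES = """\
# ZONE  INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     dhcp,norfc1918
"""

# Services the poster wants reachable, with their well-known TCP ports.
EXPECTED_TCP_PORTS = {"http": 80, "ssh": 22, "ftp": 21}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _fields(text):
    """Yield whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def accepted_tcp_ports(rules_text, source="net", dest="fw"):
    """Return the set of TCP ports ACCEPTed from `source` zone to `dest` zone.

    Port entries may be numeric or one of the service names in
    EXPECTED_TCP_PORTS (Shorewall itself also accepts /etc/services names).
    """
    ports = set()
    for f in _fields(rules_text):
        if len(f) < 5:
            continue  # no DEST PORT column, nothing port-specific to record
        action, src, dst, proto, dports = f[:5]
        if action != "ACCEPT" or src != source or dst != dest or proto != "tcp":
            continue
        for p in dports.split(","):
            if p.isdigit():
                ports.add(int(p))
            elif p in EXPECTED_TCP_PORTS:
                ports.add(EXPECTED_TCP_PORTS[p])
    return ports


def missing_services(rules_text):
    """Names of expected services that have no ACCEPT rule for their port."""
    open_ports = accepted_tcp_ports(rules_text)
    return sorted(name for name, port in EXPECTED_TCP_PORTS.items()
                  if port not in open_ports)


def interface_options(interfaces_text, zone="net"):
    """Return the comma-separated OPTIONS of the first interface in `zone`."""
    for f in _fields(interfaces_text):
        if f[0] == zone and len(f) >= 4:
            return set(f[3].split(","))
    return set()


def norfc1918_conflict(interfaces_text, own_address, zone="net"):
    """True when norfc1918 is set on the interface and the box's own address
    is RFC 1918 space, the combination Tom advises against in this thread."""
    addr = ipaddress.ip_address(own_address)
    private = any(addr in net for net in RFC1918)
    return private and "norfc1918" in interface_options(interfaces_text, zone)


if __name__ == "__main__":
    print("missing with full rules:", missing_services(SAMPLE_RULES))
    print("missing with http-only rules:", missing_services(SAMPLE_RULES_HTTP_ONLY))
    print("norfc1918 conflict on 192.168.123.15:",
          norfc1918_conflict(SAMPLE_INTERFACES, "192.168.123.15"))
```

Run against the constructed http-only rules file it reports ftp and ssh as missing, and against the constructed interfaces file it flags `norfc1918` because the interface's own address (192.168.123.15) is private; the same check returns False for a public address such as 204.17.105.15. Point it at real files by reading them into the two text arguments.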
Tom Eastep
2004-Jul-06 23:32 UTC
Re: Configuring shorewall with NAT address and port forwarding (non subscribed user)
dermotg@comcast.net wrote:
> Is this a shorewall config issue or a spoofing problem?

For all you've told us, it could be caused by your neighbor's dog having fleas. Please see http://shorewall.net/support.htm for the information that we require in order to be able to help you. The only things I can tell you for certain are:

a) with your setup, I would recommend that you not set 'norfc1918' on your interface.

b) Please check your logs and compare what you find there against FAQ #17.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2004-Jul-06 23:38 UTC
Re: Configuring shorewall with NAT address and port forwarding (non subscribed user)
dermotg@comcast.net wrote:
> With shorewall stopped, I cannot see the default apache web page when
> visiting the class C address from any browser, getting a page not found
> error. Deduction: shorewall is doing something.

And if you "shorewall clear", does everything work perfectly?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net