I've had some issues with my network, and I've had to reconfigure my Gibraltar CD. It runs shorewall 1.4.8, and I have a 2-interface setup, so I downloaded the relevant files from the install page.

Masq and such works, but I'm having a problem with my port forwarding. It works for port 22, but it doesn't seem to work for any other port.

I've turned on :info, and here are the relevant tests:

kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP DST=PUBLIC_IP LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=55181 DF PROTO=TCP SPT=62684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP DST=PUBLIC_IP LEN=60 TOS=0x10 PREC=0x20 TTL=40 ID=21056 DF PROTO=TCP SPT=62694 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

One thing that I've noticed is that it doesn't seem to visibly translate the DST from my public IP (ADSL, eth1) to the relevant RFC1918 IP on my internal network ($SERVER_IP).

Excerpt from /etc/shorewall/rules:

#
# SSH Forwarding
#
DNAT:info net loc:$SERVER_IP tcp 22
#
# HTTPd Forwarding
#
DNAT:info net loc:$SERVER_IP tcp 80
DNAT:info net loc:$SERVER_IP tcp https

Excerpt from /etc/shorewall/interfaces:

net eth1 detect dhcp,routefilter,norfc1918
loc eth0 detect dhcp

Excerpt from /etc/shorewall/masq:

eth1 eth0

Excerpt from /etc/shorewall/policy:

loc net ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
loc fw ACCEPT #1
fw loc ACCEPT #2
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

** I added the #1 and #2 rules to allow the FW to act as an internal DNS cache, and to facilitate internal communication. Would it be safer to just turn on the relevant ports in the rules, and turn off this policy?

Excerpt from /etc/shorewall/routestopped:

eth0 -

Excerpt from /etc/shorewall/zones:

net Net Internet
loc Local Local Networks
#dmz DMZ Demilitarized Zone

I had all this working before, but of course I can't find those backups. :( I've been backing up as I go, and I think this is the last thing on my FW I need to get working right now.

Thanks for any help, please LMK if there is any more relevant information.
Adam
Please read carefully http://www.shorewall.net/support.htm

Pay attention to the paragraph: "When reporting a problem, ALWAYS include this information"

-Guilsson

On Wed, 22 Sep 2004 11:17:40 -0700, scriven <scriven@hive.lore.com> wrote:
> I've had some issues with my network, and I've had to reconfigure my
> Gibraltar CD. It runs shorewall 1.4.8, and I have a 2-interface setup, so
> I downloaded the relevant files from the install page.
>
> Masq and such works, but I'm having a problem with my port forwarding. It
> works for port 22, but it doesn't seem to work for any other port.
>
> I've turned on :info, and here are the relevant tests:
> kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP DST=PUBLIC_IP LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=55181 DF PROTO=TCP SPT=62684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP DST=PUBLIC_IP LEN=60 TOS=0x10 PREC=0x20 TTL=40 ID=21056 DF PROTO=TCP SPT=62694 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
> One thing that I've noticed is that it doesn't seem to visibly translate the
> DST from my public IP (ADSL, eth1) to the relevant RFC1918 IP on my internal
> network ($SERVER_IP).
>
> Excerpt from /etc/shorewall/rules:
> #
> # SSH Forwarding
> #
> DNAT:info net loc:$SERVER_IP tcp 22
> #
> # HTTPd Forwarding
> #
> DNAT:info net loc:$SERVER_IP tcp 80
> DNAT:info net loc:$SERVER_IP tcp https
>
> Excerpt from /etc/shorewall/interfaces:
> net eth1 detect dhcp,routefilter,norfc1918
> loc eth0 detect dhcp
>
> Excerpt from /etc/shorewall/masq:
> eth1 eth0
>
> Excerpt from /etc/shorewall/policy:
> loc net ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw net ACCEPT
> loc fw ACCEPT #1
> fw loc ACCEPT #2
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
> ** I added the #1 and #2 rules to allow the FW to act as an internal DNS cache,
> and to facilitate internal communication. Would it be safer to just turn on
> the relevant ports in the rules, and turn off this policy?
>
> Excerpt from /etc/shorewall/routestopped:
> eth0 -
>
> Excerpt from /etc/shorewall/zones:
> net Net Internet
> loc Local Local Networks
> #dmz DMZ Demilitarized Zone
>
> I had all this working before, but of course I can't find those backups.
> :( I've been backing up as I go, and I think this is the last thing on my
> FW I need to get working right now.
>
> Thanks for any help, please LMK if there is any more relevant information.
> Adam
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Wednesday 22 September 2004 11:17, scriven wrote:
> I've had some issues with my network, and I've had to reconfigure my
> Gibraltar CD. It runs shorewall 1.4.8, and I have a 2-interface setup, so
> I downloaded the relevant files from the install page.
>
> Masq and such works, but I'm having a problem with my port forwarding. It
> works for port 22, but it doesn't seem to work for any other port.
>
> I've turned on :info, and here are the relevant tests:
> kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP DST=PUBLIC_IP LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=55181 DF PROTO=TCP SPT=62684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP DST=PUBLIC_IP LEN=60 TOS=0x10 PREC=0x20 TTL=40 ID=21056 DF PROTO=TCP SPT=62694 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
> One thing that I've noticed is that it doesn't seem to visibly translate
> the DST from my public IP (ADSL, eth1) to the relevant RFC1918 IP on my
> internal network ($SERVER_IP).

Logging of DNAT rules occurs in the 'nat' table's PREROUTING chain before the translation occurs. Have you checked the DNAT troubleshooting tips in FAQs 1a and 1b?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
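Tom's point (the DNAT log entry is written in nat/PREROUTING, so DST in the line is still the public address) can be checked against the poster's own log lines and rules excerpt. The following is an added example, not code from this thread or from Shorewall: it parses the two logged lines, matches each on protocol and DPT against the DNAT rules, and reports the logged destination next to the internal address the rule substitutes after the log entry is emitted. The names parse_log, expected_dnat and the SERVICES table are my own; SERVICES stands in for /etc/services.

```python
import re

# Constructed sample input: the two ":info" log lines from the original post,
# with the poster's placeholders (MAC_ADDRESS, SRC_IP, PUBLIC_IP) left as-is.
LOG_LINES = [
    "kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP "
    "DST=PUBLIC_IP LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=55181 DF PROTO=TCP "
    "SPT=62684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP "
    "DST=PUBLIC_IP LEN=60 TOS=0x10 PREC=0x20 TTL=40 ID=21056 DF PROTO=TCP "
    "SPT=62694 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]
# DNAT lines from the poster's rules file as (proto, port, target after "loc:").
DNAT_RULES = [("tcp", "22", "$SERVER_IP"), ("tcp", "80", "$SERVER_IP"),
              ("tcp", "https", "$SERVER_IP")]
# Hypothetical subset of /etc/services, enough to resolve the names in the rules.
SERVICES = {"ssh": 22, "http": 80, "https": 443}
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")

def parse_log(line):
    """Split a Shorewall kernel log line into chain, disposition and KEY=VALUE fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True  # bare flags such as DF and SYN
    return {"chain": m.group("chain"), "disp": m.group("disp"), "fields": fields}

def port_number(port):
    """Resolve a numeric port or a service name as written in the rules file."""
    return int(port) if port.isdigit() else SERVICES[port]

def expected_dnat(entry, rules=DNAT_RULES):
    """Pair the logged DST of a DNAT entry (written in nat/PREROUTING, before
    translation, so still the public address) with the internal address the
    matching rule substitutes afterwards; post_dnat_dst is None if no rule matches."""
    if entry is None or not entry["chain"].endswith("_dnat") or entry["disp"] != "DNAT":
        return None
    f = entry["fields"]
    proto, dport = f.get("PROTO", "").lower(), int(f.get("DPT", 0))
    target = next((t for p, port, t in rules
                   if p == proto and port_number(port) == dport), None)
    return {"dport": dport, "logged_dst": f.get("DST"), "post_dnat_dst": target}

def summarize(lines):
    """(dport, logged DST, post-DNAT DST) for every DNAT log line in lines."""
    results = [expected_dnat(parse_log(line)) for line in lines]
    return [(r["dport"], r["logged_dst"], r["post_dnat_dst"]) for r in results if r]
```

A logged line whose DPT matches no DNAT rule comes back with post_dnat_dst set to None, which is the case worth looking at when a forward "does not work": the log proves the rule chain was entered, not that a rule matched.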
On Wed, 22 Sep 2004 11:17:40 -0700, scriven <scriven@hive.lore.com> wrote:
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw net ACCEPT
> loc fw ACCEPT #1
> fw loc ACCEPT #2
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
> ** I added the #1 and #2 rules to allow the FW to act as an internal DNS
> cache, and to facilitate internal communication. Would it be safer to just
> turn on the relevant ports in the rules, and turn off this policy?

I use the following:

# DNS
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53

HTH,
Ingo.