Pedro Alves
2004-Dec-02 18:06 UTC
Masquerading and UDP replies to local network doesn't work.
Hi all.

I have a NAT problem. I have read FAQs and a lot of masquerading docs, but this seems such a simple problem, that I guess no one else will consider this a problem...

This is my setup:

shorewall version 1.4.6.c

uname -a
Linux server 2.4.21-0.13mdksecure #1 SMP

[root@server shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:6a:08:f9:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:fc:c8:18:a2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.199.25/24 brd 192.168.199.255 scope global eth1

[root@server shorewall]# ip route show
192.168.199.0/24 dev eth1 scope link
192.168.0.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.199.254 dev eth1

/sbin/shorewall status is annexed.

     +------------------+
     |      Local       |
     +------------------+
         (192.168.0.247)
              |
              | 192.168.0.x/24
              |
         (192.168.0.254)
     +------------------+
     | Linux/Shorewall  |  Masquerading setup
     +------------------+
         (192.168.199.25)
              |
              | 192.168.199.x/24
              |
         (192.168.199.254)
     +------------------+
     |   ADSL Router    |  NAT support
     +------------------+
         (public ip)
              |
              |
         (Internet)

I can browse the net from my local network, so it seems that Masquerading and the NAT in the ADSL router are correctly configured, at least for http. I have no other route to the internet.

I have this udp based service that I am developing, that I want to use between my local network, and a server running on the (public ip) Internet. Let's say my machine with ip 192.168.0.247 wants to talk to the server at 213.13.240.98.

192.168.0.247 sends a message to 213.13.240.98. At this point I would expect that both the linux box and the ADSL router would open temporary "holes" in their back nat tables.

The problem is that my 192.168.199.25 isn't returning the replies back to 192.168.0.247, as if the holes were not open. I can see that with Ethereal. I can also see the messages from 213.13.240.98 arriving at 192.168.199.25, because I see lots of these in the logs:

Dec 2 17:11:29 server kernel: Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:50:fc:c8:18:a2:00:a0:c5:8f:ab:5f:08:00 SRC=213.13.240.98 DST=192.168.199.25 LEN=68 TOS=0x00 PREC=0x80 TTL=52 ID=3996 DF PROTO=UDP SPT=10000 DPT=4347 LEN=48

So the ADSL router has the "hole" in the NAT reply table. (By the way, what do you call these "holes"?)

Why aren't the packets being routed back from 192.168.199.25/192.168.0.254 to 192.168.0.247?

Here are my shorewall config files:

-------------------------------------------------------
/etc/shorewall/interfaces
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth1         detect       dhcp
local    eth0         -
-------------------------------------------------------
/etc/shorewall/masq
#INTERFACE    SUBNET    ADDRESS
eth1          eth0
-------------------------------------------------------
/etc/shorewall/nat
[empty]
-------------------------------------------------------
/etc/shorewall/policy
#SOURCE    DEST     POLICY    LOG LEVEL    LIMIT:BURST
local      net      ACCEPT    -
$FW        net      ACCEPT    -
local      $FW      ACCEPT    -
$FW        local    ACCEPT    info
all        all      DROP      info
-------------------------------------------------------
/etc/shorewall/rules
#ACTION        SOURCE                  DEST    PROTO    DEST                            SOURCE     ORIGINAL
#                                                       PORT                            PORT(S)    DEST
ACCEPT:info    net                     all     all      -                               -
ACCEPT         net:192.168.199.0/24    $FW     tcp      echo,ssh,domain,http,https      -
ACCEPT         net:192.168.199.0/24    $FW     udp      echo,ssh,domain,http,https      -
-------------------------------------------------------

Thanks in advance,
Pedro Alves
Tom Eastep
2004-Dec-02 18:24 UTC
Re: Masquerading and UDP replies to local network doesn't work.
On Thu, 2004-12-02 at 18:06 +0000, Pedro Alves wrote:
> Hi all.
>
> I have a NAT problem. I have read FAQs and a lot of masquerading docs,
> but this seems such a simple problem, that I guess no one else will
> consider this a problem...

I think that you are misunderstanding how connection tracking works. The firewall does NOT open holes unless you have a Netfilter "helper" module for your application (such as the ftp helpers described at http://shorewall.net/FTP.html).

If a local host with IP address A1 sends a UDP packet with source port P1 and a destination port P2 to internet host A2 then:

a) The source IP in the packet is rewritten to be the firewall's external address; and

b) traffic from A2 with source port P2 and destination port P1 and addressed to the firewall's external IP address will have the destination IP address rewritten as A1 and will be forwarded back to the local system.

If you are able to log the replies using LOG rules then your application is doing something different from what is described above because the return traffic is handled by Shorewall before any user-supplied rules are applied.

-Tom

PS - the above description of what happens assumes that there is no source port collision; if there is such a collision then the source port is rewritten on output and the destination port is rewritten when the replies are returned.

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
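The masquerading behaviour Tom describes (rules a and b, plus the source-port collision in his PS), as an added model that is not part of the thread and not Shorewall's or Netfilter's code: it keys its table on the external port alone, a simplification of conntrack's full address/port tuple, and the remote ports used are constructed sample values.

```python
# Added example: a minimal model of MASQUERADE connection tracking for UDP.
# Only the firewall's external address is taken from the thread; the server
# ports below are constructed. Matching is by external port only (simplified).

FW_EXT = "192.168.199.25"   # firewall's external (eth1) address


class MasqNat:
    def __init__(self):
        # external port -> (local_ip, local_port, remote_ip, remote_port)
        self.table = {}

    def outbound(self, src, sport, dst, dport):
        """Local A1:P1 -> internet A2:P2. Returns the packet as sent on the wire."""
        ext_port = sport
        # Source-port collision (Tom's PS): another local host already owns
        # this external port, so the source port is rewritten on output.
        while ext_port in self.table and self.table[ext_port][:2] != (src, sport):
            ext_port += 1
        self.table[ext_port] = (src, sport, dst, dport)
        return (FW_EXT, ext_port, dst, dport)   # rule (a): source IP rewritten

    def inbound(self, src, sport, dst, dport):
        """Packet arriving at the external address. Returns the de-NATed packet,
        or None when no entry matches: such a packet is a NEW connection that
        falls through to the net->fw policy and rules (a net2fw log line),
        not an established reply."""
        entry = self.table.get(dport)
        if dst != FW_EXT or entry is None:
            return None
        local_ip, local_port, remote_ip, remote_port = entry
        # rule (b): reply must come from A2 with source port P2
        if (src, sport) != (remote_ip, remote_port):
            return None
        return (src, sport, local_ip, local_port)   # destination rewritten to A1


def demo_matching_reply():
    nat = MasqNat()
    wire = nat.outbound("192.168.0.247", 4347, "213.13.240.98", 5000)
    return wire, nat.inbound("213.13.240.98", 5000, FW_EXT, wire[1])


def demo_reply_from_other_port():
    # constructed: the server answers from a port other than the one contacted
    nat = MasqNat()
    wire = nat.outbound("192.168.0.247", 4347, "213.13.240.98", 5000)
    return nat.inbound("213.13.240.98", 6000, FW_EXT, wire[1])


def demo_port_collision():
    nat = MasqNat()
    nat.outbound("192.168.0.247", 4347, "213.13.240.98", 5000)
    wire = nat.outbound("192.168.0.10", 4347, "213.13.240.98", 5000)
    return wire, nat.inbound("213.13.240.98", 5000, FW_EXT, wire[1])
```

A reply that returns None in this model is exactly the case Tom points at: it is not recognised as return traffic, so it reaches the user-supplied rules instead of being forwarded to the local host.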