Shorewall version: 2.2.3
OS: Debian Sarge stable, up to date

I've a firewall related problem on our school server. It seems to be hard, but may be solved by adding 1-2 lines to the shorewall rules. Sadly I cannot figure out these lines for days... My shorewall status output has been attached, conforming to the Shorewall Support Guide.

In our school, some machines require forwarded ports due to some programs, like SkyPE. I've opened 10 ports for each machine: port 4xxx0:4xxx9 where xxx is the low byte of the machine's IP address in decimal. For example: 192.158.0.134 gets all tcp and udp traffic that comes to the server on ports 41340..41349. Direct connection between two local machines works fine, since it is not routed by our server. Forwarded ports work fine when SkyPE communicates with a machine outside our local network (Internet).

MY PROBLEM: Connections to the forwarded ports from our local network do not work. For example, SkyPE file transfers cannot connect and are finally relayed through the Internet (1k/s). This problem is not related to SkyPE only. It can be reproduced using any service listening on a forwarded port if someone from the local network tries to connect to it on the server's forwarded port (not directly).

Let's see some numbers. I've used tcpdump to monitor a connection attempt.

I found only two packets per connection attempt when trying to connect telnet to a listening (tcp) service from 192.168.0.136 to 195.228.231.170:41340 (forwarded to 192.168.0.134:41340):

18:34:16.888867 IP 192.168.0.136.1558 > adsl.mginfszki.sulinet.hu.41340: S 336540881:336540881(0) win 64500 <mss 1460,nop,wscale 0,nop,nop,sackOK>
18:34:16.889048 IP 192.168.0.136.1558 > 192.168.0.134.41340: S 336540881:336540881(0) win 64500 <mss 1460,nop,wscale 0,nop,nop,sackOK>

Our external IP address according to resolveip (ADSL Internet connection):

IP address of adsl.mginfszki.sulinet.hu is 195.228.231.170

This is a problem, since services listening on local machines (like SkyPE) get DNAT'ed packets and reply to 195.228.231.170:4xxxn ports. These packets should be forwarded back to eth0 (our LAN adapter) by the firewall to a local machine. These packets seem to be lost. They cannot be found in syslog or anywhere else. They cannot be caught by tcpdump.

More information: Adapters on our server:
eth0: 192.168.0.1, lan: LAN adapter
eth1: 195.199.157.217, koz: special school network, like an Internet connection
eth2: 195.228.231.170, net: ADSL Internet connection

I use source-based routing to route some traffic back to eth1, but this should not affect my problem described above. My problem only affects eth0 and eth2, possibly only eth0.

If you have any idea, please drop me an answer.

Thanks,
Viktor
Tom Eastep
2005-Sep-09 17:14 UTC
Re: Cannot connect a local machine to another via DNAT'ed ports

Letezo wrote:
> If you have any idea, please drop me an answer.

This is Shorewall FAQ #2

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
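For readers following the thread, the FAQ #2 pattern applied to the setup Viktor describes, as an added example that is not part of the thread or of the attached status output. It assumes eth0 is the interface of the 'loc' zone, uses the addresses and port range from the mail, and covers udp as well as tcp because both are forwarded.

```text
# /etc/shorewall/rules  (added example, Shorewall 2.x column layout)
#
# Why the LAN-side connection stalls: the client's SYN to 195.228.231.170
# is DNAT'ed to 192.168.0.134, but the server's reply goes straight back
# to the client on the LAN with source 192.168.0.134, never passing the
# firewall, so the client's connection to 195.228.231.170 gets no answer.
#
# A loc->loc DNAT rule with ORIGINAL DEST set to the external address
# lets the firewall handle those connections explicitly.
#ACTION  SOURCE  DEST               PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
DNAT     loc     loc:192.168.0.134  tcp    41340:41349   -               195.228.231.170
DNAT     loc     loc:192.168.0.134  udp    41340:41349   -               195.228.231.170

# /etc/shorewall/masq  (added example)
#
# Hairpinned connections are additionally SNAT'ed to the firewall's own
# eth0 address (192.168.0.1), so the server answers the firewall, which
# undoes the DNAT and returns the reply to the client. Only LAN traffic
# that actually traverses the firewall and leaves via eth0 is affected;
# direct LAN-to-LAN traffic never reaches the server.
#INTERFACE  SUBNET
eth0        192.168.0.0/24
```

If Shorewall still refuses loc->loc traffic through the firewall, the eth0 entry in /etc/shorewall/interfaces needs the routeback option; whether it is already set cannot be told from the mail, since the attached status output is not on this page.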