Merle Reine
2005-Dec-12 17:57 UTC
Forward port through point to point T-1 on two diff networks?
My situation is this:

shorewall 2.4.1
CentOS 4.1

From our corporate office, I have a point to point T-1 to our distribution center. At our distribution center, I have 3 PC's running VNC on ports 5901, 5902 and 5903 respectively.

I need to be able to forward ports 5901, 5902 and 5903 from our corporate office through our point to point T1 to distribution.

We have a distribution center in Atlanta that needs to VNC into those machines.

So: Atlanta to Corp shorewall firewall through point to point to vnc machine on port 5901.

I followed all the examples on shorewall.net and can not seem to get it working.

Our network at corporate is 192.168.1.x while the network at distribution is 192.168.2.x. The gateway at the corp office for the T-1 is 192.168.1.1 while the gateway for the T1 at distribution is 192.168.2.1.

From the corporate office shorewall machine, I can ping 192.168.2.91 through the ptp T-1 (vnc machine 1, port 5901 at distribution). I set up an external IP for this purpose: 12.105.250.121.

What I am trying to do is forward 12.105.250.121:5901 on our firewall through the point to point T1 to our distribution machine 192.168.2.91:5901.

I am already doing this on machines at our corp office, but they are on the 1.x network and not going through the point to point T1.

Does this make sense and does anyone have any pointers? This is urgent and my company is willing to pay money if someone can get this working (assuming it is possible).

Please help. I can provide my work/cell number if someone cares to make some money if it requires it.

Merle Reine,
Sys Admin,
GardenFreshCorp
SteZZz
2005-Dec-12 18:03 UTC
Re: Forward port through point to point T-1 on two diff networks?
Maybe make the subnet mask bigger, like instead of 255.255.255.0 use 255.255.0.0.

--
Gr. SteZZz
Merle Reine
2005-Dec-12 18:15 UTC
Re: Forward port through point to point T-1 on two diff networks?
Subnet mask bigger on my firewall?

On 12/12/05, SteZZz <stezzz@gmail.com> wrote:

> maybe make the subnet mask bigger like instead of 255.255.255.0 use a
> 255.255.0.0

--
Merle Reine
Tom Eastep
2005-Dec-12 18:30 UTC
Re: Forward port through point to point T-1 on two diff networks?
On Monday 12 December 2005 09:57, Merle Reine wrote:

> From corporate office shorewall machine, I can ping 192.168.2.91 through
> the ptp T-1 (vnc machine 1, port 5901 at distribution). I set up an
> external IP for this purpose: 12.105.250.121.

    DNAT <atlanta zone> <dist center zone>:192.168.2.91 tcp 5901 - 12.105.250.121

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Dec-12 18:33 UTC
Re: Forward port through point to point T-1 on two diff networks?
On Monday 12 December 2005 10:30, Tom Eastep wrote:

> DNAT <atlanta zone> <dist center zone>:192.168.2.91 tcp 5901 - 12.105.250.121

Note that you may also have to masquerade these connections if the distribution center doesn't know how to route traffic to Atlanta. In /etc/shorewall/masq:

    <T1 Interface> <atlanta network> <T1 IP> tcp 5901:5903

-Tom
Merle Reine
2005-Dec-12 19:20 UTC
Re: Forward port through point to point T-1 on two diff networks?
Tom,

Shorewall is awesome.

On my shorewall, I currently have 3 zones set up:

WAN (external 12.105.250.114)
LAN (192.168.1.x)
DMZ (few machines on dmz external)

From what you wrote, should I add another zone for dist (since it is on the 192.168.2.x network through the T-1)?

Atlanta is on a separate dsl connection currently and the plan is to eventually put in a point to point from atlanta to our corp. So, there is no zone for atlanta. So, if I set up a zone for distribution, it would look like the following?

    DNAT net dist:192.168.2.91 tcp 5901 - 12.105.250.121

I currently have our T1 from distribution on the same switch as the rest of our office and if someone wants to connect to it, they add a route on their machine for the 192.168.1.1 gateway. Would I need to add another nic to the firewall and have it on another switch for the T1 distribution center to have another zone?

--
Merle Reine
Tom Eastep
2005-Dec-12 19:34 UTC
Re: Forward port through point to point T-1 on two diff networks?
On Monday 12 December 2005 11:20, Merle Reine wrote:

> So, there is no zone for atlanta. So, if I set up a zone for distribution,
> it would look like the following?
>
>     DNAT net dist:192.168.2.91 tcp 5901 - 12.105.250.121
>
> I currently have our T1 from distribution on the same switch as the rest of
> our office and if someone wants to connect to it, they add a route on their
> machine for the 192.168.1.1 gateway. Would I need to add another nic to
> the firewall and have it on another switch for the T1 distribution center
> to have another zone?

Your options are spelled out at http://www.shorewall.net/Multiple_Zones.html (http://www.shorewall.net/2.0/Multiple_Zones.html if you are running Shorewall 2.x). So long as your firewall knows how to route to 192.168.2.91, you can use 'loc' rather than creating a separate 'dist'. I would suggest though that in the SOURCE column of your rule you qualify 'net' with the Atlanta network(s):

    DNAT net:<atlanta net 1>,<atlanta net 2>,... ...

Otherwise, you are opening up VNC at the distribution center for full-scale attack.

-Tom
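As an added example (not code from this thread or from the Shorewall project), a small Python linter that reads rules lines in the 2.x column layout discussed above and flags the exposure Tom warns about: a DNAT whose SOURCE is the bare 'net' zone rather than 'net:<atlanta net 1>,...'. The sample rules are constructed from the addresses quoted in the thread.

```python
"""Lint Shorewall 2.x /etc/shorewall/rules lines for over-broad DNAT rules.
Added example, not code from the thread or from the Shorewall project. The
column layout is the 2.x one used in the thread:
ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
"""
import ipaddress

RULES_COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# Constructed sample built from addresses quoted in the thread (12.105.250.x is
# the poster's own masking of a corp-office address; it is not validated here).
SAMPLE_RULES = """\
# ACTION  SOURCE              DEST              PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
# vnc machine in corp office; source restricted to the Atlanta address
DNAT      net:63.242.204.171  loc:192.168.1.91  tcp    5901       -            12.105.250.x
# vnc machine at distribution, reached over the T1; source left as bare 'net'
DNAT      net                 loc:192.168.2.91  tcp    5901       -            12.105.250.121
# qualifier that is not an address: Shorewall rejects this at restart time
DNAT      net:atlanta-office  loc:192.168.2.92  tcp    5902       -            12.105.250.121
ACCEPT    loc                 net
"""


def parse_rules(text):
    """Return one dict per rule line; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rule = dict(zip(RULES_COLUMNS, line.split()))
        rule["line"] = lineno
        rules.append(rule)
    return rules


def split_zone(spec):
    """'net:a,b' -> ('net', ['a', 'b']); a bare zone gives an empty host list."""
    zone, _, qualifier = spec.partition(":")
    return zone, [h for h in qualifier.split(",") if h]


def check_dnat_exposure(rules, untrusted_zone="net"):
    """Flag DNAT rules whose SOURCE is the bare untrusted zone (Tom's point in
    the thread: 'DNAT net ...' publishes the VNC port to the whole Internet,
    'net:<atlanta net 1>,<atlanta net 2>' limits who may reach it). Returns
    a list of (line number, message) tuples.
    """
    findings = []
    for rule in rules:
        action = rule.get("action", "").split(":", 1)[0]  # drop a log level, e.g. DNAT:info
        if action not in ("DNAT", "DNAT-"):
            continue
        zone, hosts = split_zone(rule.get("source", ""))
        if zone != untrusted_zone:
            continue
        if not hosts:
            findings.append((rule["line"], "DNAT from unrestricted '%s' to %s port %s"
                             % (zone, rule.get("dest"), rule.get("dport"))))
            continue
        for host in hosts:
            if host.startswith("!"):  # exclusion: the rest of the zone can still connect
                findings.append((rule["line"], "exclusion %r still exposes '%s'" % (host, zone)))
                continue
            try:
                ipaddress.ip_network(host, strict=False)
            except ValueError:
                findings.append((rule["line"], "source qualifier %r is not an address/CIDR" % host))
    return findings
```

Against a live firewall, feed the file contents to `check_dnat_exposure(parse_rules(open("/etc/shorewall/rules").read()))` and review each reported line before the next `shorewall restart`.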
Merle Reine
2005-Dec-12 20:05 UTC
Re: Forward port through point to point T-1 on two diff networks?
Thanks for all the great help.

My rules file:

    # DNAT for VNC machines

    #vnc machines in corp office below
    DNAT net:63.242.204.171 loc:192.168.1.91 tcp 5901 - 12.105.250.x

    #vnc machines at distribution (eventually)
    DNAT net:63.242.204.171 loc:192.168.2.91 tcp 5901 - 12.105.250.121

My masq file:

    #INTERFACE          SUBNET  ADDRESS         PROTO  PORT(S)        IPSEC
    eth0:192.168.1.8    eth0    192.168.1.10    tcp    81
    eth0:192.168.1.3    eth0    192.168.1.10    tcp    21
    eth1                eth0    12.105.250.114
    eth0:192.168.1.11   eth0    12.105.250.120  tcp    25,22,80,443
    eth2                eth0    12.105.250.118  tcp    80,443,22,21
    #added line below to try to get distribution vnc working
    eth0                eth1    12.105.250.114  tcp    5901:5903

eth0 = LAN
eth1 = WAN
eth2 = DMZ

Is the last line correct according to what you explained:

"Note that you may also have to masquerade these connections if the distribution center doesn't know how to route traffic to Atlanta:

In /etc/shorewall/masq:

<T1 Interface> <atlanta network> <T1 IP> tcp 5901:5903"

I know the T1 IP and the Interface but was not sure what you meant by <atlanta network>.

btw, I meant what I said about paying if I can get this working. Whether you want a donation to the shorewall project or your pocket, no matter to me.

Thanks for the prompt assistance.

--
Merle Reine
Tom Eastep
2005-Dec-12 20:14 UTC
Re: Forward port through point to point T-1 on two diff networks?
On Monday 12 December 2005 12:05, Merle Reine wrote:

> I know the T1 IP and the Interface but was not sure what you meant by
> <atlanta network>.

The machines in atlanta that need access to the VNC server at the distribution center. From your DNAT rule, I'm assuming that set at least includes 63.242.204.171.

> btw, I meant what I said about paying if I can get this working. Whether
> you want a donation to the shorewall project or your pocket, no matter to
> me.

Thanks -- Please see the "Donations" link on the Shorewall home page.

-Tom
Merle Reine
2005-Dec-12 20:29 UTC
Re: Forward port through point to point T-1 on two diff networks?
It seems to be something to do with the route back out from distribution to the net. When I try to vnc into 12.105.250.121:5901 from outside the network, it just hangs and eventually times out. I know the setup is right as it is the same as our other vnc machines, except this is going through the ptp T1 and a 2.x network. When I change the rules from 2.x to 1.x, it connects to the vnc machine in the office, so I know it is working, but something with going through the ptp T1 is not working.

--
Merle Reine
Tom Eastep
2005-Dec-12 20:32 UTC
Re: Forward port through point to point T-1 on two diff networks?
On Monday 12 December 2005 12:29, Merle Reine wrote:

> It seems to be something to do with the route back out from distribution to
> the net. When I try to vnc into 12.105.250.121:5901 from outside the
> network, it just hangs and eventually times out.

Please follow the DNAT troubleshooting steps given in Shorewall FAQs 1a and 1b.

-Tom
Tom Eastep
2005-Dec-12 20:36 UTC
Re: Forward port through point to point T-1 on two diff networks?
On Monday 12 December 2005 12:32, Tom Eastep wrote:

> Please follow the DNAT troubleshooting steps given in Shorewall FAQs 1a and
> 1b.

And if you can't determine the problem then please submit a detailed problem report. Go to http://www.shorewall.net/support.html and follow the "Getting Help" link for your version.

-Tom