I have a new firewall which I just commissioned. Although it has four interfaces, and will be used as a multi-ISP machine, I have only enabled two interfaces and set it up as a simple firewall for a LAN.

eth0 - static ISP
eth3 - LAN 192.168.200.0/24

Everything works fine with the exception of our asterisk server on the LAN. Both IAX2 (UDP port 4569) and SIP (UDP port 5060) are being dropped instead of being forwarded to the server with the IP address 192.168.200.11 using the rules below:

DNAT net loc:192.168.200.11 udp 4569,5060,10000:20000

Any idea why this does not work? DNAT to the 192.168.200.2 server works fine, as does DNAT of SSH to 192.168.200.11.

Here is the log entry:

Feb 22 19:32:26 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:03:47:95:9d:65:00:00:0c:45:4b:5b:08:00 SRC=207.44.160.82 DST=207.42.133.146 LEN=40 TOS=0x10 PREC=0x00 TTL=48 ID=9134 DF PROTO=UDP SPT=4569 DPT=4569 LEN=20

/etc/shorewall/rules:
#
SSH/ACCEPT loc $FW
SSH/ACCEPT net $FW
#
#
# pcAnywhere
DNAT net loc:192.168.200.76 tcp 5631:5632
DNAT net loc:192.168.200.76 udp 5631:5632
DNAT net loc:192.168.200.70 tcp 5633:5634
DNAT net loc:192.168.200.70 udp 5633:5634
#
# SSH to PBX
#
DNAT net loc:192.168.200.11:22 tcp 24
#
# IAX2 to pbx
#
DNAT net loc:192.168.200.11 udp 4569,5060,10000:20000
#
# Services to Loki
#
DNAT net loc:192.168.200.2 tcp smtp,http,imap
DNAT net loc:192.168.200.2 udp 53
#
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
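As an added diagnostic (not part of the thread or of Shorewall itself), the Python below parses the kernel log line and the DNAT rules quoted in the post above, finds which net->loc DNAT rule covers the dropped packet's protocol and destination port, and reports whether the logged DST is still the untranslated public address. The log line and rules are copied from the post; the SERVICES table is a constructed subset of /etc/services.

```python
import re
# Constructed input: the kernel log line and DNAT rules quoted in the post above.
KERNEL_LOG = ("Feb 22 19:32:26 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
              "MAC=00:03:47:95:9d:65:00:00:0c:45:4b:5b:08:00 SRC=207.44.160.82 "
              "DST=207.42.133.146 LEN=40 TOS=0x10 PREC=0x00 TTL=48 ID=9134 DF "
              "PROTO=UDP SPT=4569 DPT=4569 LEN=20")
RULES = """\
DNAT net loc:192.168.200.76 tcp 5631:5632
DNAT net loc:192.168.200.76 udp 5631:5632
DNAT net loc:192.168.200.11:22 tcp 24
DNAT net loc:192.168.200.11 udp 4569,5060,10000:20000
DNAT net loc:192.168.200.2 tcp smtp,http,imap
DNAT net loc:192.168.200.2 udp 53
"""
SERVICES = {"smtp": 25, "http": 80, "imap": 143}  # constructed subset of /etc/services

def parse_log(line):
    """Split 'Shorewall:<chain>:<disposition>:' and the netfilter KEY=VALUE fields."""
    chain, disp, rest = re.search(r"Shorewall:(\w+):(\w+):(.*)", line).groups()
    f = dict(re.findall(r"(\w+)=(\S*)", rest))
    return {"chain": chain, "disposition": disp, "proto": f["PROTO"].lower(),
            "dst": f["DST"], "dport": int(f["DPT"])}

def port_in_spec(port, spec):
    """Shorewall port column: comma-separated ports, service names or lo:hi ranges."""
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo, hi = [int(SERVICES.get(p, p)) for p in (lo, hi or lo)]
        if lo <= port <= hi:
            return True
    return False

def parse_rules(text):
    """Keep rules with explicit proto/port columns (macro rules like SSH/ACCEPT have none)."""
    cols = ("action", "src", "dest", "proto", "ports")
    return [dict(zip(cols, line.split("#")[0].split()))
            for line in text.splitlines() if len(line.split("#")[0].split()) >= 5]

def diagnose(log_line, rules_text):
    """Which net->loc DNAT rule covers a dropped packet, and was it actually translated?"""
    pkt = parse_log(log_line)
    hits = [r for r in parse_rules(rules_text) if r["action"] == "DNAT" and r["src"] == "net"
            and r["proto"].lower() == pkt["proto"] and port_in_spec(pkt["dport"], r["ports"])]
    if pkt["disposition"] != "DROP" or not hits:
        return None
    target = hits[0]["dest"].split(":")[1]  # loc:IP[:port] -> IP
    if pkt["dst"] == target:
        return f"dropped after DNAT to {target}: check the net->loc policy and rules"
    return (f"rule for {target} covers {pkt['proto']}/{pkt['dport']} but DST is still "
            f"{pkt['dst']}: not translated, check conntrack (nat only sees a flow's first packet)")
```

Because the nat table is consulted only for the first packet of a tracked connection, a DST that is still the firewall's public address points at an existing conntrack entry rather than at the rules file.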
> /etc/shorewall/rules:
> #
> SSH/ACCEPT loc $FW
> SSH/ACCEPT net $FW
> #
> #
> # pcAnywhere
> DNAT net loc:192.168.200.76 tcp 5631:5632
> DNAT net loc:192.168.200.76 udp 5631:5632
> DNAT net loc:192.168.200.70 tcp 5633:5634
> DNAT net loc:192.168.200.70 udp 5633:5634
> #
> # SSH to PBX
> #
> DNAT net loc:192.168.200.11:22 tcp 24
> #
> # IAX2 to pbx
> #
> DNAT net loc:192.168.200.11 udp 4569,5060,10000:20000
> #
> # Services to Loki
> #
> DNAT net loc:192.168.200.2 tcp smtp,http,imap
> DNAT net loc:192.168.200.2 udp 53
> #
> #
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
===================================================

What version are you using? My syntax looks like:

ACCEPT $FW net tcp 25

I don't see where you "ACCEPT" anything - and therefore default to "REJECT" in your net to all "net2all" category.
> What version are you using? My syntax looks like:
>
> ACCEPT $FW net tcp 25
>
> I don't see where you "ACCEPT" anything - and therefore default to "REJECT" in your net to all "net2all" category.
=================================

Sorry - too quick on the trigger, I don't use DNAT and the example that comes with 3.0.5 shows that syntax...sorry
I also noticed when I did "iptables -L | grep udp" there was a rule

DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535

Where does this come from and can it be the cause of the problem?

Chris
Chris Mason wrote:
> I also noticed when I did "iptables -L | grep udp" there was a rule
>
> DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
>
> Where does this come from and can it be the cause of the problem?

Looks like it came from a macro rule - SMB/DROP.

Paul
Chris Mason wrote:
> I also noticed when I did "iptables -L | grep udp" there was a rule
>
> DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
>
> Where does this come from and can it be the cause of the problem?
>

That is in the SMB.macro, called from the action.Drop file by default. Used to suppress the logging of dropped traffic, to avoid the cluttering up of the log. No, that is not the cause of your issue, only the source port of 138 would be involved. A shorewall dump might help shed some light.

> Chris

Jerry
The problem persisted through the night but in the morning, I stopped both PBXs and started them simultaneously and the problem went away. I believe it was an issue of state. Now the PBX behind the firewall has registered with the correct providers and calls are going out.

--
Chris Mason