Hi Everyone!

I'm having problems redirecting a UDP port to an external server. My firewall has 4 interfaces: NET, LOC (192.168.0.0/24), DMZ (192.168.1.0/24), CMTC (10.0.0.0/24). On the CMTC interface I have a direct connection to another network using a VPN link.

I need to redirect a UDP port to a server (10.1.0.2) in the CMTC zone using my local IP (192.168.0.1) as gateway. I will use a local application to connect to 192.168.0.1:3000 (udp) and it needs to be redirected to cmtc:10.1.0.2:3000 using the VPN link.

On an old iptables firewall, I have the following rules:

    iptables -A FORWARD -p UDP -j ACCEPT
    iptables -t nat -A PREROUTING -p UDP -i eth0 -s 0/0 --dport 3000 -j DNAT --to 10.1.0.2

My shorewall rule:

    DNAT loc cmtc:10.1.0.2 udp - 3000

The iptables rules work fine but my shorewall rule doesn't. I found out that the packets arrive on server 10.1.0.2 but I get no return.

I fixed it temporarily using socat:

    socat -d -d udp-listen:3000,fork,reuseaddr udp-sendto:10.1.0.2:3000

Can you help me to figure this out?

João K.

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
João Alberto Kuchnier wrote:
> On an old iptables firewall, I have the following rules:
>
> iptables -A FORWARD -p UDP -j ACCEPT
> iptables -t nat -A PREROUTING -p UDP -i eth0 -s 0/0 --dport 3000 -j DNAT --to 10.1.0.2
>
> My shorewall rule:
>
> DNAT loc cmtc:10.1.0.2 udp - 3000
>
> The iptables rules work fine but my shorewall rule doesn't. I found out that the packets arrive on server 10.1.0.2 but I get no return.
>
> I fixed it temporarily using socat:
>
> socat -d -d udp-listen:3000,fork,reuseaddr udp-sendto:10.1.0.2:3000
>
> Can you help me to figure this out?

Your Shorewall rule is matching on the SOURCE PORT! You want:

    DNAT LOC cmtc:10.1.0.2 udp 3000

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
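The mix-up Tom points at is a column-position error: in the Shorewall rules file the fifth column is DEST PORT(S) and the sixth is SOURCE PORT(S), so `udp - 3000` leaves the destination port unset and matches on the client's source port instead, which is why the rule never fires. The following script is an added example written for this thread, not part of Shorewall; it assumes only the column order ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST of Shorewall's rules file, maps a rule line onto those columns, renders the port matches in iptables terms as a reading aid, and flags the "dash in DEST PORT, number in SOURCE PORT" pattern so the mistake can be caught before the firewall is reloaded.

```python
"""Map a Shorewall rules-file line onto its columns and show which port
column each value landed in.  Illustrative code added to this thread, not
Shorewall's own.  Assumption: the column order of /etc/shorewall/rules is
ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST (columns after
that are ignored here).
"""

COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO",
           "DEST_PORT", "SOURCE_PORT", "ORIGINAL_DEST")


def parse_rule(line):
    """Split one rules-file line into a dict keyed by column name.

    A bare '-' means "column not set" in Shorewall, so it becomes None;
    columns missing from a short line are None as well.
    """
    fields = line.split()
    padded = fields + [None] * (len(COLUMNS) - len(fields))
    return {name: (None if value in (None, "-") else value)
            for name, value in zip(COLUMNS, padded)}


def split_dest(dest):
    """Split 'zone:address' into (zone, address); address is None if absent."""
    if dest is None:
        return None, None
    zone, _, address = dest.partition(":")
    return zone, (address or None)


def iptables_matches(rule):
    """Render the rule's port matches iptables-style.

    Reading aid only: Shorewall generates its own, richer iptables rules.
    The point is to make the --sport / --dport distinction visible.
    """
    parts = []
    if rule["PROTO"]:
        parts.append("-p " + rule["PROTO"].lower())
    if rule["DEST_PORT"]:
        parts.append("--dport " + rule["DEST_PORT"])
    if rule["SOURCE_PORT"]:
        parts.append("--sport " + rule["SOURCE_PORT"])
    _, address = split_dest(rule["DEST"])
    if rule["ACTION"] == "DNAT" and address:
        parts.append("-j DNAT --to-destination " + address)
    return " ".join(parts)


def lint_ports(rule):
    """Return warnings about the column mix-up seen in this thread.

    '-' in DEST PORT with a number in SOURCE PORT matches the client's
    (usually ephemeral) source port rather than the service port, so the
    rule silently never matches the intended traffic.
    """
    warnings = []
    if rule["DEST_PORT"] is None and rule["SOURCE_PORT"] is not None:
        warnings.append(
            "DEST PORT is '-' but SOURCE PORT is %s: this matches the "
            "client's source port, not the service port; did you mean "
            "%s in DEST PORT?" % (rule["SOURCE_PORT"], rule["SOURCE_PORT"]))
    return warnings


if __name__ == "__main__":
    # The two rules from the thread: as posted, and as corrected by Tom.
    for line in ("DNAT loc cmtc:10.1.0.2 udp - 3000",
                 "DNAT loc cmtc:10.1.0.2 udp 3000"):
        rule = parse_rule(line)
        print(line)
        print("  ->", iptables_matches(rule))
        for warning in lint_ports(rule):
            print("  !!", warning)
```

Run against the two lines above, the posted rule renders as `--sport 3000` and gets a warning, while the corrected one renders as `--dport 3000` and passes clean; the same check can be looped over a whole rules file to catch any rule where a service port slipped into the SOURCE PORT column.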
Sorry Tom,

I wrote it wrong in the e-mail. The rule is correctly spelled in the rules file.

Thanks!

João K.

Tom Eastep wrote:
> João Alberto Kuchnier wrote:
>
>> On an old iptables firewall, I have the following rules:
>>
>> iptables -A FORWARD -p UDP -j ACCEPT
>> iptables -t nat -A PREROUTING -p UDP -i eth0 -s 0/0 --dport 3000 -j DNAT --to 10.1.0.2
>>
>> My shorewall rule:
>>
>> DNAT loc cmtc:10.1.0.2 udp - 3000
>>
>> The iptables rules work fine but my shorewall rule doesn't. I found out that the packets arrive on server 10.1.0.2 but I get no return.
>>
>> I fixed it temporarily using socat:
>>
>> socat -d -d udp-listen:3000,fork,reuseaddr udp-sendto:10.1.0.2:3000
>>
>> Can you help me to figure this out?
>
> Your Shorewall rule is matching on the SOURCE PORT! You want:
>
> DNAT LOC cmtc:10.1.0.2 udp 3000
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
João Alberto Kuchnier wrote:
> Sorry Tom,
>
> I wrote it wrong in the e-mail. The rule is correctly spelled in the rules file.

Then you must troubleshoot the problem using Shorewall FAQs 1a and 1b.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________