anebi@iguanait.com
2010-Jul-06 13:47 UTC
How to setup on shorewall several iptables rules related with symmetric NAT, masquerading and port forwarding?
Hi, I have the following topology on our server where we installed shorewall:

eth0 - public ip address: 1.2.3.4
tap0 - interface that we add to bridge br0, and br0 has ip: 10.1.1.1

The point of doing this is this article: http://www.virtualbox.org/wiki/Advanced_Networking_Linux

The guest machine on virtualbox has a bridged interface to br0 on the host machine. We have installed sipxecs on this guest and we need to do symmetric NAT and port forwarding to the guest machine.

I need to forward the traffic from eth0 (from the server public ip address) to the guest that has ip address 10.1.1.2 for the following ports: 5060 udp, 5060 tcp, 5080 udp, 5080 tcp, range 30000-31000 udp, and port 81 on the host to be forwarded to 8443 on the guest.

For now I use iptables and this is the result from the iptables-save command:

# Generated by iptables-save v1.3.5 on Mon Jul 5 15:41:00 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j LOG --log-level debug
-A FORWARD -j LOG --log-level debug
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 10.1.1.2 --dport 5060 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp --dport 5060 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp --dport 5080 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp --dport 30000:31000 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p tcp -m tcp --dport 8443 -j ACCEPT
-A FORWARD -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 82 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jul 5 15:41:00 2010
# Generated by iptables-save v1.3.5 on Mon Jul 5 15:41:00 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 5060 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -p tcp -d 87.xxx.xxx.43 --dport 5060 -j DNAT --to-destination 10.1.1.2:5060
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 5080 -j DNAT --to-destination 10.1.1.2:5080
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 30000:31000 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -p tcp -d 87.xxx.xxx.43 --dport 81 -j DNAT --to-destination 10.1.1.2:8443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 5 15:41:00 2010

I have done this until now:

/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,logmartians,nosmurfs,blacklist
vpn     br0         detect      tcpflags,logmartians,nosmurfs,blacklist,routeback

/etc/shorewall/zones:
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
vpn     ipv4

/etc/shorewall/masq:
#INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
eth0         br0

/etc/shorewall/policy:
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
# Policies for traffic originating from the local LAN/VPN (vpn)
vpn       net    ACCEPT
vpn       $FW    ACCEPT
vpn       all    REJECT   info
# Policies for traffic originating from the firewall ($FW)
$FW       net    ACCEPT
$FW       vpn    ACCEPT
$FW       all    REJECT   info
# Policies for traffic originating from the Internet zone (net)
net       $FW    DROP
net       vpn    DROP     info
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

/etc/shorewall/rules:
############################################################################################
#ACTION        SOURCE                DEST                 PROTO   DEST          SOURCE    ORIGINAL   RATE    USER/   MARK
#                                                                 PORT          PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SSH/ACCEPT     net                   $FW
HTTP/ACCEPT    net                   $FW
HTTPS/ACCEPT   net                   $FW
Ping/ACCEPT    net                   $FW
ACCEPT         $FW                   vpn                  icmp
ACCEPT         $FW                   net                  icmp
# DNS Ports
ACCEPT         net                   $FW                  tcp     53
ACCEPT         net                   $FW                  udp     53
# LDAP Port
ACCEPT         net:212.227.137.253   $FW                  tcp     389
# FTP Port
ACCEPT         net                   $FW                  tcp     21
# NRPE Port
ACCEPT         net:212.227.52.184    $FW                  tcp     5666
# Tomcat HTTP, HTTPS
ACCEPT         net                   $FW                  tcp     8080
ACCEPT         net                   $FW                  tcp     8443
# OpenVPN
ACCEPT         net                   $FW                  udp     1194
# Specific Ports Forwarded to SIPX
DNAT           net                   vpn:10.1.1.2:8443    tcp     81
DNAT           net                   vpn:10.1.1.2:5060    tcp     5060
DNAT           net                   vpn:10.1.1.2:5060    udp     5060
DNAT           net                   vpn:10.1.1.2:5080    tcp     5080
DNAT           net                   vpn:10.1.1.2:5080    udp     5080
DNAT           net                   vpn:10.1.1.2         udp     30000:31000

With the iptables configuration I'm able to register to our sipxecs installation on the guest, but with the shorewall configuration I have done, I cannot register to the sipxecs. Probably I miss something or I have configured shorewall wrong. If I access http://mypublic.domain.tld:81, then it looks ok and I can access the guest machine. It looks like the port is forwarded properly.

The question is what I have done wrong that our voip phone cannot register? Probably the DNAT rules are not correct. Please help me to solve this problem.

Thanks in advance!
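When port forwards are migrated from hand-written iptables rules to shorewall, the two rule sets should express the same set of forwards, otherwise a service is either unreachable or exposed without anyone deciding it should be. The script below is an added example, not part of the post or of shorewall: it parses the PREROUTING DNAT lines from the iptables-save output and the DNAT lines from the shorewall rules file quoted above (both embedded as constructed excerpts), normalises each to (proto, public port, destination ip, destination port) and reports the forwards present in only one of them.

```python
import re

# Constructed excerpts of the two configurations quoted in the post above.
IPTABLES_SAVE = """
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 5060 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -p tcp -d 87.xxx.xxx.43 --dport 5060 -j DNAT --to-destination 10.1.1.2:5060
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 5080 -j DNAT --to-destination 10.1.1.2:5080
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 30000:31000 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -p tcp -d 87.xxx.xxx.43 --dport 81 -j DNAT --to-destination 10.1.1.2:8443
"""
SHOREWALL_RULES = """
DNAT net vpn:10.1.1.2:8443 tcp 81
DNAT net vpn:10.1.1.2:5060 tcp 5060
DNAT net vpn:10.1.1.2:5060 udp 5060
DNAT net vpn:10.1.1.2:5080 tcp 5080
DNAT net vpn:10.1.1.2:5080 udp 5080
DNAT net vpn:10.1.1.2 udp 30000:31000
"""

DNAT_RE = re.compile(r"-A PREROUTING .*?-p (\w+) .*?--dport (\S+) -j DNAT --to-destination (\S+)")

def parse_iptables_dnat(text):
    """Return {(proto, public_port, dest_ip, dest_port)} from iptables-save PREROUTING DNAT lines."""
    forwards = set()
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if not m:
            continue
        proto, dport, target = m.groups()
        ip, _, port = target.partition(":")
        # A target without :port keeps the original destination port (or range).
        forwards.add((proto, dport, ip, port or dport))
    return forwards

def parse_shorewall_dnat(text):
    """Return the same tuples from shorewall rules lines: DNAT SOURCE zone:ip[:port] PROTO DPORT."""
    forwards = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DNAT":
            continue
        _, _, dest, proto, dport = fields[:5]
        parts = dest.split(":")
        port = parts[2] if len(parts) > 2 else dport
        forwards.add((proto, dport, parts[1], port))
    return forwards

def diff_forwards(iptables_text, shorewall_text):
    """Forwards that exist in only one of the two rule sets."""
    a, b = parse_iptables_dnat(iptables_text), parse_shorewall_dnat(shorewall_text)
    return {"only_iptables": a - b, "only_shorewall": b - a}
```

On the excerpts above the only difference is the tcp 5080 forward, which the shorewall rules add and the iptables rules never had; a discrepancy like that is worth confirming against the iptables FORWARD chain, which in the post also accepts no tcp 5080 to 10.1.1.2.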
Tom Eastep
2010-Jul-07 00:43 UTC
Re: How to setup on shorewall several iptables rules related with symmetric NAT, masquerading and port forwarding?
On 7/6/10 6:47 AM, anebi@iguanait.com wrote:
>
> The question is what I have done wrong that our voip phone cannot
> register?
>
> Probably DNAT rules are not correct. Please help me to solve this
> problem.
>

We have rather specific requirements for trouble reports involving connection issues. Please see http://www.shorewall.net/support.htm#Guidelines

Thanks,
-Tom
--
Tom Eastep             \ When I die, I want to go like my Grandfather who
Shoreline,              \ died peacefully in his sleep. Not screaming like
Washington, USA          \ all of the passengers in his car
http://shorewall.net      \________________________________________________