Klein Stéphane
2010-Aug-14 19:58 UTC
How configure my firewall to execute netperf ? I use shorewall (iptable firewall) on Debian
Hi,

I've two computers :
* A : it's a server with a firewall
* B : a computer on internet

I've installed netserver on host A.
I use netperf on host B.

On host B, I launch :

$ netperf -H host_A_address_IP

If I stop the firewall on host A, all works great.
It doesn't work when firewall is enabled.

In firewall rules, I've opened default netserver port : 12865

/etc/shorewall/rules
ACCEPT net $FW tcp 12865

host A has full access to internet.

/etc/shorewall/policy
$FW net ACCEPT

Where is the problem ? Can you help me ?

It's exactly the same issue as http://www.archivum.info/netfilter/2003-03/00360/iptables-config-for-netperf.html

There is no answer to this last question.

Other information : host A is a Debian and Firewall is configured with Shorewall

I've also posted this question on netperf mailing list : http://www.netperf.org/pipermail/netperf-talk/2010-August/000757.html

Thanks for your help.

Regards,
Stephane
--
Stéphane Klein <stephane@harobed.org>
blog: http://stephane-klein.info
Twitter: http://twitter.com/klein_stephane
pro: http://www.is-webdesign.com
Tom Eastep
2010-Aug-14 20:41 UTC
Re: How configure my firewall to execute netperf ? I use shorewall (iptable firewall) on Debian
On 8/14/10 12:58 PM, Klein Stéphane wrote:
> Hi,
>
> I've two computers :
> * A : it's a server with a firewall
> * B : a computer on internet
>
> I've installed netserver on host A.
> I use netperf on host B.
>
> On host B, I launch :
>
> $ netperf -H host_A_address_IP
>
> If I stop the firewall on host A, all works great.
> It doesn't work when firewall is enabled.
>
> In firewall rules, I've opened default netserver port : 12865
>
> /etc/shorewall/rules
> ACCEPT net $FW tcp 12865
>
> host A has full access to internet.
>
> /etc/shorewall/policy
> $FW net ACCEPT
>
> Where is the problem ? Can you help me ?

Look at your log.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Klein Stéphane
2010-Aug-14 21:01 UTC
Re: How configure my firewall to execute netperf ? I use shorewall (iptable firewall) on Debian
> On 8/14/10 12:58 PM, Klein Stéphane wrote:
> > Hi,
> >
> > I've two computers :
> > * A : it's a server with a firewall
> > * B : a computer on internet
> >
> > I've installed netserver on host A.
> > I use netperf on host B.
> >
> > On host B, I launch :
> >
> > $ netperf -H host_A_address_IP
> >
> > If I stop the firewall on host A, all works great.
> > It doesn't work when firewall is enabled.
> >
> > In firewall rules, I've opened default netserver port : 12865
> >
> > /etc/shorewall/rules
> > ACCEPT net $FW tcp 12865
> >
> > host A has full access to internet.
> >
> > /etc/shorewall/policy
> > $FW net ACCEPT
> >
> > Where is the problem ? Can you help me ?
>
> Look at your log.
>
> -Tom
>

This is my log :

Aug 14 22:57:55 gw kernel: [18066.388731] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=642 DF PROTO=TCP SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 22:57:58 gw kernel: [18069.394144] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=643 DF PROTO=TCP SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 22:58:04 gw kernel: [18075.818119] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=644 DF PROTO=TCP SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0

I don't understand : all connections from FW to net are allowed. Here these connections are dropped !
An idea ?

Regards,
Stephane
--
Stéphane Klein <stephane@harobed.org>
blog: http://stephane-klein.info
Twitter: http://twitter.com/klein_stephane
pro: http://www.is-webdesign.com
Keith Edmunds
2010-Aug-14 21:15 UTC
Re: How configure my firewall to execute netperf ? I use shorewall (iptable firewall) on Debian
> Aug 14 22:58:04 gw kernel: [18075.818119] Shorewall:net2fw:DROP:IN=eth0
> OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
> DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=644 DF PROTO=TCP
> SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I don't understand : all connections from FW to net are allowed. Here
> these connections are dropped !

The connection being dropped is from the net to the firewall, not FW to net. In your earlier posting, you allowed access to port 12865. The destination port above is 58042. You might want to check over your configuration.
Tom Eastep
2010-Aug-14 21:27 UTC
Re: How configure my firewall to execute netperf ? I use shorewall (iptable firewall) on Debian
On 8/14/10 2:01 PM, Klein Stéphane wrote:
>>
>> On 8/14/10 12:58 PM, Klein Stéphane wrote:
>>> Hi,
>>>
>>> I've two computers :
>>> * A : it's a server with a firewall
>>> * B : a computer on internet
>>>
>>> I've installed netserver on host A.
>>> I use netperf on host B.
>>>
>>> On host B, I launch :
>>>
>>> $ netperf -H host_A_address_IP
>>>
>>> If I stop the firewall on host A, all works great.
>>> It doesn't work when firewall is enabled.
>>>
>>> In firewall rules, I've opened default netserver port : 12865
>>>
>>> /etc/shorewall/rules
>>> ACCEPT net $FW tcp 12865
>>>
>>> host A has full access to internet.
>>>
>>> /etc/shorewall/policy
>>> $FW net ACCEPT
>>>
>>> Where is the problem ? Can you help me ?
>>
>> Look at your log.
>>
>> -Tom
>>
>
> This is my log :
>
> Aug 14 22:57:55 gw kernel: [18066.388731] Shorewall:net2fw:DROP:IN=eth0
> OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
> DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=642 DF PROTO=TCP
> SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 14 22:57:58 gw kernel: [18069.394144] Shorewall:net2fw:DROP:IN=eth0
> OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
> DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=643 DF PROTO=TCP
> SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
> Aug 14 22:58:04 gw kernel: [18075.818119] Shorewall:net2fw:DROP:IN=eth0
> OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
> DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=644 DF PROTO=TCP
> SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I don't understand : all connections from FW to net are allowed. Here
> these connections are dropped !
> An idea ?

You need to consult Shorewall FAQ 17. Those are INCOMING packets (IN=eth0 OUT=) for TCP port 58042 which your firewall is obviously blocking.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
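
The reading of the log entry given in the replies above (direction from the chain name and the IN=/OUT= fields, destination port compared with the rules file) can be done mechanically. This is an added example, not part of the original thread: the function names are hypothetical, and it assumes the firewall zone is named fw, as the net2fw chain in the log suggests, and a rules file with whitespace-separated columns as quoted in the thread.

```python
import re

# One of the log entries quoted in the thread, rejoined onto a single line.
SAMPLE_LOG = (
    "Aug 14 22:57:55 gw kernel: [18066.388731] Shorewall:net2fw:DROP:IN=eth0 OUT= "
    "MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10 "
    "DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=642 DF PROTO=TCP "
    "SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0"
)
# The single rule the poster quoted from /etc/shorewall/rules.
SAMPLE_RULES = "ACCEPT net $FW tcp 12865\n"

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<rest>.*)")

def parse_log_line(line):
    """Return chain, disposition and KEY=VALUE fields of a Shorewall log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(t.split("=", 1) for t in m["rest"].split() if "=" in t)
    return {"chain": m["chain"], "disp": m["disp"], **fields}

def accepted_ports(rules_text, source, dest, proto):
    """Ports of ACCEPT rules for one SOURCE/DEST/PROTO (port ranges not expanded)."""
    ports = set()
    for raw in rules_text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if len(cols) >= 5 and cols[0] == "ACCEPT" and cols[1:4] == [source, dest, proto]:
            ports.update(cols[4].split(","))
    return ports

def explain_drop(line, rules_text, fw_zone="fw"):
    """Report direction and destination port of a logged packet against the rules."""
    pkt = parse_log_line(line)
    if pkt is None:
        return None
    # Chain names look like <source zone>2<dest zone>; rules spell the firewall $FW.
    src, _, dst = pkt["chain"].partition("2")
    src, dst = ("$FW" if z == fw_zone else z for z in (src, dst))
    if pkt.get("IN") and not pkt.get("OUT"):
        direction = "incoming"      # IN set, OUT empty: addressed to the firewall
    elif pkt.get("OUT") and not pkt.get("IN"):
        direction = "outgoing"      # generated by the firewall itself
    else:
        direction = "forwarded"
    allowed = accepted_ports(rules_text, src, dst, pkt.get("PROTO", "").lower())
    return {"direction": direction, "source": src, "dest": dst, "disp": pkt["disp"],
            "dport": pkt.get("DPT"), "allowed": sorted(allowed),
            "covered": pkt.get("DPT") in allowed}
```

Calling explain_drop(SAMPLE_LOG, SAMPLE_RULES) reports an incoming net to $FW packet for port 58042, which the one ACCEPT rule for 12865 does not cover.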