I am having a problem getting port forwarding to work. Some basic
information:

I am using Shorewall 4.4.10, which comes with Ubuntu Lucid. My internal
network is 192.168.0.0/24 on eth1 and my external network adaptor eth0
is configured as 192.168.1.2. I am connecting to the Internet via an
ADSL modem/router connected to eth0. I have disabled the firewall in
the modem router. My ISP gives me a fixed ip address 217.146.125.41.

Following the guide I set up the basic two interface installation and
I can browse the Internet from within my internal network. However, I
am having problems setting up port forwarding. I want to forward
several services ssh, http, etc to 192.168.0.30.

In 192.168.0.30 /etc/network/interfaces I have:

iface eth0 inet static
address 192.168.0.30
gateway 192.168.0.1
netmask 255.255.255.0

I know that my ISP is not blocking any ports, as I can connect OK if I
just use my router/modem as a firewall.

Firstly I tried in masq:
eth0 192.168.0.0/24

in rules:
Web(DNAT) net loc:192.168.0.30

IMAPS(DNAT) net loc:192.168.0.30
IMAP(DNAT) net loc:192.168.0.30
SMTP(DNAT) net loc:192.168.0.30

SSH(DNAT) net loc:192.168.0.30

I read the FAQ and it seems that no packets are reaching the firewall:

pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* Web */ to:192.168.0.30

Since I have a fixed ip address I thought that I should reconfigure my
masq file to use SNAT. So I tried:

eth0:0 192.168.0.0/24 217.146.125.41

However, if I do this none of the clients on my internal network can
connect to the internet.

Any pointers as to what I am doing wrong gratefully received!

Ian.

Юрий Миронов
2010-Oct-14 09:44 UTC
Re: Problem with Port Forwarding - 2 Network Interfaces.
You need to configure your ADSL modem to work as a bridge, not as a router.

On 14.10.2010 13:39, user "Ian Barton" <lists@manor-farm.org> wrote:
> I am having a problem getting port forwarding to work. Some basic
> information:
>
> I am using Shorewall 4.4.10, which comes with Ubuntu Lucid. My internal
> network is 192.168.0.0/24 on eth1 and my external network adaptor eth0
> is configured as 192.168.1.2. I am connecting to the Internet via an
> ADSL modem/router connected to eth0. I have disabled the firewall in
> the modem router. My ISP gives me a fixed ip address 217.146.125.41.
>
> Following the guide I set up the basic two interface installation and
> I can browse the Internet from within my internal network. However, I
> am having problems setting up port forwarding. I want to forward
> several services ssh, http, etc to 192.168.0.30.
>
> In 192.168.0.30 /etc/network/interfaces I have:
>
> iface eth0 inet static
> address 192.168.0.30
> gateway 192.168.0.1
> netmask 255.255.255.0
>
> I know that my ISP is not blocking any ports, as I can connect OK if I
> just use my router/modem as a firewall.
>
> Firstly I tried in masq:
> eth0 192.168.0.0/24
>
> in rules:
> Web(DNAT) net loc:192.168.0.30
>
> IMAPS(DNAT) net loc:192.168.0.30
> IMAP(DNAT) net loc:192.168.0.30
> SMTP(DNAT) net loc:192.168.0.30
>
> SSH(DNAT) net loc:192.168.0.30
>
> I read the FAQ and it seems that no packets are reaching the firewall:
>
> pkts bytes target prot opt in out source destination
> 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* Web */ to:192.168.0.30
>
> Since I have a fixed ip address I thought that I should reconfigure my
> masq file to use SNAT. So I tried:
>
> eth0:0 192.168.0.0/24 217.146.125.41
>
> However, if I do this none of the clients on my internal network can
> connect to the internet.
>
> Any pointers as to what I am doing wrong gratefully received!
>
> Ian.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Simon Hobson
2010-Oct-14 09:53 UTC
Re: Problem with Port Forwarding - 2 Network Interfaces.
Ian Barton wrote:
>I am using Shorewall 4.4.10, which comes with Ubuntu Lucid. My internal
>network is 192.168.0.0/24 on eth1 and my external network adaptor eth0
>is configured as 192.168.1.2. I am connecting to the Internet via an
>ADSL modem/router connected to eth0. I have disabled the firewall in
>the modem router. My ISP gives me a fixed ip address 217.146.125.41.

Before going ANY further - is it a modem or a router or both?

I'll guess you have two layers of NAT going on here - one in the
router from your outside public address to 192.168.1.0/24, and a
second in your Shorewall setup going from 192.168.1.0/24 to
192.168.0.0/24.
Assuming this is the case, you MUST forward the ports in your router
AS WELL as in your Shorewall setup.

However, I would suggest getting rid of one of the NAT translations.
NAT == Broken, and IMnsHO anyone suggesting it "fixes" anything is an
idiot.

If you can configure your ADSL device as a modem and NOT a router, so
you can put your public IP (217.146.125.41) on the outside (eth0) of
your Shorewall setup then I would suggest doing that. You can then do
all your NAT, firewall, and port forwarding setup in one place.
If your ADSL device can't do that, then consider replacing it. I use
a Netgear DM111P at home - although it has one or two quirks. At
work, I have a number of Draytek Vigor 120 modems in use at customers
and find it works very well.

The DM111P takes care of the ADSL stuff (including authentication
etc), so all you do is configure your ethernet port with DHCP and
plug in. The quirk is that the device only works if you use DHCP, and
on Debian at least, I've found the default route disappears if your
ADSL line drops.

The Vigor 120 is different - it acts as a PPPoE to PPPoA converter
(we use PPPoA in the UK), so you can use the PPPoE client provided
with just about all Linux distros. This gives more visibility of the
ADSL status to your box.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

On 14/10/10 10:53, Simon Hobson wrote:
> Ian Barton wrote:
>
>> I am using Shorewall 4.4.10, which comes with Ubuntu Lucid. My internal
>> network is 192.168.0.0/24 on eth1 and my external network adaptor eth0
>> is configured as 192.168.1.2. I am connecting to the Internet via an
>> ADSL modem/router connected to eth0. I have disabled the firewall in
>> the modem router. My ISP gives me a fixed ip address 217.146.125.41.
>
> Before going ANY further - is it a modem or a router or both?
>
> I'll guess you have two layers of NAT going on here - one in the
> router from your outside public address to 192.168.1.0/24, and a
> second in your Shorewall setup going from 192.168.1.0/24 to
> 192.168.0.0/24.
> Assuming this is the case, you MUST forward the ports in your router
> AS WELL as in your Shorewall setup.
>
> However, I would suggest getting rid of one of the NAT translations.
> NAT == Broken, and IMnsHO anyone suggesting it "fixes" anything is an
> idiot.
>
> If you can configure your ADSL device as a modem and NOT a router, so
> you can put your public IP (217.146.125.41) on the outside (eth0) of
> your Shorewall setup then I would suggest doing that. You can then do
> all your NAT, firewall, and port forwarding setup in one place.
> If your ADSL device can't do that, then consider replacing it. I use
> a Netgear DM111P at home - although it has one or two quirks. At
> work, I have a number of Draytek Vigor 120 modems in use at customers
> and find it works very well.
>
> The DM111P takes care of the ADSL stuff (including authentication
> etc), so all you do is configure your ethernet port with DHCP and
> plug in. The quirk is that the device only works if you use DHCP, and
> on Debian at least, I've found the default route disappears if your
> ADSL line drops.
>
> The Vigor 120 is different - it acts as a PPPoE to PPPoA converter
> (we use PPPoA in the UK), so you can use the PPPoE client provided
> with just about all Linux distros. This gives more visibility of the
> ADSL status to your box.
>

Thanks, I was using a Thomson Speedtouch, which was effectively doing
double NAT and can't be made into a bridge or simple modem. I have
switched to using a Belkin modem/router, which I can set in ADSL modem
only mode. I can now port forward successfully.

At the moment I am using eBox as a firewall. It works well, but as it's
an appliance type of thing, it installs shed loads of stuff I don't
want/need. All I require is a firewall and Squid. If there is lots of
other stuff installed there is more chance of things going wrong/getting
hacked.

I live in the UK, so I'll look at the Vigor 120. I can then use my
Belkin box as a Wireless access point.

Ian.
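
Added example, not part of the original thread: a small shell check for the double-NAT condition diagnosed above, combined with the zero-counter symptom from the first post. The function names are hypothetical and the NAT listing is constructed from the addresses and the counter line quoted in the thread. It assumes that a private (RFC 1918) address on the external interface which differs from the ISP-assigned address means an upstream device is doing its own NAT.

```shell
# Added example, not from the thread. Hypothetical helper names throughout.

# Succeeds if $1 is an RFC 1918 private IPv4 address.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "iptables -t nat -L -n -v" output on stdin; prints "port->target"
# for every DNAT rule whose packet counter is still 0.
zero_hit_dnat() {
    awk '$3 == "DNAT" && $1 == "0" {
        port = ""; dest = ""
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^dpt:/) port = substr($i, 5)
            if ($i ~ /^to:/)  dest = substr($i, 4)
        }
        print port "->" dest
    }'
}

# $1 = address on the firewall's external interface, $2 = public address
# assigned by the ISP; NAT table listing on stdin.
diagnose() {
    unused=$(zero_hit_dnat)
    if is_rfc1918 "$1" && [ "$1" != "$2" ]; then
        echo "double-nat: $1 is private, $2 sits on the upstream device"
    elif [ -n "$unused" ]; then
        echo "single-nat: DNAT rules unused, test from an outside host"
    else
        echo "ok"
    fi
    [ -z "$unused" ] || echo "$unused" | sed 's/^/unused: /'
}

# Constructed listing: the Web line is the one quoted in the first post,
# the SSH line and chain header are made up to match it.
sample_nat_listing() {
    cat <<'EOF'
Chain net_dnat (1 references)
 pkts bytes target prot opt in out source    destination
    0     0 DNAT   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* Web */ to:192.168.0.30
    0     0 DNAT   tcp  --  *  *   0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* SSH */ to:192.168.0.30
EOF
}

sample_nat_listing | diagnose 192.168.1.2 217.146.125.41
```

On a live firewall, pipe the real NAT table listing into diagnose in place of the constructed sample.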