I have a backup server, hex, which also has security cameras on eth2. eth1 is the LAN.

I want to take a given security camera at IP 10.5.12.40 on eth2 (cam) and present it to the LAN as 192.168.1.4:80. So in Shorewall rules I have:

DNAT    net                $FW:10.5.12.40    tcp    www
ACCEPT  net:192.168.1.1    cam               tcp    www    -

Of course cam is defined in interfaces, zones, and policy. But when I point my browser at 192.168.1.4 nothing happens. No dmesg firewall messages, but also nothing else. What am I doing wrong?
On Thu, Mar 03, 2011 at 10:28:34PM -0800, CACook@quantum-sci.com wrote:
>
> I have a backup server, hex, which also has security cameras on eth2. eth1 is the LAN.
>
> I want to take a given security camera at IP 10.5.12.40 on eth2 (cam) and present it to the LAN as 192.168.1.4:80. So in Shorewall rules I have:
> DNAT    net                $FW:10.5.12.40    tcp    www
> ACCEPT  net:192.168.1.1    cam               tcp    www    -
>
> Of course cam is defined in interfaces, zones, and policy. But when I point my browser at 192.168.1.4 nothing happens. No dmesg firewall messages, but also nothing else. What am I doing wrong?
>

First, to confirm, do you have IP forwarding enabled?

Second, you shouldn't need the ACCEPT rule, since the DNAT creates a corresponding ACCEPT rule for you already. If you look at the shorewall-rules(5) man page, this example corresponds to what you want to do:

Example 2: Forward all ssh and http connection requests from the internet to local system 192.168.1.3

#ACTION   SOURCE   DEST               PROTO   DEST       SOURCE    ORIGINAL
#                                             PORT       PORT(S)   DEST
DNAT      net      loc:192.168.1.3    tcp     ssh,http

So, something like this would work:

DNAT    net    $FW:10.5.12.40    tcp    www

Which is what you already have for your first rule. Now, if you want to limit the DNAT requests to a particular host in the net zone, you incorporate it into the same rule:

DNAT    net:192.168.1.1    $FW:10.5.12.40    tcp    www

Now, please also note that if you are doing the DNAT redirection on the same machine from which you are running the web browser, you may want to see this as well:

http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall

It is written for Squid, but the same principle applies.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On Fri 04 March 2011 05:55:35 Roberto C. Sánchez wrote:
> First, to confirm, do you have IP forwarding enabled?

Well, I have no idea.

> Second, you shouldn't need the ACCEPT rule, since the DNAT creates a
> corresponding ACCEPT rule for you already.

If I don't put in that ACCEPT rule I get firewall blocking errors in dmesg.

> Now, please also note that if you are doing the DNAT redirection on
> the same machine from which you are running the web browser, you
> may want to see this as well:
> http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall
>
> It is written for Squid, but the same principle applies.

Sorry, I can't understand how that fits.

Right now almost everything in my systems is failing. Hard drive in laptop going out; running remote X apps doesn't work on HTPC; camera app doesn't work on backup server; my phone quit; download of Debian is so slow it's going to take 12 hours; and this is my only day off. It's hard to think at this point.
Any help?

On Fri 04 March 2011 10:50:57 CACook@quantum-sci.com wrote:
> On Fri 04 March 2011 05:55:35 Roberto C. Sánchez wrote:
> > First, to confirm, do you have IP forwarding enabled?
>
> Well, I have no idea.
>
> > Second, you shouldn't need the ACCEPT rule, since the DNAT creates a
> > corresponding ACCEPT rule for you already.
>
> If I don't put in that ACCEPT rule I get firewall blocking errors in dmesg.
>
> > Now, please also note that if you are doing the DNAT redirection on
> > the same machine from which you are running the web browser, you
> > may want to see this as well:
> > http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall
> >
> > It is written for Squid, but the same principle applies.
>
> Sorry, I can't understand how that fits.
>
> Right now almost everything in my systems is failing. Hard drive in laptop going out; running remote X apps doesn't work on HTPC; camera app doesn't work on backup server; my phone quit; download of Debian is so slow it's going to take 12 hours; and this is my only day off. It's hard to think at this point.
>
On 3/6/11 7:48 PM, CACook@quantum-sci.com wrote:
>
> Any help?
>
> On Fri 04 March 2011 10:50:57 CACook@quantum-sci.com wrote:
>> On Fri 04 March 2011 05:55:35 Roberto C. Sánchez wrote:
>>> First, to confirm, do you have IP forwarding enabled?
>>
>> Well, I have no idea.
>>
>>> Second, you shouldn't need the ACCEPT rule, since the DNAT
>>> creates a corresponding ACCEPT rule for you already.
>>
>> If I don't put in that ACCEPT rule I get firewall blocking errors
>> in dmesg.
>>
>>> Now, please also note that if you are doing the DNAT
>>> redirection on the same machine from which you are running the
>>> web browser, you may want to see this as well:
>>> http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall
>>>
>>> It is written for Squid, but the same principle applies.
>>
>> Sorry, I can't understand how that fits.
>>
>> Right now almost everything in my systems is failing. Hard drive
>> in laptop going out; running remote X apps doesn't work on HTPC;
>> camera app doesn't work on backup server; my phone quit; download
>> of Debian is so slow it's going to take 12 hours; and this is my
>> only day off. It's hard to think at this point.
>>

With which problem?

- hard drive
- X apps
- camera
- download speed
- vague 'port forwarding' problem

There are so many.

For 'port forwarding', I suggest that you look at the troubleshooting instructions in Shorewall FAQs 1a and 1b. I wrote Shorewall and there is nothing that I can add to the instructions in those two FAQs.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 3/3/11 10:28 PM, CACook@quantum-sci.com wrote:
>
> I have a backup server, hex, which also has security cameras on eth2.
> eth1 is the LAN.
>
> I want to take a given security camera at IP 10.5.12.40 on eth2 (cam)
> and present it to the LAN as 192.168.1.4:80. So in Shorewall rules I
> have:
> DNAT    net                $FW:10.5.12.40    tcp    www
> ACCEPT  net:192.168.1.1    cam               tcp    www    -
>
> Of course cam is defined in interfaces, zones, and policy. But when
> I point my browser at 192.168.1.4 nothing happens. No dmesg firewall
> messages, but also nothing else. What am I doing wrong?
>

Although I responded to your latest post last night, I took another look at your problem this morning.

First of all, your rules are wrong. You want a single rule:

DNAT    net    cam:10.5.12.40    tcp    www

That assumes that 'cam' is defined to be the zone consisting of hosts attached to eth2; e.g., the following in /etc/shorewall/interfaces:

cam    eth2    -    ...

Secondly, your camera probably doesn't have a default route defined; in fact, it is probably incapable of having a default route and can only communicate with other hosts on its own LAN. In the latter case, you need this entry in /etc/shorewall/masq:

eth2:10.5.12.40    0.0.0.0/0

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Monday 7 March, 2011 07:55:39 Tom Eastep wrote:
> First of all, your rules are wrong. You want a single rule:
>
> DNAT    net    cam:10.5.12.40    tcp    www

Thanks, but it's not working. Everything's set like you say, but when I try from another machine:

[515690.154919] Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1 DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0

For some reason it's not masquerading through the camera server.

> That assumes that 'cam' is defined to be the zone consisting of hosts
> attached to eth2; e.g., the following in /etc/shorewall/interfaces:
>
> cam    eth2    -    ...

Ya have that. Using tcpflags as only option. Only the one IP camera is on this interface ATM.

> Secondly, your camera probably doesn't have a default route defined; in
> fact, it is probably incapable of having a default route and can only
> communicate with other hosts on its own LAN.
>
> In the latter case, you need this entry in /etc/shorewall/masq:
>
> eth2:10.5.12.40    0.0.0.0/0

Thank you. This seems to be setting it to masquerade requests from any machine on the LAN on any port, specifically to one camera. How would I craft it if multiple cams on eth2?

What I want to do is route all requests that are to 192.168.1.4:10080 to 10.5.12.40:80. The camera is on eth2, and 192.168.1.4 is my LAN on eth0. I'd like the LAN to access the camera even though it's on a different interface and IP, but machines accessing it are vetted and the server is protected by Shorewall. I could set different cameras to different ports.
On 3/17/11 9:05 AM, CACook@quantum-sci.com wrote:
> On Monday 7 March, 2011 07:55:39 Tom Eastep wrote:
>> First of all, your rules are wrong. You want a single rule:
>>
>> DNAT    net    cam:10.5.12.40    tcp    www
>
> Thanks, but it's not working. Everything's set like you say, but
> when I try from another machine:
>
> [515690.154919] Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1 DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0
>
> For some reason it's not masquerading through the camera server.
>

Your routing is wrong. Note that it is trying to route the packet back out of eth0.

>
>> That assumes that 'cam' is defined to be the zone consisting of
>> hosts attached to eth2; e.g., the following in
>> /etc/shorewall/interfaces:
>>
>> cam    eth2    -    ...
>
> Ya have that. Using tcpflags as only option. Only the one IP camera
> is on this interface ATM.
>

How have you configured eth2?

>
>> Secondly, your camera probably doesn't have a default route
>> defined; in fact, it is probably incapable of having a default
>> route and can only communicate with other hosts on its own LAN.
>>
>> In the latter case, you need this entry in /etc/shorewall/masq:
>>
>> eth2:10.5.12.40    0.0.0.0/0
>
> Thank you. This seems to be setting it to masquerade requests from
> any machine on the LAN on any port, specifically to one camera. How
> would I craft it if multiple cams on eth2?

Then just remove the :10.4.12.40 part.

>
> What I want to do is route all requests that are to 192.168.1.4:10080
> to 10.5.12.40:80. The camera is on eth2, and 192.168.1.4 is my LAN
> on eth0.

Shorewall does not handle routing. You must configure that using your distribution's network configuration tools. It will happen automatically if you configure eth2 to have an address beginning with 10.4.12. and a net mask of 255.255.255.0.

>
> I'd like the LAN to access the camera even though it's on a different
> interface and IP, but machines accessing it are vetted and the server
> is protected by Shorewall. I could set different cameras to
> different ports.

Let's get one working first. And if you have additional problems, please include the output of 'shorewall dump' as an attachment to your report.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> Your routing is wrong. Note that it is trying to route the packet back
> out of eth0.
>
> How have you configured eth2?

Noticed that, but don't know why. (Debian Testing) I've deinstalled network-manager and manually edit /etc/network/interfaces like I always have:

allow-hotplug eth2
iface eth2 inet static
    address 10.5.42.4
    netmask 255.255.255.0
    network 10.5.42.0
    broadcast 10.5.42.255

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.5.42.0       *               255.255.255.0   U     0      0        0 eth2
localnet        *               255.255.255.0   U     0      0        0 eth0
default         hex.darkmatt    0.0.0.0         UG    0      0        0 eth0

> Let's get one working first. And if you have additional problems, please
> include the output of 'shorewall dump' as an attachment to your report.

Attached.
On 3/17/11 10:49 AM, CACook@quantum-sci.com wrote:
>> Your routing is wrong. Note that it is trying to route the packet back
>> out of eth0.
>>
>> How have you configured eth2?
>
> Noticed that, but don't know why. (Debian Testing) I've deinstalled network-manager and manually edit /etc/network/interfaces like I always have:
> allow-hotplug eth2
> iface eth2 inet static
>     address 10.5.42.4
>     netmask 255.255.255.0
>     network 10.5.42.0
>     broadcast 10.5.42.255
>
> # route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.5.42.0       *               255.255.255.0   U     0      0        0 eth2
> localnet        *               255.255.255.0   U     0      0        0 eth0
> default         hex.darkmatt    0.0.0.0         UG    0      0        0 eth0
>
>
>> Let's get one working first. And if you have additional problems, please
>> include the output of 'shorewall dump' as an attachment to your report.
>
> Attached.

The camera is at 10.5.42.40 but your DNAT rule says 10.5.12.40.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
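The two questions the replies kept coming back to, whether IP forwarding is on and why the DNAT'd packet was routed back out eth0, can be checked before touching Shorewall at all. The script below is an added example, not code from the thread or from Shorewall; its function names are its own, and it uses the thread's addresses (the DNAT target 10.5.12.40 against the 10.5.42.0/24 actually configured on eth2) as constructed input.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check (1) that the kernel will
# forward IPv4 at all and (2) that a Shorewall DNAT target really lies on the
# subnet configured on the interface meant to reach it. In the thread the rule
# said 10.5.12.40 while eth2 was 10.5.42.0/24, so the kernel sent the packet
# via the default route (back out eth0) and Shorewall logged FORWARD:DROP.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETWORK PREFIXLEN -> success if IP lies in NETWORK/PREFIXLEN
in_subnet() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dnat_target RULE_LINE -> the address after "zone:" in the DEST column of a
# Shorewall DNAT rule, e.g. "DNAT net cam:10.5.42.40 tcp www" -> 10.5.42.40
dnat_target() {
    set -- $1
    [ "$1" = "DNAT" ] || return 1
    case "$3" in
        *:*) printf '%s\n' "${3#*:}" ;;
        *)   return 1 ;;
    esac
}

# check_dnat_target RULE_LINE NETWORK PREFIXLEN -> success only if the rule's
# target is on that directly connected subnet
check_dnat_target() {
    target=$(dnat_target "$1") || return 1
    in_subnet "$target" "$2" "$3"
}

# forwarding_enabled [FILE] -> success if the kernel will forward IPv4.
# FILE defaults to the real sysctl node; a path can be passed for testing.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

main() {
    rule="DNAT    net    cam:10.5.12.40    tcp    www"   # the rule from the thread
    if forwarding_enabled; then
        echo "ip_forward is on"
    else
        echo "ip_forward is off: DNAT'd packets will never be forwarded"
    fi
    if check_dnat_target "$rule" 10.5.42.0 24; then
        echo "DNAT target is on eth2's subnet"
    else
        echo "DNAT target $(dnat_target "$rule") is not in 10.5.42.0/24;" \
             "the kernel will route it via the default route, not eth2"
    fi
}

main
```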
On Thursday 17 March, 2011 11:09:56 Tom Eastep wrote:
> The camera is at 10.5.42.40 but your DNAT rule says 10.5.12.40.

Oh, FFS. Don't tell me it's that particular...

OK, so I believe that all the ports the camera presents are now on 192.168.1.4. Is there a way to map the ports the camera presents, to different ports on 192.168.1.4?

BTW, I'm about 2 miles from you. (123rd St & Lakeshore, Lake Shity)
On 3/17/11 3:07 PM, CACook@quantum-sci.com wrote:
> On Thursday 17 March, 2011 11:09:56 Tom Eastep wrote:
>> The camera is at 10.5.42.40 but your DNAT rule says 10.5.12.40.
>
> Oh, FFS. Don't tell me it's that particular...

:-)

>
> OK, so I believe that all the ports the camera presents are now on
> 192.168.1.4. Is there a way to map the ports the camera presents, to
> different ports on 192.168.1.4?

Yes -- see Shorewall FAQ 1c.

>
> BTW, I'm about 2 miles from you. (123rd St & Lakeshore, Lake Shity)
>

Cool.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
This is a little off topic, but I haven't been able to find an answer elsewhere. I need to run a command on another machine on my LAN. I have a backup server which does weekly rsync backups of the other machines. But when the time comes for it to be backed up I do an rsync push to one of the other machines. When that's done I must initiate a BTRFS snapshot of this machine's backup on that remote machine.

So from my backup server I need to run a command on another machine, hopefully securely. Anyone know a way? Backup server has root privs on all machines with public key. I understand the risks, and have been careful with security on this machine.
A ssh command?

ssh -i toto.key root@10.1.1.1 'ls -la'

On 25/03/2011 17:34, CACook@quantum-sci.com wrote:
> This is a little off topic, but I haven't been able to find an answer elsewhere. I need to run a command on another machine on my LAN. I have a backup server which does weekly rsync backups of the other machines. But when the time comes for it to be backed up I do an rsync push to one of the other machines. When that's done I must initiate a BTRFS snapshot of this machine's backup on that remote machine.
>
> So from my backup server I need to run a command on another machine, hopefully securely. Anyone know a way? Backup server has root privs on all machines with public key. I understand the risks, and have been careful with security on this machine.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
I thought it might be something like that, but:

# ssh root@droog '/sbin/btrfs subvolume snapshot root@droog:///home/backups.hex/hex-root/ root@droog:///home/backups.hex/hex-root-snap-$(date +"%Y-%m-%d")'
ERROR: error accessing 'root@droog:///home/backups.hex/hex-root/'

On Friday 25 March, 2011 10:34:53 Stealth wrote:
> A ssh command?
>
> ssh -i toto.key root@10.1.1.1 'ls -la'
>
> On 25/03/2011 17:34, CACook@quantum-sci.com wrote:
> > This is a little off topic, but I haven't been able to find an answer elsewhere. I need to run a command on another machine on my LAN. I have a backup server which does weekly rsync backups of the other machines. But when the time comes for it to be backed up I do an rsync push to one of the other machines. When that's done I must initiate a BTRFS snapshot of this machine's backup on that remote machine.
> >
> > So from my backup server I need to run a command on another machine, hopefully securely. Anyone know a way? Backup server has root privs on all machines with public key. I understand the risks, and have been careful with security on this machine.
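The error above comes from handing btrfs rsync-style "root@droog://" arguments: the command is already running on droog over ssh, so btrfs only needs plain local paths. The wrapper below is an added example, not code from the thread, and goes one step beyond the one-line ssh answer: installed on droog as an SSH forced command for the backup server's key, it lets that key trigger exactly one read-only snapshot and nothing else. The paths are the thread's; the wrapper name, the "snapshot DATE" request format and the authorized_keys line are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Install on droog (path is an assumption)
# and bind it to the backup server's key in root's authorized_keys:
#   command="/usr/local/sbin/snap-wrapper",no-port-forwarding,no-pty <key>
# The backup server then runs:  ssh root@droog "snapshot $(date +%Y-%m-%d)"
# and sshd passes that request in SSH_ORIGINAL_COMMAND; anything else is refused.
set -f                                  # no glob expansion of client input

BACKUP_ROOT=/home/backups.hex           # subvolume parent, from the thread
SOURCE_SUBVOL="$BACKUP_ROOT/hex-root"   # the rsync target to snapshot

# snapshot_name DATE -> print the snapshot path for DATE, or fail unless DATE
# is exactly YYYY-MM-DD (this rejects '..', '/', ';' and other metacharacters)
snapshot_name() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$BACKUP_ROOT/hex-root-snap-$1"
}

# snapshot_cmd DATE -> print the read-only btrfs snapshot command to run
snapshot_cmd() {
    dest=$(snapshot_name "$1") || return 1
    printf '%s\n' "/sbin/btrfs subvolume snapshot -r $SOURCE_SUBVOL $dest"
}

# handle_request "ORIGINAL_COMMAND" -> the only accepted request is
# "snapshot YYYY-MM-DD"; prints the command to run, otherwise fails so the
# wrapper exits without executing anything
handle_request() {
    set -- $1
    [ "$1" = "snapshot" ] && [ $# -eq 2 ] || return 1
    snapshot_cmd "$2"
}

# When invoked by sshd as a forced command, act on SSH_ORIGINAL_COMMAND.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    cmd=$(handle_request "$SSH_ORIGINAL_COMMAND") || { echo "rejected" >&2; exit 1; }
    exec $cmd
fi
```

Because the snapshot path is built on droog from a validated date rather than taken from the client, a compromised backup server cannot use this key to run arbitrary commands or to write outside BACKUP_ROOT.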