[Shorewall-newbies] Port Forwarding with Shorewall

Matthew D. Smith msmith at clover.net
Mon Dec 8 09:25:19 PST 2003


OK, here it is. Fresh Mandrake 9.2 install. Got the network up and
working no problem. It is functioning as a gateway just fine, but the
problem I am having is forwarding certain ports to my Windows machines.

Here is my shorewall rules file:

#
#                       Finally, if the list of addresses begins with "!" then
#                       the rule will be followed only if the original
#                       destination address in the connection request does not
#                       match any of the addresses listed.
#
#                       The address (list) may optionally be followed by
#                       a colon (":") and a second IP address. This causes
#                       Shorewall to use the second IP address as the source
#                       address in forwarded packets. See the Shorewall
#                       documentation for restrictions concerning this feature.
#                       If no source IP address is given, the original source
#                       address is not altered.
#
#       Example: Accept SMTP requests from the DMZ to the internet
#
#       #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       ACCEPT  dmz     net       tcp   smtp
#
#       Example: Forward all ssh and http connection requests from the internet
#                to local system 192.168.1.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT    net     loc:192.168.1.3 tcp     ssh,http
#
#       Example: Redirect all locally-originating www connection requests to
#                port 3128 on the firewall (Squid running on the firewall
#                system) except when the destination address is 192.168.2.2
#
#       #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       REDIRECT loc    3128      tcp   www      -      !192.168.2.2
#
#       Example: All http requests from the internet to address
#                130.252.100.69 are to be forwarded to 192.168.1.3
#
#       #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69
#
#       Example: You want to accept SSH connections to your firewall only
#                from internet IP addresses 130.252.100.69 and 130.252.100.70
#
#       #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       ACCEPT   net:130.252.100.69,130.252.100.70 \
#                                       tcp     22
##############################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST
ACCEPT  net     fw      tcp     80,443,22,20,21,10000   -
ACCEPT  masq    fw      tcp     80,443,22,20,21,10000   -
ACCEPT  loc     fw      tcp     80,443,22,20,21,10000   -
ACCEPT  masq    fw      tcp     domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp    -
ACCEPT  masq    fw      udp     domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp    -
ACCEPT  fw      masq    tcp     631,515,137,138,139     -
ACCEPT  fw      masq    udp     631,515,137,138,139     -
DNAT    net     loc:192.168.0.2    tcp     5900     -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


Here is an excerpt from my shorewall check:

Dec 8 08:51:31 net2all:DROP:IN=eth1 OUT=eth0 SRC=209.151.161.98 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=54348 DF PROTO=TCP SPT=3993 DPT=5900 WINDOW=60352 RES=0x00 SYN URGP=0
Dec 8 08:51:34 net2all:DROP:IN=eth1 OUT=eth0 SRC=209.151.161.98 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=54364 DF PROTO=TCP SPT=3993 DPT=5900 WINDOW=60352 RES=0x00 SYN URGP=7104
Dec 8 08:51:40 net2all:DROP:IN=eth1 OUT=eth0 SRC=209.151.161.98 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=54527 DF PROTO=TCP SPT=3993 DPT=5900 WINDOW=60352 RES=0x00 SYN URGP=0

I have followed the FAQ on port forwarding. I have tried everything else
I can think of. For some reason it keeps dropping the connection to my
remote machine (the firewall is turned off on my remote machine). My latest
change is that I removed port 5900 as an allowed port from the internet.

Any help would be greatly appreciated.

Thanks

Matt
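An added example, not part of Matt's post and not Shorewall's own code: a small Python parser for the netfilter log lines Shorewall writes (the `net2all:DROP:` lines quoted above), which pulls out the chain, disposition, interfaces, addresses, port and TCP flags, then applies one diagnostic check a practitioner reaches for first with DNAT problems. Nat-table DNAT runs in PREROUTING, before the filter chains that do the logging, so a dropped packet that arrived on the internet-facing interface and already carries a private (RFC 1918) destination has been translated: the nat side worked and the drop is a filter-chain decision (here the catch-all net2all chain, meaning no net-to-loc ACCEPT matched). A public destination on such a packet would instead mean the DNAT rule never fired. The three log lines are copied from the post; the interface-to-zone mapping (eth1 = net, eth0 = loc) and the names `parse_line`, `diagnose` and `analyse` are assumptions introduced for this example.

```python
import ipaddress
import re

# Log excerpt copied from the post above (three lines, split back out of the
# wrapped e-mail text).
SAMPLE_LOG = """\
Dec 8 08:51:31 net2all:DROP:IN=eth1 OUT=eth0 SRC=209.151.161.98 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=54348 DF PROTO=TCP SPT=3993 DPT=5900 WINDOW=60352 RES=0x00 SYN URGP=0
Dec 8 08:51:34 net2all:DROP:IN=eth1 OUT=eth0 SRC=209.151.161.98 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=54364 DF PROTO=TCP SPT=3993 DPT=5900 WINDOW=60352 RES=0x00 SYN URGP=7104
Dec 8 08:51:40 net2all:DROP:IN=eth1 OUT=eth0 SRC=209.151.161.98 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=54527 DF PROTO=TCP SPT=3993 DPT=5900 WINDOW=60352 RES=0x00 SYN URGP=0
"""

# Assumed interface-to-zone mapping for this gateway. The post does not state it;
# it is inferred from IN=eth1 OUT=eth0 on traffic the sender says is from the internet.
IFACE_ZONE = {"eth1": "net", "eth0": "loc"}

# Shorewall log prefix "<chain>:<disposition>:" followed by netfilter key=value fields.
PREFIX_RE = re.compile(r"(?P<chain>[\w-]+):(?P<disp>[A-Z]+):")
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_line(line):
    """Return a dict for one Shorewall/netfilter log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for f in FIELD_RE.finditer(line, m.end()):
        rec[f.group("key")] = f.group("val")
    # Bare flags such as DF and SYN carry no '=' and are not captured above.
    rec["flags"] = {tok for tok in line[m.end():].split() if "=" not in tok}
    return rec


def diagnose(rec):
    """Classify a DROP of a packet that arrived on the net interface.

    Assumption: nat-table DNAT (PREROUTING) has already run by the time the filter
    chains log, so a private DST on a packet from the internet means the DNAT rule
    fired and the drop is a filter-chain decision, not a NAT failure."""
    if rec is None or rec.get("disposition") != "DROP":
        return "not a drop"
    if IFACE_ZONE.get(rec.get("IN")) != "net":
        return "not from net"
    if "DST" not in rec:
        return "no DST field"
    dst = ipaddress.ip_address(rec["DST"])
    port = f"{rec.get('PROTO', '?').lower()}/{rec.get('DPT', '?')}"
    out_zone = IFACE_ZONE.get(rec.get("OUT"), "?")
    if dst.is_private:
        return (f"DNAT already applied (DST={dst}): {port} dropped by filter chain "
                f"{rec['chain']}, so no net->{out_zone} ACCEPT matched")
    return f"DNAT not applied (DST={dst} is public): {port} never matched the nat rule"


def analyse(log_text):
    """Diagnose every Shorewall log line in a block of text; returns a list of strings."""
    return [diagnose(parse_line(line)) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for verdict in analyse(SAMPLE_LOG):
        print(verdict)
```

Run against the three lines from the post, every verdict comes back as "DNAT already applied", which points the search at the filter side (whether the DNAT entry is in the active rules file, whether Shorewall was restarted after the edit, and whether the net-to-loc policy is what drops it) rather than at the nat rule.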


