[Shorewall-newbies] Single Static IP FW and internal servers

Lyvim Xaphir lxaphir at yahoo.com
Sat Dec 20 10:15:27 PST 2003


Hi, I'm new to the list, and I've been using Shorewall for about 4 weeks
now.  So far I've really been impressed with the security.  But I have
run into some snags, which is why I added this mailing list to the other
10 lists I'm subscribed to. ;)


I'm running Mandrake 9.2 on the firewall, which has two network cards
and a static public IP.  The 192.168 net is on eth1 and the static IP is
of course on eth0.  I altered the shorewall "rules" file such that I
could ssh into the fw from the local net; that was no problem.  I also
tried to add ACCEPT statements to the rules table which were *supposed*
to open up the fw to the net with respect to smtp and pop3.  However I
still cannot get to those ports from an outside shell account. Don't
know what I'm doing wrong.

The real nagging problem is a port forwarding to an internal Neverwinter
Nights server, which isn't working either.  Here are the rules as they
sit now:

#ACTION  SOURCE  DEST                    PROTO  DEST                                                       SOURCE   ORIGINAL
#                                               PORT                                                       PORT(S)  DEST
ACCEPT   masq    fw                      tcp    domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp   -
ACCEPT   masq    fw                      udp    domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp   -
ACCEPT   fw      masq                    tcp    631,515,137,138,139                                        -
ACCEPT   fw      masq                    udp    631,515,137,138,139                                        -
ACCEPT   fw      net                     tcp    53                                                         -
ACCEPT   fw      net                     udp    53                                                         -
ACCEPT   fw      net                     tcp    smtp                                                       -
ACCEPT   fw      net                     udp    smtp                                                       -
ACCEPT   fw      net                     tcp    pop3                                                       -
ACCEPT   fw      net                     udp    pop3                                                       -

DNAT     net     loc:192.168.1.125:5121  udp    5120:5300                                                  -


I *should* be able to telnet into the smtp or pop3 ports from a shell
account, however I cannot.  Also I cannot see the DNAT'ted server with a
neverwinter nights client.

NWN documentation recommends that if you have a firewall, the following
ports should be open:

5120 thru 5300
6500
27900
28900

For NAT setups they show the following details:

Outgoing Packets --

Source ports: 5120-5129
Destination ports: 5121-5300

Incoming Packets --

Source ports: 5121-5300
Destination ports: 5120-5129

A FreeBSD Netfilter setup recommends the following:

----------------------------------------------------------
# Equivalent rules for "Basic Configuration"
iptables -A FORWARD -p udp -d 255.255.255.255 --sport 5120 -j ACCEPT

iptables -A FORWARD -p udp -d $nwserver --dport 5121 --sport 5120 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -s $nwserver --sport 5121 --dport 5120 \
        -m state --state ESTABLISHED -j ACCEPT

# Equivalent rules for "GameSpy Configuration"
iptables -A FORWARD -p udp -s $nwserver --sport 5121 \
        -d 216.177.89.34 --dport 27900 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -d $nwserver --dport 5121 \
        -s 216.177.89.34 --sport 27900 \
        -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -p udp -s $nwserver --sport 5121 \
        -d 66.244.193.142 --dport 5121 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -d $nwserver --dport 5121 \
        -s 66.244.193.142 --sport 5121 \
        -m state --state ESTABLISHED -j ACCEPT

# Equivalent rules from "Configuring NAT"
iptables -t nat -A PREROUTING -p udp --dport 5121 --sport 5120 \
        -j DNAT --to $nwserver:5121
----------------------------------------------------------------

I am not sure exactly how to translate all this into the Shorewall rules
table; especially since I am unable to do something as simple as
telnetting to port 25.  I suspect there is more wrong than just getting
the right ACCEPT or DNAT lines in place.

Any advice?

Happy holidays,

LX
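An added example, written for this page and not taken from the post or from Shorewall itself: a small shell lint that reads a Shorewall "rules" table in the format posted above and answers the question the poster is asking, namely which destination ports a given SOURCE zone may actually reach in a given DEST zone. It assumes only the column order the table's own header gives (ACTION, SOURCE zone, DEST zone, PROTO, DEST PORT(S)), and the embedded table is the poster's table copied from the message; the function names are this example's own.

```shell
# Added example: lint a Shorewall 1.x-style "rules" table by zone direction.
# RULES is the table from the post, copied as posted (not constructed here).
RULES='
#ACTION SOURCE DEST PROTO DEST  SOURCE      ORIGINAL
#                         PORT  PORT(S)     DEST
ACCEPT  masq    fw      tcp     domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp        -
ACCEPT  masq    fw      udp     domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp        -
ACCEPT  fw      masq    tcp     631,515,137,138,139     -
ACCEPT  fw      masq    udp     631,515,137,138,139     -
ACCEPT  fw      net     tcp     53      -
ACCEPT  fw      net     udp     53      -
ACCEPT  fw      net     tcp     smtp    -
ACCEPT  fw      net     udp     smtp    -
ACCEPT  fw      net     tcp     pop3    -
ACCEPT  fw      net     udp     pop3    -

DNAT    net     loc:192.168.1.125:5121  udp      5120:5300       -
'

# accepted_ports ACTION SRC DEST PROTO
# Prints, one per line, every DEST PORT entry of rules whose ACTION, SOURCE
# zone, DEST zone and PROTO match.  The DEST column may carry a host and port
# after the zone (loc:192.168.1.125:5121), so only the part before the first
# ":" is compared against DEST.  Comment lines and blank lines are skipped.
accepted_ports() {
    printf '%s\n' "$RULES" | awk -v act="$1" -v src="$2" -v dst="$3" -v proto="$4" '
        /^#/ || NF < 5 { next }
        {
            split($3, d, ":")
            if ($1 == act && $2 == src && d[1] == dst && $4 == proto) {
                n = split($5, p, ",")
                for (i = 1; i <= n; i++) print p[i]
            }
        }'
}

# missing_ports SRC DEST PROTO PORT...
# Prints each wanted PORT for which no ACCEPT rule exists in that direction.
missing_ports() {
    src=$1; dst=$2; proto=$3; shift 3
    have=$(accepted_ports ACCEPT "$src" "$dst" "$proto")
    for want in "$@"; do
        echo "$have" | grep -qx "$want" || echo "$want"
    done
}

# Usage: what can the net zone reach on the firewall itself, and what is missing?
echo "tcp ports the net zone may reach on fw:"
accepted_ports ACCEPT net fw tcp
echo "expected net->fw tcp ports with no ACCEPT rule:"
missing_ports net fw tcp smtp pop3
echo "udp ports DNATed from net into loc:"
accepted_ports DNAT net loc udp
```

Run against the table as posted, `accepted_ports ACCEPT net fw tcp` prints nothing and `missing_ports net fw tcp smtp pop3` lists both ports: the smtp and pop3 ACCEPT lines carry `fw` in the SOURCE column and `net` in DEST, so by the header's own column order they govern connections the firewall opens outward, not connections arriving from the net, which is the direction an outside shell account's telnet to port 25 or 110 takes. The same lint reports the DNAT line as net to loc on udp 5120:5300, so that rule at least parses in the intended direction.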


