[Shorewall-newbies] Single Static IP FW and internal servers

Tom Eastep teastep at shorewall.net
Sun Dec 28 07:49:26 PST 2003


On Saturday 20 December 2003 02:15 am, Lyvim Xaphir wrote:
> Hi, I'm new to the list, and I've been using Shorewall for about 4 weeks
> now.  So far I've really been impressed with the security.  But I have
> run into some snags which is why I added this mailing list to the other
> 10 lists I'm subscribed to. ;)
>
>
> I'm running Mandrake 9.2 on the firewall, which has two network cards
> and a static public IP.  The 192.168 net is on eth1 and the static IP is
> of course on eth0.  I altered the shorewall "rules" file such that I
> could ssh into the fw from the local net; that was no problem.  I also
> tried to add ACCEPT statements to the rules table which were *supposed*
> to open up the fw to the net with respect to smtp and pop3.  However I
> still cannot get to those ports from an outside shell account. Don't
> know what I'm doing wrong.
>
> The real nagging problem is a port forwarding to an internal Neverwinter
> Nights server, which isn't working either.  Here are the rules as they
> sit now:
>
> #ACTION SOURCE  DEST    PROTO   DEST                                                      SOURCE   ORIGINAL
> #                               PORT                                                      PORT(S)  DEST
> ACCEPT  masq    fw      tcp     domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp  -
> ACCEPT  masq    fw      udp     domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp  -

There are a lot of problems with the above two rules:

a) bootps is handled by the 'dhcp' option in /etc/shorewall/interfaces
b) ntp is UDP only
c) the rest are TCP only.

> ACCEPT  fw      masq    tcp     631,515,137,138,139     -
> ACCEPT  fw      masq    udp     631,515,137,138,139     -
> ACCEPT  fw      net     tcp     53      -
> ACCEPT  fw      net     udp     53      -
> ACCEPT  fw      net     tcp     smtp    -
> ACCEPT  fw      net     udp     smtp    -
> ACCEPT  fw      net     tcp     pop3    -
> ACCEPT  fw      net     udp     pop3    -
>
> DNAT    net     loc:192.168.1.125:5121  udp      5120:5300       -
>
>
> I *should* be able to telnet into the smtp or pop3 ports from a shell
> account, however I cannot.  Also I cannot see the DNAT'ted server with a
> neverwinter nights client.
>
> NWN documentation recommends that if you have a firewall, the following
> ports should be open:
>
> 5120 thru 5300
> 6500
> 27900
> 28900
>
> For NAT setups they show the following details:
>
> Outgoing Packets --
>
> Source ports: 5120-5129
> Destination ports: 5121-5300
>
> Incoming Packets --
>
> Source ports: 5121-5300
> Destination ports: 5120-5129
>
> A FreeBSD Netfilter setup recommends the following:
>
> ----------------------------------------------------------
> # Equivalent rules for "Basic Configuration"
> iptables -A FORWARD -p udp -d 255.255.255.255 --sport 5120 -j ACCEPT
>
> iptables -A FORWARD -p udp -d $nwserver --dport 5121 --sport 5120 \
>         -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -p udp -s $nwserver --sport 5121 --dport 5120 \
>         -m state --state ESTABLISHED -j ACCEPT
>
> # Equivalent rules for "GameSpy Configuration"
> iptables -A FORWARD -p udp -s $nwserver --sport 5121 \
>         -d 216.177.89.34 --dport 27900 \
>         -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -p udp -d $nwserver --dport 5121 \
>         -s 216.177.89.34 --sport 27900 \
>         -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A FORWARD -p udp -s $nwserver --sport 5121 \
>         -d 66.244.193.142 --dport 5121 \
>         -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -p udp -d $nwserver --dport 5121 \
>         -s 66.244.193.142 --sport 5121 \
>         -m state --state ESTABLISHED -j ACCEPT
>
> # Equivalent rules from "Configuring NAT"
> iptables -t nat -A PREROUTING -p udp --dport 5121 --sport 5120 \
>         -j DNAT --to $nwserver:5121
> ----------------------------------------------------------------

Looks to me like what you want is:

DNAT	net	masq:192.168.1.125	udp	5120:5129	5121:5300

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
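To make the rules-file notation used in this thread easier to read against the raw iptables rules the poster quoted, here is a small translator, added as an example and not code from the post or from Shorewall itself; it renders one Shorewall 1.4-style rules line as a single simplified iptables command and ignores the zone chains and connection-tracking rules Shorewall really generates. The zone-to-interface map (net on eth0, masq/loc on eth1) is an assumption taken from the poster's description.

```python
# Added example (not code from the list post or from Shorewall): render a
# Shorewall 1.4-style rules line as a simplified iptables command, so a DNAT
# rule can be read next to the iptables rules quoted in the thread.
ZONE_IF = {"net": "eth0", "masq": "eth1", "loc": "eth1"}  # assumed from post

def parse_rule(line):
    """Split a rules line into ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT."""
    cols = line.split() + ["-"] * 6  # pad so short lines read as '-'
    return dict(zip(("action", "source", "dest", "proto", "dport", "sport"), cols))

def split_zone(spec):
    """'masq:192.168.1.125:5121' -> ('masq', '192.168.1.125', '5121')."""
    parts = (spec.split(":") + [None, None])[:3]
    return parts[0], parts[1], parts[2]

def port_match(flag, ports):
    """Comma-separated lists need the multiport match; 'a:b' ranges do not."""
    if ports == "-":
        return []
    if "," in ports:
        return ["-m", "multiport", "--%ss" % flag, ports]
    return ["--%s" % flag, ports]

def to_iptables(line):
    """Return one iptables command equivalent to the given rules line."""
    r = parse_rule(line)
    szone, shost, _ = split_zone(r["source"])
    dzone, dhost, dport = split_zone(r["dest"])
    match = ["-p", r["proto"]]
    if szone in ZONE_IF:  # 'fw' has no interface: locally generated traffic
        match += ["-i", ZONE_IF[szone]]
    if shost:
        match += ["-s", shost]
    match += port_match("dport", r["dport"]) + port_match("sport", r["sport"])
    if r["action"] == "DNAT":
        # DEST names the internal zone, the real server and an optional port
        target = dhost + (":" + dport if dport else "")
        return "iptables -t nat -A PREROUTING %s -j DNAT --to-destination %s" % (
            " ".join(match), target)
    chain = "INPUT" if dzone == "fw" else "OUTPUT" if szone == "fw" else "FORWARD"
    if dzone in ZONE_IF:
        match += ["-o", ZONE_IF[dzone]]
    if dhost:
        match += ["-d", dhost]
    return "iptables -A %s %s -j %s" % (chain, " ".join(match), r["action"])
```

Feeding it the poster's original DNAT line and Tom's suggested one shows the difference directly: the original matches destination ports 5120:5300 with no source-port restriction and rewrites the destination port to 5121, while Tom's matches destination ports 5120:5129 and source ports 5121:5300 and leaves the destination port alone.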
