[Shorewall-newbies] Single Static IP FW and internal servers

Lyvim Xaphir lxaphir at yahoo.com
Tue Jan 6 04:22:44 PST 2004


On Sun, 2003-12-28 at 10:49, Tom Eastep wrote:
> On Saturday 20 December 2003 02:15 am, Lyvim Xaphir wrote:
> > Hi, I'm new to the list, and I've been using Shorewall for about 4 weeks
> > now.  So far I've really been impressed with the security.  But I have
> > run into some snags which is why I added this mailing list to the other
> > 10 lists I'm subscribed to. ;)
> >
> >
> > I'm running Mandrake 9.2 on the firewall, which has two network cards
> > and a static public IP.  The 192.168 net is on eth1 and the static IP is
> > of course on eth0.  I altered the shorewall "rules" file such that I
> > could ssh into the fw from the local net; that was no problem.  I also
> > tried to add ACCEPT statements to the rules table which were *supposed*
> > to open up the fw to the net with respect to smtp and pop3.  However I
> > still cannot get to those ports from an outside shell account. Don't
> > know what I'm doing wrong.
> >
> > The real nagging problem is a port forwarding to an internal Neverwinter
> > Nights server, which isn't working either.  Here are the rules as they
> > sit now:
> >
> > #ACTION SOURCE DEST PROTO DEST  SOURCE      ORIGINAL
> > #                         PORT  PORT(S)     DEST
> > ACCEPT  masq    fw      tcp     domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp        -
> > ACCEPT  masq    fw      udp     domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp        -
> 
> There are a lot of problems with the above two rules:
> 
> a) bootps is handled by the 'dhcp' option in /etc/shorewall/interfaces
> b) ntp is UDP only
> c) the rest are TCP only.

That's very interesting, since those rules above were set up by the
Mandrake Control Center program.  Looks like I should post a bug report
to Mandrake bugzilla.

Interesting concept... that a developer, in charge of the shorewall
setup rules, would make such an error, when info on tcp and udp standard
ports is readily available on the net.

Here's something else you might be interested in also, Tom.  In a recent
conversation on the Mandrake lists, the topic came up that the Mandrake
control center program was also failing to set up a local zone with the
firewall when RFC-1918 addresses were being used on the local lan.  In
other words, the install prog set up a net and a fw zone, and..eh, that
was all. (!)

So somehow, this friend of mine (who happens to be Ronald Hall) has a
system that is using a fw and a net zone, but no loc and no masq.  The
RFC-1918 IPs are being treated as public IPs??  We were like, what the
hell is up with that??

Yea, the routers dump the 1918 packets.  But still...

Now he's trying to get NFS working, using just the net and fw zones,
with suggestions I sent from the Shorewall web documentation on NFS. 
But no go.  Anyway, that's a topic for another thread, just thought you
might be interested.

Now I better correct my firewall ruleset ASAP. :)


> 
> > ACCEPT  fw      masq    tcp     631,515,137,138,139     -
> > ACCEPT  fw      masq    udp     631,515,137,138,139     -
> > ACCEPT  fw      net     tcp     53      -
> > ACCEPT  fw      net     udp     53      -
> > ACCEPT  fw      net     tcp     smtp    -
> > ACCEPT  fw      net     udp     smtp    -
> > ACCEPT  fw      net     tcp     pop3    -
> > ACCEPT  fw      net     udp     pop3    -
> >
> > DNAT    net     loc:192.168.1.125:5121  udp      5120:5300       -
> >
> >
> > I *should* be able to telnet into the smtp or pop3 ports from a shell
> > account, however I cannot.  Also I cannot see the DNAT'ted server with a
> > neverwinter nights client.
> >
> > NWN documentation recommends that if you have a firewall, the following
> > ports should be open:
> >
> > 5120 thru 5300
> > 6500
> > 27900
> > 28900
> >
> > For NAT setups they show the following details:
> >
> > Outgoing Packets --
> >
> > Source ports: 5120-5129
> > Destination ports: 5121-5300
> >
> > Incoming Packets --
> >
> > Source ports: 5121-5300
> > Destination ports: 5120-5129
> >
> > A FreeBSD Netfilter setup recommends the following:
> >
> > ----------------------------------------------------------
> > # Equivalent rules for "Basic Configuration"
> > iptables -A FORWARD -p udp -d 255.255.255.255 --sport 5120 -j ACCEPT
> >
> > iptables -A FORWARD -p udp -d $nwserver --dport 5121 --sport 5120 \
> >         -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -p udp -s $nwserver --sport 5121 --dport 5120 \
> >         -m state --state ESTABLISHED -j ACCEPT
> >
> > # Equivalent rules for "GameSpy Configuration"
> > iptables -A FORWARD -p udp -s $nwserver --sport 5121 \
> >         -d 216.177.89.34 --dport 27900 \
> >         -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -p udp -d $nwserver --dport 5121 \
> >         -s 216.177.89.34 --sport 27900 \
> >         -m state --state ESTABLISHED -j ACCEPT
> >
> > iptables -A FORWARD -p udp -s $nwserver --sport 5121 \
> >         -d 66.244.193.142 --dport 5121 \
> >         -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A FORWARD -p udp -d $nwserver --dport 5121 \
> >         -s 66.244.193.142 --sport 5121 \
> >         -m state --state ESTABLISHED -j ACCEPT
> >
> > # Equivalent rules from "Configuring NAT"
> > iptables -t nat -A PREROUTING -p udp --dport 5121 --sport 5120 \
> >         -j DNAT --to $nwserver:5121
> > ----------------------------------------------------------------
> 
> Looks to me like what you want is:
> 
> DNAT	net	masq:192.168.1.125	udp	5120:5129	5121:5300
> 
> -Tom

Excellent, thank you much.  I got it working with

DNAT    net     loc:192.168.0.18        udp     5121    -       -

after I tried it with the source port filter (5121:5300).  According to
the documentation, that was supposed to work; it did not.  Maybe the
reason was because I was using the local zone instead of the masq zone;
I suspect I am now doing it incorrectly by DNATing from the net directly
to the local zone, and that I should have the rule written as you do
above using masq.  Is there a downside to using the loc zone?

I'm now anxious to try the masq rule. :)

LX
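The two problems this thread turns on are a rules file whose protocol column does not match the services listed (ntp is UDP only, bootps belongs to the interfaces file, the rest are TCP only) and a DNAT rule whose DEST PORT / SOURCE PORT columns are easy to swap. The script below is an added example, written for this archive page and not code from Shorewall, Mandrake, or either poster: it parses lines in the seven-column rules layout used above, flags protocol/service mismatches against a small service table (an assumption built from standard /etc/services assignments, covering only the names that appear in the thread), and renders a DNAT line as the two plain iptables commands it amounts to so the column meanings can be checked before the rule is deployed. The external interface name `eth0` and the iptables rendering are illustrative; Shorewall's own generated chains are more elaborate.

```python
"""Lint Shorewall 1.x style /etc/shorewall/rules lines and show what a DNAT
rule amounts to in plain iptables.  Added example; not Shorewall's code."""
from collections import namedtuple

# Column order of the rules file quoted in the thread:
# ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ORIGINAL_DEST
Rule = namedtuple("Rule", "action source dest proto dports sports odest")

# Service name -> (port, protocols the service really uses).
# Constructed from the standard /etc/services assignments (assumption);
# only the names used in the thread are listed.
SERVICES = {
    "domain": (53, {"tcp", "udp"}),
    "bootps": (67, {"udp"}),
    "http":   (80, {"tcp"}),
    "https":  (443, {"tcp"}),
    "imap":   (143, {"tcp"}),
    "pop3":   (110, {"tcp"}),
    "smtp":   (25, {"tcp"}),
    "ssh":    (22, {"tcp"}),
    "nntp":   (119, {"tcp"}),
    "ntp":    (123, {"udp"}),
}
# Services Shorewall expects to be configured elsewhere than in 'rules'.
HANDLED_BY_OPTION = {
    "bootps": "the 'dhcp' option in /etc/shorewall/interfaces",
}


def parse_rule(line):
    """Split one rules line into its seven columns, padding missing ones with '-'."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3:
        raise ValueError("rule needs at least ACTION SOURCE DEST: %r" % line)
    fields += ["-"] * (7 - len(fields))
    return Rule(*fields[:7])


def lint_rule(rule):
    """Return the protocol/port problems found in one rule (empty list if none)."""
    problems = []
    if rule.proto not in ("tcp", "udp", "icmp", "all", "-"):
        problems.append("unknown protocol %r" % rule.proto)
    if rule.dports == "-":
        return problems
    for svc in rule.dports.split(","):
        if svc in HANDLED_BY_OPTION:
            problems.append("%s: handled by %s, not by a rule"
                            % (svc, HANDLED_BY_OPTION[svc]))
            continue
        known = SERVICES.get(svc)
        if known is None:
            continue  # numeric ports or names outside our table pass through
        if rule.proto not in known[1]:
            problems.append("%s is %s only, rule says %s"
                            % (svc, "/".join(sorted(known[1])), rule.proto))
    return problems


def dnat_to_iptables(rule, ext_if="eth0"):
    """Render a DNAT rule as (nat rewrite, FORWARD accept) iptables commands.

    DEST is zone:address[:port]; DEST PORT(S) is the port the packet arrives
    on at the firewall, SOURCE PORT(S) the client's port.  Illustrative only.
    """
    if rule.action != "DNAT":
        raise ValueError("not a DNAT rule: %r" % (rule,))
    zone, addr, *rest = rule.dest.split(":")
    to_port = rest[0] if rest else None
    match = ["-i", ext_if, "-p", rule.proto]
    if rule.dports != "-":
        match += ["--dport", rule.dports]
    if rule.sports != "-":
        match += ["--sport", rule.sports]
    target = addr + (":" + to_port if to_port else "")
    nat = (["iptables", "-t", "nat", "-A", "PREROUTING"] + match
           + ["-j", "DNAT", "--to-destination", target])
    fwd_match = list(match)
    if to_port and "--dport" in fwd_match:
        # After the rewrite the packet is addressed to the server's own port.
        fwd_match[fwd_match.index("--dport") + 1] = to_port
    fwd = (["iptables", "-A", "FORWARD"] + fwd_match
           + ["-d", addr, "-j", "ACCEPT"])
    return " ".join(nat), " ".join(fwd)


if __name__ == "__main__":
    # Constructed sample: the two rules Tom commented on plus his DNAT suggestion.
    SAMPLE = [
        "ACCEPT  masq  fw  tcp  domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp  -",
        "ACCEPT  masq  fw  udp  domain,bootps,http,https,631,imap,pop3,smtp,ssh,nntp,ntp  -",
        "DNAT    net   masq:192.168.1.125  udp  5120:5129  5121:5300",
    ]
    for line in SAMPLE:
        rule = parse_rule(line)
        for problem in lint_rule(rule):
            print("%s %s %s: %s" % (rule.action, rule.proto, rule.dports, problem))
        if rule.action == "DNAT":
            for cmd in dnat_to_iptables(rule):
                print(cmd)
```

Run against the quoted tcp rule it reports bootps and ntp; against the udp copy it reports bootps plus the seven TCP-only services, which is exactly the mismatch Tom describes. The rendered DNAT output makes the column order visible: the 5120:5129 range lands in `--dport` (what the client sends to) and 5121:5300 in `--sport`, so a rule with the two swapped would be caught by reading the generated match rather than by trial and error against a game client.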
