[Shorewall-users] redirecting pseudo-internal traffic

Steve Estes estess@comcast.net
Sat, 27 Apr 2002 20:15:08 -0400


Greetings all, 

I'm having a slight configuration inflammation. My situation is that I have two sites, both behind shorewall 1.2.12, running an ipsec connection between them. We play various and sundry games over this connection and it works quite well. The quandary I am having is this: when we play LAN based games, all is well. When we play externally administered games (Gamespy, Westwood online, Battlenet, etc.), what happens is that one of us creates the game and the other tries to attach to it via the game admin. The game gets the external addr from the admin and tries to connect that way. Now connections coming in through the front door are correctly routed to the game creator. But when I try to connect to this game, I'm also told to connect to his external IP, but because of the tunnel my connection does not go to his front door but rather directly to his fw box through the tunnel, and is thus not routed correctly and I can't join. :-(

Now I have a workaround for this, which was to include a rule that took connections coming in off the gateway (ipsec tunnel) destined for the game ports and forwarded them to the creator's IP. That works fine too, if a little restrictive, but that's okay for the few times we actually go out that way. But when we switch back to LAN gaming, the workaround rule has broken LAN gaming if the game creator is at a different (local) IP than the one the rule is forwarding to, because the workaround rule is picking up ANY destination, not just the destination being the FW, and forwarding them.

The rule I have is as follows:

ACCEPT  gw:192.168.1.0/24  local:192.168.2.2   udp  <portlist>  -    all

The directions say that "all" should only be used for port forwarding from external IPs, but I haven't found anything that works quite right without specifying all. What I would ideally like is a rule that says connections from the gateway for the game ports that END ON the firewall (i.e. on the external IP) should be forwarded to local:xxxx, but connections from the gateway (for the game ports) with a destination other than the firewall should be left alone and routed per normal. I tried specifying $FW where "all" is, but that did not work (message from iptables 1.2.5 that host/network 'fw' was not found). I could perhaps hardcode my external IP instead of all, but I can't see that really improving the configuration situation.

I also thought about having parameterized rules so these rules could be easily turned off/on by a script. My thought was to use a parameter for the ACCEPT and have it be either ACCEPT or "#" to conditionally apply the rule or not, but a looksee at the code seemed to indicate that would not work, as the actual command itself does not seem to be parameterized, only the arguments. Of course I'm not an expert at shell language, so I could be misreading that.

If anyone has any ideas I'm all ears.. Thanks..

Steve
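An added example (editor's illustration, not part of Steve's message and not Shorewall's own code) of what the two rule shapes in the message look like one level down, at the iptables layer that Shorewall 1.2 generates. The distinction Steve wants is the `-d <external IP>` match on the PREROUTING DNAT rule: with it, only tunnel traffic addressed to the firewall's own external address is rewritten to the game host; without it (the "broad" form), every UDP packet from the tunnel on those ports is rewritten, which is exactly what breaks LAN games hosted on a different local machine. The script also shows the on/off toggle from the second question done as an ordinary shell variable. Everything concrete here is an assumption chosen for illustration: the tunnel interface `ipsec0`, the external address `203.0.113.10`, the game host `192.168.2.2` and the ports 6112 and 27015 are placeholders. By default the script only echoes the iptables commands (dry run); set `IPT=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original post or from Shorewall.
# All addresses, interface names and ports below are hypothetical placeholders.
IPSEC_IF=ipsec0               # interface the ipsec tunnel (the "gw" zone) arrives on
EXT_IP=203.0.113.10           # this firewall's external address (documentation range)
GAME_HOST=192.168.2.2         # LAN box that created the game
GAME_UDP_PORTS="6112 27015"   # placeholder game ports
GAME_FWD="${GAME_FWD:-on}"    # set GAME_FWD=off to disable the forward without editing rules
IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables applies for real (needs root)

# Destination-restricted forward for one UDP port.  The "-d $EXT_IP" on the
# nat rule is the whole point: only packets arriving from the tunnel and
# addressed to the firewall's own external address are DNATed to the game
# host.  Tunnel packets addressed to any other LAN host match nothing here
# and are routed normally, so LAN games on other machines keep working.
game_rules() {
    port=$1
    $IPT -t nat -A PREROUTING -i "$IPSEC_IF" -d "$EXT_IP" -p udp --dport "$port" \
        -j DNAT --to-destination "$GAME_HOST"
    # Let the rewritten packets through the FORWARD chain to the game host.
    $IPT -A FORWARD -i "$IPSEC_IF" -d "$GAME_HOST" -p udp --dport "$port" -j ACCEPT
}

# The over-broad form the message describes, kept only for contrast: no
# destination match, so every UDP packet from the tunnel on that port is
# rewritten regardless of which LAN host it was really for.
broad_rule() {
    port=$1
    $IPT -t nat -A PREROUTING -i "$IPSEC_IF" -p udp --dport "$port" \
        -j DNAT --to-destination "$GAME_HOST"
}

# Emit the restricted rules for every game port, or nothing when toggled off.
# Toggling is done in the shell around the rule generator, which is the only
# place a variable can stand in for the action itself.
apply_game_rules() {
    if [ "$GAME_FWD" != "on" ]; then
        return 0
    fi
    for p in $GAME_UDP_PORTS; do
        game_rules "$p"
    done
}

apply_game_rules
```

Run as-is to see the commands that would be installed; `GAME_FWD=off sh script.sh` prints nothing, which is the "LAN gaming" state. The external address does have to be written into the rule (or derived from the interface at script run time), because the kernel's nat table matches on the packet's destination address and has no notion of "the firewall" as a zone; that is the iptables-level reason a plain `$FW` cannot appear in the original-destination position.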