[Shorewall-users] RealPlayer rules again - more detailed

Jerry Vonau jvonau at shaw.ca
Wed Dec 3 17:48:42 PST 2003


Hi,

Now I get the following in the logs:

Dec  3 15:08:59 Router root: Shorewall Started
Dec  3 15:09:04 Router kernel: Shorewall:wlan2net:ACCEPT:IN=wlan0 OUT=ppp0 SRC=192.168.2.1 DST=207.188.6.203 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18315 DF PROTO=TCP SPT=36370 DPT=7070 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  3 15:09:06 Router kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= SRC=205.219.198.204 DST=217.84.70.128 LEN=520 TOS=0x00 PREC=0x00 TTL=54 ID=52564 PROTO=UDP SPT=1339 DPT=6790 LEN=500
Dec  3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 ID=52564 PROTO=UDP SPT=1339 DPT=6790 LEN=500
Dec  3 15:09:06 Router kernel: Shorewall:net_dnat:DNAT:IN=ppp0 OUT= MAC= SRC=205.219.198.204 DST=217.84.70.128 LEN=520 TOS=0x00 PREC=0x00 TTL=54 ID=52571 PROTO=UDP SPT=1339 DPT=6790 LEN=500
Dec  3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 ID=52571 PROTO=UDP SPT=1339 DPT=6790 LEN=500

What's my mistake now?

Oliver

>
>
>
> Hi again,
>
> I'm trying it again, and hope to get RealPlayer G2 and Shorewall 1.4.8 to work together with your help.
>
> My network looks like this:
> Net Zone (DSL) -------- Firewall/Router ------- Wlan Zone
> The RealPlayer is a client in the Wlan Zone and the Wlan Zone is masqueraded on the Firewall/Router.
>
> In the logging I could find entries like this:
> This line repeats a few times with DPT={6790,6791}
>
> Dec  3 13:32:04 Router kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=205.219.198.204 DST=217.84.70.128 LEN=520 TOS=0x00 PREC=0x00 TTL=54 ID=28050 PROTO=UDP SPT=1339 DPT=6790 LEN=500
>
> /etc/shorewall/policy
> wlan    net     ACCEPT  -
> loc      net      ACCEPT
> $FW    all     ACCEPT  -
> net     all     DROP    info
> all     all     REJECT  info
>
> /etc/shorewall/rules
> DROP:info       net     all     tcp     -       -
> DROP:info       net     all     udp     -       -
> ACCEPT  wlan:~00-09-5B-12-35-54 $FW     tcp     ssh,https,www,10000,3306        -
> ACCEPT  wlan:~00-09-5B-12-35-54 $FW     udp     ssh,https,www,10000,3306        -
> ACCEPT:info     net     all     udp     6790,6791       -
> DNAT    net     wlan:192.168.2.1:7070   tcp     554     -
>
> ----------<reply>--------------------
> Oliver:
>
> ACCEPT:info     net     all     udp     6790,6791       -
> This will not work... from Tom's earlier reply, this should be
>
> DNAT    net    loc:192.168.1.5         udp     1271,6790
>
> Similar to the DNAT rule you used for the 554 port forwarding.
>
> In your case, your client is on the wlan zone so that is
> DNAT    net    wlan:192.168.1.5         udp     1271,6790
> changing 192.168.1.5 to the IP address of the machine that has RealPlayer.
>
> Hope it helps...
>
> Jerry Vonau
>

It might be a case of your drop/log rules being used before the DNAT rules are.

Dec  3 15:09:06 Router kernel: Shorewall:net2wlan:DROP:IN=ppp0 OUT=wlan0 SRC=205.219.198.204 DST=192.168.2.1 LEN=520 TOS=0x00 PREC=0x00 TTL=53 ID=52564 PROTO=UDP SPT=1339 DPT=6790 LEN=500

"net2wlan:DROP:IN=ppp0" would fall under the "DROP:info       net     all     udp     -       -" part of your rules....

Try moving your DROP:info rules to the bottom of your list of rules... and restart shorewall.

Jerry
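As an added illustration, not taken from the thread, here is the /etc/shorewall/rules ordering Jerry describes next to the corrected one. It assumes the RealPlayer client is 192.168.2.1 and the UDP ports are 6790,6791 as seen in Oliver's logs, and that the UDP DNAT rule is the one Jerry suggested earlier.

```text
# /etc/shorewall/rules (Shorewall 1.4) -- BEFORE.
# Rules are matched first-match-wins. A UDP 6790 packet from net is
# DNATed in PREROUTING (the net_dnat:DNAT log line), then enters the
# net2wlan chain, where the catch-all DROP:info line matches before the
# ACCEPT that the DNAT rule generates (the net2wlan:DROP log line).
#ACTION   SOURCE                   DEST                   PROTO DEST PORT(S)            SOURCE PORT(S)
DROP:info net                      all                    tcp   -                       -
DROP:info net                      all                    udp   -                       -
ACCEPT    wlan:~00-09-5B-12-35-54  $FW                    tcp   ssh,https,www,10000,3306 -
ACCEPT    wlan:~00-09-5B-12-35-54  $FW                    udp   ssh,https,www,10000,3306 -
DNAT      net                      wlan:192.168.2.1       udp   6790,6791               -
DNAT      net                      wlan:192.168.2.1:7070  tcp   554                     -

# /etc/shorewall/rules -- AFTER.
# Specific ACCEPT/DNAT rules first, catch-all DROP:info rules last, so the
# DNATed RealPlayer packet reaches its ACCEPT before anything drops it.
#ACTION   SOURCE                   DEST                   PROTO DEST PORT(S)            SOURCE PORT(S)
ACCEPT    wlan:~00-09-5B-12-35-54  $FW                    tcp   ssh,https,www,10000,3306 -
ACCEPT    wlan:~00-09-5B-12-35-54  $FW                    udp   ssh,https,www,10000,3306 -
DNAT      net                      wlan:192.168.2.1       udp   6790,6791               -
DNAT      net                      wlan:192.168.2.1:7070  tcp   554                     -
DROP:info net                      all                    tcp   -                       -
DROP:info net                      all                    udp   -                       -
```

Because /etc/shorewall/policy already carries `net all DROP info`, and policies are applied only after the rules file, the explicit DROP:info lines add nothing but the chance of shadowing a later rule; removing them altogether is the simpler fix.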
