[Shorewall-users] Problem with port forwarding to windows pc on local network.
Grant Pasley
2016-08-08 11:25:09 UTC
Hi there,

I have Shorewall version 5.0.8.2 running on CentOS 7. I am not able to
get the DNAT to a local PC working. The PC has the Shorewall server set
as its gateway and I am able to telnet to port 3389 on the PC from the
server.
I can see the connection coming in on the Shorewall server but it does
not forward to the PC. If I telnet to the PC from the LAN it works fine
though. The firewall on the PC is completely off. Please see the attached
dump of the Shorewall config and, below, the connection coming in - can anyone
see what I am missing?

Aug 8 13:23:49 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=eno1 OUT=
MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:46:e1:ce:08:00 SRC=192.168.1.1
DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=43098 DPT=5678 LEN=141
Aug 8 13:23:55 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=eno1 OUT=
MAC=e0:69:95:50:4d:e2:d4:ca:6d:46:e1:ce:08:00 SRC=120.146.190.53
DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=31747 DF PROTO=TCP
SPT=51902 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 8 13:23:58 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=eno1 OUT=
MAC=e0:69:95:50:4d:e2:d4:ca:6d:46:e1:ce:08:00 SRC=120.146.190.53
DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=31821 DF PROTO=TCP
SPT=51902 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 8 13:23:59 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=eno1 OUT=
MAC=e0:69:95:50:4d:e2:d4:ca:6d:46:e1:ce:08:00 SRC=120.146.190.53
DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=31893 DF PROTO=TCP
SPT=51902 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
--
thanks and regards,

grant pasley.
xtranet.



---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Tom Eastep
2016-08-08 13:54:05 UTC
Post by Grant Pasley
Hi there,
I have Shorewall version 5.0.8.2 running on CentOS 7. I am not able
to get the DNAT to a local PC working. The PC has the Shorewall
server set as its gateway and I am able to telnet to port 3389 on
the PC from the server. I can see the connection coming in on the
Shorewall server but it does not forward to the PC. If I telnet to
the PC from the LAN it works fine though. The firewall on the PC is
completely off. Please see the attached dump of the Shorewall config and,
below, the connection coming in - can anyone see what I am missing?
Aug 8 13:23:49 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=eno1 OUT=
MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:46:e1:ce:08:00 SRC=192.168.1.1
DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=43098 DPT=5678 LEN=141
Aug 8 13:23:55 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=eno1 OUT=
MAC=e0:69:95:50:4d:e2:d4:ca:6d:46:e1:ce:08:00 SRC=120.146.190.53
DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=31747 DF PROTO=TCP
SPT=51902 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 8 13:23:58 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=eno1 OUT=
MAC=e0:69:95:50:4d:e2:d4:ca:6d:46:e1:ce:08:00 SRC=120.146.190.53
DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=31821 DF PROTO=TCP
SPT=51902 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Aug 8 13:23:59 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=eno1 OUT=
MAC=e0:69:95:50:4d:e2:d4:ca:6d:46:e1:ce:08:00 SRC=120.146.190.53
DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=31893 DF PROTO=TCP
SPT=51902 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
You have a rule that specifically excludes packets from 120.146.190.53
from DNAT:

Chain PREROUTING (policy ACCEPT 33 packets, 4103 bytes)
 pkts bytes target    prot opt in     out  source            destination
  598 96585 loc_dnat  all  --  enp3s0 *    0.0.0.0/0         0.0.0.0/0
    0     0 RETURN    all  --  eno1   *    154.70.136.0/21   0.0.0.0/0
    3   152 RETURN    all  --  eno1   *    120.146.190.53    0.0.0.0/0   <==============================
    0     0 RETURN    all  --  eno1   *    91.109.240.0/22   0.0.0.0/0
    0     0 RETURN    all  --  eno1   *    41.0.0.0/8        0.0.0.0/0
    0     0 RETURN    all  --  eno1   *    105.0.0.0/8       0.0.0.0/0
    9  1449 RETURN    all  --  eno1   *    192.168.0.0/16    0.0.0.0/0
    0     0 net_dnat  all  --  eno1   *    0.0.0.0/0         0.0.0.0/0

That IP address appears to be part of the 'xis' sub-zone of the 'net'
zone and your DNAT rule applies only to 'net'. You can correct that
problem by setting IMPLICIT_CONTINUE=Yes in shorewall.conf (assuming
that you want traffic from the 'xis' zone to follow 'net' rules in the
absence of a match on xis-specific rules).

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
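The diagnosis above comes down to walking the nat PREROUTING chain the way netfilter does: first match wins, and a RETURN in a built-in chain ends the walk with the chain policy (ACCEPT, i.e. no DNAT), so the later net_dnat jump is never evaluated for the excluded sources. The following script is an added example, not Shorewall's code or anything from the thread; it parses the pasted `iptables -t nat -L PREROUTING -v -n` listing (constructed here with each rule re-joined onto one line) and reports which rule a given source/interface hits. It deliberately models only the in-interface, protocol, source and destination columns; ports, conntrack state and other matches are ignored, which is sufficient for this chain because every rule uses `all`/`0.0.0.0/0` for them.

```python
"""First-match walk over an `iptables -t nat -L PREROUTING -v -n` listing.

Added example: not Shorewall's code.  SAMPLE_CHAIN is the chain Tom
pasted, re-joined so that each rule occupies one line.
"""
import ipaddress
import re

SAMPLE_CHAIN = """\
Chain PREROUTING (policy ACCEPT 33 packets, 4103 bytes)
 pkts bytes target    prot opt in     out  source            destination
  598 96585 loc_dnat  all  --  enp3s0 *    0.0.0.0/0         0.0.0.0/0
    0     0 RETURN    all  --  eno1   *    154.70.136.0/21   0.0.0.0/0
    3   152 RETURN    all  --  eno1   *    120.146.190.53    0.0.0.0/0
    0     0 RETURN    all  --  eno1   *    91.109.240.0/22   0.0.0.0/0
    0     0 RETURN    all  --  eno1   *    41.0.0.0/8        0.0.0.0/0
    0     0 RETURN    all  --  eno1   *    105.0.0.0/8       0.0.0.0/0
    9  1449 RETURN    all  --  eno1   *    192.168.0.0/16    0.0.0.0/0
    0     0 net_dnat  all  --  eno1   *    0.0.0.0/0         0.0.0.0/0
"""

CHAIN_RE = re.compile(r"Chain (\S+) \(policy (\S+)")


def parse_chain(listing):
    """Return (policy, rules) from a -v -n listing of a built-in chain.

    Only the columns needed for a first-match walk are kept: target,
    protocol, in/out interface and source/destination network.
    """
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    policy = CHAIN_RE.match(lines[0]).group(2)
    rules = []
    for line in lines[2:]:        # skip the "Chain ..." line and the header
        f = line.split()          # pkts bytes target prot opt in out src dst
        rules.append({
            "pkts": int(f[0]),
            "target": f[2],
            "proto": f[3],
            "in": f[5],
            "out": f[6],
            # a bare host address such as 120.146.190.53 becomes a /32
            "src": ipaddress.ip_network(f[7]),
            "dst": ipaddress.ip_network(f[8]),
        })
    return policy, rules


def first_match(rules, policy, in_iface, src, dst, proto="tcp"):
    """Return (rule_index, target) of the first rule the packet matches.

    If no rule matches, return (None, policy): the chain policy applies.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r["in"] != "*" and r["in"] != in_iface:
            continue
        if r["proto"] not in ("all", proto):
            continue
        if src_ip not in r["src"] or dst_ip not in r["dst"]:
            continue
        return i, r["target"]
    return None, policy


def explain(listing, in_iface, src, dst, proto="tcp"):
    """One-line verdict on whether the packet can reach a DNAT chain."""
    policy, rules = parse_chain(listing)
    idx, target = first_match(rules, policy, in_iface, src, dst, proto)
    if idx is None:
        return f"no rule matched; chain policy {policy} applies (no DNAT)"
    if target == "RETURN":
        # RETURN in a built-in chain ends the walk: the policy applies and
        # later rules such as the net_dnat jump are never evaluated.
        return (f"rule {idx} RETURNs packets from {rules[idx]['src']} on "
                f"{in_iface}; policy {policy} applies, no DNAT chain consulted")
    return f"rule {idx} sends the packet to {target}"


if __name__ == "__main__":
    # The SYN from the thread: 120.146.190.53 -> 192.168.1.2:3389 on eno1.
    print(explain(SAMPLE_CHAIN, "eno1", "120.146.190.53", "192.168.1.2"))
    # A constructed source outside the excluded ranges does reach net_dnat.
    print(explain(SAMPLE_CHAIN, "eno1", "203.0.113.9", "192.168.1.2"))
```

Running it against the thread's packet reports that rule 2 (the 120.146.190.53/32 RETURN) fires, which is exactly the counter Tom pointed at (3 packets, matching the three logged SYNs); a source outside the sub-zone ranges falls through to net_dnat instead. The same walk can be pasted a live listing from `shorewall dump` or `iptables -t nat -L PREROUTING -v -n` to check which zone's DNAT chain a remote address will actually reach before changing rules or IMPLICIT_CONTINUE.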
Grant Pasley
2016-08-08 22:01:21 UTC
wow - thank you Tom, changed to xis and working fine now :-[

thanks and regards,

grant pasley.
xtranet.
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
