[Shorewall-users] Port Forwarding
C***@quantum-sci.com
2011-03-04 06:28:34 UTC
I have a backup server, hex, which also has security cameras on eth2. eth1 is the LAN.

I want to take a given security camera at IP 10.5.12.40 on eth2 (cam) and present it to the LAN as 192.168.1.4:80. So in Shorewall rules I have:
DNAT net $FW:10.5.12.40 tcp www
ACCEPT net:192.168.1.1 cam tcp www -

Of course cam is defined in interfaces, zones, and policy. But when I point my browser at 192.168.1.4 nothing happens. No dmesg firewall messages, but also nothing else. What am I doing wrong?
Roberto C. Sánchez
2011-03-04 13:55:35 UTC
Post by C***@quantum-sci.com
I have a backup server, hex, which also has security cameras on eth2. eth1 is the LAN.
DNAT net $FW:10.5.12.40 tcp www
ACCEPT net:192.168.1.1 cam tcp www -
Of course cam is defined in interfaces, zones, and policy. But when I point my browser at 192.168.1.4 nothing happens. No dmesg firewall messages, but also nothing else. What am I doing wrong?
First, to confirm, do you have ip forwarding enabled?

Second, you shouldn't need the ACCEPT rule, since the DNAT creates a
corresponding ACCEPT rule for you already. If you look at the
shorewall-rules(5) man page, this example corresponds to what you want
to do:

Example 2:

Forward all ssh and http connection requests from the internet to local system 192.168.1.3

#ACTION   SOURCE   DEST              PROTO   DEST      SOURCE    ORIGINAL
#                                            PORT      PORT(S)   DEST
DNAT      net      loc:192.168.1.3   tcp     ssh,http

So, something like this would work:

DNAT net $FW:10.5.12.40 tcp www

Which is what you already have for your first rule. Now, if you want
to limit the DNAT requests to a particular host in the net zone, you
incorporate it into the same rule:

DNAT net:192.168.1.1 $FW:10.5.12.40 tcp www

Now, please also note that if you are doing the DNAT redirection on
the same machine from which you are running the web browser, you
may want to see this as well:
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall

It is written for Squid, but the same principle applies.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
C***@quantum-sci.com
2011-03-04 18:50:57 UTC
Post by Roberto C. Sánchez
First, to confirm, do you have ip forwarding enabled?
Well, I have no idea.
Post by Roberto C. Sánchez
Second, you shouldn't need the ACCEPT rule, since the DNAT creates a
corresponding ACCEPT rule for you already.
If I don't put in that ACCEPT rule I get firewall blocking errors in dmesg.
Post by Roberto C. Sánchez
Now, please also note that if you are doing the DNAT redirection on
the same machine from which you are running the web browser, you
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall
It is written for Squid, but the same principle applies.
Sorry, I can't understand how that fits.

Right now almost everything in my systems is failing. Hard drive in laptop going out; running remote X apps doesn't work on HTPC; camera app doesn't work on backup server; my phone quit; download of Debian is so slow it's going to take 12 hours; and this is my only day off. It's hard to think at this point.
C***@quantum-sci.com
2011-03-07 03:48:31 UTC
Any help?
Post by C***@quantum-sci.com
Post by Roberto C. Sánchez
First, to confirm, do you have ip forwarding enabled?
Well, I have no idea.
Post by Roberto C. Sánchez
Second, you shouldn't need the ACCEPT rule, since the DNAT creates a
corresponding ACCEPT rule for you already.
If I don't put in that ACCEPT rule I get firewall blocking errors in dmesg.
Post by Roberto C. Sánchez
Now, please also note that if you are doing the DNAT redirection on
the same machine from which you are running the web browser, you
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall
It is written for Squid, but the same principle applies.
Sorry, I can't understand how that fits.
Right now almost everything in my systems is failing. Hard drive in laptop going out; running remote X apps doesn't work on HTPC; camera app doesn't work on backup server; my phone quit; download of Debian is so slow it's going to take 12 hours; and this is my only day off. It's hard to think at this point.
Tom Eastep
2011-03-07 03:58:13 UTC
Post by C***@quantum-sci.com
Any help?
Post by C***@quantum-sci.com
Post by Roberto C. Sánchez
First, to confirm, do you have ip forwarding enabled?
Well, I have no idea.
Post by Roberto C. Sánchez
Second, you shouldn't need the ACCEPT rule, since the DNAT
creates a corresponding ACCEPT rule for you already.
If I don't put in that ACCEPT rule I get firewall blocking errors in dmesg.
Post by Roberto C. Sánchez
Now, please also note that if you are doing the DNAT
redirection on the same machine from which you are running the
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall
It is written for Squid, but the same principle applies.
Sorry, I can't understand how that fits.
Right now almost everything in my systems is failing. Hard drive
in laptop going out; running remote X apps doesn't work on HTPC;
camera app doesn't work on backup server; my phone quit; download
of Debian is so slow it's going to take 12 hours; and this is my
only day off. It's hard to think at this point.
With which problem?

- hard drive
- X apps
- camera
- download speed
- vague 'port forwarding' problem

There are so many.

For 'port forwarding', I suggest that you look at the troubleshooting
instructions in Shorewall FAQs 1a and 1b. I wrote Shorewall and there is
nothing that I can add to the instructions in those two FAQs.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2011-03-07 15:55:39 UTC
Post by C***@quantum-sci.com
I have a backup server, hex, which also has security cameras on eth2.
eth1 is the LAN.
I want to take a given security camera at IP 10.5.12.40 on eth2 (cam)
and present it to the LAN as 192.168.1.4:80. So in Shorewall rules I
DNAT net $FW:10.5.12.40 tcp www
ACCEPT net:192.168.1.1 cam tcp www -
Of course cam is defined in interfaces, zones, and policy. But when
I point my browser at 192.168.1.4 nothing happens. No dmesg firewall
messages, but also nothing else. What am I doing wrong?
Although I responded to your latest post last night, I took another look
at your problem this morning.

First of all, your rules are wrong. You want a single rule:

DNAT net cam:10.5.12.40 tcp www

That assumes that 'cam' is defined to be the zone consisting of hosts
attached to eth2; e.g., the following in /etc/shorewall/interfaces:

cam eth2 - ...

Secondly, your camera probably doesn't have a default route defined; in
fact, it is probably incapable of having a default route and can only
communicate with other hosts on its own LAN.

In the latter case, you need this entry in /etc/shorewall/masq:

eth2:10.5.12.40 0.0.0.0/0

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
C***@quantum-sci.com
2011-03-17 16:05:45 UTC
Post by Tom Eastep
DNAT net cam:10.5.12.40 tcp www
Thanks, but it's not working. Everything's set like you say, but when I try from another machine:
[515690.154919] Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1 DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0

For some reason it's not masquerading through the camera server.
Post by Tom Eastep
That assumes that 'cam' is defined to be the zone consisting of hosts
cam eth2 - ...
Ya have that. Using tcpflags as only option. Only the one IP camera is on this interface ATM.
Post by Tom Eastep
Secondly, your camera probably doesn't have a default route defined; in
fact, it is probably incapable of having a default route and can only
communicate with other hosts on its own LAN.
eth2:10.5.12.40 0.0.0.0/0
Thank you. This seems to be setting it to masquerade requests from any machine on the LAN on any port, specifically to one camera. How would I craft it if multiple cams on eth2?

What I want to do is route all requests that are to 192.168.1.4:10080 to 10.5.12.40:80. The camera is on eth2, and 192.168.1.4 is my LAN on eth0.

I'd like the LAN to access the camera even though it's on a different interface and IP, but machines accessing it are vetted and the server is protected by Shorewall. I could set different cameras to different ports.
Tom Eastep
2011-03-17 16:51:04 UTC
Post by C***@quantum-sci.com
Post by Tom Eastep
DNAT net cam:10.5.12.40 tcp www
Thanks, but it's not working. Everything's set like you say, but
when I try from another machine: [515690.154919]
Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1
DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP
SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0
For some reason it's not masquerading through the camera server.
Your routing is wrong. Note that it is trying to route the packet back
out of eth0.
Post by C***@quantum-sci.com
Post by Tom Eastep
That assumes that 'cam' is defined to be the zone consisting of
hosts attached to eth2; e.g., the following in
cam eth2 - ...
Ya have that. Using tcpflags as only option. Only the one IP camera
is on this interface ATM.
How have you configured eth2?
Post by C***@quantum-sci.com
Post by Tom Eastep
Secondly, your camera probably doesn't have a default route
defined; in fact, it is probably incapable of having a default
route and can only communicate with other hosts on its own LAN.
eth2:10.5.12.40 0.0.0.0/0
Thank you. This seems to be setting it to masquerade requests from
any machine on the LAN on any port, specifically to one camera. How
would I craft it if multiple cams on eth2?
Then just remove the :10.4.12.40 part.
Post by C***@quantum-sci.com
What I want to do is route all requests that are to 192.168.1.4:10080
to 10.5.12.40:80. The camera is on eth2, and 192.168.1.4 is my LAN
on eth0.
Shorewall does not handle routing. You must configure that using your
distribution's network configuration tools. It will happen automatically
if you configure eth2 to have an address beginning with 10.4.12. and a
net mask of 255.255.255.0.
Post by C***@quantum-sci.com
I'd like the LAN to access the camera even though it's on a different
interface and IP, but machines accessing it are vetted and the server
is protected by Shorewall. I could set different cameras to
different ports.
Let's get one working first. And if you have additional problems, please
include the output of 'shorewall dump' as an attachment to your report.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
C***@quantum-sci.com
2011-03-17 17:49:58 UTC
Post by Tom Eastep
Your routing is wrong. Note that it is trying to route the packet back
out of eth0.
How have you configured eth2?
Noticed that, but don't know why. (Debian Testing) I've deinstalled network-manager and manually edit /etc/network/interfaces like I always have:
allow-hotplug eth2
iface eth2 inet static
address 10.5.42.4
netmask 255.255.255.0
network 10.5.42.0
broadcast 10.5.42.255

# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.5.42.0 * 255.255.255.0 U 0 0 0 eth2
localnet * 255.255.255.0 U 0 0 0 eth0
default hex.darkmatt 0.0.0.0 UG 0 0 0 eth0
Post by Tom Eastep
Let's get one working first. And if you have additional problems, please
include the output of 'shorewall dump' as an attachment to your report.
Attached.
Tom Eastep
2011-03-17 18:09:56 UTC
Post by C***@quantum-sci.com
Post by Tom Eastep
Your routing is wrong. Note that it is trying to route the packet back
out of eth0.
How have you configured eth2?
allow-hotplug eth2
iface eth2 inet static
address 10.5.42.4
netmask 255.255.255.0
network 10.5.42.0
broadcast 10.5.42.255
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.5.42.0 * 255.255.255.0 U 0 0 0 eth2
localnet * 255.255.255.0 U 0 0 0 eth0
default hex.darkmatt 0.0.0.0 UG 0 0 0 eth0
Post by Tom Eastep
Let's get one working first. And if you have additional problems, please
include the output of 'shorewall dump' as an attachment to your report.
Attached.
The camera is at 10.5.42.40 but your DNAT rule says 10.5.12.40.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
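The diagnosis above (same interface in and out in the FORWARD:DROP log line, and a DNAT target that is not on the subnet configured for eth2) can be checked mechanically. This is an added example, not code from the thread or from Shorewall: it parses the Shorewall log line and the interfaces stanza quoted in this thread (embedded here as constructed sample input) and reports both problems.

```python
import ipaddress
import re

# Constructed sample input, copied from the symptoms reported in this thread.
LOG_LINE = ("[515690.154919] Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1 "
            "DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP "
            "SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0")
IFACES = "allow-hotplug eth2\niface eth2 inet static\naddress 10.5.42.4\nnetmask 255.255.255.0\n"


def parse_shorewall_log(line):
    """Split a Shorewall netfilter log line into (chain, disposition, {field: value})."""
    m = re.search(r"Shorewall:(\w+):(\w+):(.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return m.group(1), m.group(2), fields


def parse_static_ifaces(text):
    """Map interface name -> IPv4Network for 'inet static' stanzas in /etc/network/interfaces."""
    nets, cur, addr, mask = {}, None, None, None
    for raw in text.splitlines() + ["iface _end_"]:  # sentinel flushes the last stanza
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "iface":
            if cur and addr and mask:
                nets[cur] = ipaddress.ip_interface(f"{addr}/{mask}").network
            cur, addr, mask = parts[1], None, None
        elif parts[0] == "address":
            addr = parts[1]
        elif parts[0] == "netmask":
            mask = parts[1]
    return nets


def diagnose(log_line, ifaces_text, dnat_target, cam_iface):
    """Return human-readable findings for a dropped forward of a DNAT'd connection."""
    chain, disp, f = parse_shorewall_log(log_line)
    nets = parse_static_ifaces(ifaces_text)
    findings = []
    if chain == "FORWARD" and disp == "DROP" and f.get("IN") == f.get("OUT"):
        # Same interface in and out: the kernel had no better route than the default one.
        findings.append(f"routing loop: packet for {f['DST']} entered and left on {f['IN']}")
    net = nets.get(cam_iface)
    if net is None:
        findings.append(f"{cam_iface} has no static address; nothing can be routed to it")
    elif ipaddress.ip_address(dnat_target) not in net:
        findings.append(f"DNAT target {dnat_target} is outside {cam_iface} subnet {net}")
    return findings
```

Calling `diagnose(LOG_LINE, IFACES, "10.5.12.40", "eth2")` reports both the routing loop and the subnet mismatch; with the corrected target 10.5.42.40 only the loop already recorded in the old log line remains.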
C***@quantum-sci.com
2011-03-17 22:07:38 UTC
Post by Tom Eastep
The camera is at 10.5.42.40 but your DNAT rule says 10.5.12.40.
Oh, FFS. Don't tell me it's that particular...

OK, so I believe that all the ports the camera presents are now on 192.168.1.4. Is there a way to map the ports the camera presents, to different ports on 192.168.1.4?

BTW, I'm about 2 miles from you. (123rd St & Lakeshore, Lake Shity)
Tom Eastep
2011-03-17 23:20:40 UTC
Post by C***@quantum-sci.com
Post by Tom Eastep
The camera is at 10.5.42.40 but your DNAT rule says 10.5.12.40.
Oh, FFS. Don't tell me it's that particular...
:-)
Post by C***@quantum-sci.com
OK, so I believe that all the ports the camera presents are now on
192.168.1.4. Is there a way to map the ports the camera presents, to
different ports on 192.168.1.4?
Yes -- see Shorewall FAQ 1c.
Post by C***@quantum-sci.com
BTW, I'm about 2 miles from you. (123rd St & Lakeshore, Lake Shity)
Cool.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
C***@quantum-sci.com
2011-03-25 16:34:39 UTC
This is a little off topic, but I haven't been able to find an answer elsewhere. I need to run a command on another machine on my LAN. I have a backup server which does weekly rsync backups of the other machines. But when the time comes for it to be backed up I do an rsync push to one of the other machines. When that's done I must initiate a BTRFS snapshot of this machine's backup on that remote machine.

So from my backup server I need to run a command on another machine, hopefully securely. Anyone know a way? Backup server has root privs on all machines with public key. I understand the risks, and have been careful with security on this machine.
Stealth
2011-03-25 17:34:53 UTC
An ssh command?
Post by C***@quantum-sci.com
This is a little off topic, but I haven't been able to find an answer elsewhere. I need to run a command on another machine on my LAN. I have a backup server which does weekly rsync backups of the other machines. But when the time comes for it to be backed up I do an rsync push to one of the other machines. When that's done I must initiate a BTRFS snapshot of this machine's backup on that remote machine.
So from my backup server I need to run a command on another machine, hopefully securely. Anyone know a way? Backup server has root privs on all machines with public key. I understand the risks, and have been careful with security on this machine.
C***@quantum-sci.com
2011-03-25 18:02:59 UTC
Post by Stealth
An ssh command?
Post by C***@quantum-sci.com
This is a little off topic, but I haven't been able to find an answer elsewhere. I need to run a command on another machine on my LAN. I have a backup server which does weekly rsync backups of the other machines. But when the time comes for it to be backed up I do an rsync push to one of the other machines. When that's done I must initiate a BTRFS snapshot of this machine's backup on that remote machine.
So from my backup server I need to run a command on another machine, hopefully securely. Anyone know a way? Backup server has root privs on all machines with public key. I understand the risks, and have been careful with security on this machine.