RE: [Leaf-user] Bering and Port Forwarding

2002-04-09 Thread Richard Busby

Thanks Tom - my replies are below. If you (or anyone else) can suggest
anything else I might try, that would be great :)


> -Original Message-
> From: [EMAIL PROTECTED]
> On Mon, 8 Apr 2002, [EMAIL PROTECTED] wrote:
>
> > /etc/Shorewall/params contains mostly the default options, except:
> > Loc_tcp_ports1=80,3389 (=www and Win2k Terminal Services)
> > server1=192.168.1.2 (=my webserver's internal address)
> >
> > When Shorewall starts, the Rule outputs are:
> >
> > Accept fw net tcp 53
> > Accept fw net udp 53
> > Accept net fw tcp 22
> > Reject net fw tcp 113
> > Accept loc fw tcp 22,80
> > Accept loc fw udp 53
> > Accept net loc:192.168.1.2 tcp 80,3389 - all
> > Accept fw loc icmp 8
> > Accept loc fw icmp 8
> >
> > I can access the Weblet (and ssh if I put sshd on) internally,
> > as I'd expect. If I do a port scan from grc.com, AUTH shows up as
> > closed rather than stealthed, which I'd also expect. However, HTTP
> > shows up as stealthed, which I don't understand.
>
> Your Shorewall setup looks correct --
>
> a) When you attempt the port scan, does Shorewall report anything about
> TCP port 80 in /var/log/messages?

Yep. GRC's port scan probes the following ports:
21,23,25,79,80,110,113,135,139,143,443,445,5000. The first time I tried a
portscan, there were messages in /var/log/messages for destination ports
5000,445,443,143,139 (in that order). Each message is reporting a dropped
packet from the Net2all rule. A subsequent portscan only resulted in a
message for the port 5000 attempt - still dropped from the Net2all rule.

> b) After the port scan, if you do shorewall show nat, does the packet
> count for the port 80 DNAT rule show a non-zero packet count? How about
> the port 80 rule in shorewall show net2loc?

Shorewall show nat shows a packet count of 20 for the port 80 DNAT rule.
Shorewall show net2loc shows a packet count of 109 for state NEW tcp
dpt:80

> If neither of these packet counts is non-zero, your ISP is most likely
> dropping SYN TCP packets with destination port 80.

I know this isn't the case because I've had a webserver running here up
until last week.

Cheers
Richard


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



RE: [Leaf-user] Bering and Port Forwarding - RESOLVED!

2002-04-09 Thread Richard Busby

I've just figured out what I was doing wrong. I feel about 3 inches high
right about now.

Due to trying several different LEAF/LRP images, I had set my webserver's
default gateway to 192.168.1.1, whereas the firewall's internal address is
192.168.1.254.

The upshot of which is that the webserver won't reply to any requests from
the internet, because its default gateway doesn't exist. A portscan won't
pick the port up as open, because there's never going to be so much as an
ACK in response.

D'oh!

Much thanks to those who have helped to troubleshoot :)

Cheers
Richard


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Busby
> Sent: Tuesday, 9 April 2002 7:15 p.m.
> To: Tom Eastep
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Leaf-user] Bering and Port Forwarding







RE: [Leaf-user] Bering and Port Forwarding - RESOLVED!

2002-04-09 Thread Tom Eastep

On Tue, 9 Apr 2002, Richard Busby wrote:

> I've just figured out what I was doing wrong. I feel about 3 inches high
> right about now.
>
> Due to trying several different LEAF/LRP images, I had set my webserver's
> default gateway to 192.168.1.1, whereas the firewall's internal address is
> 192.168.1.254.


It's amazing how often that configuration snafu occurs -- always a good
idea to confirm that your server can reach the internet before
attempting port forwarding.

Thanks for the update,
-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]


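Tom's closing advice is to confirm that the forwarded-to server can reach the Internet before blaming the firewall. The following is an added example, not code from the thread, from Shorewall or from LEAF: a small pre-flight check that parses `route -n` style output from the DNAT target and compares its default gateway with the firewall's LAN address. The routing table text is constructed to reproduce Richard's situation (stale gateway 192.168.1.1, firewall at 192.168.1.254, server 192.168.1.2); the function names and the LAN prefix 192.168.1.0/24 are assumptions of the example.

```python
import ipaddress

# Constructed output in the style of `route -n` on the server that port 80 is
# forwarded to. The default gateway 192.168.1.1 is the stale one left over from
# an earlier image; the firewall's LAN address in the thread is 192.168.1.254.
STALE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""
# Same table after the gateway has been corrected to the firewall's address.
FIXED_ROUTES = STALE_ROUTES.replace("192.168.1.1 ", "192.168.1.254")


def default_gateway(route_output):
    """Return the gateway of the 0.0.0.0/0 route in `route -n` style text, or None."""
    for line in route_output.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[0] == "0.0.0.0" and cols[2] == "0.0.0.0":
            return cols[1]
    return None


def check_forward_target(server_ip, route_output, firewall_lan_ip, lan_cidr):
    """List the problems that would make a forwarded port look 'stealthed' from outside.

    An empty list means the DNAT target is on the LAN and routes its replies
    back through the firewall, so an unanswered probe is not a routing issue.
    """
    problems = []
    lan = ipaddress.ip_network(lan_cidr)
    if ipaddress.ip_address(server_ip) not in lan:
        problems.append("DNAT target %s is not on the LAN %s" % (server_ip, lan))
    if ipaddress.ip_address(firewall_lan_ip) not in lan:
        problems.append("firewall LAN address %s is not on the LAN %s" % (firewall_lan_ip, lan))
    gw = default_gateway(route_output)
    if gw is None:
        problems.append("server has no default route: replies to Internet clients cannot leave the LAN")
    elif gw != firewall_lan_ip:
        # DNAT still delivers the SYN to the server, but the SYN/ACK is handed to
        # a gateway that does not exist, so the scanner never sees a reply.
        problems.append("server's default gateway %s is not the firewall's LAN address %s"
                        % (gw, firewall_lan_ip))
    return problems


if __name__ == "__main__":
    for label, routes in (("stale", STALE_ROUTES), ("fixed", FIXED_ROUTES)):
        found = check_forward_target("192.168.1.2", routes, "192.168.1.254", "192.168.1.0/24")
        print("%s: %s" % (label, found or "ok"))
```

Run it on the real server's `route -n` output (or feed the equivalent lines from a Windows `route print`) before touching the firewall rules; the gateway mismatch it reports is exactly the failure mode this thread ended on.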



Re: [Leaf-user] Bering and Port Forwarding

2002-04-08 Thread Tom Eastep

On Mon, 8 Apr 2002, [EMAIL PROTECTED] wrote:

> As a kinda-newbie to Linux I've started using the Bering Firewall and I'm
> having some difficulty getting port forwarding working. Outgoing connections
> work fine - I can browse the net, send and receive my pop3 mail, etc. I just
> can't get Shorewall to allow traffic inwards to a webserver and Win2k terminal
> server.
>
> I'm using 2 Ethernet cards: Eth0 is a 3Com 509, Eth1 is a Realtek PCI card
> using ne2k-pci. Eth0 has a static IP. dhcpd and dnscache are both working.
>
> /etc/shorewall/policy has been left as default
> /etc/shorewall/rules has been left as default - it's getting the values for the
> port forwarding from the variables set up in /params
>
> /etc/Shorewall/params contains mostly the default options, except:
> Loc_tcp_ports1=80,3389 (=www and Win2k Terminal Services)
> server1=192.168.1.2 (=my webserver's internal address)
>
> When Shorewall starts, the Rule outputs are:
>
> Accept fw net tcp 53
> Accept fw net udp 53
> Accept net fw tcp 22
> Reject net fw tcp 113
> Accept loc fw tcp 22,80
> Accept loc fw udp 53
> Accept net loc:192.168.1.2 tcp 80,3389 - all
> Accept fw loc icmp 8
> Accept loc fw icmp 8
>
> I can access the Weblet (and ssh if I put sshd on) internally, as I'd expect.
> If I do a port scan from grc.com, AUTH shows up as closed rather than
> stealthed, which I'd also expect. However, HTTP shows up as stealthed, which I
> don't understand.


Your Shorewall setup looks correct --

a) When you attempt the port scan, does Shorewall report anything about
TCP port 80 in /var/log/messages?
b) After the port scan, if you do shorewall show nat, does the packet
count for the port 80 DNAT rule show a non-zero packet count? How about
the port 80 rule in shorewall show net2loc?

If neither of these packet counts is non-zero, your ISP is most likely
dropping SYN TCP packets with destination port 80.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]


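Tom's two diagnostic questions (does the drop log mention port 80, and do the DNAT and net2loc counters move) and Richard's answers to them boil down to reconciling three things per probed port: what the rule table says should happen, what Shorewall actually logged as dropped, and what the external scan reported. The script below is an added example written for this thread, not code from the posters or from Shorewall. It parses netfilter LOG lines as Shorewall 1.x wrote them to /var/log/messages (the "Shorewall:<chain>:<disposition>:" prefix followed by the kernel's key=value fields), using the rule table and GRC port list quoted in the thread. The log lines, the addresses in them and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages entries in the form Shorewall 1.x
# produced them. Addresses are documentation-range placeholders, not the poster's;
# the dropped ports are the ones Richard reported seeing (5000,445,443,143,139).
SAMPLE_LOG = """\
Apr  9 18:45:01 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3001 DPT=5000 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  9 18:45:01 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3002 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  9 18:45:02 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=3003 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  9 18:45:02 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4 DF PROTO=TCP SPT=3004 DPT=143 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  9 18:45:02 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=5 DF PROTO=TCP SPT=3005 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  9 18:45:03 firewall sshd[412]: Accepted password for root from 192.168.1.2 port 1045 ssh2
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Inbound net->* TCP rules from the "Rule outputs" quoted in the thread.
NET_RULES = {
    22: ("ACCEPT", "fw"),
    113: ("REJECT", "fw"),
    80: ("DNAT", "192.168.1.2"),
    3389: ("DNAT", "192.168.1.2"),
}

# Ports GRC probed, and what the scan reported (anything not listed came back "stealth").
PROBED_PORTS = [21, 23, 25, 79, 80, 110, 113, 135, 139, 143, 443, 445, 5000]
GRC_REPORT = {113: "closed", 80: "stealth"}


def parse_log(text):
    """Count TCP hits per (chain, disposition) and destination port in Shorewall log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a Shorewall entry (sshd and other daemons share the file)
        fields = dict(KV_RE.findall(m.group("rest")))
        if fields.get("PROTO") != "TCP" or not fields.get("DPT"):
            continue
        counts[(m.group("chain"), m.group("disp"))][int(fields["DPT"])] += 1
    return counts


def reconcile(probed, rules, log_text, report):
    """Give a verdict per probed port from the rule table, the drop log and the scanner's view."""
    dropped = parse_log(log_text).get(("net2all", "DROP"), {})
    verdicts = {}
    for port in probed:
        action, target = rules.get(port, ("DROP", None))  # no rule: net2all policy applies
        seen = report.get(port, "stealth")
        if action == "DROP":
            verdicts[port] = "policy drop" + (" (logged)" if port in dropped else " (not logged)")
        elif action == "REJECT":
            verdicts[port] = ("reject: 'closed' is expected" if seen == "closed"
                              else "reject rule present but scanner saw %s" % seen)
        elif action == "DNAT":
            if port in dropped:
                verdicts[port] = "DNAT rule did not match: packet fell through to net2all"
            elif seen == "open":
                verdicts[port] = "forwarded to %s and answered" % target
            else:
                # The firewall passed the SYN and logged no drop, so the missing reply
                # has to come from the server side (daemon, routing, default gateway).
                verdicts[port] = ("forwarded to %s but no reply reached the scanner: "
                                  "check the server's default gateway and routing" % target)
        else:
            verdicts[port] = "%s to %s" % (action, target)
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(reconcile(PROBED_PORTS, NET_RULES, SAMPLE_LOG, GRC_REPORT).items()):
        print("%5d  %s" % (port, verdict))
```

On the thread's data the only port that is neither dropped nor answered is 80, which points past the firewall to the server, the same conclusion Richard reached by checking the non-zero DNAT and net2loc counters. Feed `reconcile` a real log excerpt and the scanner's own report to get the same split between firewall-side and server-side causes.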