On 6/25/2018 2:56 PM, Bern D wrote:
> Hi,
> I use Ubuntu server 18.04 which is configured as a home router, gate,
> firewall.
> My ISP gives me local IP address 192.168.15.145 which is seen from the
> internet as public address 46.xxx.xxxx.xxxx.
> I can login on my Ubuntu server (SSH) from local LAN or WLAN hosts
> (using 10.10.10.1 and port 2225)
> but cannot login using public address 46.xxx.xxx.xxxx from my LAN/WLAN.
> At the same time I can login to my server using address 46.xxx.xxx.xxxx
> from other devices (eg my phone or tablet connected to GSM/LTE network).
> How to change Shorewall configuration to enable SSH access to my public
> address 46.xxx.xxxx.xxxx from the local hosts?
> See my current Shorewall configuration files below.
> 
> etc/shorewall/zones
> ###############################################################################
> 
> #ZONE    TYPE    OPTIONS            IN            OUT
> #                    OPTIONS            OPTIONS
> fw    firewall
> net    ipv4
> loc    ipv4
> road    ipv4
> 
> etc/shorewall/policy
> ###############################################################################
> 
> #SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST
> loc        net        ACCEPT
> loc        $FW        ACCEPT
> $FW        net        ACCEPT
> $FW        loc        ACCEPT
> road        loc        ACCEPT
> loc        road        ACCEPT
> road        $FW        ACCEPT
> net        all        DROP        info
> # THE FOLLOWING POLICY MUST BE LAST
> all        all        REJECT        info
> 
> etc/shorewall/interfaces
> ###############################################################################
> 
> ?FORMAT 1
> ###############################################################################
> 
> #ZONE    INTERFACE    BROADCAST    OPTIONS
> net    enp1s0        detect    tcpflags,logmartians,nosmurfs
> loc    enp3s0f1    detect    dhcp
> loc    wlp4s0        detect    dhcp,maclist,wait=10
> road    tun0        detect
> 
> etc/shorewall/snat
> ###########################################################################################################################################
> 
> #ACTION            SOURCE            DEST            PROTO PORT IPSEC    MARK    USER    SWITCH    ORIGDEST    PROBABILITY
> #
> SNAT(192.168.15.145)    10.10.10.0/24,\
>             10.10.11.0/24    enp1s0
> 
> etc/shorewall/rules
> ######################################################################################################################################################################################################
> 
> #ACTION        SOURCE        DEST        PROTO    DEST    SOURCE    ORIGINAL    RATE        USER/    MARK    CONNLIMIT    TIME    HEADERS    SWITCH    HELPER
> #                            PORT    PORT(S)    DEST        LIMIT        GROUP
> 
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
> 
> #       Don't allow connection pickup from the net
> #
> Invalid(DROP)    net        all        tcp
> #
> #    Accept DNS connections from the firewall to the network
> #
> #DNS(ACCEPT)    $FW        net
> #
> #    Accept SSH connections from the local network for administration
> #
> SSH(ACCEPT)    loc        $FW
> #
> #    Allow Ping from the local network
> #
> Ping(ACCEPT)    loc        $FW
> 
> #
> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
> #
> 
> Ping(DROP)    net        $FW
> 
> ACCEPT        $FW        loc        icmp
> ACCEPT        $FW        net        icmp
> #
> #
> ACCEPT        net        $FW        tcp        6535
> ACCEPT        net        $FW        udp        6534
> ACCEPT        net        $FW        tcp        1007
> ACCEPT        net        $FW        tcp        2225
> 

Third time's a charm.

Did you read:

http://shorewall.org/FAQ.htm#PortForwarding

-Matt
-- 
Matt Darfeuille
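The FAQ entry Matt points to covers the "hairpin" case: connections from the LAN to the public address leave through enp1s0 towards the ISP, and nothing in the posted rules ever turns them back to the firewall's own sshd. The fragment below is an added example of how that is normally expressed in Shorewall; it is not from the original thread or from the poster's files. It assumes sshd really listens on 2225 on the firewall itself (as the existing `ACCEPT net $FW tcp 2225` rule suggests), that `46.x.x.x` stands for the poster's real public address, and that the rule is placed in the `?SECTION NEW` part of /etc/shorewall/rules:

```shorewall
# Added example for /etc/shorewall/rules (not the poster's file).
# Assumption: the firewall's own sshd listens on port 2225.
# The public address is NOT configured on enp1s0 (the ISP hands out
# 192.168.15.145 and translates it), so it must be written literally
# in the ORIGINAL DEST column rather than as the &enp1s0 shorthand.
#
#ACTION      SOURCE   DEST    PROTO   DEST    SOURCE    ORIGINAL
#                                     PORT    PORT(S)   DEST
REDIRECT     loc      2225    tcp     2225    -         46.x.x.x
```

`REDIRECT` rewrites the destination of matching packets from the loc zone to the firewall itself (the address of the interface they arrived on) and, unlike `REDIRECT-`, also generates the corresponding ACCEPT rule, so the existing `SSH(ACCEPT) loc $FW` line (which only covers port 22) does not need to change. Run `shorewall check` before `shorewall reload`, then test from a LAN host with `ssh -p 2225 user@46.x.x.x`. If the SSH service were on a separate LAN host instead of the firewall, the same FAQ entry uses a `DNAT` rule with `loc` as the source and the public address in ORIGINAL DEST, together with an SNAT entry for the loc interface so that replies return through the firewall.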

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users