Gentoo Forums
some problems with shorewall...
chammer
Joined: 19 May 2003
Posts: 43
Location: Newport News, VA

Posted: Sat Jan 31, 2004 10:13 pm    Post subject: some problems with shorewall...

First off, here's my rules file:

Code:

# handle dns queries here on mercury:
ACCEPT net fw tcp 53
ACCEPT net fw tcp 53
ACCEPT net all tcp 53
ACCEPT net all udp 53
DNAT net loc:192.168.1.11 tcp 53
DNAT net loc:192.168.1.11 udp 53

# handle external ftp queries here locally:
ACCEPT net fw tcp 21

# keep ssh here locally for external hosts:
ACCEPT net fw tcp 22

# transparent proxy'ing for the lan:
DROP:warning net fw tcp 3128 3128
REDIRECT loc 3128 tcp 80 -

# forward vnc requests to orion:
DNAT net loc:192.168.1.1 tcp 5900

# the forwards for fshost on neptune:
DNAT net loc:192.168.1.4 tcp 81
DNAT net loc:192.168.1.4 tcp 23456
DNAT net loc:192.168.1.4 tcp 47624
DNAT net loc:192.168.1.4 tcp 2300:2400
DNAT net loc:192.168.1.4 tcp 4600:4799
DNAT net loc:192.168.1.4 tcp 8092:8094

# accept icmp pings
ACCEPT all fw icmp


Having a few problems. First off, DNS queries are not getting through unless I add all that junk AND a DNAT entry. This doesn't seem correct to me, but it's the only combination I've found that allows the queries to get through (I run DNS for my domain on .11, so it needs to be accessed by the world).

Secondly, I've tried that "hack" for 23456 and it doesn't work. I run a flight sim server (fshost) on .4 as you can see, and all those ports need to be open... but they are all reporting closed when I nmap from an external box. Since the hack doesn't work, I haven't a clue what else to try to force these ports open.

All the other ports work as they should; using a simple ACCEPT net fw tcp 21, FTP from external hosts works as it should. The DNAT net loc:192.168.1.1 tcp 5900 works flawlessly as well.

Am I missing something? Why can't DNS be handled as simply as ACCEPT net fw tcp 53, and why, no matter what I try, can't I get 23456 open? 23456, however, isn't the only one that needs to be open, but it's the one I'm working on right now. All the ones pointing to .4 need to be open.

.11, btw, is the machine handling the routing. Also, the .4 pointing to port 81 is working flawlessly. So it seems all the other .4's are "broken".

I'm really lost here, as I've gone through the manual and I'm out of ideas. Everything looks like it should work, but doesn't. And that stupid hack for DNS, while it does work, irritates me, and I'd rather condense it into one line if possible.

I've also added .1 and .4 into the proxyarp file just in case that would help, but it seems to have no effect.

Another quick question: should I just dump Shorewall and do this through iptables directly? It would seem a lot easier, I would think, since I really don't understand what Shorewall is doing behind the scenes.

I'd appreciate any help. Thanks.
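A small consistency checker for a Shorewall rules file, added here as an example and not part of the post above. It parses the classic column layout (ACTION SOURCE DEST PROTO DEST-PORT ...), reports exact duplicate lines, lists rules that overlap on the same source zone, protocol and port, and flags DNAT rules whose target is the firewall's own address; it assumes, as the post states, that 192.168.1.11 is the router itself, and the embedded rules are an abridged copy of the posted file.

```python
# Added example (not from the post): consistency checks over a Shorewall 1.x/2.x
# rules file. Columns: ACTION SOURCE DEST PROTO DEST-PORT [SOURCE-PORT] [ORIG-DEST].
from collections import Counter, defaultdict
# Constructed input: an abridged copy of the rules file quoted in the post.
RULES = """\
ACCEPT net fw tcp 53
ACCEPT net fw tcp 53
ACCEPT net all tcp 53
ACCEPT net all udp 53
DNAT net loc:192.168.1.11 tcp 53
DNAT net loc:192.168.1.11 udp 53
DROP:warning net fw tcp 3128 3128
REDIRECT loc 3128 tcp 80 -
DNAT net loc:192.168.1.4 tcp 23456
DNAT net loc:192.168.1.4 tcp 2300:2400
ACCEPT all fw icmp
"""
FW_ADDRS = {"192.168.1.11"}   # assumption taken from the post: .11 is the router/firewall

def parse_rules(text):
    """One dict per rule line; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        rules.append({"action": cols[0].split(":")[0], "src": cols[1], "dst": cols[2],
                      "proto": cols[3], "dport": cols[4] if len(cols) > 4 else "-",
                      "raw": " ".join(cols)})
    return rules

def find_duplicates(rules):
    """Exact duplicate lines: harmless, but a sign of trial-and-error editing."""
    return sorted(l for l, n in Counter(r["raw"] for r in rules).items() if n > 1)

def find_overlapping(rules):
    """(src, proto, dport) -> rule lines wherever more than one rule matches that traffic."""
    by_key = defaultdict(list)
    for r in rules:
        by_key[(r["src"], r["proto"], r["dport"])].append(r["raw"])
    return {k: v for k, v in by_key.items() if len(v) > 1}

def find_self_dnat(rules, fw_addrs):
    """DNAT rules aimed at the firewall's own address; a service on the firewall is opened with ACCEPT <zone> fw."""
    hits = []
    for r in rules:
        host = r["dst"].partition(":")[2].split(":")[0]   # zone:host[:port] -> host
        if r["action"] == "DNAT" and host in fw_addrs:
            hits.append(r["raw"])
    return hits
```

Run it against the real file with `parse_rules(open("/etc/shorewall/rules").read())`; rules that show up in more than one report are the first ones to simplify.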