Quote:
Originally Posted by Skubi
My internet works on local computers (behind the firewall), but I can't get the firewall to forward ports, so I could use DC++ and uTorrent and things like that.
Any ideas?
P.S. I could have some lines too many, because I was trying other things. So if there is anything too much, let me know.
DNAT rules are used for port forwarding. You already have one good DNAT rule to forward TCP port 7000 to your inside PC.
Code:
DNAT net loc:192.168.2.196 tcp 7000
You need to add additional DNAT rules for each protocol you want forwarded to your PC. To do this, you need to read the program documentation to find out what protocol and port(s) it uses. BitTorrent clients typically use one or more TCP (and sometimes UDP) ports in the range 6881-6999. I use Azureus, which lets you hard code a single port number to use, for example 6882. I don't know about uTorrent, but hopefully it has a similar feature. If you want to forward TCP port 6882, you need to add:
Code:
DNAT net loc:192.168.2.196 tcp 6882
Then add another line for DC++ (I can't tell from the documentation if it uses port 612, 1412 or both).
BTW, you could optimize your shorewall config a little bit.
1) I recommend you remove the line "ACCEPT loc all all" from the rules file and add the line "loc all ACCEPT" to the top of the policy file.
2) I recommend you change the "net all DROP" policy line to "net all DROP info", at least while you are trying to troubleshoot firewall rules. You'll get lots of garbage too, but you can remove the "info" later.
3) The rule "ACCEPT net all tcp 80" can be removed. All it does is open up port 80 on the firewall to the Internet, and you do that more clearly in the later rule "ACCEPT net fw tcp ssh,www,https,...".
4) I recommend you change the rule "ACCEPT net fw icmp 8" to "ACCEPT all all icmp 0,3,8,11". It'll make your life easier. BTW, 0,3,8,11 mean "echo reply, destination unreachable, echo request and time exceeded".
5) The rule "ACCEPT net fw udp https" can be removed. HTTPS doesn't use UDP at all.
6) The rule "DNAT fw loc:192.168.2.196 tcp 7000" is meaningless. The firewall doesn't need NAT to access inside machines.
Good Luck!
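The reply above describes the forwarding rules and the six cleanups one item at a time; the two fragments below pull them together into what the relevant parts of the shorewall policy and rules files would look like afterwards. This is an added example, not config posted by either participant: the inside PC address 192.168.2.196 and ports 7000 and 6882 come from the thread, the UDP 6882 line and the DC++ placeholder are assumptions you only keep if your client's documentation confirms those ports, and the "..." in the service list stands for whatever else was already in that rule.

```text
# /etc/shorewall/policy  (column order: SOURCE  DEST  POLICY  LOG LEVEL)
# "loc all ACCEPT" goes at the top, replacing the old "ACCEPT loc all all" rule.
loc     all     ACCEPT
# "info" logs every dropped Internet packet to syslog; remove it once the
# forwarding works, or the log fills up with background noise.
net     all     DROP    info
# ...keep the rest of your existing policy lines below this point...

# /etc/shorewall/rules  (column order: ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# One ACCEPT for the services the firewall itself offers to the Internet; the
# separate "ACCEPT net all tcp 80" line is redundant and is gone.
ACCEPT  net     fw                  tcp     ssh,www,https,...
# Replaces "ACCEPT net fw icmp 8": echo reply, dest. unreachable, echo request,
# time exceeded, in both directions, so ping and traceroute behave sensibly.
ACCEPT  all     all                 icmp    0,3,8,11
# Port forwards to the inside PC. Only "net" as the source makes sense here;
# the old "DNAT fw loc:... tcp 7000" line is dropped, and so is
# "ACCEPT net fw udp https".
DNAT    net     loc:192.168.2.196   tcp     7000
DNAT    net     loc:192.168.2.196   tcp     6882
# Assumption: add this only if the torrent client is also set to use UDP 6882.
DNAT    net     loc:192.168.2.196   udp     6882
# DC++: add a DNAT line for 612 and/or 1412 once the documentation says which.
```

After editing, run `shorewall check` to catch syntax mistakes before `shorewall restart`, then confirm the forwards really landed in the kernel with `iptables -t nat -nL PREROUTING`: each DNAT line should show up as a `DNAT` target with `to:192.168.2.196:<port>`. If a forward still fails after that, the usual culprits are the client not actually listening on the port you forwarded, or the PC's own software firewall blocking it.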