LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 12-12-2009, 10:49 PM   #1
Synt4x_3rr0r
Member
 
Registered: Nov 2005
Location: Sweden
Distribution: Arch Linux 64bit with Gnome
Posts: 138

Rep: Reputation: 15
Shorewall: port forwarding problem, port is closed even after forwarding


I have just set up shorewall on my router running Arch Linux. The external network is on eth0 and the internal network on eth1.
I have set it up for masquerading and that works fine and I can open ports to the firewall. But I'm having trouble with port forwarding to my internal machines.

The problem I have is that when port 22350 is forwarded to 192.168.1.3 on my local network, checking the port with nmap from a remote computer gives me:
Code:
PORT      STATE  SERVICE
22350/tcp closed unknown
This is what nmap says without any forwarding rule on the port:
Code:
PORT      STATE  SERVICE
22350/tcp filtered unknown
So it appears that what the rule is actually doing is closing the port for some reason.
And before you ask, yes, the torrent application is running.

I feel like I have tried everything I can but obviously there is something I have missed. Anyone know?
Here are my configs:

In my /etc/shorewall/zones i have this:
Code:
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE	TYPE		OPTIONS		IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net     ipv4
loc     ipv4
/etc/shorewall/interfaces:
Code:
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
net     eth0            detect
loc     eth1            detect
/etc/shorewall/masq:
Code:
#
# Shorewall version 4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC MARK	USER/
#											GROUP
eth0                    eth1
/etc/shorewall/policy:
Code:
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
#				LEVEL	BURST		MASK
$FW     net     ACCEPT
$FW     loc     ACCEPT
loc     net     ACCEPT
loc     $FW     ACCEPT
net     all     DROP            info
all     all     REJECT          info
/etc/shorewall/rules:
Code:
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
COMMENT Torrent Ports
DNAT            net             loc:192.168.1.3 tcp     22350
DNAT            net             loc:192.168.1.3 udp     22350
DNAT            net             loc:192.168.1.7 tcp     2002
DNAT            net             loc:192.168.1.7 udp     2002
COMMENT SSH
ACCEPT          net             $FW             tcp     2223
ACCEPT          net             $FW             udp     2223
COMMENT Webserver & FTP
ACCEPT          net             $FW             tcp     80,21
ACCEPT          net             $FW             tcp     11000:11020
COMMENT Webmin
ACCEPT          net             $FW             tcp     9999
Oh and here is my iptables -vL output on the firewall/router in case that helps:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  109  6561 dynamic    all  --  any    any     anywhere             anywhere            state INVALID,NEW 
 3730  361K net2fw     all  --  eth0   any     anywhere             anywhere            
 7973 8462K loc2fw     all  --  eth1   any     anywhere             anywhere            
    8   400 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 Reject     all  --  any    any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:' 
    0     0 reject     all  --  any    any     anywhere             anywhere            [goto] 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   63  3346 dynamic    all  --  any    any     anywhere             anywhere            state INVALID,NEW 
   66  3729 net2loc    all  --  eth0   eth1    anywhere             anywhere            
   66  3374 loc2net    all  --  eth1   eth0    anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 Reject     all  --  any    any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:' 
    0     0 reject     all  --  any    any     anywhere             anywhere            [goto] 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2631  970K fw2net     all  --  any    eth0    anywhere             anywhere            
 6912  612K fw2loc     all  --  any    eth1    anywhere             anywhere            
    8   400 ACCEPT     all  --  any    lo      anywhere             anywhere            
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 Reject     all  --  any    any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:' 
    0     0 reject     all  --  any    any     anywhere             anywhere            [goto] 

Chain Drop (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   51  3081            all  --  any    any     anywhere             anywhere            
    0     0 reject     tcp  --  any    any     anywhere             anywhere            tcp dpt:auth /* Auth */ 
   51  3081 dropBcast  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp fragmentation-needed /* Needed ICMP types */ 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded /* Needed ICMP types */ 
   24  1401 dropInvalid  all  --  any    any     anywhere             anywhere            
    0     0 DROP       udp  --  any    any     anywhere             anywhere            multiport dports loc-srv,microsoft-ds /* SMB */ 
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn /* SMB */ 
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535 /* SMB */ 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */ 
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:1900 /* UPnP */ 
   15   876 dropNotSyn  tcp  --  any    any     anywhere             anywhere            
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:domain /* Late DNS Replies */ 

Chain Reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  any    any     anywhere             anywhere            
    0     0 reject     tcp  --  any    any     anywhere             anywhere            tcp dpt:auth /* Auth */ 
    0     0 dropBcast  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp fragmentation-needed /* Needed ICMP types */ 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded /* Needed ICMP types */ 
    0     0 dropInvalid  all  --  any    any     anywhere             anywhere            
    0     0 reject     udp  --  any    any     anywhere             anywhere            multiport dports loc-srv,microsoft-ds /* SMB */ 
    0     0 reject     udp  --  any    any     anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn /* SMB */ 
    0     0 reject     udp  --  any    any     anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535 /* SMB */ 
    0     0 reject     tcp  --  any    any     anywhere             anywhere            multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */ 
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:1900 /* UPnP */ 
    0     0 dropNotSyn  tcp  --  any    any     anywhere             anywhere            
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:domain /* Late DNS Replies */ 

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   21  1512 DROP       all  --  any    any     anywhere             anywhere            ADDRTYPE match dst-type BROADCAST 
    6   168 DROP       all  --  any    any     anywhere             BASE-ADDRESS.MCAST.NET/4 

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   240 DROP       all  --  any    any     anywhere             anywhere            state INVALID 

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN 

Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6912  612K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2365  954K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
  266 15812 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 7973 8462K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   63  3186 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    3   188 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  any    any     anywhere             anywhere            

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3625  355K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:ircd:6668 /* IRC */ 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:2223 /* SSH */ 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:2223 /* SSH */ 
    5   300 ACCEPT     tcp  --  any    any     anywhere             anywhere            multiport dports www,ftp /* Webserver & FTP */ 
   44  2640 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:11000:11020 /* Webserver & FTP */ 
    5   300 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:9999 /* Webmin */ 
   51  3081 Drop       all  --  any    any     anywhere             anywhere            
   18  1161 LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `Shorewall:net2fw:DROP:' 
   18  1161 DROP       all  --  any    any     anywhere             anywhere            

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   571 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
   50  2480 ACCEPT     tcp  --  any    any     anywhere             192.168.1.3         tcp dpt:22350 /* Torrent Ports */ 
   10   678 ACCEPT     udp  --  any    any     anywhere             192.168.1.3         udp dpt:22350 /* Torrent Ports */ 
    0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.1.7         tcp dpt:2002 /* Torrent Ports */ 
    0     0 ACCEPT     udp  --  any    any     anywhere             192.168.1.7         udp dpt:2002 /* Torrent Ports */ 
    0     0 Drop       all  --  any    any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `Shorewall:net2loc:DROP:' 
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere            ADDRTYPE match src-type BROADCAST 
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere            
    0     0 DROP       igmp --  any    any     anywhere             anywhere            
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            reject-with tcp-reset 
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     0.0.0.0              anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere            ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:' 
    0     0 DROP       all  --  any    any     anywhere             anywhere            ADDRTYPE match src-type BROADCAST 
    0     0 LOG        all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere            LOG level info prefix `Shorewall:smurfs:DROP:' 
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
Sorry for all the CODE boxes, but there are a lot of settings that I feel are important to include here.
If there's any other info that I forgot that is important to solve this problem then please tell me what you need.
And if you have any other tips on how to better configure shorewall on a two-interface router, I will be happy to hear them too.
 
Old 12-13-2009, 03:50 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Shorewall - is tool for build a rules for iptables.

If I'm right, please post here output for "iptables-save"
 
Old 12-13-2009, 04:36 PM   #3
Synt4x_3rr0r
Member
 
Registered: Nov 2005
Location: Sweden
Distribution: Arch Linux 64bit with Gnome
Posts: 138

Original Poster
Rep: Reputation: 15
Thanks for your reply. I just solved the issue though, and I'm quite embarrassed to say that the problem was caused by this line in rtorrent.rc:

bind = 192.168.1.1

So rtorrent was just listening on the wrong network all along... Oh well. :P

In my previous post there was also another problem in the rules file. rtorrent runs on the gateway itself, but in my post i had forwarded it to another computer. Another embarrassing mistake. So there was not really a problem in the first place.

Last edited by Synt4x_3rr0r; 12-13-2009 at 04:39 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Shorewall Port Forwarding efm Linux - Networking 2 12-01-2010 12:22 AM
Shorewall : So simple , yet so hard (Help with port forwarding) Wynand1 Linux - Networking 1 05-09-2006 12:33 AM
Shorewall port forwarding problem kresho Linux - Networking 0 01-26-2006 07:53 AM
MNF and Shorewall port forwarding apoc63 Linux - Networking 2 05-18-2005 10:39 AM
Shorewall - Port forwarding BrianNJ Linux - Networking 0 05-24-2004 08:00 AM


All times are GMT -5. The time now is 04:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration