I have just set up shorewall on my router running Arch Linux. The external network is on eth0 and the internal network on eth1.
I have set it up for masquerading and that works fine and I can open ports to the firewall. But I'm having trouble with port forwarding to my internal machines.
The problem I have is that when port 22350 is forwarded to 192.168.1.3 on my local network, checking the port with nmap from a remote computer gives me:
Code:
PORT STATE SERVICE
22350/tcp closed unknown
This is what nmap says without any forwarding rule on the port:
Code:
PORT STATE SERVICE
22350/tcp filtered unknown
So it appears that what the rule is actually doing is closing the port for some reason.
And before you ask, yes, the torrent application is running.
I feel like I have tried everything I can but obviously there is something I have missed. Anyone know?
Here are my configs:
In my /etc/shorewall/zones I have this:
Code:
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
/etc/shorewall/interfaces:
Code:
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect
/etc/shorewall/masq:
Code:
#
# Shorewall version 4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP
eth0 eth1
/etc/shorewall/policy:
Code:
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
$FW net ACCEPT
$FW loc ACCEPT
loc net ACCEPT
loc $FW ACCEPT
net all DROP info
all all REJECT info
/etc/shorewall/rules:
Code:
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
COMMENT Torrent Ports
DNAT net loc:192.168.1.3 tcp 22350
DNAT net loc:192.168.1.3 udp 22350
DNAT net loc:192.168.1.7 tcp 2002
DNAT net loc:192.168.1.7 udp 2002
COMMENT SSH
ACCEPT net $FW tcp 2223
ACCEPT net $FW udp 2223
COMMENT Webserver & FTP
ACCEPT net $FW tcp 80,21
ACCEPT net $FW tcp 11000:11020
COMMENT Webmin
ACCEPT net $FW tcp 9999
Oh, and here is my iptables -vL output on the firewall/router in case that helps:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
109 6561 dynamic all -- any any anywhere anywhere state INVALID,NEW
3730 361K net2fw all -- eth0 any anywhere anywhere
7973 8462K loc2fw all -- eth1 any anywhere anywhere
8 400 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- any any anywhere anywhere [goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
63 3346 dynamic all -- any any anywhere anywhere state INVALID,NEW
66 3729 net2loc all -- eth0 eth1 anywhere anywhere
66 3374 loc2net all -- eth1 eth0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- any any anywhere anywhere [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2631 970K fw2net all -- any eth0 anywhere anywhere
6912 612K fw2loc all -- any eth1 anywhere anywhere
8 400 ACCEPT all -- any lo anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- any any anywhere anywhere [goto]
Chain Drop (2 references)
pkts bytes target prot opt in out source destination
51 3081 all -- any any anywhere anywhere
0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth /* Auth */
51 3081 dropBcast all -- any any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded /* Needed ICMP types */
24 1401 dropInvalid all -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
0 0 DROP udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
0 0 DROP udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
0 0 DROP tcp -- any any anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
0 0 DROP udp -- any any anywhere anywhere udp dpt:1900 /* UPnP */
15 876 dropNotSyn tcp -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Reject (3 references)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere
0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth /* Auth */
0 0 dropBcast all -- any any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded /* Needed ICMP types */
0 0 dropInvalid all -- any any anywhere anywhere
0 0 reject udp -- any any anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
0 0 reject udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
0 0 reject udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
0 0 reject tcp -- any any anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
0 0 DROP udp -- any any anywhere anywhere udp dpt:1900 /* UPnP */
0 0 dropNotSyn tcp -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
21 1512 DROP all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
6 168 DROP all -- any any anywhere BASE-ADDRESS.MCAST.NET/4
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
6 240 DROP all -- any any anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (2 references)
pkts bytes target prot opt in out source destination
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
6912 612K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any anywhere anywhere
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
2365 954K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
266 15812 ACCEPT all -- any any anywhere anywhere
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
7973 8462K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any anywhere anywhere
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
63 3186 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 188 ACCEPT all -- any any anywhere anywhere
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- any any anywhere anywhere
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
3625 355K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpts:ircd:6668 /* IRC */
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:2223 /* SSH */
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:2223 /* SSH */
5 300 ACCEPT tcp -- any any anywhere anywhere multiport dports www,ftp /* Webserver & FTP */
44 2640 ACCEPT tcp -- any any anywhere anywhere tcp dpts:11000:11020 /* Webserver & FTP */
5 300 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9999 /* Webmin */
51 3081 Drop all -- any any anywhere anywhere
18 1161 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:net2fw:DROP:'
18 1161 DROP all -- any any anywhere anywhere
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
6 571 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
50 2480 ACCEPT tcp -- any any anywhere 192.168.1.3 tcp dpt:22350 /* Torrent Ports */
10 678 ACCEPT udp -- any any anywhere 192.168.1.3 udp dpt:22350 /* Torrent Ports */
0 0 ACCEPT tcp -- any any anywhere 192.168.1.7 tcp dpt:2002 /* Torrent Ports */
0 0 ACCEPT udp -- any any anywhere 192.168.1.7 udp dpt:2002 /* Torrent Ports */
0 0 Drop all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:net2loc:DROP:'
0 0 DROP all -- any any anywhere anywhere
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
0 0 DROP igmp -- any any anywhere anywhere
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any 0.0.0.0 anywhere
0 0 LOG all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST
0 0 LOG all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
Sorry for all the CODE boxes, but there are a lot of settings that I feel are important to include here.
If there's any other info that I forgot that is important to solve this problem then please tell me what you need.
And if you have any other tips on how to better configure shorewall on a two-interface router, I will be happy to hear them too.
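As an added diagnostic example (not part of the original post), this Python script parses the posted net2loc counters and combines them with nmap's closed/filtered verdict: for the chain above, the 50 ACCEPTed packets towards 192.168.1.3:22350 together with a "closed" result point at the internal host rather than at the router. The sample text is copied from the post; the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the net2loc chain copied from the iptables -vL output above.
SAMPLE_NET2LOC = """\
Chain net2loc (1 references)
 pkts bytes target prot opt in out source destination
 6 571 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 50 2480 ACCEPT tcp -- any any anywhere 192.168.1.3 tcp dpt:22350 /* Torrent Ports */
 10 678 ACCEPT udp -- any any anywhere 192.168.1.3 udp dpt:22350 /* Torrent Ports */
 0 0 ACCEPT tcp -- any any anywhere 192.168.1.7 tcp dpt:2002 /* Torrent Ports */
 0 0 Drop all -- any any anywhere anywhere
"""

@dataclass
class Rule:
    pkts: int            # packet counter (column 1 of iptables -vL)
    target: str
    proto: str
    dst: str
    dport: Optional[str]

def parse_chain(text: str) -> List[Rule]:
    """Parse the rule lines of one `iptables -vL` chain; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue
        m = re.search(r"\bdpt:(\S+)", line)
        rules.append(Rule(int(f[0]), f[2], f[3], f[8], m.group(1) if m else None))
    return rules

def forwarded_pkts(rules: List[Rule], dst: str, proto: str, dport: str) -> int:
    """Packets the FORWARD path ACCEPTed towards dst:dport, i.e. after DNAT rewrote them."""
    return sum(r.pkts for r in rules
               if r.target == "ACCEPT" and (r.dst, r.proto, r.dport) == (dst, proto, dport))

def diagnose(nmap_state: str, pkts: int) -> str:
    """Combine the external nmap verdict with the router-side counter."""
    if nmap_state == "open":
        return "forwarding works"
    if pkts == 0:
        return "no packets reached net2loc: the DNAT rule is not matching (check the nat PREROUTING counters)"
    if nmap_state == "closed":
        # A RST came back through the router, so the SYN did reach the internal host.
        return "packets were forwarded but the internal host answered RST: nothing listens on that port there (or its host firewall rejects it)"
    return "packets were forwarded but nothing came back: check the internal host's default route and host firewall"
```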