Slackware - This Forum is for the discussion of Slackware Linux.
I have 3 computers at home. Slack is a DHCP server and router, my computer, and my brother has one. I have set up shorewall, but on the computer of my brother the ports stayed closed.
settings:
ZONES
###############################################################################
#ZONE   TYPE      OPTIONS       IN             OUT
#                               OPTIONS        OPTIONS
fw      firewall
net     ipv4
loc     ipv4
RULES
###############################################################################
#ACTION  SOURCE  DEST               PROTO  DEST                                                    SOURCE   ORIGINAL  RATE   USER/  MARK
#                                          PORT                                                    PORT(S)  DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT   all     all                icmp   0,3,8,11
ACCEPT   fw      net                icmp
ACCEPT   net     fw                 tcp    www,https,smtp,pop3,pop3s,imap2,imaps,submission,2869
ACCEPT   net     fw                 udp    1900
ACCEPT   loc     fw                 tcp    7000
ACCEPT   net     fw                 tcp    7000
ACCEPT   fw      net                tcp    7000
ACCEPT   loc     all                tcp    ssh
ACCEPT   net     loc:192.168.2.194  tcp    7000:8000
DNAT     net     loc:192.168.2.196  tcp    7002
DNAT     net     loc:192.168.2.196  tcp    6881:6999
DNAT     net     loc:192.168.2.196  tcp    7000:8000
DNAT     net     loc:192.168.2.196  tcp    2869
DNAT     net     loc:192.168.2.196  udp    1900
DNAT     net     loc:192.168.2.196  tcp    7003
DNAT     net     loc:192.168.2.194  tcp    6881:6999
DNAT     net     loc:192.168.2.194  tcp    7000:8000
DNAT     net     loc:192.168.2.194  tcp    7001
DNAT     net     loc:192.168.2.194  tcp    8888
DNAT     net     loc:192.168.2.194  tcp    8081
DNAT     net     loc:192.168.2.194  udp    8081
NAT
###############################################################################
#EXTERNAL        INTERFACE  INTERNAL       ALL         LOCAL
#                                          INTERFACES
xxx.xxx.75.142   eth1       192.168.2.194  yes         yes
xxx.xxx.75.142   eth1       192.168.2.196  yes         yes
POLICY
###############################################################################
#SOURCE  DEST  POLICY  LOG    LIMIT:BURST
#                      LEVEL
fw       net   ACCEPT
fw       loc   ACCEPT
net      all   DROP    info
all      all   REJECT
loc      net   ACCEPT
loc      fw    ACCEPT
#LAST LINE -- DO NOT REMOVE
MASQ
###############################################################################
#INTERFACE  SOURCE  ADDRESS  PROTO  PORT(S)  IPSEC  MARK
eth1        eth0
On my computer (192.168.2.196) most ports work, but not all. On my brother's (192.168.2.194) none of them work.
Any suggestions? And if anybody knows, is there a newer version of shorewall?
I have:
Shorewall-3.4.4 Status at skubi - Sun Jan 20 15:28:59 CET 2008
Shorewall is running
State:Started (Fri Feb 5 23:43:14 CET 1999)
It seems to me that you need to trim down your configuration a bit. There are rules that are not needed as the default policy allows it already. It is wise to keep the rules to a minimum, as it gets easier to deal with if you need to troubleshoot it. Also, my understanding of DNAT is to forward traffic to a specific host when called for. But in your rules section there are DNAT rules to several hosts. How can shorewall tell which is which? Perhaps something like this could work:
Code:
ACCEPT loc net tcp 6881:7003
ACCEPT net loc tcp 6881:7003
I'm not 100% sure but I don't think you can DNAT all those ports to more than one host. Seems to me like these ports are for filesharing, games and the like, and you need them to be accessible on the local side by any computer that might sit there. If so I'd go for a general ACCEPT rule like above. Also worth mentioning is to set a log level of "debug" on every rule that you have to begin with. Then tell shorewall.conf to write logs to its own file such as /var/log/shorewall/shorewall.log and follow it in real-time with
Code:
tail -f /var/log/shorewall/shorewall.log
This will give you more info to work with when troubleshooting shorewall.
Hope it works out.
Ok, I managed to make torrents work. Nice. I use port 7001 or 7002.
I have another question, if anybody knows. I have a webcam, and have a program for the webcam. It uses port TCP 8888 and TCP 8081 and UDP 8081. Does anybody know how to add it to shorewall, because under DNAT it does not work.
I tried DNAT loc:192.168.2.194 net 8888
and the same with redirect and things like that, but I am without ideas; I always get an error, and it stops the firewall.
So any ideas how to add it, so I could access it from the internet? So my friends could see me.
And for Live Messenger sharing, what ports to open?
The reason your firewall does not start again is that you wrote the rule the wrong way. Try this for the webcam:
DNAT net loc:192.168.2.194 tcp 8888
If this is not enough you could try to add similar rules for the other ports you mention, take one at a time.
If you want to allow incoming traffic on that port to reach more than one computer on the lan side you could try ACCEPT instead of DNAT.
I googled your question with: "Live messenger ports" and found this:
Windows Live Messenger is an updated version of MSN Messenger and uses similar ports. As part of a forum to Microsoft's web site and other web sites (e.g. www.cyberphaze.net - not currently online) it seems that Windows Live Messenger uses:
Messenger server: port 1493, 1542, 1863, 1963, 80 TCP and 443 TCP
File Transfer/Sharing Folders: local: 1544 and 6891 - in fact 6720-65535 TCP from one source
Messenger Update: remote: 80 local: 1457
Remote Assistance (if available): 3389 TCP
Audio: local: , 1556, 11771, 13803 and generally 5004-65535 UDP
Remote Desktop and whiteboard: local/remote: 389, 522, 1503, 1720, and 1731
Launching Games: 80
Video Conference: TCP 9000-9999, 5004-65535 UDP + 80
Sign-In: remote: 443 local: 1484, 2400
Note - blocking TCP port 80 will stop users accessing web sites using Internet Explorer and other browsers.
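The two points made in the replies above (the same port range is DNATed to more than one host, and an inbound DNAT has to be written as net -> loc:host, not the other way round) can be checked mechanically before shorewall is restarted. This is an added example, not code from the thread or from the Shorewall project: a small Python audit over a rules file that flags reversed DNAT rules and proto/port ranges forwarded to more than one internal host. The sample rules are constructed from the ones posted in this thread.

```python
import re
from typing import List, Tuple

# Constructed sample, not a live config: the DNAT lines from the original
# post plus the mistyped webcam rule from the follow-up question.
SAMPLE_RULES = """\
SECTION NEW
ACCEPT  net  loc:192.168.2.194  tcp  7000:8000
DNAT    net  loc:192.168.2.196  tcp  7002
DNAT    net  loc:192.168.2.196  tcp  6881:6999
DNAT    net  loc:192.168.2.196  tcp  7000:8000
DNAT    net  loc:192.168.2.194  tcp  6881:6999
DNAT    net  loc:192.168.2.194  tcp  7000:8000
DNAT    net  loc:192.168.2.194  tcp  8888
DNAT    loc:192.168.2.194  net  8888
"""

def parse_ports(spec: str) -> Tuple[int, int]:
    """'7002' -> (7002, 7002); '6881:6999' -> (6881, 6999) (Shorewall uses ':')."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def audit_dnat(text: str) -> List[str]:
    """One finding per DNAT rule that is written backwards or that forwards a
    proto/port range already claimed by a different internal host."""
    findings: List[str] = []
    seen: List[Tuple[int, str, int, int, str]] = []  # (line, proto, lo, hi, host)
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or f[0] != "DNAT":          # comments, SECTION, ACCEPT etc.
            continue
        if len(f) < 5:                        # assumption: audited rules name ports
            findings.append(f"line {n}: DNAT needs SOURCE DEST PROTO PORT(S)")
            continue
        src, dst, proto, ports = f[1:5]
        host = dst.partition(":")[2]
        if ":" in src or not host:
            # Inbound forwarding reads 'DNAT net loc:<host> <proto> <port>';
            # 'DNAT loc:<host> net ...' is the reversed form that fails to load.
            findings.append(f"line {n}: DNAT should be 'net loc:<host>', got '{src} {dst}'")
            continue
        if not re.fullmatch(r"\d+(:\d+)?", ports):   # named ports are not compared
            continue
        lo, hi = parse_ports(ports)
        for m, p, slo, shi, shost in seen:
            if p == proto and shost != host and lo <= shi and slo <= hi:
                findings.append(f"line {n}: {proto} {ports} -> {host} overlaps "
                                f"line {m} ({slo}:{shi} -> {shost})")
        seen.append((n, proto, lo, hi, host))
    return findings
```

Run `audit_dnat(SAMPLE_RULES)` to see the three overlapping forwards and the reversed webcam rule reported with their line numbers.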