I have Shorewall set up on my router, but even though I've read up on how to set up port forwarding it doesn't seem to work.
Here's my /etc/shorewall/rules.conf
#
# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
# Copyright (C) 2006,2007 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
# Don't allow connection pickup from the net
#
Invalid(DROP) net all tcp
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) loc $FW
SSH(ACCEPT) net $FW TCP 3000
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
# Accept DNS connections from the local network to the firewall
#
DNS(ACCEPT) loc $FW
# Allow Webmin access from local net
#
ACCEPT loc $FW tcp 80
# Allow Transmission Traffic
DNAT net loc:192.168.1.100:51413 tcp 51413
DNAT net loc:192.168.1.100:32000 tcp 32000
DNAT net loc:192.168.1.114:6881 tcp 6881
DNAT net loc:192.168.1.114:8881 udp 8881
DNAT net loc:192.168.1.1:80 tcp 1017
Here's my /etc/shorewall/policy in case it's needed
#
# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT info
loc net ACCEPT info
net all REJECT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
SSH works internally, but not externally, and ping works both inside and outside of the network, web browsing also works fine. I just can't seem to get to anything inside the network from outside of the network. What am I doing wrong?
Last edited by brando56894 (2014-04-02 04:04:34)
This line:
SSH(ACCEPT) net $FW TCP 3000
looks suspicious. Use either SSH(ACCEPT) (which is a macro, pointing to port 22) or the target protocol/port.
For your DNAT issue, see this page.
Last edited by Tarqi (2014-04-01 16:57:12)
Knowing others is wisdom, knowing yourself is enlightenment. ~Lao Tse
I've gotten it to partially work by not specifying destination ports. Plex now connects and can be seen from my.plexapp.com although I still can't get to SSH or anything else to actually work.
##############################
###### Port Forwarding #######
##############################
#ACTION SOURCE DEST PROTO DEST PORT(S)
#DNAT net loc:<server local ip address>[:<server port>] <protocol> <port>
DNAT net loc:192.168.1.100:51413 tcp #51413
DNAT net loc:192.168.1.100:32400 tcp #32400
DNAT net loc:192.168.1.114:6881 tcp #6881
DNAT net loc:192.168.1.114:8881 udp #8881
DNAT net loc:192.168.1.1:80 tcp 1017
DNAT net loc:192.168.1.100:8081 tcp 8081
For SSH do you mean something like this?
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) loc $FW
ACCEPT net $FW TCP 3000
I assume your $FW is connected directly to the internet. I also assume your SSHD is running on port 3000. So if you want to connect to it from the internet or the LAN, remove both lines and just place
ACCEPT all $FW TCP 3000
instead.
DNAT explanation:
DNAT net loc:192.168.1.1:80 tcp 1017
will forward tcp port 1017 on the firewall to 192.168.1.1 port 80. This should work with every service. However, since you are using bittorrent, you might need to forward port ranges instead of a single port.
Last edited by Tarqi (2014-04-01 19:03:12)
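To make the DNAT explanation above concrete, here is an added shell script (mine, not from the thread and not from Shorewall) that expands a DNAT rule line into the iptables rules Shorewall compiles it to: one nat/PREROUTING rule that rewrites the destination, and one FORWARD accept for the rewritten packet, which is why a DNAT line needs no separate ACCEPT. It also lists DNAT lines whose DEST PORT(S) column is empty, because Shorewall then forwards every port of that protocol to the target. The second rules file in this thread has its port numbers behind `#`, which makes them comments rather than DEST PORT(S) values, so its first TCP DNAT line catches all TCP from net before the later TCP DNAT lines can match. The interface names extern0/intern0 are assumptions taken from the router description later in the thread, and the chain names are the plain iptables equivalents rather than Shorewall's own net2loc-style chains.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): expand Shorewall DNAT
# rule lines into the equivalent iptables rules and flag catch-all DNAT lines.
# Interface names are assumptions (the thread's router uses extern0/intern0).
EXT_IF=${EXT_IF:-extern0}   # interface in the "net" zone
INT_IF=${INT_IF:-intern0}   # interface in the "loc" zone

# dnat_to_iptables "<DNAT rule line>"
# Prints the nat/PREROUTING rewrite and the filter/FORWARD accept it implies.
dnat_to_iptables() {
    # strip a trailing comment, then split the columns into $1..$n
    set -- $(printf '%s\n' "$1" | sed 's/#.*//')
    [ "$1" = "DNAT" ] || { echo "not a DNAT rule" >&2; return 1; }
    proto=$4
    dport=${5:--}                     # "-" or missing means "all ports"
    # DEST column is zone:ip[:port], e.g. loc:192.168.1.1:80
    rest=${3#*:}
    case $rest in
        *:*) ip=${rest%%:*}; tport=${rest#*:} ;;
        *)   ip=$rest;        tport= ;;
    esac
    # An empty DEST PORT(S) matches every $proto packet arriving from net,
    # so the rule shadows any later DNAT line for the same protocol.
    if [ "$dport" = "-" ]; then
        pre="-p $proto"
        fwd_port=$tport
    else
        pre="-p $proto --dport $dport"
        fwd_port=${tport:-$dport}
    fi
    printf 'iptables -t nat -A PREROUTING -i %s %s -j DNAT --to-destination %s%s\n' \
        "$EXT_IF" "$pre" "$ip" "${tport:+:$tport}"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s%s -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$ip" "$proto" "${fwd_port:+ --dport $fwd_port}"
}

# catchall_dnat <rules-file>: print the DNAT lines that have no DEST PORT(S)
catchall_dnat() {
    sed 's/#.*//' "$1" | awk '$1 == "DNAT" && ($5 == "" || $5 == "-") { print }'
}

# write_sample_rules <file>: constructed sample mirroring the thread's second
# rules file, where the port numbers sit behind "#" and so are comments.
write_sample_rules() {
    cat > "$1" <<'EOF'
SECTION NEW
ACCEPT all $FW tcp 3000
DNAT net loc:192.168.1.100:51413 tcp #51413
DNAT net loc:192.168.1.100:32400 tcp #32400
DNAT net loc:192.168.1.114:8881 udp #8881
DNAT net loc:192.168.1.1:80 tcp 1017
EOF
}

tmp=$(mktemp)
write_sample_rules "$tmp"
echo "# DNAT lines that forward a whole protocol:"
catchall_dnat "$tmp"
echo "# what the first of them compiles to:"
dnat_to_iptables 'DNAT net loc:192.168.1.100:51413 tcp #51413'
echo "# what the webmin forward compiles to:"
dnat_to_iptables 'DNAT net loc:192.168.1.1:80 tcp 1017'
rm -f "$tmp"
```

Run it as a plain script; the expansion of the 51413 line shows a PREROUTING rule with no `--dport`, i.e. every TCP connection from the internet is rewritten to 192.168.1.100:51413. For a service on the firewall itself (the webmin rule targets 192.168.1.1, the router's own LAN address), Shorewall's documented mechanism is the REDIRECT action, for example `REDIRECT net 80 tcp 1017`, rather than a DNAT to the firewall's own address.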
Thanks for the explanation. I've done that but it doesn't seem to be working. I'm testing everything from my Note 3, so it's definitely outside of my network; my external address pings, but nothing will connect to it, not even SSH.
I sent you a link showing my network map so you can get a feel for how I have everything set up.
Here's my rules once again
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
#
# Don't allow connection pickup from the net
#
Invalid(DROP) net all tcp
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
#
# Accept SSH connections from the local network and internet for administration
#
ACCEPT all $FW TCP 3000
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
# Accept DNS connections from the local network to the firewall
#
DNS(ACCEPT) loc $FW
# Allow Webmin access from local net
#
ACCEPT loc $FW tcp 80
##############################
###### Port Forwarding #######
##############################
#ACTION SOURCE DEST PROTO DEST PORT(S)
#DNAT net loc:<server local ip address>[:<server port>] <protocol> <port>
DNAT net loc:192.168.1.100:51413 tcp #51413
DNAT net loc:192.168.1.100:32400 tcp #32400
DNAT net loc:192.168.1.114:6881 tcp #6881
DNAT net loc:192.168.1.114:8881 udp #8881
DNAT net loc:192.168.1.1:80 tcp 1017
DNAT net loc:192.168.1.100:8081 tcp 8081
I am sorry, but the picture you sent me is broken. It would be nice if you could put it on an image host and link to it here, so everyone who is interested in the problem can follow along.
Last edited by Tarqi (2014-04-01 21:19:25)
Here ya go
*removed*
Last edited by brando56894 (2014-04-02 03:50:51)
Ok, a couple of things:
a) Your Arch box is not connected directly to the internet, so you need to set up your cable modem for transparent bridging or as a DMZ.
b) Your SSHD on your Arch box is running on port 3031, not 3000.
First, try to reach the Arch Box from outside by configuring the comcast modem and shorewall.
Then we will look for the DNAT Issues.
EDIT: Maybe I misunderstood something: is the IP on your Arch box the internal one? And does it have an external one too? So set up SSH first, please.
Edit2: Again, Two-Interface is a very good and simple example for your setup. Be sure you have at least edited
/etc/shorewall/interfaces
/etc/shorewall/zones
/etc/shorewall/masq
/etc/shorewall/policy
/etc/shorewall/rules
Edit3: Your diagram is incomplete, since it's at least missing the DNS on the firewall. Please be more accurate.
Last edited by Tarqi (2014-04-01 23:07:55)
Even if the forum policy is more to give people the possibility to help themselves, I'd like to post a (hopefully) working configuration for the case above, so everyone trying to use Shorewall gets an idea how it works.
If someone finds errors, please let me know so I can correct this post. Thanks.
/etc/shorewall/interfaces
# change interface to your external iface
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
# change interface to your internal iface
# if running a dhcp server on your internal interface add ",dhcp" to the following line
# if the interface is a bridge add ",bridge" to the following line
loc eth1 nets=(192.168.1.0/24),tcpflags,nosmurfs,routefilter,logmartians
/etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
/etc/shorewall/masq
# INTERFACE is the outgoing (external) iface, SOURCE is the LAN to masquerade
# change interface to your external iface
eth0 192.168.1.0/24
/etc/shorewall/policy
$FW all ACCEPT # FW may talk to everyone
loc net ACCEPT # LAN may talk to the internet
net all DROP info # Drop everything not in rules file
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
/etc/shorewall/rules
SECTION NEW
### FIREWALL INCOMING ###
# MISC
Invalid(DROP) net all tcp # prevent connection pickup
Ping(DROP) net $FW # no ping from outside allowed
# ALL -> FW
ACCEPT all $FW tcp 3031 # SSH from internet and LAN
# LOC -> FW
Ping(ACCEPT) loc $FW # Ping from LAN to FW
DNS(ACCEPT) loc $FW # DNS from LAN to FW
HTTP(ACCEPT) loc $FW # Webmin access from LAN to FW
### FIREWALL OUTGOING ###
# not needed, because everything allowed in policy file
### DNAT RULES ###
# left out rules not found in the network diagram
# add them using the same scheme
DNAT net loc:192.168.1.100:32400 tcp 32400
DNAT net loc:192.168.1.100:8081 tcp 8081
# the following may not work, as it redirects to the FW itself
DNAT net loc:192.168.1.1:80 tcp 1017
Last edited by Tarqi (2014-04-01 23:40:46)
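As an added check (my script, not part of the thread and not part of Shorewall), the following shell script runs three consistency tests over a directory holding the five files listed in the post above. The masq INTERFACE column must be an interface of the net zone, because shorewall-masq(5) takes the outgoing interface there and the LAN to masquerade in SOURCE; the last policy line must be the all/all catch-all; and every zone named in policy or rules must be declared in zones. It writes constructed copies of the posted files to a temporary directory and takes the masq interface as a parameter, so both the LAN and the internet interface can be tried offline. On the real box, `shorewall check` remains the authoritative test.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): consistency checks for a
# two-interface Shorewall setup. Each check_* function prints one line per problem
# and nothing when the files look right. The sample files are constructed below.

# zone_of_iface <dir> <iface>: zone an interface is assigned to in "interfaces"
zone_of_iface() {
    sed 's/#.*//' "$1/interfaces" | awk -v i="$2" '$2 == i { print $1; exit }'
}

# check_masq <dir>: shorewall-masq(5) takes the OUTGOING interface in INTERFACE
# and the LAN to masquerade in SOURCE, so INTERFACE must belong to the net zone.
check_masq() {
    sed 's/#.*//' "$1/masq" | while read -r iface src rest; do
        [ -n "$iface" ] || continue
        z=$(zone_of_iface "$1" "$iface")
        [ "$z" = "net" ] || echo "masq: $iface is in zone '${z:-?}', expected the net interface"
    done
}

# check_policy <dir>: the "all all" catch-all must be the last policy line
check_policy() {
    last=$(sed 's/#.*//' "$1/policy" | awk 'NF { l = $1 " " $2 } END { print l }')
    [ "$last" = "all all" ] || echo "policy: last policy is '$last', expected 'all all'"
}

# check_zones <dir>: every zone used in policy or rules must be declared in zones
check_zones() {
    declared=$(sed 's/#.*//' "$1/zones" | awk 'NF { print $1 }')
    {
        sed 's/#.*//' "$1/policy" | awk 'NF { print $1; print $2 }'
        sed 's/#.*//' "$1/rules"  | awk 'NF && $1 != "SECTION" { print $2; print $3 }'
    } | sed 's/:.*//' | sort -u | while read -r z; do
        case $z in ''|all|'$FW'|fw) continue ;; esac
        echo "$declared" | grep -qx "$z" || echo "zones: '$z' is used but not declared"
    done
}

# run_checks <dir>: all checks; empty output means clean
run_checks() {
    check_masq "$1"; check_policy "$1"; check_zones "$1"
}

# write_sample <dir> <masq-interface>: constructed copies of the posted files
write_sample() {
    cat > "$1/zones" <<'EOF'
fw firewall
net ipv4
loc ipv4
EOF
    cat > "$1/interfaces" <<'EOF'
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc eth1 nets=(192.168.1.0/24),tcpflags,nosmurfs,routefilter,logmartians
EOF
    printf '%s 192.168.1.0/24\n' "$2" > "$1/masq"
    cat > "$1/policy" <<'EOF'
$FW all ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info
EOF
    cat > "$1/rules" <<'EOF'
SECTION NEW
Invalid(DROP) net all tcp
Ping(DROP) net $FW
ACCEPT all $FW tcp 3031
Ping(ACCEPT) loc $FW
DNS(ACCEPT) loc $FW
HTTP(ACCEPT) loc $FW
DNAT net loc:192.168.1.100:32400 tcp 32400
DNAT net loc:192.168.1.100:8081 tcp 8081
DNAT net loc:192.168.1.1:80 tcp 1017
EOF
}

d=$(mktemp -d)
write_sample "$d" eth1        # masq on the LAN interface: flagged
echo "with eth1 in masq:"; run_checks "$d"
write_sample "$d" eth0        # masq on the internet interface: clean
echo "with eth0 in masq:"; run_checks "$d"
rm -rf "$d"
```

With eth1 in masq the script prints one masq warning and nothing else; with eth0 it prints nothing, which is the state to aim for before running `shorewall check` and `shorewall restart` on the router.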
Wow thanks for all that! I haven't tested out your settings yet but I'll compare them to mine to see where they differ.
I've updated the map as much as I can, now I'll try to explain it as much as possible.
192.168.1.1 (Charin) is an Odroid-U2 running Arch Linux and is acting as my router. extern0 connects to my Arris cable modem that Comcast gave me and is set to DHCP; intern0 connects to my unmanaged switch (and the rest of the network) and is set to the static IP of 192.168.1.1. It is running SSHd on port 3001 (this was a typo, I don't know why it said 3031), DNSmasq on port 53, NTPd on whatever port it defaults to, and webmin on port 80. I use webmin as the GUI for it and would like it to be accessible from the internet on port 1017, as my ISP won't allow port 80.
192.168.1.114 (Ra) is my personal PC that runs Arch. I used to run all sorts of things on it, now I just want SSH to be accessible from the internet on port 3000.
192.168.1.100 (N4520) is my Network Attached Storage that runs a bunch of services, all of which I like to be accessible from the internet.
Edit: Got Plex to be visible outside of the network, and Sick Beard is also accessible; I don't think the others are, for some reason. I can't tell because my cell signal kept dropping down to EDGE (2G).
Last edited by brando56894 (2014-04-02 04:07:27)
So I think you now have enough information on how to set up your firewall the right way. Use the example from my previous post and you will be fine. If in doubt, see the links I gave you in this thread. When ready, please report your solution here and edit your first post to mark it as solved. Good luck.