Hi,

I have the following topology on our server, where we installed
Shorewall:

eth0 - public ip address: 1.2.3.4
tap0 - interface that we added to bridge br0; br0 has IP 10.1.1.1

The point of doing this is this article:

http://www.virtualbox.org/wiki/Advanced_Networking_Linux


The guest machine on VirtualBox has a bridged interface to br0 on the host
machine.

We have installed sipXecs on this guest, and we need to do symmetric NAT
and port forwarding to the guest machine.

I need to forward the traffic from eth0 (from the server's public IP
address) to the guest, which has IP address 10.1.1.2, for the following ports:

5060 udp, 5060 tcp, 5080 udp, 5080 tcp, range 30000-31000 udp, and port
81 on the host to be forwarded to 8443 on the guest.

For now I use iptables, and this is the result of the iptables-save command:

# Generated by iptables-save v1.3.5 on Mon Jul  5 15:41:00 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j LOG --log-level debug
-A FORWARD -j LOG --log-level debug
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 10.1.1.2 --dport 5060 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp --dport 5060 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp --dport 5080 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp --dport 30000:31000 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p tcp -m tcp --dport 8443 -j ACCEPT
-A FORWARD -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 82 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jul  5 15:41:00 2010
# Generated by iptables-save v1.3.5 on Mon Jul  5 15:41:00 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 5060 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -p tcp -d 87.xxx.xxx.43 --dport 5060 -j DNAT --to-destination 10.1.1.2:5060
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 5080 -j DNAT --to-destination 10.1.1.2:5080
-A PREROUTING -p udp -d 87.xxx.xxx.43 --dport 30000:31000 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -p tcp -d 87.xxx.xxx.43 --dport 81 -j DNAT --to-destination 10.1.1.2:8443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul  5 15:41:00 2010


This is what I have done so far:

/etc/shorewall/interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,logmartians,nosmurfs,blacklist
vpn     br0             detect          tcpflags,logmartians,nosmurfs,blacklist,routeback



/etc/shorewall/zones
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
vpn     ipv4

/etc/shorewall/masq
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0                    br0

/etc/shorewall/policy
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL

# Policies for traffic originating from the local LAN/VPN (vpn)
vpn             net             ACCEPT
vpn             $FW             ACCEPT
vpn             all             REJECT          info

# Policies for traffic originating from the firewall ($FW)
$FW             net             ACCEPT
$FW             vpn             ACCEPT
$FW             all             REJECT          info

# Policies for traffic originating from the Internet zone (net)
net             $FW             DROP
net             vpn             DROP            info
net             all             DROP            info

# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info


/etc/shorewall/rules:
############################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED

SSH/ACCEPT      net             $FW
HTTP/ACCEPT     net             $FW
HTTPS/ACCEPT    net             $FW

Ping/ACCEPT     net             $FW
ACCEPT          $FW             vpn             icmp
ACCEPT          $FW             net             icmp

# DNS Ports
ACCEPT          net             $FW             tcp     53
ACCEPT          net             $FW             udp     53

# LDAP Port
ACCEPT          net:212.227.137.253     $FW     tcp     389

# FTP Port
ACCEPT          net                     $FW     tcp     21

# NRPE Port
ACCEPT          net:212.227.52.184      $FW     tcp     5666

# Tomcat HTTP, HTTPS
ACCEPT          net                     $FW     tcp     8080
ACCEPT          net                     $FW     tcp     8443

# OpenVPN
ACCEPT          net                     $FW     udp     1194

# Specific Ports Forwarded to SIPX
DNAT            net             vpn:10.1.1.2:8443       tcp     81

DNAT            net             vpn:10.1.1.2:5060       tcp     5060
DNAT            net             vpn:10.1.1.2:5060       udp     5060

DNAT            net             vpn:10.1.1.2:5080       tcp     5080
DNAT            net             vpn:10.1.1.2:5080       udp     5080

DNAT            net             vpn:10.1.1.2    udp     30000:31000



With the iptables configuration I'm able to register to our sipXecs
installation on the guest, but with the Shorewall configuration I have
done, I cannot register to sipXecs. Probably I missed something or I
have configured Shorewall wrong. If I access
http://mypublic.domain.tld:81, then it looks OK and I can access the
guest machine. It looks like the port is forwarded properly.

The question is: what have I done wrong, that our VoIP phone cannot
register?

Probably the DNAT rules are not correct. Please help me solve this
problem.

Thanks in advance!
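A DNAT in the nat table only delivers traffic to the guest when the filter table's FORWARD chain also accepts the translated destination, which is why the poster's dump pairs each PREROUTING DNAT with a FORWARD ACCEPT. As an added example (not part of the post or of Shorewall), this Python script parses an iptables-save dump and reports DNAT rules that no FORWARD ACCEPT rule admits; the sample dump is constructed from the post's rules, using the 1.2.3.4 public address from its topology.

```python
# Constructed sample, not the poster's full dump: the five DNAT entries and
# most of the matching FORWARD rules from the post (public IP 1.2.3.4 from its
# topology).  The udp/5080 FORWARD rule is left out so the check reports it.
SAMPLE = """\
*filter
-A FORWARD -p tcp -m state --state NEW -m tcp -d 10.1.1.2 --dport 5060 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp --dport 5060 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp --dport 30000:31000 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
*nat
-A PREROUTING -p udp -d 1.2.3.4 --dport 5060 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -p tcp -d 1.2.3.4 --dport 5060 -j DNAT --to-destination 10.1.1.2:5060
-A PREROUTING -p udp -d 1.2.3.4 --dport 5080 -j DNAT --to-destination 10.1.1.2:5080
-A PREROUTING -p udp -d 1.2.3.4 --dport 30000:31000 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -p tcp -d 1.2.3.4 --dport 81 -j DNAT --to-destination 10.1.1.2:8443
COMMIT
"""

def _opt(tokens, name):
    """Value that follows option `name` in a tokenised rule, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None

def parse_rules(dump):
    """DNAT rules as (proto, public_port, guest_ip, guest_port) and FORWARD
    ACCEPT rules that name a destination host as (proto, dest_ip, dest_port)."""
    table, dnat, forward = None, [], set()
    for line in dump.splitlines():
        tok = line.split()
        if line.startswith("*"):
            table = line[1:]
        elif tok[:1] == ["-A"]:
            chain, jump = tok[1], _opt(tok, "-j")
            proto, dport, dst = _opt(tok, "-p"), _opt(tok, "--dport"), _opt(tok, "-d")
            if table == "nat" and chain == "PREROUTING" and jump == "DNAT":
                ip, _, port = _opt(tok, "--to-destination").partition(":")
                dnat.append((proto, dport, ip, port or dport))  # no :port => port kept
            elif table == "filter" and chain == "FORWARD" and jump == "ACCEPT" and dst:
                forward.add((proto, dst, dport))  # None = wildcard (no -p/--dport)
    return dnat, forward

def unmatched_dnat(dump):
    """DNAT rules whose translated destination no FORWARD ACCEPT rule admits
    (ports compared as strings, so a range only matches the same range)."""
    dnat, forward = parse_rules(dump)
    return [r for r in dnat if not any(
        all(f is None or f == v for f, v in zip(fw, (r[0], r[2], r[3])))
        for fw in forward)]
```

Feed it the output of `iptables-save` instead of SAMPLE to audit a live host; every line it reports is a forward that the nat table promises but the filter table will drop.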


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
