Thank you Tom, but actually there is a DNS ACCEPT rule.

I didn't make this clear enough but I am trying to dnat from net to local, for 
example incoming port 51554 to local 10.2.20.51:554 .  Here are my rules:

# Cameras
ACCEPT          net:10.2.1.4    $FW             tcp     50554   -
DNAT            net     local:10.2.20.50:554    tcp     50554   -
ACCEPT          net             $FW             tcp     51554   -
DNAT            net     local:10.2.20.51:554    tcp     51554   -
ACCEPT          net:10.2.1.4    $FW             udp     50554   -
DNAT            net     local:10.2.20.50:554    udp     50554   -
ACCEPT          net:10.2.1.4    $FW             udp     51554   -
DNAT            net     local:10.2.20.51:554    udp     51554   -
ACCEPT          net:10.2.1.4    $FW             tcp     50443   -
DNAT            net     local:10.2.20.50:443    tcp     50443   -
ACCEPT          local           $FW             udp     domain,ntp      -

ACCEPT          net             $FW             tcp     51443   -
DNAT            net     local:10.2.20.51:443    tcp     51443   -

ACCEPT          net             $FW             tcp     5180    -
DNAT            net     local:10.2.20.51:80     tcp     5180    -


As a test I also tried incoming 5180 to local 10.2.20.51:80 but that doesn't 
work in a browser.  tcpdump shows traffic on both interfaces but a browser 
can't get a connexion. Here's what happens:

# tcpdump 'tcp port 5180' -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:13:30.083040 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [S], 
seq 4088927536, win 29200, options [mss 1460,nop,wscale 7], length 0
19:13:30.083860 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags 
[S.], seq 2964644306, ack 4088927537, win 14600, options [mss 1460,nop,wscale 
4], length 0
19:13:30.084728 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [.], 
ack 1, win 229, length 0
19:13:30.085209 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags 
[P.], seq 1:316, ack 1, win 229, length 315
19:13:30.085840 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [.], 
ack 316, win 980, length 0
19:13:30.087748 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags 
[P.], seq 1:286, ack 316, win 980, length 285
19:13:30.088661 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [.], 
ack 286, win 237, length 0
19:13:30.089035 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags 
[F.], seq 316, ack 286, win 237, length 0
19:13:30.123597 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [.], 
ack 317, win 980, length 0
19:13:30.942376 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags 
[F.], seq 286, ack 317, win 980, length 0
19:13:30.944365 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [.], 
ack 287, win 237, length 0
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel

# tcpdump 'tcp port 80' -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:13:59.521650 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [S], 
seq 3884695726, win 29200, options [mss 1460,nop,wscale 7], length 0
19:13:59.522504 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags 
[S.], seq 3405756270, ack 3884695727, win 14600, options [mss 1460,nop,wscale 
4], length 0
19:13:59.523379 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [.], 
ack 1, win 229, length 0
19:13:59.523848 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags 
[P.], seq 1:316, ack 1, win 229, length 315: HTTP: GET / HTTP/1.1
19:13:59.524422 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [.], 
ack 316, win 980, length 0
19:13:59.527942 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags 
[P.], seq 1:286, ack 316, win 980, length 285: HTTP: HTTP/1.1 302 Moved 
Temporarily
19:13:59.529091 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [.], 
ack 286, win 237, length 0
19:13:59.529487 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags 
[F.], seq 316, ack 286, win 237, length 0
19:13:59.565954 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [.], 
ack 317, win 980, length 0
19:13:59.651925 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags 
[F.], seq 286, ack 317, win 980, length 0
19:13:59.652996 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [.], 
ack 287, win 237, length 0
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel
#

------- Original Message -------
On Wednesday, August 5, 2020 9:09 AM, Tom Eastep <teas...@shorewall.net> wrote:

> On 8/5/20 8:03 AM, colony.three--- via Shorewall-users wrote:
>
> > I have struggled for days to make this work but admit I am soundly defeated.
> > My goal is to dnat two cameras through an Odroid N2+.  But I can't even
> > get a basic ACCEPT to work on ports 80 or 443.  I can't understand what
> > is wrong.  Dump is attached.  Sure hope the boss is still around.
> > [Tue Jan 30 17:39:29 2018] net-fw DROP IN=eth0 OUT=
> > MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> > DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=8197 DF PROTO=TCP
> > SPT=28086 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> > [Tue Jan 30 17:39:30 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> > DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=10986 DF PROTO=UDP
> > SPT=53625 DPT=53 LEN=45
> > [Tue Jan 30 17:39:30 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> > DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=10987 DF PROTO=UDP
> > SPT=57493 DPT=53 LEN=45
> > [Tue Jan 30 17:39:30 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> > DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=10988 DF PROTO=UDP
> > SPT=40352 DPT=53 LEN=45
> > [Tue Jan 30 17:39:31 2018] net-fw DROP IN=eth0 OUT=
> > MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> > DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10546 DF PROTO=TCP
> > SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> > [Tue Jan 30 17:39:32 2018] net-fw DROP IN=eth0 OUT=
> > MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> > DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10547 DF PROTO=TCP
> > SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> > [Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44808 DF PROTO=UDP
> > SPT=48844 DPT=53 LEN=52
> > [Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44809 DF PROTO=UDP
> > SPT=60419 DPT=53 LEN=52
> > [Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44810 DF PROTO=UDP
> > SPT=45791 DPT=53 LEN=52
> > [Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44811 DF PROTO=UDP
> > SPT=32787 DPT=53 LEN=52
> > [Tue Jan 30 17:39:34 2018] net-fw DROP IN=eth0 OUT=
> > MAC=01:00:5e:00:00:01:00:eb:d5:61:fb:60:08:00 SRC=0.0.0.0 DST=224.0.0.1
> > LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
> > [Tue Jan 30 17:39:34 2018] net-fw DROP IN=eth0 OUT=
> > MAC=01:00:5e:00:00:01:00:eb:d5:61:fb:60:08:00 SRC=0.0.0.0 DST=224.0.0.1
> > LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
> > [Tue Jan 30 17:39:34 2018] net-fw DROP IN=eth0 OUT=
> > MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> > DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10548 DF PROTO=TCP
> > SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> > [Tue Jan 30 17:39:38 2018] net-fw DROP IN=eth0 OUT=
> > MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> > DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10549 DF PROTO=TCP
> > SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> > [Tue Jan 30 17:39:39 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44884 DF PROTO=UDP
> > SPT=56118 DPT=53 LEN=52
> > [Tue Jan 30 17:39:39 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44885 DF PROTO=UDP
> > SPT=47795 DPT=53 LEN=52
> > [Tue Jan 30 17:39:39 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44886 DF PROTO=UDP
> > SPT=60806 DPT=53 LEN=52
> > [Tue Jan 30 17:39:39 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44887 DF PROTO=UDP
> > SPT=53807 DPT=53 LEN=52
> > [Tue Jan 30 17:39:45 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> > DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=25988 DF PROTO=UDP
> > SPT=60181 DPT=53 LEN=45
> > [Tue Jan 30 17:39:45 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> > DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=25989 DF PROTO=UDP
> > SPT=51672 DPT=53 LEN=45
> > [Tue Jan 30 17:39:45 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> > DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=25990 DF PROTO=UDP
> > SPT=54680 DPT=53 LEN=45
> > [Tue Jan 30 17:39:46 2018] net-fw DROP IN=eth0 OUT=
> > MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> > DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10550 DF PROTO=TCP
> > SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> > [Tue Jan 30 17:39:49 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=45506 DF PROTO=UDP
> > SPT=38509 DPT=53 LEN=52
> > [Tue Jan 30 17:39:49 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=45507 DF PROTO=UDP
> > SPT=35424 DPT=53 LEN=52
> > [Tue Jan 30 17:39:49 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=45508 DF PROTO=UDP
> > SPT=38172 DPT=53 LEN=52
> > [Tue Jan 30 17:39:49 2018] local-fw REJECT IN=eth1 OUT=
> > MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> > DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=45509 DF PROTO=UDP
> > SPT=60454 DPT=53 LEN=52
>
> The messages above (with the exception of the first one) are the result
> of there being no DNS ACCEPT rule from local to fw. There is a DNAT rule
> from net->local -- I assume that is the camera rule, but there has been
>
> no traffic incoming to TCP port 5180 since the firewall was reloaded.
> The dates in the dump are not credible since the firewall script was
> just compiled (Aug 2 13:56:35 PDT 2020), but the current date is shown
> as January 30, 2018 (also shown in the messages above). I am guessing
> that this box is running Shorewall-lite and the firewall script was
> created on another system? If so, it looks like the firewall has been up
> for 18+ minutes but the packet counter on the DNAT rule is still at
> zero. The firewall can't route packets that are not sent to it.
>
> -Tom
>
> ----------------------------------------------------------------
>
> Tom Eastep \ Q: What do you get when you cross a mobster
> Shoreline, \ with an international standard?
> Washington, USA \ A: Someone who makes you an offer you
> http://shorewall.org \ can't understand
> \________________________________________
>
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
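The two captures in the reply above, the net side on eth0 and the local side on eth1, can be compared mechanically rather than by eye. The script below is an added editorial example, not code from the poster or from the Shorewall project. It embeds the tcpdump lines quoted in the reply (mail-wrapped lines rejoined, pure-ACK packets dropped), parses them with a regex over tcpdump's default text format, and for each side reports whether the handshake completed, how many payload bytes moved in each direction, and what HTTP status the DNAT target returned. The function names and verdict wording are this example's own; the two captures are separate test connections, so the script compares their shape, not their sequence numbers.

```python
"""Compare a pre-NAT (net side) and post-NAT (local side) tcpdump capture.

Added example for the thread above, not code from the poster or from the
Shorewall project. Sample lines are the tcpdump output quoted in the reply,
with mail-wrapped lines rejoined and the pure-ACK packets dropped.
"""
import re

# One tcpdump line in the default (non -v) text format.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\],.*?"
    r"length (?P<len>\d+)(?:: HTTP: (?P<http>.*))?$"
)

# eth0 = net side: a client talking to the firewall's forwarded port 5180 (from the post).
ETH0_CAPTURE = [
    "19:13:30.083040 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [S], seq 4088927536, win 29200, options [mss 1460,nop,wscale 7], length 0",
    "19:13:30.083860 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [S.], seq 2964644306, ack 4088927537, win 14600, options [mss 1460,nop,wscale 4], length 0",
    "19:13:30.085209 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [P.], seq 1:316, ack 1, win 229, length 315",
    "19:13:30.087748 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [P.], seq 1:286, ack 316, win 980, length 285",
    "19:13:30.089035 IP andromeda2.darkmtter.org.38466 > 10.2.1.106.5180: Flags [F.], seq 316, ack 286, win 237, length 0",
    "19:13:30.942376 IP 10.2.1.106.5180 > andromeda2.darkmtter.org.38466: Flags [F.], seq 286, ack 317, win 980, length 0",
]
# eth1 = local side: the repeated test as seen between the firewall and the camera (from the post).
ETH1_CAPTURE = [
    "19:13:59.521650 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [S], seq 3884695726, win 29200, options [mss 1460,nop,wscale 7], length 0",
    "19:13:59.522504 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [S.], seq 3405756270, ack 3884695727, win 14600, options [mss 1460,nop,wscale 4], length 0",
    "19:13:59.523848 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [P.], seq 1:316, ack 1, win 229, length 315: HTTP: GET / HTTP/1.1",
    "19:13:59.527942 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [P.], seq 1:286, ack 316, win 980, length 285: HTTP: HTTP/1.1 302 Moved Temporarily",
    "19:13:59.529487 IP andromeda2.darkmtter.org.38474 > 10.2.20.51.http: Flags [F.], seq 316, ack 286, win 237, length 0",
    "19:13:59.651925 IP 10.2.20.51.http > andromeda2.darkmtter.org.38474: Flags [F.], seq 286, ack 317, win 980, length 0",
]


def parse_capture(lines):
    """Group tcpdump lines into flows keyed by (client, server) endpoint pairs."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner/trailer lines such as "11 packets captured"
        a, b = (m["src"], m["sport"]), (m["dst"], m["dport"])
        flags = m["flags"]
        if flags == "S" and (a, b) not in flows:
            # A bare SYN opens the flow and fixes which endpoint is the client.
            flows[(a, b)] = {"client": a, "server": b, "synack": False, "fin": False,
                             "client_bytes": 0, "server_bytes": 0,
                             "request": None, "response": None}
        key = (a, b) if (a, b) in flows else (b, a)
        if key not in flows:
            continue  # mid-stream packet whose SYN is outside the capture
        f = flows[key]
        from_client = a == f["client"]
        if "S" in flags and not from_client:
            f["synack"] = True  # SYN-ACK from the server side: handshake answered
        if "F" in flags:
            f["fin"] = True
        f["client_bytes" if from_client else "server_bytes"] += int(m["len"])
        if m["http"]:  # tcpdump only decodes HTTP on well-known ports, so eth0 has none
            f["request" if from_client else "response"] = m["http"]
    return flows


def http_status(decoded):
    """Numeric status from a tcpdump 'HTTP/1.x NNN ...' decode, or None."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", decoded or "")
    return int(m.group(1)) if m else None


def verdict(net_flow, local_flow):
    """Where did the forwarded connection actually stop? One flow from each side."""
    if not net_flow["synack"]:
        return "no SYN-ACK on the net side: packets are not reaching a matching DNAT rule"
    if not local_flow["synack"]:
        return "net side answers but the DNAT target does not: check the target host"
    same_shape = (net_flow["client_bytes"], net_flow["server_bytes"]) == \
                 (local_flow["client_bytes"], local_flow["server_bytes"])
    status = http_status(local_flow["response"])
    if same_shape and status is not None and 300 <= status < 400:
        return ("forwarding works; the target returned a %d redirect, so the browser "
                "follows its Location header, which is not in this capture" % status)
    return "forwarding works end to end" if same_shape else "payload differs between sides"


if __name__ == "__main__":
    net = next(iter(parse_capture(ETH0_CAPTURE).values()))
    loc = next(iter(parse_capture(ETH1_CAPTURE).values()))
    print(verdict(net, loc))
```

On the post's data both sides complete the handshake and carry the same 315-byte request and 285-byte reply, and the local side decodes that reply as a 302: the DNAT path itself is translating and forwarding. What the browser then does depends on the Location header, which a plain capture does not show; `tcpdump -A` on eth1 prints it. A redirect to the camera's own address or to a port that is not forwarded is unreachable from the net side and looks to the browser like a failed connection, even though the firewall did its job. Separately, Shorewall's DNAT action generates the companion ACCEPT for the forwarded connection (only DNAT- omits it), so the `ACCEPT net $FW` lines in the rules only matter for connections addressed to the firewall itself.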



