Guest janmann Posted June 13, 2003

Hello! First of all: sorry for my English. It is not very good, but I'll try to explain my problems. Last week I set up a Mandrake 9.1 machine, which acts as a router and a firewall. Everything works fine, except the fact that I can't open port 4662 etc. to use MLDonkey. Here is my policy from Shorewall:

Interface  Zone name  Broadcast address  Options
ppp+       net        Automatic          None
eth0       masq       Automatic          None
eth1       loc        Automatic          None

Here are my rules from Shorewall:

Action  Source     Destination  Protocol  Source port  Destination port
ACCEPT  Zone net   Zone fw      UDP       Any          53,4661,4662,10000,4080,4001
ACCEPT  Zone net   Zone fw      TCP       Any          80,443,53,22,20,21,109,110,143,4661,4662,10000,4080,4001
ACCEPT  Zone masq  Zone fw      UDP       Any          53,139,4661,4662,10000,4080,4001
ACCEPT  Zone masq  Zone fw      TCP       Any          80,443,53,22,20,21,109,110,143,139,4661,4662,10000,4080,4001
ACCEPT  Zone loc   Zone fw      UDP       Any          53,139,4661,4662,10000,4080,4001
ACCEPT  Zone loc   Zone fw      TCP       Any          80,443,53,22,20,21,109,110,143,139,4661,4662,10000,4080,4001
ACCEPT  Zone masq  Zone fw      TCP       Any          domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,4662,4661
ACCEPT  Zone masq  Zone fw      UDP       Any          domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,4661,4662
ACCEPT  Zone fw    Zone masq    TCP       Any          631,515,137,138,139,4661,4662
ACCEPT  Zone fw    Zone masq    UDP       Any          631,515,137,138,139,4661,4662
ACCEPT  Zone fw    Zone masq    UDP       137          1024:
ACCEPT  Zone masq  Zone fw      UDP       137          1024:

Can anyone tell me where the problem is? Normally I would think that these rules already open port 4662. Thank you, Jan
MottS Posted June 13, 2003

Hi man, I have pretty much the same set up as you (eth0 is connected to an ADSL modem and eth1 to my LAN). Here is what I used to set up eDonkey (pretty much like MLDonkey).
eDonkey: http://www.mandrakeusers.org/viewtopic.php?t=4486
Shorewall: http://www.mandrakeusers.org/viewtopic.php?t=4731
BTW, your rules file is a mess, man. Assuming you have the same set up as me (look above), put the following line in /etc/shorewall/rules and restart Shorewall:

    DNAT net masq:192.168.1.100 tcp 4662 -

Replace 192.168.1.100 with the IP of the computer on which MLDonkey is running, of course. HTH, MOttS
Guest janmann Posted June 14, 2003

Thanks MottS for your fast reply! I've tested it and it works. Here are my new rules (I hope this time you are not confused!):

##############################################################################
#ACTION SOURCE DEST                PROTO DEST                                                          SOURCE  ORIGINAL
#                                        PORT                                                          PORT(S) DEST
ACCEPT  net    fw                  udp   53,4661,4662,4672,10000,4080,4001                             -
ACCEPT  net    fw                  tcp   80,443,53,22,20,21,109,110,143,4661,4662,10000,4080,4001      -
ACCEPT  masq   fw                  udp   53,139,4661,4662,10000,4080,4001                              -
ACCEPT  masq   fw                  tcp   80,443,53,22,20,21,109,110,143,139,4661,4662,10000,4080,4001  -
ACCEPT  loc    fw                  udp   53,139,4661,4662,10000,4080,4001                              -
ACCEPT  loc    fw                  tcp   80,443,53,22,20,21,109,110,143,139,4661,4662,10000,4080,4001  -
ACCEPT  masq   fw                  tcp   domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,4662,4661 -
ACCEPT  masq   fw                  udp   domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp,4661,4662 -
ACCEPT  fw     masq                tcp   631,515,137,138,139,4661,4662                                 -
ACCEPT  fw     masq                udp   631,515,137,138,139,4661,4662                                 -
ACCEPT  fw     masq                udp   1024:                                                         137
ACCEPT  masq   fw                  udp   1024:                                                         137
DNAT    net    masq:192.168.1.252  udp   4661,4662,4672                                                -
DNAT    net    masq:192.168.1.252  tcp   4661,4662                                                     -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Unfortunately I run a DHCP server and my network often gets a new IP! Is there a solution to this problem? Because I don't want to change the rules every time I get a new IP! Regarding my Mandrake server: is it possible to open port 4662 for the server itself? Or is it already open with the last two rules I added? I thought that these two rules only open the ports for my network, that means for my Windows client and not for the server itself! How can I open it only for the server? Thanks for your help! Jan
MottS Posted June 14, 2003

I understand your question BUT... It wouldn't work to open port 4662 on the server (more a router, but whatever). This is because when you run eDonkey, you act like a server yourself. People have to be able to connect to your server (eDonkey file sharing server) and this is done on port 4662. So you have to forward this port from the internet to the computer on which eDonkey is running to have a high ID (i.e., people can connect to your server).

Now, for your DHCP problem. Did you read the Shorewall FAQ we have here on this forum? http://www.mandrakeusers.org/viewtopic.php?t=4731 Look at the end of the file... whatever, here it is:

Well, let's configure it so that it always receives the same IP from the firewall. First of all, you need to know the MAC address of the computer on the LAN. To find that out, type ifconfig as root on the computer on the LAN (I have no idea how to get that on the other OS). You will get something like this:

Quote:
eth0      Link encap:Ethernet  HWaddr 00:50:BA:B4:00:3E
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:193712 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155603 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:206789603 (197.2 Mb)  TX bytes:11783187 (11.2 Mb)
          Interrupt:10 Base address:0x4f00

The MAC address is the series of numbers and letters to the right of HWaddr. So my card's MAC address is 00:50:BA:B4:00:3E. Now, add the next block to /etc/dhcpd.conf on the server as root. Replace my MAC address with yours!

Code:
host PC {
    hardware ethernet 00:50:ba:b4:00:3e;
    fixed-address 192.168.1.100;
}

Now, restart the DHCP server by typing as root:

Code:
service dhcpd restart

This way, the computer having the MAC address 00:50:ba:b4:00:3e on the LAN should always receive 192.168.1.100 as its IP. That simplifies things for configuration, especially for DNAT rules (forwarding ports). Hope this helps, MOttS
Guest janmann Posted June 14, 2003

Thanks, the problem with the DHCP server is solved! But unfortunately I think that I have not yet understood the problem with the server! You said that I couldn't open the port on the server/router itself? But how can I use a file sharing program like MLDonkey on the server if I don't have a network behind the firewall? :?: I have to forward this port (4662) from the internet to the computer on which eDonkey is running to get a high ID, but what shall I do when this computer is the server itself? I hope you understand me. :roll: Do these two rules

    DNAT net masq:192.168.1.252 udp 4661,4662,4672 -
    DNAT net masq:192.168.1.252 tcp 4661,4662 -

also serve for my router/server to get a high ID? Thanks, Jan
MottS Posted June 14, 2003

OH ok... I understand your question now. If you would like your server to have a high ID, you would need the following lines to be in /etc/shorewall/rules:

    ACCEPT net fw udp 4661,4662,4672 -
    ACCEPT net fw tcp 4661,4662 -

But the port cannot be opened on the server and forwarded to another computer on the LAN at the same time. You have to either forward the port OR open it on the server/router, but both don't work. Is that what you are trying to do? ... just wondering. MOttS
Guest janmann Posted June 18, 2003

Hello MottS! Sorry for my late reply! The last two lines you posted are exactly the rules I meant. But.......... I tested them and they don't work! Here are my new rules:

##############################################################################
#ACTION SOURCE DEST                PROTO DEST                                                   SOURCE  ORIGINAL
#                                        PORT                                                   PORT(S) DEST
ACCEPT  net    fw                  udp   53,10000,4080,4001                                     -
ACCEPT  net    fw                  tcp   80,443,53,22,20,21,109,110,143,10000,4080,4001         -
ACCEPT  masq   fw                  udp   53,139,10000,4080,4001                                 -
ACCEPT  masq   fw                  tcp   80,443,53,22,20,21,109,110,143,139,10000,4080,4001     -
ACCEPT  loc    fw                  udp   53,139,10000,4080,4001                                 -
ACCEPT  loc    fw                  tcp   80,443,53,22,20,21,109,110,143,139,10000,4080,4001     -
ACCEPT  masq   fw                  tcp   domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp   -
ACCEPT  masq   fw                  udp   domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp   -
ACCEPT  fw     masq                tcp   631,515,137,138,139,4661,4662                          -
ACCEPT  fw     masq                udp   631,515,137,138,139,4661,4662                          -
ACCEPT  fw     masq                udp   1024:                                                  137
ACCEPT  masq   fw                  udp   1024:                                                  137
ACCEPT  net    fw                  udp   4661,4662,4672                                         -
ACCEPT  net    fw                  tcp   4661,4662                                              -
#DNAT   net    masq:192.168.1.252  udp   4661,4662,4672
#DNAT   net    masq:192.168.1.252  tcp   4661,4662                                              -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Funnily enough, if I do a port scan my 4662 port is only open if I don't comment out the last 2 DNAT rules. That's very strange! Another problem I can't handle is this one (taken from /var/log/messages):

Jun 18 00:15:11 jan nmbd[2617]: [2003/06/18 00:15:11, 0] nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(358)
Jun 18 00:15:11 jan nmbd[2617]: find_domain_master_name_query_fail:
Jun 18 00:15:11 jan nmbd[2617]: Unable to find the Domain Master Browser name ARBEITSGRUPPE<1b> for the workgroup ARBEITSGRUPPE.
Jun 18 00:15:11 jan nmbd[2617]: Unable to sync browse lists in this workgroup.

Can this Samba problem also be caused by my firewall? Thanks, Jan
MottS Posted June 18, 2003

Hi

Quote: I tested them and they don't work

What do you expect them to do? If you use the ACCEPT rule, this is only going to open ports on your server. This will not forward the ports to your LAN and eDonkey will not work. However, if you are trying to run eDonkey on your server then it should work. To run eDonkey on the LAN you have to forward (DNAT) the ports.

Quote: Funnily enough, if I do a port scan my 4662 port is only open if I don't comment out the last 2 DNAT rules. That's very strange!

You have to open ports on your server (ACCEPT) or forward the ports to your LAN (DNAT) but not both. And either way, a port scan should give you an 'open' port with nmap (or whatever port scanner you are using). BTW, don't forget to restart Shorewall when you play with the config files! I don't understand what you are trying to do anymore with port 4662. What are you trying to do?

For Samba to work between your LAN and your server (fw), you have to open ports 137, 138 and 138 in both directions (i.e. ACCEPT fw masq and ACCEPT masq fw). And again, what are you trying to achieve with Samba? Good luck! MOttS
Guest janmann Posted June 18, 2003

HI! I wanted to run eDonkey on my server, that's why I uncommented the DNAT rules, but unfortunately I only got a low ID on my server. Maybe there is still a problem, because when I test my 4662 port on my server (http://www.thedonkeynetwork.com/connection_test) I get a reset signal, which means that my port 4662 isn't open! That's all I want to do (the rest seems to be clear!). Sorry for my nasty questions!
MottS Posted June 18, 2003

OK... no prob for the question. I just didn't know where you wanted to go since the DNAT rule was working... anyway. Well, all you have to do is to put

    ACCEPT net fw udp 4661,4662,4672 -
    ACCEPT net fw tcp 4661,4662 -

in your rules file, comment out the DNAT rules and restart Shorewall. I would clean your rules file though. You have multiple ACCEPT net fw lines which may cause problems. I would put them all in one line (or two for tcp/udp ports). Same thing for ACCEPT net masq and all that. Then restart Shorewall. I don't see why it wouldn't work really... it works on my server (only the donkey core... no GUI) running MDK 9.0. MOttS
Guest janmann Posted June 19, 2003

A neverending story! I cleaned my rules. But I've still got the same problem that I receive a low ID! Here are my new rules:

########################################################
#ACTION SOURCE DEST   PROTO DEST                                                         SOURCE  ORIGINAL
#                           PORT                                                         PORT(S) DEST
ACCEPT  net    fw     udp   53,10000,4080,4001, 4661,4662,4672                           -
ACCEPT  net    fw     tcp   80,443,53,22,20,21,109,110,143,10000,4080,4001, 4661,4662    -
ACCEPT  masq   fw     udp   53,139,10000,4080,4001                                       -
ACCEPT  masq   fw     tcp   80,443,53,22,20,21,109,110,143,139,10000,4080,4001           -
ACCEPT  loc    fw     udp   53,139,10000,4080,4001                                       -
ACCEPT  loc    fw     tcp   80,443,53,22,20,21,109,110,143,139,10000,4080,4001           -
ACCEPT  masq   fw     tcp   domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp         -
ACCEPT  masq   fw     udp   domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp         -
ACCEPT  fw     masq   tcp   631,515,137,138,139,4661,4662                                -
ACCEPT  fw     masq   udp   631,515,137,138,139,4661,4662                                -
ACCEPT  fw     masq   udp   1024:                                                        137
ACCEPT  masq   fw     udp   1024:                                                        137
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

When I test my port 4662 (http://www.thedonkeynetwork.com/connection_test) I still receive a reset signal! If your rules work, is it possible to give them to me, so that I can test them? Or do you have a better idea? :roll: Thanks, Jan
MottS Posted June 19, 2003

Why do you have

    ACCEPT net fw udp 53,10000,4080,4001, 4661,4662,4672 -
    ACCEPT net fw tcp 80,443,53,22,20,21,109,110,143,10000,4080,4001, 4661,4662 -

and

    ACCEPT fw masq tcp 631,515,137,138,139,4661,4662 -
    ACCEPT fw masq udp 631,515,137,138,139,4661,4662 -

Are you trying to open port 4662 on your firewall and run the donkey on your LAN? ... that is not going to work. Here is mine. Notice that I run the donkey on a computer on my LAN (192.168.1.100). My server (fw) is a Linux box with no screen/keyboard/mouse.

# ===============================FOR APACHE & FTP=============================
ACCEPT  net   fw                  tcp  21,80                                                 -
# ===========================FOR THE LOCAL PORTS==============================
ACCEPT  masq  fw                  tcp  21,22,5900,19150                                      -
ACCEPT  masq  fw                  tcp  domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp  -
ACCEPT  masq  fw                  udp  domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp  -
# ====================FORWARD THESE PORTS FROM THE NET TO MY COMPUTER=========
DNAT    net   masq:192.168.1.100  tcp  4662,6891:6900                                        -
DNAT    net   masq:192.168.1.100  udp  4662                                                  -

I have the following setup:

    NET|-----|LinuxBox|-----|HUB|-----|1 MAC & 1 dualboot machine

In zones this is:

    net|---------| fw |----------||----------|masq

MOttS
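The either/or that MottS keeps coming back to (ACCEPT a port for the firewall itself, or DNAT it to a LAN host, never both), his advice to collapse the repeated ACCEPT net fw lines, and the fact that Shorewall's rules columns are whitespace-separated (so a space after a comma inside a port list pushes the rest of the list into the SOURCE PORT column) can all be checked mechanically. The script below is an added example, not code from this thread or from Shorewall; the sample rules file, the small service-name table and the function names are constructed here for illustration. It handles port lists, ranges such as 6891:6900, open-ended ranges such as 1024: and the service names used in the thread.

```python
"""Added example: lint a Shorewall-style rules file for the mistakes discussed in this thread.

Columns are assumed whitespace-separated, as in the posted files:
    ACTION  SOURCE  DEST  PROTO  DEST_PORT(S)  [SOURCE_PORT(S)]  [ORIGINAL_DEST]
"""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_PORT = 65535
# Constructed table for the service names used in the thread (a real tool would read /etc/services).
SERVICE_PORTS = {"domain": 53, "bootps": 67, "http": 80, "https": 443, "imap": 143,
                 "pop3": 110, "smtp": 25, "nntp": 119, "ntp": 123, "ftp": 21, "ssh": 22}

# Constructed sample modelled on the rules files posted in the thread (not a real host's file).
SAMPLE_RULES = """\
#ACTION SOURCE DEST               PROTO DEST                    SOURCE
#                                       PORT(S)                 PORT(S)
ACCEPT  net    fw                 udp   53,10000,4661,4662,4672 -
ACCEPT  net    fw                 tcp   80,443,22,4661,4662     -
ACCEPT  net    fw                 tcp   ftp,smtp                -
ACCEPT  masq   fw                 tcp   domain,http,https       -
ACCEPT  fw     masq               udp   1024:                   137
DNAT    net    masq:192.168.1.252 udp   4661,4662,4672          -
DNAT    net    masq:192.168.1.252 tcp   4661,4662               -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


@dataclass
class Rule:
    lineno: int
    action: str
    source: str
    dest: str
    proto: str
    dports: list = field(default_factory=list)  # inclusive (low, high) port ranges


def parse_ports(spec):
    """'80,443,6891:6900,1024:,domain' -> [(80,80),(443,443),(6891,6900),(1024,65535),(53,53)]."""
    ranges = []
    if spec == "-":
        return ranges
    for item in spec.lower().split(","):
        if not item:
            continue  # tolerate a trailing comma; split_port_lists() reports it separately
        if ":" in item:
            lo, _, hi = item.partition(":")
            ranges.append((int(lo), int(hi) if hi else MAX_PORT))
        elif item.isdigit():
            ranges.append((int(item), int(item)))
        else:
            ranges.append((SERVICE_PORTS[item], SERVICE_PORTS[item]))  # unknown name raises KeyError on purpose
    return ranges


def split_port_lists(text):
    """Line numbers whose dest-port column ends in ',' (e.g. '4001, 4661'): because columns are
    split on whitespace, the rest of the list would be read as the SOURCE PORT column."""
    bad = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if len(cols) >= 5 and cols[4].endswith(","):
            bad.append(lineno)
    return bad


def parse_rules(text):
    """Parse the five leading columns of every non-comment line into Rule objects."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if len(cols) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 columns")
        action, source, dest, proto, dport = cols[:5]
        rules.append(Rule(lineno, action.upper(), source, dest, proto.lower(), parse_ports(dport)))
    return rules


def find_conflicts(rules):
    """(proto, low, high, accept_lineno, dnat_lineno) for every port that is both ACCEPTed
    from net for the firewall itself and DNATed from net to a LAN host on the same protocol."""
    accepts = [r for r in rules if r.action == "ACCEPT" and r.source == "net" and r.dest == "fw"]
    dnats = [r for r in rules if r.action == "DNAT" and r.source == "net"]
    found = []
    for a in accepts:
        for d in dnats:
            if a.proto != d.proto:
                continue
            for alo, ahi in a.dports:
                for dlo, dhi in d.dports:
                    lo, hi = max(alo, dlo), min(ahi, dhi)  # intersection of the two ranges
                    if lo <= hi:
                        found.append((a.proto, lo, hi, a.lineno, d.lineno))
    return found


def find_mergeable(rules):
    """{(source, dest, proto): [linenos]} for ACCEPT rules that could be collapsed into one line."""
    groups = defaultdict(list)
    for r in rules:
        if r.action == "ACCEPT":
            groups[(r.source, r.dest, r.proto)].append(r.lineno)
    return {key: lines for key, lines in groups.items() if len(lines) > 1}


def lint(text):
    """Human-readable findings for one rules file."""
    msgs = [f"line {n}: dest-port list ends with ',' so the next token becomes the SOURCE PORT column"
            for n in split_port_lists(text)]
    rules = parse_rules(text)
    for proto, lo, hi, a, d in find_conflicts(rules):
        port = str(lo) if lo == hi else f"{lo}:{hi}"
        msgs.append(f"{proto}/{port}: ACCEPTed for fw on line {a} and DNATed to the LAN on line {d}; keep one")
    for (src, dst, proto), lines in find_mergeable(rules).items():
        msgs.append(f"ACCEPT {src} {dst} {proto}: lines {lines} could be one line")
    return msgs


if __name__ == "__main__":
    for msg in lint(SAMPLE_RULES):
        print(msg)
```

Run against the constructed sample it reports the udp 4661/4662/4672 and tcp 4661/4662 ACCEPT-versus-DNAT overlaps and the two ACCEPT net fw tcp lines that could be merged; point it at a real /etc/shorewall/rules by passing the file's contents to lint(). The overlap check is the one that explains the low ID in the thread: whichever of the two rules matches first in the generated chains wins, so one of the two machines never sees the connection.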
Guest janmann Posted June 20, 2003

Thanks for all this trouble! :roll: But finally, after more than 2 hours of "trial and error", it works. And I have learned a lot about firewalls! Bye, Jan
MottS Posted June 20, 2003

GOOD GOOD!!! ... what was the problem then? MOttS
Guest janmann Posted June 20, 2003

I tried to open port 4662 on my firewall and I also had this port open on my LAN. That was not going to work. But now I'm happy! OK, thanks for everything, Jan