-----Original Message-----
From: Giorgio Boscatto [mailto:giorgio.boscatto@tin.it]
Sent: Thursday 11 August 2005 00:58
To: 'shorewall-users@lists.sourceforge.net'
Cc: Marco Padovan (marco.padovan@performing.it)
Subject: FW: DNAT configuration problem

Hi,

I'm using a Mandrake 10.1 Linux distribution on a machine that works as a proxy-firewall for our company's internet access (not MNF). All works fine except that the website is not visible from the internet. The address of the machine with the website is 192.168.2.5 and it is located in the LAN (it's a Windows 2003 machine that also works as domain controller and DNS server). We have an ADSL router that works as gateway to the internet; this router is linked to the proxy-firewall with an Ethernet interface (eth1). The second Ethernet card (eth0) of the proxy-firewall is linked to a switch that serves the internal LAN with all the Windows machines.

With the current configuration (see the attached files) the website is not visible from the outside. It seems that the DNAT rule is ignored (probably it is not correct, or there is another configuration entry that blocks the traffic). We're asking you for help if possible.

Thanks in advance,

Giorgio Boscatto
System Architect
giorgio.boscatto@performing.it
Via T. da Cazzaniga, 9/6 - 20121 Milano
tel. +39-02-62694596 - fax +39-02-62911619
www.performing.it
> With the current configuration (see the attached files) the website is not
> visible from the outside. It seems that the DNAT rule is ignored (probably it is
> not correct, or there is another configuration entry that blocks the traffic).
> We're asking you for help if possible.
> Thanks in advance,

Thanks for the status, that is helpful, but could you post your config files, please.

Jerry
Here are all the configuration files and the new status. In the archive there are also the files contained in the folder /usr/share/shorewall. The rfc1918 file has not been copied into the /etc/shorewall folder because the norfc1918 option has been disabled on all the interfaces.

Thanks,
Giorgio

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Tuesday 16 August 2005 16:20
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT configuration problem
Thanks, here are all the configuration files of the /etc/shorewall folder. I've also included the new status due to some changes that I've done for testing purposes.

Giorgio

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Tuesday 16 August 2005 16:20
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT configuration problem
Jerry Vonau wrote:
>> With the current configuration (see the attached files) the website is not
>> visible from the outside. It seems that the DNAT rule is ignored (probably it is
>> not correct, or there is another configuration entry that blocks the traffic).
>> We're asking you for help if possible.
>> Thanks in advance,
>
> Thanks for the status, that is helpful, but could you post your config files, please.
>

And please perform the DNAT diagnostic procedures detailed in Shorewall FAQs 1a and 1b.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> Thanks, here are all the configuration files of the /etc/shorewall folder.
> I've also included the new status due to some changes that I've done for
> testing purposes.
>
> Giorgio

In rules you have this:

DNAT net loc:192.168.1.1 tcp www,ftp - 192.168.1.1

if your webserver is at 192.168.2.5 then this should be:

DNAT net loc:192.168.2.5 tcp www,ftp

Jerry
Yes, the DNAT rule was incorrect, but the original test had been made with the correct settings. I've solved the problem (thanks also to Andrea Galmacci). The following two rows in the rules file were incorrect:

ACCEPT loc:192.168.2.5 net tcp www,ftp
ACCEPT loc:192.168.2.5 net udp www,ftp

To be honest I didn't understand very well the reason why, but I suppose that in some way they create a conflict with the DNAT rule.

Thank you very much for the support,
Giorgio

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Tuesday 16 August 2005 23:09
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT configuration problem
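The rules lines quoted by Jerry and Giorgio, run through a small checker, as an added example that is not part of this thread and not Shorewall's own code. It parses the seven-column layout of a Shorewall 2.x rules file (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST), flags any DNAT rule whose DEST is not the intended server (the 192.168.1.1 mistake above), reports an ORIGINAL DEST restriction, and lists ACCEPT rules from the server to net on the forwarded ports, since the thread ends with those two lines being removed. The sample rules text is constructed to mirror the thread; the function and column names are this example's own.

```python
"""Lint a Shorewall /etc/shorewall/rules file for DNAT rules that do not
point at the intended internal server.

Added example for the thread above: not Shorewall's code and not code posted
by anyone on the list. Column names follow the Shorewall 2.x rules layout;
function names are this example's own assumptions.
"""

# Constructed sample: the first DNAT line is the wrong one Jerry spotted,
# the second is his correction, and the two ACCEPT loc:192.168.2.5 lines
# are the ones Giorgio reports removing in his last message.
SAMPLE_RULES = """\
#ACTION  SOURCE           DEST             PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
ACCEPT   loc              net
ACCEPT   loc:192.168.2.5  net              tcp    www,ftp
ACCEPT   loc:192.168.2.5  net              udp    www,ftp
DNAT     net              loc:192.168.1.1  tcp    www,ftp       -               192.168.1.1
DNAT     net              loc:192.168.2.5  tcp    www,ftp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")


def parse_rules(text):
    """Return one dict per rule line, keyed by Shorewall column name.
    Comment lines are skipped; absent columns and '-' placeholders are None."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rule = dict.fromkeys(COLUMNS)
        for name, value in zip(COLUMNS, line.split()):
            rule[name] = None if value == "-" else value
        # 'DNAT:info' carries a log level; match on the bare action name
        rule["action"] = rule["action"].split(":", 1)[0].upper()
        rule["lineno"] = lineno
        rules.append(rule)
    return rules


def split_zone(spec):
    """'loc:192.168.2.5' -> ('loc', '192.168.2.5'); 'net' -> ('net', None).
    A trailing :port (DNAT port redirection) is dropped from the host part."""
    zone, _, rest = (spec or "").partition(":")
    host = rest.split(":", 1)[0] if rest else None
    return zone, host


def port_set(spec):
    """'www,ftp' -> {'www', 'ftp'}; None -> empty set."""
    return set(spec.split(",")) if spec else set()


def check_dnat(text, server_ip, server_zone="loc"):
    """Return (lineno, kind, message) findings:
      wrong-target  : a DNAT rule whose DEST is not server_zone:server_ip
      original-dest : a DNAT rule restricted by ORIGINAL DEST, so only packets
                      addressed to that IP before NAT are rewritten
      accept-out    : ACCEPT rules from server_ip to net on ports that a
                      correct DNAT rule forwards (listed because the thread
                      ends with those lines being removed; no conflict is
                      asserted here)
    """
    findings = []
    rules = parse_rules(text)
    forwarded = set()
    for r in rules:
        if r["action"] != "DNAT":
            continue
        zone, host = split_zone(r["dest"])
        if zone != server_zone or host != server_ip:
            findings.append((r["lineno"], "wrong-target",
                             f"DNAT targets {r['dest']}, expected {server_zone}:{server_ip}"))
        else:
            forwarded |= port_set(r["dport"])
        if r["origdest"]:
            findings.append((r["lineno"], "original-dest",
                             f"only packets originally addressed to {r['origdest']} are rewritten"))
    for r in rules:
        if r["action"] != "ACCEPT":
            continue
        szone, shost = split_zone(r["source"])
        dzone, _ = split_zone(r["dest"])
        overlap = port_set(r["dport"]) & forwarded
        if szone == server_zone and shost == server_ip and dzone == "net" and overlap:
            findings.append((r["lineno"], "accept-out",
                             f"ACCEPT {r['source']} -> net {r['proto']} {','.join(sorted(overlap))}"))
    return findings


if __name__ == "__main__":
    for lineno, kind, msg in check_dnat(SAMPLE_RULES, "192.168.2.5"):
        print(f"line {lineno}: {kind}: {msg}")
```

Run it against a copy of /etc/shorewall/rules with the real server address; a `wrong-target` finding is the mistake Jerry caught, and `original-dest` reminds you that the rule only fires for packets that arrived addressed to that IP, which matters when an ADSL router in front of the firewall rewrites the public address first.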