Hello, I am using shorewall for 2 years, few days ago my rules file stopped working. My rules: f.e. ports redirection, accepts are no working. First idea was shorewall restart: don''t solve problem, so i have upgraded shorewall to version 4.2 and also it doesn''t solve the problem :( When I do shorewall restart i can see all my rules starting, but is is not working, what is going on ? Few important rules from rules file: REJECT net $FW tcp 901 DROP net fw icmp 8 REJECT net fw tcp 139 DNAT net loc:192.168.0.22:3389 tcp 3389 DNAT net loc:192.168.0.22:3389 udp 3389 ACCEPT loc:192.168.0.22 net tcp 3389 ACCEPT loc:192.168.0.22 net udp 3389 DNAT net loc:192.168.0.22:13393 tcp 13393 DNAT net loc:192.168.0.22:13393 udp 13393 DNAT net loc:192.168.0.22:5671 tcp 5671 DNAT net loc:192.168.0.22:5671 udp 5671 ACCEPT loc:192.168.0.22 net tcp 5671 ACCEPT loc:192.168.0.22 net udp 5671 DNAT net loc:192.168.0.22:5681 tcp 5681 DNAT net loc:192.168.0.22:5681 udp 5681 DNAT net loc:192.168.0.22:5681 tcp 5691 DNAT net loc:192.168.0.22:5681 udp 5691 ACCEPT loc:192.168.0.22 net tcp 5681 ACCEPT loc:192.168.0.22 net udp 5681 ACCEPT loc:192.168.0.22 net tcp 5691 ACCEPT loc:192.168.0.22 net udp 5691 REJECT loc net tcp 8074 - REJECT net loc tcp 8074 - REJECT loc net udp 8074 - REJECT net loc udp 8074 - REJECT loc net tcp 1000:8073 REJECT loc net tcp 8073:60000 REJECT loc net udp 1000:8073 REJECT loc net udp 8073:60000 Rules are not working on all local computers in office (also on my 192.168.0.22), shorewall is on a linux gateway to internet, for example I can''t login from other network to my remote desktop on local IP 192.168.0.22 (poort:3389), it was also working for 2 years time, I was loging from my home to office local comp:192.168.0.22 and working. -------------------------------------------------------------------- -------------------------------------------------------------------- root@bramka:/etc/shorewall# cat tcdevices | grep -v ^# eth1 4000kbit 500kbit -------------------------------------------------------------------- -------------------------------------------------------------------- root@bramka:/etc/shorewall# cat interfaces | grep -v ^# net eth1 83.14.53.15 #blacklist ## adres sieci .8 loc eth0 192.168.0.255 #maclist #dhcp,maclist#,routeback -------------------------------------------------------------------- -------------------------------------------------------------------- root@bramka:/etc/shorewall# cat masq | grep -v ^# eth1 eth0 -------------------------------------------------------------------- -------------------------------------------------------------------- root@bramka:/etc/shorewall# cat policy | grep -v ^# loc net ACCEPT ### net loc ACCEPT ### loc fw ACCEPT fw loc ACCEPT net fw ACCEPT ### fw net ACCEPT ### fw fw ACCEPT info net all DROP info all all REJECT info -------------------------------------------------------------------- -------------------------------------------------------------------- root@bramka:/etc/shorewall# cat zones | grep -v ^# net net loc loc dmz dmz -------------------------------------------------------------------- -------------------------------------------------------------------- Some parts of shorewall.conf file: LOGTAGONLY=No IPTABLESPATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall CONFIG_PATH=/etc/shorewall:/usr/share/shorewall FW=fw IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No RETAIN_ALIASES=No TC_ENABLED=Internal CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=Yes CLAMPMSS=No ROUTE_FILTER=No DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes DROPINVALID=No RFC1918_STRICT=No MACLIST_TTL=60 SAVE_IPSETS=No CROSSBEAM=No CROSSBEAM_BACKBONE=eth0 BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP That rules was working for a long time, but no more from few days/week. Maybe it is a problem with iptables ? -- Maciek ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hi,
I see you hard coded your external & internal interface public IP
address. Is there any chance your public IP got changed ( I mean if you
are a DHCP client to your router ? ).
Based on your situation if you haven''t touched any rule and all of
a sudden things stopped working. I would validate your IP information of
both the interfaces first.
Chakri
Maciej wrote:> Hello,
>
> I am using shorewall for 2 years, few days ago my rules file stopped
> working. My rules: f.e. ports redirection, accepts are no working. First
> idea was shorewall restart: don''t solve problem, so i have
upgraded
> shorewall to version 4.2 and also it doesn''t solve the problem :(
>
> When I do shorewall restart i can see all my rules starting, but is
> is not working, what is going on ?
>
> Few important rules from rules file:
>
> REJECT net $FW tcp 901
> DROP net fw icmp 8
> REJECT net fw tcp 139
> DNAT net loc:192.168.0.22:3389 tcp 3389
> DNAT net loc:192.168.0.22:3389 udp 3389
> ACCEPT loc:192.168.0.22 net tcp 3389
> ACCEPT loc:192.168.0.22 net udp 3389
> DNAT net loc:192.168.0.22:13393 tcp 13393
> DNAT net loc:192.168.0.22:13393 udp 13393
> DNAT net loc:192.168.0.22:5671 tcp 5671
> DNAT net loc:192.168.0.22:5671 udp 5671
> ACCEPT loc:192.168.0.22 net tcp 5671
> ACCEPT loc:192.168.0.22 net udp 5671
> DNAT net loc:192.168.0.22:5681 tcp 5681
> DNAT net loc:192.168.0.22:5681 udp 5681
> DNAT net loc:192.168.0.22:5681 tcp 5691
> DNAT net loc:192.168.0.22:5681 udp 5691
> ACCEPT loc:192.168.0.22 net tcp 5681
> ACCEPT loc:192.168.0.22 net udp 5681
> ACCEPT loc:192.168.0.22 net tcp 5691
> ACCEPT loc:192.168.0.22 net udp 5691
> REJECT loc net tcp 8074 -
> REJECT net loc tcp 8074 -
> REJECT loc net udp 8074 -
> REJECT net loc udp 8074 -
> REJECT loc net tcp 1000:8073
> REJECT loc net tcp 8073:60000
> REJECT loc net udp 1000:8073
> REJECT loc net udp 8073:60000
>
> Rules are not working on all local computers in office (also on my
> 192.168.0.22), shorewall is on a linux gateway to internet, for example I
> can''t login from other network to my remote desktop on local IP
> 192.168.0.22 (poort:3389), it was also working for 2 years time, I was
> loging from my home to office local comp:192.168.0.22 and working.
>
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
>
> root@bramka:/etc/shorewall# cat tcdevices | grep -v ^#
> eth1 4000kbit 500kbit
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
>
> root@bramka:/etc/shorewall# cat interfaces | grep -v ^#
> net eth1 83.14.53.15 #blacklist ## adres sieci
.8
> loc eth0 192.168.0.255 #maclist
#dhcp,maclist#,routeback
>
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
>
> root@bramka:/etc/shorewall# cat masq | grep -v ^#
> eth1 eth0
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
>
> root@bramka:/etc/shorewall# cat policy | grep -v ^#
> loc net ACCEPT ###
> net loc ACCEPT ###
> loc fw ACCEPT
> fw loc ACCEPT
> net fw ACCEPT ###
> fw net ACCEPT ###
> fw fw ACCEPT info
> net all DROP info
> all all REJECT info
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
> root@bramka:/etc/shorewall# cat zones | grep -v ^#
> net net
> loc loc
> dmz dmz
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
> Some parts of shorewall.conf file:
>
> LOGTAGONLY=No
> IPTABLES>
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> SHOREWALL_SHELL=/bin/sh
> SUBSYSLOCK=/var/lock/subsys/shorewall
> STATEDIR=/var/lib/shorewall
> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
> FW=fw
> IP_FORWARDING=On
> ADD_IP_ALIASES=Yes
> ADD_SNAT_ALIASES=No
> RETAIN_ALIASES=No
> TC_ENABLED=Internal
> CLEAR_TC=Yes
> MARK_IN_FORWARD_CHAIN=Yes
> CLAMPMSS=No
> ROUTE_FILTER=No
> DETECT_DNAT_IPADDRS=No
> MUTEX_TIMEOUT=60
> NEWNOTSYN=Yes
> ADMINISABSENTMINDED=Yes
> BLACKLISTNEWONLY=Yes
> DELAYBLACKLISTLOAD=No
> DISABLE_IPV6=Yes
> BRIDGING=No
> DYNAMIC_ZONES=No
> PKTTYPE=Yes
> DROPINVALID=No
> RFC1918_STRICT=No
> MACLIST_TTL=60
> SAVE_IPSETS=No
> CROSSBEAM=No
> CROSSBEAM_BACKBONE=eth0
> BLACKLIST_DISPOSITION=DROP
> MACLIST_DISPOSITION=REJECT
> TCP_FLAGS_DISPOSITION=DROP
>
> That rules was working for a long time, but no more from few
> days/week. Maybe it is a problem with iptables ?
>
>
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hello, Thanks for your answer. My local and external IP is still the same also I don''t have dhcp, IPs are stable. For example Also rules for P2P netrork (port redirection to my locak IP) are not working, nothing from rules file :/ ---------------------------------------------------- ATRAKCYJNE NIERUCHOMOŚCI W ZAKOPANEM !!! Apartamenty, Domy, Działki, Pensjonaty, Hotele, Lokale użytkowe... Kliknij: http://klik.wp.pl/?adr=www.bachledanieruchomosci.pl&sid=528 ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
Maciej wrote:> Hello, > > Thanks for your answer. My local and external IP is still the same also > I don''t have dhcp, IPs are stable. For example Also rules for P2P > netrork (port redirection to my locak IP) are not working, nothing from > rules file :/Then please send us the output of ''shorewall dump'' collected as described at http://www.shorewall.net/support.htm#Guidelines. -Tom -- Tom Eastep \ The ultimate result of shielding men from the Shoreline, \ effects of folly is to fill the world with fools. Washington, USA \ -Herbert Spencer http://shorewall.net \________________________________________________ ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hello,> Then please send us the output of ''shorewall dump'' collected as > described at http://www.shorewall.net/support.htm#Guidelines.I''ve tried to do connection from 77.88.136.100 to 83.14.52.12 (it is local 192.168.0.22) and also to 84.14.53.14 (by nat it is my internal 192.168.0.42). Earlier it was working, not now :( I''ve attached my dump file. Please help me. I''ve now cut my rules file to most importat rules, only for windows remote desktop: #user1 ACCEPT net loc:192.168.0.42 tcp 1:65535 ACCEPT net loc:192.168.0.42 udp 1:65535 ACCEPT loc:192.168.0.42 net tcp 1:65535 ACCEPT loc:192.168.0.42 net udp 1:65535 #user2 DNAT net loc:192.168.0.22:3389 tcp 3389 DNAT net loc:192.168.0.22:3389 udp 3389 ACCEPT loc:192.168.0.22 net tcp 3389 ACCEPT loc:192.168.0.22 net udp 3389 -- best wishes from Poland, Maciej Kurkiewicz ICQ: 3385742 ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hello
And more informations:
I''ve restarted shorewall and I''ve tried to connect to
83.14.53.12
(from other network with external 77.88.136.100, it was always
working)
root@bramka:/etc/shorewall# shorewall show nat
Shorewall 4.2.0 NAT Table at bramka - Thu Nov 6 20:03:39 CET 2008
Counters reset Thu Nov 6 20:02:21 CET 2008
Chain PREROUTING (policy ACCEPT 1875 packets, 195K bytes)
pkts bytes target prot opt in out source destination
240 23212 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0
238 23108 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 268 packets, 22466 bytes)
pkts bytes target prot opt in out source destination
485 27178 eth1_out all -- * eth1 0.0.0.0/0 0.0.0.0/0
464 26136 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
104 13988 DNAT all -- * * 0.0.0.0/0 83.14.53.14
to:192.168.0.42
Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
464 26136 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0
Chain eth1_out (1 references)
pkts bytes target prot opt in out source destination
21 1042 SNAT all -- * * 192.168.0.42 0.0.0.0/0
to:83.14.53.14
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
2 104 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3389 to:192.168.0.22:3389
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:3389 to:192.168.0.22:3389
I''ve tried conect also from other networks where it is always working,
it isn''t now :(
--
best wishes from Poland,
Maciej Kurkiewicz
ICQ: 3385742
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
viuwier wrote:> Hello > > And more informations: > > I''ve restarted shorewall and I''ve tried to connect to 83.14.53.12There is no DNAT rule for packets addressed to 82.14.53 12 -- only for 83.14.53.14. -Tom -- Tom Eastep \ The ultimate result of shielding men from the Shoreline, \ effects of folly is to fill the world with fools. Washington, USA \ -Herbert Spencer http://shorewall.net \________________________________________________ ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hello, And sth more, sorry for lots of messages ;) I can see something interesting in: /var/log/syslog kernel: Ingress scheduler: Classifier actions prefered over netfilter It is listed on the same time when I am trying to connect to my remote desktop. -- best wishes from Poland, Maciej Kurkiewicz ICQ: 3385742 ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
viuwier wrote:> Hello, > > And sth more, sorry for lots of messages ;) > > I can see something interesting in: /var/log/syslog > kernel: Ingress scheduler: Classifier actions prefered over netfilter > > It is listed on the same time when I am trying to connect to my > remote desktop. >That has nothing to do with any connection problems. -Tom -- Tom Eastep \ The ultimate result of shielding men from the Shoreline, \ effects of folly is to fill the world with fools. Washington, USA \ -Herbert Spencer http://shorewall.net \________________________________________________ ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
Witaj Tom, Dnia 6 listopada 2008 (20:53:16) Na temat "[Shorewall-users] rules file is not working" begin message:> viuwier wrote: >> Hello >> >> And more informations: >> >> I''ve restarted shorewall and I''ve tried to connect to 83.14.53.12> There is no DNAT rule for packets addressed to 82.14.53 12 -- only for > 83.14.53.14.Yes, I''ve changed it and tried to connect to 53.14, I have few IP adresses, but aso it is no working, now I have in rules only: #Maciek rules: DNAT net loc:192.168.0.42:3389 tcp 3389 - DNAT net loc:192.168.0.42:3389 udp 3389 - ACCEPT loc:192.168.0.42 net tcp 3389 - ACCEPT loc:192.168.0.42 net udp 3389 - -- best wishes from Poland, Maciej Kurkiewicz ICQ: 3385742 ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
viuwier wrote:> Witaj Tom, > > Dnia 6 listopada 2008 (20:53:16) > Na temat "[Shorewall-users] rules file is not working" > begin message: > >> viuwier wrote: >>> Hello >>> >>> And more informations: >>> >>> I''ve restarted shorewall and I''ve tried to connect to 83.14.53.12 > >> There is no DNAT rule for packets addressed to 82.14.53 12 -- only for >> 83.14.53.14. > > Yes, I''ve changed it and tried to connect to 53.14, I have few IP > adresses, but aso it is no working, now I have in rules only: > > #Maciek rules: > DNAT net loc:192.168.0.42:3389 tcp 3389 - > DNAT net loc:192.168.0.42:3389 udp 3389 - > > ACCEPT loc:192.168.0.42 net tcp 3389 - > ACCEPT loc:192.168.0.42 net udp 3389 - > >tcp 6 103 SYN_SENT src=77.88.136.100 dst=83.14.53.12 sport=49212 dport=3389 [UNREPLIED] src=192.168.0.22 dst=77.88.136.100 sport=3389 dport=49212 use=1 The firewall has sent the SYN packet to 192.168.0.22 who has not responded. You must be changing things faster than I can read your posts since you will notice that the port was being forward to .22 in the dump you sent while now you claim to be forwarding the connections to .42. -Tom -- Tom Eastep \ The ultimate result of shielding men from the Shoreline, \ effects of folly is to fill the world with fools. Washington, USA \ -Herbert Spencer http://shorewall.net \________________________________________________ ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hello Tom> The firewall has sent the SYN packet to 192.168.0.22 who has not > responded. You must be changing things faster than I can read your posts > since you will notice that the port was being forward to .22 in the dump > you sent while now you claim to be forwarding the connections to .42.Sorry for changing, thanks for your help ! Now my rules file: #Maciek rules: DNAT net loc:192.168.0.42:3389 tcp 3389 - DNAT net loc:192.168.0.42:3389 udp 3389 - ACCEPT loc:192.168.0.42 net tcp 3389 - ACCEPT loc:192.168.0.42 net udp 3389 - Now there is nothing in nat file. And I''ve tried to connect to 83.14.53.12 (it is my gateway to local network with computer 192.168.0.42), connection no working: root@bramka:/etc/shorewall# shorewall show nat Shorewall 4.2.0 NAT Table at bramka - Thu Nov 6 21:13:40 CET 2008 Counters reset Thu Nov 6 21:12:47 CET 2008 Chain PREROUTING (policy ACCEPT 464 packets, 36501 bytes) pkts bytes target prot opt in out source destination 85 6586 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0 Chain POSTROUTING (policy ACCEPT 2 packets, 105 bytes) pkts bytes target prot opt in out source destination 343 19963 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain eth1_masq (1 references) pkts bytes target prot opt in out source destination 343 19963 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0 Chain net_dnat (1 references) pkts bytes target prot opt in out source destination 1 52 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:192.168.0.42:3389 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3389 to:192.168.0.42:3389 My new dup file is attached. Earlier it was always working :( P.S. By mistake I''ve replied on your e-mail adress, sory for that. -- best wishes from Poland, Maciej Kurkiewicz ICQ: 3385742 ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hello,
And today the same ot the same shorewall settings, can''t connect to
3389.
root@bramka:/# shorewall show nat
Shorewall 4.2.0 NAT Table at bramka - Fri Nov 7 11:23:12 CET 2008
Counters reset Fri Nov 7 11:18:21 CET 2008
Chain PREROUTING (policy ACCEPT 2536 packets, 209K bytes)
pkts bytes target prot opt in out source destination
133 8304 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 13 packets, 1084 bytes)
pkts bytes target prot opt in out source destination
1741 108K eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 11 packets, 979 bytes)
pkts bytes target prot opt in out source destination
Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
1738 108K MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
1 52 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3389 to:192.168.0.42:3389
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:3389 to:192.168.0.42:3389
And now file status attached.
--
Maciej K. aka Sesjusz
www.mkhobby.com
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Viuwier wrote:> Hello, > > And today the same ot the same shorewall settings, can''t connect to > 3389. > > root@bramka:/# shorewall show nat > Shorewall 4.2.0 NAT Table at bramka - Fri Nov 7 11:23:12 CET 2008 > > Counters reset Fri Nov 7 11:18:21 CET 2008 > > Chain PREROUTING (policy ACCEPT 2536 packets, 209K bytes) > pkts bytes target prot opt in out source destination > 133 8304 net_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0 > > Chain POSTROUTING (policy ACCEPT 13 packets, 1084 bytes) > pkts bytes target prot opt in out source destination > 1741 108K eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0 > > Chain OUTPUT (policy ACCEPT 11 packets, 979 bytes) > pkts bytes target prot opt in out source destination > > Chain eth1_masq (1 references) > pkts bytes target prot opt in out source destination > 1738 108K MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0 > > Chain net_dnat (1 references) > pkts bytes target prot opt in out source destination > 1 52 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:192.168.0.42:3389 > 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3389 to:192.168.0.42:3389 > > > And now file status attached.Please follow the Port Forwarding troubleshooting tips in Shorewall FAQs 1a and 1b and stop posting these dumps too the list. WE CAN''T HELP YOU UNTIL YOU HELP YOURSELF. From the dumps, it looks like the firewall is behaving correctly! Do you have ANY evidence that the problem is even in your firewall? Or did you just start madly changing the firewall configuration when things suddenly didn''t work? -Tom -- Tom Eastep \ The ultimate result of shielding men from the Shoreline, \ effects of folly is to fill the world with fools. Washington, USA \ -Herbert Spencer http://shorewall.net \________________________________________________ ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer''s challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/