----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Gary Gale" <gary@vicchi.org>
Sent: Monday, March 11, 2002 11:48 AM
Subject: Re: [Shorewall-users] Firewall and Port Forward Clash?

> Gary,
>
> ----- Original Message -----
> From: "Gary Gale" <gary@vicchi.org>
> To: "Shorewall Users List" <shorewall-users@shorewall.net>
> Sent: Monday, March 11, 2002 11:02 AM
> Subject: [Shorewall-users] Firewall and Port Forward Clash?
>
> > But I digress; I'm able to successfully receive incoming connections on
> > _some_ ports, such as port 25, but not on others, especially port 80, which
> > is proving a bit of a hurdle where hosting a web site is concerned.
> >
> > I adopted my shorewall configuration from the sample "two interface" scripts
> > and thus far have only modified the contents of /etc/shorewall/params.
> >
> > The firewall box is dual NIC'd, the external NIC is DHCP controlled and the
> > internal NIC is 192.168.1.200. I'm only forwarding to a single host
> > (192.168.1.1) for SMTP, HTTP and SSH services (I haven't tested inbound SSH
> > connections yet so I can't vouch for their validity).
> >
> > I can't seem to access my web server on port 80 from internally, via my
> > external IP or externally, say from work; only via the internal interface.
> >
> > Am I missing something (likely) or has my cable ISP been sneaky and blocked
> > port 80?
>
> The part about not being able to access your server internally via the
> external address is FAQ #2 - http://www.shorewall.net/FAQ.htm#faq2.
>
> I suspect that your ISP is blocking inbound port 80 so you may have to use
> another port and forward that port to port 80.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Gary Gale" <gary@vicchi.org>
Sent: Monday, March 11, 2002 12:49 PM
Subject: Re: [Shorewall-users] Firewall and Port Forward Clash?

> You can also run tcpdump on your firewall while someone is trying to connect
> to your web server:
>
> tcpdump -ni ethX port 80
>
> where ethX is your external interface. If you see packets from the client to
> your firewall's port 80 then the problem is in or behind your firewall. If
> you don't see any such packets then your ISP is blocking them.
>
> Another thing that you can do is "shorewall show net" and see if the packet
> count is non-zero in the entry in the PREROUTING table for port 80 -- if it
> is zero after someone has tried to connect, your ISP is blocking that port.
>
> -Tom
>
> ----- Original Message -----
> From: "Gary Gale" <gary@vicchi.org>
> To: "Tom Eastep" <teastep@shorewall.net>
> Sent: Monday, March 11, 2002 12:08 PM
> Subject: Re: [Shorewall-users] Firewall and Port Forward Clash?
>
> > Tom,
> >
> > thanks for the prompt response ...
> >
> > > The part about not being able to access your server internally via the
> > > external address is FAQ #2 - http://www.shorewall.net/FAQ.htm#faq2.
> >
> > I did see this when I was trying to RTFM but apparently it didn't make the
> > right connections in the old brain cells so I totally misinterpreted it -
> > I've since re-read this and now I see what you're getting at.
> >
> > > I suspect that your ISP is blocking inbound port 80 so you may have to use
> > > another port and forward that port to port 80.
> >
> > The strange thing is that I can't find any reference to port blocking tactics
> > by my ISP on the official or unofficial FAQs. I'll try and get a colleague to
> > probe my firewall from his ISP and see what he comes up with. If BlueYonder
> > _are_ blocking port 80 then I'll try 8080 before going into real
> > "non-standard" territory.
> >
> > Thanks also for the comments about the redundant UDP ports - I should have
> > known better but I guess I was fried from too much caffeine when I modified
> > /etc/shorewall/params that time!
> >
> > Finally, shorewall's really impressed me - whilst my firewalling knowledge is
> > not so good (but you guessed that) I'm learning all the time here; you've
> > done a great job on this; so I guess I'd just like to say "thanks".
> >
> > Gary
> >
> > --
> >
> > Gary Gale / Vicchi.Org gary at vicchi dot org
> >
> > "There are two major products that come out of Berkeley; LSD
> > and UNIX. We don't believe this to be a coincidence."
> >
> > "The box said 'requires Windows 98 or better' so I installed Linux."
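The tcpdump check Tom describes, carried through offline on a saved capture. This is an added example and not code from the thread or from the Shorewall project: it applies the thread's rule (SYNs from an outside client reaching the external interface on port 80 mean the problem is in or behind the firewall; none arriving means the upstream is dropping them) and additionally looks for the firewall's SYN-ACK reply, which the thread does not mention, to separate "arrived but unanswered" from "answered". The capture lines are constructed in the one-line TCP form tcpdump prints with -n; 198.51.100.7 (firewall external address), 203.0.113.5 (outside client) and 192.0.2.9 are documentation addresses.

```python
"""Offline triage of a tcpdump capture taken on the firewall's external
interface (e.g. output of: tcpdump -ni ethX port 80).

Added example, not part of the mailing list thread or Shorewall.
All capture lines below are constructed; the addresses are documentation
ranges, not real hosts.
"""
import re
from collections import Counter

# Matches tcpdump's one-line TCP summary printed with -n (no name resolution):
# "12:49:01.000001 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 1, ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

FIREWALL_IP = "198.51.100.7"   # constructed: the firewall's external address

# Constructed capture: port 25 reaches the firewall and is answered, port 80
# reaches the firewall (two SYN retransmits) but is never answered, and the
# last line is an unrelated outbound connection from the firewall itself.
SAMPLE_CAPTURE = """\
12:49:01.000001 IP 203.0.113.5.51234 > 198.51.100.7.25: Flags [S], seq 100, win 64240, length 0
12:49:01.000200 IP 198.51.100.7.25 > 203.0.113.5.51234: Flags [S.], seq 200, ack 101, win 5840, length 0
12:49:02.000001 IP 203.0.113.5.51235 > 198.51.100.7.80: Flags [S], seq 300, win 64240, length 0
12:49:03.000001 IP 203.0.113.5.51235 > 198.51.100.7.80: Flags [S], seq 300, win 64240, length 0
12:49:05.000001 IP 198.51.100.7.40000 > 192.0.2.9.80: Flags [S], seq 400, win 5840, length 0
"""

# How to read each verdict, in the terms the thread uses.
EXPLANATION = {
    "none_arrived": "no inbound SYNs reached the external interface: the ISP "
                    "(or something upstream) is dropping the port",
    "no_reply": "SYNs reached the firewall but it never answered: the problem "
                "is in or behind the firewall (rules, DNAT target, the server)",
    "answered": "SYNs reached the firewall and it replied: forwarding works "
                "at the TCP level",
}


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for each TCP summary line;
    lines in any other form (ARP, ICMP, truncated output) are skipped."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def inbound_syn_counts(text, firewall_ip, port):
    """Count pure SYNs (Flags [S], not the [S.] reply) addressed to
    firewall_ip:port, keyed by client address. Outbound SYNs sent by the
    firewall itself are excluded because their destination is not the firewall."""
    counts = Counter()
    for src, _sport, dst, dport, flags in parse_capture(text):
        if dst == firewall_ip and dport == port and flags == "S":
            counts[src] += 1
    return counts


def verdict(text, firewall_ip, port):
    """Apply the thread's decision rule, plus the SYN-ACK check."""
    arrived = inbound_syn_counts(text, firewall_ip, port)
    if not arrived:
        return "none_arrived"
    # With DNAT in place the reply still leaves the external interface with
    # the firewall's address and the service port as its source.
    answered = any(
        src == firewall_ip and sport == port and flags == "S."
        for src, sport, _dst, _dport, flags in parse_capture(text)
    )
    return "answered" if answered else "no_reply"


if __name__ == "__main__":
    for port in (25, 80):
        code = verdict(SAMPLE_CAPTURE, FIREWALL_IP, port)
        print("port %d: %s (%s)" % (port, code, EXPLANATION[code]))
```

Feed it a capture taken with `tcpdump -ni ethX port 80` (or `-w` a file and `tcpdump -nr` it back) while a colleague connects from outside; the `none_arrived` verdict is the "zero packets in PREROUTING" case from the thread, and `no_reply` is where to start checking the DNAT rule and the internal host.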