Hi

I would like to know what is the minimal setup of the config files to allow port forwarding from an external address (xxx.xxx.xxx.41) to an internal address (10.40.0.201).

I have these lines in my nat config file:

xxx.xxx.xxx.41  eth0  10.40.0.201  no  no
xxx.xxx.xxx.42  eth0  10.40.0.201  no  no
xxx.xxx.xxx.43  eth0  10.40.0.201  no  no

I added this to the top of my rules config file:

ACCEPT  net  loc:10.40.0.201  -  xxx.xxx.xxx.41

I have the following in my masq config file:

eth0  eth1

My interfaces config file has the following:

net  eth0  detect  noping
loc  eth1  detect  routestopped

I am still unable to telnet to port 25 on xxx.xxx.xxx.41, which should connect to port 25 on 10.40.0.201.

Please advise if I am missing anything and if there is anything else I can check. Please advise if I may send any other config file info that may be missing above.

Thank you
Quentin
----- Original Message -----
From: <qtockar@myiafrica.com>

> I would like to know what is the minimal setup of the config files to allow
> port forwarding from an external address (xxx.xxx.xxx.41) to an internal
> Address (10.40.0.201).

Probably, if you want only port(25) forward from ip.ext to ip.int, put:

ACCEPT net loc:ip.int:80 tcp 80 - ip.ext

into rules config file.

-------
Dario Lesca (d.lesca@osra.it)
----- Original Message -----
From: "Dario Lesca" <d.lesca@ivrea.osra.it>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, March 27, 2002 6:24 AM
Subject: Re: [Shorewall-users] Port Forwarding problem

> ----- Original Message -----
> From: <qtockar@myiafrica.com>
>
> > I would like to know what is the minimal setup of the config files to
> > allow port forwarding from an external address (xxx.xxx.xxx.41) to an
> > internal Address (10.40.0.201).
>
> Probably, if you want only port(25) forward from ip.ext to ip.int, put:
>
> ACCEPT net loc:ip.int:80 tcp 80 - ip.ext
>
> into rules config file.
>

Port 25? That rule works well for port 80 :-)

-Tom
Hi Dario

I tried that but no luck. I am still unable to telnet onto port 25. I am testing from another machine which is on the same subnet as eth0.

Is it true that the default IP on eth0 can't be NATted?

Any other ideas what might be wrong on my side?

Thanks
Quentin
Quentin,

----- Original Message -----
From: <qtockar@myiafrica.com>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, March 27, 2002 6:57 AM
Subject: [Shorewall-users] RE: Port Forwarding problem

> Hi Dario
>
> I tried that but no luck I am still unable to Telnet onto port 25. I am
> testing from another machine which is on the same subnet as eth0.
>
> Is it true that the default IP on eth0 can't be NATted?
>
> Any other ideas what might be wrong on my side
>

As I mentioned in my private message to you, you have a bewildering set of config files.

a) You are trying to use many-to-one static NAT as shown by your /etc/shorewall/nat file. Static NAT is one-to-one.

b) YOU DO NOT NEED ANY ENTRIES IN THE NAT FILE TO FORWARD PORTS! You only need a rule such as Dario gave you; that is also described in FAQ #1 (http://www.shorwall.net/FAQ.htm#faq1).

c) If you take the default set of config files that come with Shorewall and configure your /etc/shorewall/interfaces file as you have already done, then adding a rule like Dario sent you is ALL YOU NEED to forward a port.

d) You can not apply static NAT to the default IP on your eth0, but you can forward ports using simple rules (again, refer to Dario's post and FAQ #1); again, you don't need to have entries in the nat file to forward ports.

-Tom
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>

> Port 25? That rule works well for port 80 :-)

Ooppss! ... cut&paste .... ;-)

-------
Dario Lesca (d.lesca@osra.it)
Hi guys

Thanks for the previous advice. I tried exactly that and still can't connect. I can't get my finger on what is missing. I added this line to the end of my rules config file:

ACCEPT net loc:10.40.0.201:25 tcp 25 -xxx.xxx.xxx.40

and this is my interfaces config file:

net eth0 detect
loc eth1 detect

That is all I changed from the default installation. Anything else I can check?

Thanks once again for your assistance

regards
Quentin
On Thu, 28 Mar 2002 12:14:45 +0200
"qtockar@myiafrica.com" <qtockar@myiafrica.com> wrote:

q> Thanks for the previous advice. I tried exactly that and still can't
q> connect. I can't get my finger on what is missing. I added this line to the
q> end of my rules config file:
q>
q> ACCEPT net loc:10.40.0.201:25 tcp 25 -xxx.xxx.xxx.40

There should be a space after "-", I think it is a typo?

I don't remember your problem, but I'd suggest first checking another port (ssh for example), as your mail server could be listening only on the local interface (as is by default in the RH 7.x sendmail configuration).

Regards,
Nerijus
Hi

Here is the log of the connection:

Mar 28 12:21:41 fire kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:10:b5:07:5f:69:00:10:b5:79:76:7e:08:00 SRC=xxx.xxx.xxx.222 DST=xxx.xxx.xxx.40 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1669 DF PROTO=TCP SPT=1212 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0

I see that it is rejecting this connection, yet I have an ACCEPT rule for it in the rules file.

regards
Quentin
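The log line above is the most useful piece of evidence in the thread, so here is an added example (not from the thread or from Shorewall itself) that parses a Shorewall kernel log entry into its "Shorewall:<chain>:<disposition>:" prefix, its key=value fields and its bare flags (DF, SYN). The sample input is the line Quentin posted, with the masked addresses left as they are; the helper names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the exact line from the thread, masked addresses kept.
SAMPLE_LOG = (
    "Mar 28 12:21:41 fire kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "MAC=00:10:b5:07:5f:69:00:10:b5:79:76:7e:08:00 SRC=xxx.xxx.xxx.222 "
    "DST=xxx.xxx.xxx.40 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1669 DF "
    "PROTO=TCP SPT=1212 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0"
)

# Shorewall's log prefix: "Shorewall:<chain>:<disposition>:" followed by
# the standard netfilter key=value dump.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")


@dataclass
class ShorewallEvent:
    chain: str                      # e.g. "all2all", "net2loc"
    disposition: str                # e.g. "REJECT", "DROP", "ACCEPT"
    fields: Dict[str, str] = field(default_factory=dict)   # IN, OUT, SRC, DPT ...
    flags: List[str] = field(default_factory=list)         # DF, SYN, ACK ...


def parse_shorewall_log(line: str) -> Optional[ShorewallEvent]:
    """Return a ShorewallEvent for a Shorewall log line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    ev = ShorewallEvent(m.group("chain"), m.group("disposition"))
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            ev.fields[key] = value      # value is "" for "OUT=" on a locally delivered packet
        else:
            ev.flags.append(tok)        # valueless tokens are TCP/IP flags
    return ev


def is_local_delivery(ev: ShorewallEvent) -> bool:
    """In a filter-table log entry an empty OUT= means the packet was being delivered
    to the firewall host itself (INPUT path) rather than forwarded."""
    return ev.fields.get("OUT", "") == ""


def summarize(ev: ShorewallEvent) -> str:
    """One-line human summary of the event for a quick read of the log."""
    f = ev.fields
    path = "to firewall itself" if is_local_delivery(ev) else f"forwarded out {f['OUT']}"
    return (f"{ev.chain} {ev.disposition}: in {f.get('IN', '?')} ({path}) "
            f"{f.get('PROTO', '?')} {f.get('SRC', '?')}:{f.get('SPT', '?')} -> "
            f"{f.get('DST', '?')}:{f.get('DPT', '?')} flags={','.join(ev.flags)}")


if __name__ == "__main__":
    event = parse_shorewall_log(SAMPLE_LOG)
    print(summarize(event))
```

Reading the parsed fields is what a practitioner checks first: the chain that logged the packet (here the catch-all all2all policy chain rather than a zone-pair chain), the interface it arrived on (IN=eth1, the loc side, not eth0 as the test setup described), and whether OUT= is empty (the packet was addressed to the firewall host itself). Those three facts decide which rules file and which zone pair the ACCEPT rule has to match.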
----- Original Message -----
From: <qtockar@myiafrica.com>
To: <shorewall-users@shorewall.net>
Sent: Thursday, March 28, 2002 2:14 AM
Subject: [Shorewall-users] RE:Port Forwarding Problem

> Hi guys
>
> Thanks for the previous advice. I tried exactly that and still can't
> connect. I can't get my finger on what is missing. I added this line to the
> end of my rules config file:
>
> ACCEPT net loc:10.40.0.201:25 tcp 25 -xxx.xxx.xxx.40
>
> and this is my interfaces config file:
>
> net eth0 detect
> loc eth1 detect
>
> That is all I changed from the default Installation. Anything else I can
> check?
>

Are you running your mail server on RedHat? In the default configuration, RedHat listens on address 127.0.0.1.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
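Both Nerijus and Tom point at the same caveat: a port forward cannot work if the daemon behind it only listens on 127.0.0.1. The added example below (mine, not from the thread) turns that check into code: it parses `netstat -ltn` / `ss -ltn` style listener output and reports, per port, whether the service is bound to loopback only, to a reachable address, or not at all. The listener table is constructed sample output; the function names are my own.

```python
import ipaddress
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample in `netstat -ltn` layout: sendmail bound to loopback only
# (IPv4 and IPv6), sshd and a web server bound to all interfaces.
SAMPLE_LISTENERS = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 ::1:25                  :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
"""

# Wildcard spellings used by netstat and ss for "any address".
WILDCARDS = {"*", "0.0.0.0", "::", ""}


def _split_addr(token: str) -> Optional[Tuple[str, int]]:
    """Split 'host:port' (IPv4, IPv6, '[::]:port', '*:port'); None if no numeric port."""
    host, sep, port = token.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)


def local_listeners(output: str) -> Dict[int, List[str]]:
    """Map listening port -> list of local addresses bound to it.

    Works for both `netstat -ltn` and `ss -ltn` output: the first
    address:port token on each row is the local socket in either layout,
    and the header row is skipped because 'Address:Port' has no numeric port.
    """
    listeners: Dict[int, List[str]] = {}
    for line in output.splitlines():
        for token in line.split():
            parsed = _split_addr(token)
            if parsed:
                host, port = parsed
                listeners.setdefault(port, []).append(host)
                break
    return listeners


def _reachable_from_network(host: str) -> bool:
    """True unless the address is a loopback address."""
    if host in WILDCARDS:
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True   # unrecognised form: assume exposed rather than silently hide it


def exposure(output: str, port: int) -> str:
    """'not-listening', 'loopback-only' or 'reachable-from-network' for a port."""
    hosts = local_listeners(output).get(port, [])
    if not hosts:
        return "not-listening"
    if any(_reachable_from_network(h) for h in hosts):
        return "reachable-from-network"
    return "loopback-only"


def live_exposure(port: int) -> str:
    """Run `ss -ltn` on this host and classify the port; falls back to the sample."""
    try:
        out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_LISTENERS
    return exposure(out, port)


if __name__ == "__main__":
    for p in (25, 22, 80, 443):
        print(p, exposure(SAMPLE_LISTENERS, p))
```

Run the check on the internal host (10.40.0.201 in the thread), not on the firewall: a forwarded SYN that reaches a daemon bound only to 127.0.0.1 is answered with a RST, which looks exactly like a firewall problem from the outside.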