Ok take it easy on me, it's like 3am and I've been working on this problem all day. Here it goes: I have successfully set up shorewall 1.3 and am using DNAT to pass my smtp traffic from an external email server to an internal one. My problem is that I also need to use DNAT to access the webmail system located on the same server. The smtp traffic comes across fine but nothing can get through on port 80.

rules file

DNAT net loc:192.168.1.10 tcp 80 - 192.168.25.11
DNAT net loc:192.168.1.10 tcp smtp -

*note that 192.168.25.11 is NAT'ed to an externally accessible ip address
also the smtp dnat rule passes the email no problem

list of ip addresses using ip address ls

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:e8:9e:b9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.1/24 brd 192.168.25.255 scope global eth0
    inet 192.168.25.11/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:18:61:54:86 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1

I have no other rules set up in the rules file and most of the rest of the configuration is default or at least the recommended configuration. Please let me know if anything else would be helpful in diagnosing my problem.

B
On Fri, 28 Jun 2002, Big Brother wrote:

> Ok take it easy on me, it's like 3am and I've been working on this problem all day. Here it goes: I have
> successfully set up shorewall 1.3 and am using DNAT to pass my smtp traffic from an external email
> server to an internal one. My problem is that I also need to use DNAT to access the webmail system
> located on the same server. The smtp traffic comes across fine but nothing can get through on port 80.
>
> rules file
>
> DNAT net loc:192.168.1.10 tcp 80 - 192.168.25.11
> DNAT net loc:192.168.1.10 tcp smtp -
>
> *note that 192.168.25.11 is NAT'ed to an externally accessible ip address

Then the rule that you want is:

DNAT net loc:192.168.25.11 tcp 80

> I have no other rules set up in the rules file and most of the rest of the configuration is default or
> at least the recommended configuration. Please let me know if anything else would be helpful in
> diagnosing my problem.

The above rule should fix you up.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On Fri, 28 Jun 2002, Big Brother wrote:

> Ok take it easy on me, it's like 3am and I've been working on this problem
> all day. Here it goes: I have successfully set up shorewall 1.3 and am
> using DNAT to pass my smtp traffic from an external email server to an
> internal one. My problem is that I also need to use DNAT to access the
> webmail system located on the same server. The smtp traffic comes across
> fine but nothing can get through on port 80.

Please disregard my earlier post -- I wasn't awake yet myself.

If I understand correctly, 192.168.25.11 is NAT'ed by some external router to an internet-accessible IP. Furthermore, from a system outside your local network, you are unable to connect to that external IP's TCP port 80. Is that correct?

> rules file
>
> DNAT net loc:192.168.1.10 tcp 80 - 192.168.25.11
> DNAT net loc:192.168.1.10 tcp smtp -
>
> *note that 192.168.25.11 is NAT'ed to an externally accessible ip address

The rule that you have set up is correct.

> also the smtp dnat rule passes the email no problem
>
> list of ip addresses using ip address ls
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:bf:e8:9e:b9 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.25.1/24 brd 192.168.25.255 scope global eth0
>     inet 192.168.25.11/32 scope global eth0

Duh -- there's the external IP address.

> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:e0:18:61:54:86 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
>
> I have no other rules set up in the rules file and most of the rest of
> the configuration is default or at least the recommended configuration.
> Please let me know if anything else would be helpful in diagnosing my
> problem.

Please confirm that:

a) You are trying to connect from OUTSIDE your local network.
b) Your ISP does not block incoming connection requests on TCP port 80.

You can confirm this yourself by trying to connect to that port, then look at the output from "shorewall show nat". If you don't see any packet count for the DNAT rule for TCP port 80, then your firewall isn't seeing the connection requests.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
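A small diagnostic in the spirit of Tom's "shorewall show nat" check, added here as an example and not part of the original thread: it reads the packet-counter column of iptables-style NAT chain output and reports whether the port-80 DNAT rule has matched anything. The chain name, counters and `to:` target in the sample are constructed for this example, not copied from the poster's firewall.

```shell
#!/bin/sh
# Added example: interpret "shorewall show nat" / "iptables -t nat -L -nv" output.
# SAMPLE_NAT_OUTPUT is constructed for this example; the chain name "net_dnat",
# the counters and the "to:" address are assumptions, not the poster's real output.
SAMPLE_NAT_OUTPUT='Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
  142  8520 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.25.11        tcp dpt:25 to:192.168.1.10
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.25.11        tcp dpt:80 to:192.168.1.10'

# dnat_pkts PORT [OUTPUT]
# Print the pkts counter of the DNAT rule matching "tcp dpt:PORT" in OUTPUT
# (defaults to the constructed sample). Prints "none" if no such rule exists.
dnat_pkts() {
    port=$1
    out=${2:-$SAMPLE_NAT_OUTPUT}
    printf '%s\n' "$out" | awk -v port="$port" '
        BEGIN { want = "dpt:" port }
        # Column 3 is the target; the dpt:NN match is further right on the line.
        $3 == "DNAT" {
            for (i = 4; i <= NF; i++)
                if ($i == want) { print $1; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# dnat_status PORT [OUTPUT]
# Turn the counter into the troubleshooting conclusion Tom describes:
# a rule with zero hits means the firewall never saw the connection requests.
dnat_status() {
    n=$(dnat_pkts "$1" "$2")
    case $n in
        none) echo "no DNAT rule for tcp port $1 in this chain" ;;
        0)    echo "DNAT rule for tcp port $1 present, 0 packets: firewall is not seeing the requests (test from outside; check upstream filtering)" ;;
        *)    echo "DNAT rule for tcp port $1 matched $n packets: NAT is firing; look at the internal server or the loc policy instead" ;;
    esac
}

# Stand-alone run against the constructed sample.
dnat_status 25
dnat_status 80
dnat_status 443
```

On a live firewall, substitute `"$(iptables -t nat -L -nv)"` (or the output of `shorewall show nat`) for the second argument.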