Kreshimir Shantek
2002-Oct-21 09:50 UTC
[Shorewall-users] Server publishing with DNAT (part 2)?
I posted this before, but I still have a problem with server publishing. My network configuration:

> -----------------------------------
> I have a problem with publishing a web server with shorewall.
> I have:
>
> eth0, IP:192.168.100.1, NM:255.255.255.0
> eth1, IP:207.46.230.1, NM:255.255.255.0
>
> web server IP: 192.168.100.2
>
> I want to make web server visible at IP 207.46.230.1.
>
> /etc/shorewall/rules:
> DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.1
>
> /etc/shorewall/masq
> eth0 0.0.0.0/0
>
> e0 is a zone associated with eth0, e1 is a zone associated with eth1
>
> I can see a web server published at 207.46.230.1 from all PCs
> on 207.46.230.x subnet, but I can't see it from the rest of the internet.
>
> What might be a problem?

> Your ISP is blocking incoming HTTP connections?
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net

No, it seems I messed something up with routes.

I did this and that in the meantime, and now I can't see the published web server at all. :|

- I can ping the machine from anywhere
- In the log file I now get FORWARD:REJECT entries instead of the DNAT: entries I was getting before.

Btw. is it necessary to enable masquerading from eth1 to eth0 when I'm doing DNAT? Just in case, I enabled masquerading from anywhere to everywhere:

/etc/shorewall/masq:
eth0 0.0.0.0/0
eth1 0.0.0.0/0

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq: 12895929
-------------------- H T h i n e t - - W e b M a i l --------------------
This message was sent using the HThinet WebMail service.
https://webmail.hinet.hr
Kreshimir Shantek wrote:
> I posted this before, but I still have a problem with
> server publishing. My network configuration:
>
>> -----------------------------------
>> I have a problem with publishing a web server with shorewall.
>> I have:
>>
>> eth0, IP:192.168.100.1, NM:255.255.255.0
>> eth1, IP:207.46.230.1, NM:255.255.255.0
>>
>> web server IP: 192.168.100.2
>>
>> I want to make web server visible at IP 207.46.230.1.
>>
>> /etc/shorewall/rules:
>> DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.1
>>
>> /etc/shorewall/masq
>> eth0 0.0.0.0/0
>>
>> e0 is a zone associated with eth0, e1 is a zone associated with eth1
>>
>> I can see a web server published at 207.46.230.1 from all PCs
>> on 207.46.230.x subnet, but I can't see it from the rest of the internet.
>>
>> What might be a problem?
>
>> Your ISP is blocking incoming HTTP connections?
>>
>> -Tom
>> --
>> Tom Eastep \ Shorewall - iptables made easy
>> AIM: tmeastep \ http://www.shorewall.net
>> ICQ: #60745924 \ teastep@shorewall.net
>
> No, it seems I messed something up with routes.
>
> I did this and that in the meantime, and now I can't see the
> published web server at all. :|
>
> - I can ping the machine from anywhere
> - In the log file I now get FORWARD:REJECT entries instead of the DNAT: entries I was
> getting before.

Please see http://www.shorewall.net/FAQ.htm#faq17. Logging out of the FORWARD or INPUT chain almost always means that your zone definitions are incorrect (99% of the time, it is a problem with the hosts file and in most of those cases, an EMPTY hosts file is the correct hosts file).

> Btw. is it necessary to enable masquerading from eth1 to eth0 when I'm
> doing DNAT? Just in case, I enabled masquerading from anywhere to everywhere:
>
> /etc/shorewall/masq:
> eth0 0.0.0.0/0
> eth1 0.0.0.0/0
>

NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......

Put that back the way that it should be. It sounds like you keep fiddling with your configuration without a good idea of what you are doing and have it pretty well messed up.

Port forwarding is really very simple and when it doesn't work, there will be a simple answer. See my response this morning to the post entitled "Can Shorewall be configured to let Citrix g o (sic) thru" for some tips on diagnosing DNAT problems.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
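Tom's diagnosis above (entries logged from the built-in FORWARD or INPUT chain point at the zone definitions, while a DNAT: entry only shows that the nat rule fired) can be checked mechanically against the log. The following is an added example, not code from the thread or from Shorewall: it parses kernel log lines carrying Shorewall's `Shorewall:<chain>:<disposition>:` prefix, counts entries per chain, flags anything logged from a built-in netfilter chain, and correlates a DNAT entry with a later FORWARD rejection of the same flow. The log lines are constructed for the example (timestamps, addresses, and the `e12e0` chain name, which assumes Shorewall's `<src>2<dst>` chain naming); the original poster's real logs are not on the page.

```python
"""Classify Shorewall log entries and flag the pattern discussed above.

Added example, not code from the thread or from Shorewall. The log lines
in SAMPLE_LOG are constructed for this example (timestamps, addresses and
the 'e12e0' chain name, which assumes Shorewall's <src>2<dst> chain
naming); nothing here is taken from the poster's real logs.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Oct 21 09:41:02 fw kernel: Shorewall:e12e0:DNAT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=207.46.230.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 21 09:50:10 fw kernel: Shorewall:e12e0:DNAT:IN=eth1 OUT= SRC=198.51.100.7 DST=207.46.230.1 LEN=60 PROTO=TCP SPT=40213 DPT=80 SYN
Oct 21 09:50:10 fw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.100.2 LEN=60 PROTO=TCP SPT=40213 DPT=80 SYN
Oct 21 09:50:14 fw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.100.2 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Oct 21 09:50:20 fw kernel: Shorewall:INPUT:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=207.46.230.1 LEN=60 PROTO=TCP SPT=51001 DPT=22 SYN
Oct 21 09:51:00 fw kernel: Shorewall:e12fw:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=207.46.230.1 LEN=78 PROTO=UDP SPT=1025 DPT=137
Oct 21 09:51:05 fw sshd[4242]: Accepted publickey for admin from 192.168.112.7 port 51234
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# kernel's KEY=VALUE fields. Built-in chains belong to netfilter itself; any
# other chain name is a Shorewall-generated zone-to-zone chain.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}


def parse_entry(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "chain": m.group("chain"), "disp": m.group("disp"),
        "in": f.get("IN", ""), "out": f.get("OUT", ""),
        "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
        "spt": f.get("SPT"), "dpt": f.get("DPT"),
    }


def analyze(log_text):
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    summary = Counter((e["chain"], e["disp"]) for e in entries)
    findings = []

    # Rule 1 (the FAQ 17 point): a packet logged from a built-in chain fell
    # through every zone-to-zone chain, so its interfaces/addresses did not
    # map to any zone pair. Look at interfaces and hosts, not at rules.
    builtin = [e for e in entries if e["chain"] in BUILTIN_CHAINS]
    if builtin:
        pairs = sorted({(e["in"], e["out"]) for e in builtin})
        findings.append(
            "%d entries from built-in chain(s) %s for interface pairs %s: "
            "zone definitions (interfaces/hosts) do not cover this traffic"
            % (len(builtin), sorted({e["chain"] for e in builtin}), pairs))

    # Rule 2: a DNAT: entry proves only that the nat rule matched. If the same
    # flow (client address + source port) then shows up rejected in FORWARD,
    # the translation happened and the filtering of the translated packet is
    # what is broken.
    dnat_flows = {(e["src"], e["spt"]) for e in entries if e["disp"] == "DNAT"}
    rejected_after_dnat = [
        e for e in entries
        if e["chain"] == "FORWARD" and (e["src"], e["spt"]) in dnat_flows]
    for e in rejected_after_dnat:
        findings.append(
            "flow %s:%s was DNATed but then %s in FORWARD on the way %s->%s "
            "to %s: nat rule works, zone/policy for the translated packet does not"
            % (e["src"], e["spt"], e["disp"], e["in"], e["out"], e["dst"]))

    return {
        "summary": summary,
        "builtin_count": len(builtin),
        "rejected_after_dnat": rejected_after_dnat,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (chain, disp), n in sorted(result["summary"].items()):
        print("%-10s %-8s %d" % (chain, disp, n))
    for line in result["findings"]:
        print("*", line)
```

Run against a real `/var/log/messages`, the useful signal is the chain column: zone-to-zone chain names mean the packet was classified and a rule or policy acted on it, while `FORWARD` or `INPUT` means classification itself failed, which is the situation Tom describes.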
Kreshimir Shantek
2002-Oct-22 10:15 UTC
[Shorewall-users] Server publishing with DNAT (part 2)?
> Kreshimir Shantek wrote:
> > I posted this before, but I still have a problem with
> > server publishing. My network configuration:
> >
> >> -----------------------------------
> >> I have a problem with publishing a web server with shorewall.
> >> I have:
> >>
> >> eth0, IP:192.168.100.1, NM:255.255.255.0
> >> eth1, IP:207.46.230.1, NM:255.255.255.0
> >>
> >> web server IP: 192.168.100.2
> >>
> >> I want to make web server visible at IP 207.46.230.1.
> >>
> >> /etc/shorewall/rules:
> >> DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.1
> >>
> >> /etc/shorewall/masq
> >> eth0 0.0.0.0/0
> >>
> >> e0 is a zone associated with eth0, e1 is a zone associated with eth1
> >>
> >> I can see a web server published at 207.46.230.1 from all PCs
> >> on 207.46.230.x subnet, but I can't see it from the rest of the internet.
> >>
>
> Please see http://www.shorewall.net/FAQ.htm#faq17. Logging out of the
> FORWARD or INPUT chain almost always means that your zone definitions are
> incorrect (99% of the time, it is a problem with the hosts file and in
> most of those cases, an EMPTY hosts file is the correct hosts file).

yes, my hosts file is empty...

> > Btw. is it necessary to enable masquerading from eth1 to eth0 when I'm
> > doing DNAT? Just in case, I enabled masquerading from anywhere to everywhere:
> >
> > /etc/shorewall/masq:
> > eth0 0.0.0.0/0
> > eth1 0.0.0.0/0
> >
>
> NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......
>
> Put that back the way that it should be. It sounds like you keep fiddling
> with your configuration without a good idea of what you are doing and have
> it pretty well messed up.

yeap, I try guessing when things are not working and I don't know why....

ok, I turned off masquerading except from my DMZ to the outside world:

eth0 eth1 $ETH1_IP
eth0 ppp0

Now I think it's time to say more about my configuration (I didn't before because I wanted to keep things simple):

I have 4 network interfaces, the first connected to the DMZ, the second to Internet provider #1, the third to Internet provider #2 (ppp with dynamic IP) and the fourth to our partner company. I configured routing with load balancing between the internet providers (I can send more about my configuration, I just don't want to make the mail very long).

Now the DNAT works occasionally, and after a while (a few hours) it stops working. After reboot it sometimes works, sometimes doesn't.

I have a script where I define IP aliases and routing rules which I run from /etc/shorewall/start. Somehow I would be happier if I could run this script *before* shorewall starts.

The questions are:

Boot order (networking -> my script -> shorewall): Does it really matter?
If it does (I suppose so), which startup script starts shorewall during boot?
Maybe I should include a line for my script before shorewall?
I'm doing DNAT on an IP alias I define in my script. What if shorewall starts before the script?

> Port forwarding is really very simple and when it doesn't work, there will
> be a simple answer. See my response this morning to the post entitled "Can
> Shorewall be configured to let Citrix g o (sic) thru" for some tips on
> diagnosing DNAT problems.

ok, I'll try it ... the thing works at the moment, I'll try it when it stops working.
At least I'm now sure that DNAT has nothing to do with masquerading.

Thanks!

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq: 12895929
Kreshimir Shantek wrote:
>
> Now the DNAT works occasionally, and after a while (a few hours) it stops
> working. After reboot it sometimes works, sometimes doesn't.
>

Given those symptoms, the problem is NOT with your Shorewall configuration. You don't have two or more interfaces connected to the same hub/switch do you?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Kreshimir Shantek
2002-Oct-23 07:47 UTC
[Shorewall-users] Server publishing with DNAT (part 2)?
> > Now the DNAT works occasionally, and after a while (a few hours) it stops
> > working. After reboot it sometimes works, sometimes doesn't.
>
> Given those symptoms, the problem is NOT with your Shorewall
> configuration. You don't have two or more interfaces connected to the same
> hub/switch do you?

yeap, probably it is not the shorewall...

..but the question also was the boot order, is it relevant or not, and which script actually starts the shorewall?

What if I "ifconfig eth0 down"? Will the shorewall continue to work normally on the other interfaces?
What if I "ifconfig eth0 up" after a while? Will the shorewall work normally as before I did "ifconfig eth0 down"?
What if I flush the routing table and restore it back after a while?

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq: 12895929
Kreshimir Shantek wrote:
>>> Now the DNAT works occasionally, and after a while (a few hours) it stops
>>> working. After reboot it sometimes works, sometimes doesn't.
>>
>> Given those symptoms, the problem is NOT with your Shorewall
>> configuration. You don't have two or more interfaces connected to the same
>> hub/switch do you?
>
> yeap, probably it is not the shorewall...
>
> ..but the question also was the boot order, is it
> relevant or not and which script actually starts the shorewall?
>
> What if I "ifconfig eth0 down".

Any aliases (addresses) that Shorewall has added to eth0 because of ADD_IP_ALIASES or ADD_SNAT_ALIASES will be lost. Any routes added through eth0 because of Proxy ARP will be lost. Any static ARP cache entries added to eth0 for Proxy ARP will be lost.

> Will the shorewall continue to work normally on the other interfaces?

It will continue to route normally to/from the other interfaces, yes.

> What if I "ifconfig eth0 up" after a while?

See above -- traffic from/to eth0 will continue but if you lost anything when you took the interface down, your gateway probably won't work properly.

> Will the shorewall work normally as before I did "ifconfig eth0 down"?

Again, not if aliases, routes or ARP cache entries were lost. Also, if the IP address changed and eth0 is your external interface then DNAT will stop working if you have DETECT_DNAT_IPADDRS=Yes in /etc/shorewall/shorewall.conf.

> What if I flush the routing table and restore it back after a while?

Any routes that Shorewall added for Proxy ARP won't be restored.

In addition, certain features in Shorewall require that an interface be up prior to starting Shorewall.

a) 'detect' in the BROADCAST(S) column of /etc/shorewall/interfaces.
b) DNAT rules if DETECT_DNAT_IPADDRS=Yes in /etc/shorewall/shorewall.conf
c) Use of `find_interface_address <interface>` in extension scripts

There may be others but those are the ones that come to mind.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Kreshimir Shantek
2002-Oct-24 14:48 UTC
[Shorewall-users] Server publishing with DNAT (part 2)?
> > What if I "ifconfig eth0 down".
>
> Any aliases (addresses) that Shorewall has added to eth0 because of
> ADD_IP_ALIASES or ADD_SNAT_ALIASES will be lost. Any routes added through
> eth0 because of Proxy ARP will be lost. Any static ARP cache entries added
> to eth0 for Proxy ARP will be lost.
>
> In addition, certain features in Shorewall require that an interface be up
> prior to starting Shorewall.
>
> a) 'detect' in the BROADCAST(S) column of /etc/shorewall/interfaces.
> b) DNAT rules if DETECT_DNAT_IPADDRS=Yes in /etc/shorewall/shorewall.conf
> c) Use of `find_interface_address <interface>` in extension scripts

That's exactly what I do: I have a script (because of load balancing) that:

- adds IP aliases
- flushes routing tables
- defines my own routing tables and routes
- defines routing rules

I don't use Proxy ARP, ADD_IP_ALIASES, ADD_SNAT_ALIASES & stuff because I do it in my script.

I start that script from /etc/shorewall/start. That means it starts after Shorewall. I would like to start it before, how can I do that?

In the meantime I added one more ethernet card (eth4) and connected it to its subnet.

Now I have:

eth0 -> connected to DMZ (ip: 192.168.100.1, nw: 192.168.100.x)
eth1, ppp0 -> load balancing, connected to Internet provider #1 and Internet provider #2 (eth0 ip1: 207.46.230.1, eth0 ip2: 207.46.230.2)
eth3 -> connected to LAN1 (ip: 192.168.112.101, nw: 192.168.112.x)
eth4 -> connected to LAN2 (ip: 192.168.101.2, nw: 192.168.101.x) (zone e4)

(eth2 is for PPPoE for ADSL)

/etc/shorewall/rules
DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.2
DNAT:info e1 e4:192.168.101.5 tcp 80 - 207.46.230.1

First rule works fine, second doesn't.
In the log file I see DNAT entries for both rules (I suppose that means that's not a problem in shorewall)

From the linux box I can ping machines on each subnet.
From each subnet I can ping the linux box.
From some subnets I can ping some subnets, some can't <- that's what's bothering me, I suppose that's something with routes... but may it be something else perhaps?

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq: 12895929
Kreshimir Shantek wrote:
>
> I start that script from /etc/shorewall/start. That means it starts after
> Shorewall. I would like to start it before, how can I do that?

/etc/shorewall/init

>
> In the meantime I added one more ethernet card (eth4) and connected it to its
> subnet.
>
> Now I have:
>
> eth0 -> connected to DMZ (ip: 192.168.100.1, nw: 192.168.100.x)
> eth1, ppp0 -> load balancing, connected to Internet provider #1 and Internet
> provider #2 (eth0 ip1: 207.46.230.1, eth0 ip2: 207.46.230.2)
> eth3 -> connected to LAN1 (ip: 192.168.112.101, nw: 192.168.112.x)
> eth4 -> connected to LAN2 (ip: 192.168.101.2, nw: 192.168.101.x) (zone e4)
>
> (eth2 is for PPPoE for ADSL)
>
> /etc/shorewall/rules
> DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.2
> DNAT:info e1 e4:192.168.101.5 tcp 80 - 207.46.230.1
>
> First rule works fine, second doesn't.
> In the log file I see DNAT entries for both rules (I suppose that means that's not a
> problem in shorewall)

That's correct -- both rules are working fine but something else in your setup isn't. Have you checked the routing table on 192.168.101.5?

> From the linux box I can ping machines on each subnet.
> From each subnet I can ping the linux box.
> From some subnets I can ping some subnets, some can't <- that's what's bothering
> me, I suppose that's something with routes... but may it be something else
> perhaps?
>

It could be routing since you are flushing the RT and adding all of your own routes. Could also be your firewall rules though.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Kreshimir Shantek
2002-Oct-24 18:45 UTC
[Shorewall-users] Server publishing with DNAT (part 2)?
> Kreshimir Shantek wrote:
> > I start that script from /etc/shorewall/start. That means it starts after
> > Shorewall. I would like to start it before, how can I do that?
>
> /etc/shorewall/init

Won't work... I have Shorewall version 1.3.5; initially, the init file wasn't there (in /etc/shorewall), so I copied the start file into init and deleted the line that calls my script from start.

> > eth0 -> connected to DMZ (ip: 192.168.100.1, nw: 192.168.100.x)
> > eth1, ppp0 -> load balancing, connected to Internet provider #1 and Internet
> > provider #2 (eth0 ip1: 207.46.230.1, eth0 ip2: 207.46.230.2)
> > eth3 -> connected to LAN1 (ip: 192.168.112.101, nw: 192.168.112.x)
> > eth4 -> connected to LAN2 (ip: 192.168.101.2, nw: 192.168.101.x) (zone e4)
> > (eth2 is for PPPoE for ADSL)
> >
> > /etc/shorewall/rules
> > DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.2
> > DNAT:info e1 e4:192.168.101.5 tcp 80 - 207.46.230.1
> >
> > First rule works fine, second doesn't.
> > In the log file I see DNAT entries for both rules (I suppose that means that's not
> > a problem in shorewall)
>
> That's correct -- both rules are working fine but something else in your
> setup isn't. Have you checked the routing table on 192.168.101.5?

I have a route for the 192.168.101.x segment:

192.168.101.0/24 dev eth4 scope link

I think that's ok.

> It could be routing since you are flushing the RT and adding all of your
> own routes. Could also be your firewall rules though.

I discovered a malfunctioning network card on one of the machines on one of the segments.
After replacing the card I can ping everything from everywhere, as I expected.

But I'm a little bit suspicious that a malfunctioning network card on the other machine could cause such a mess - it didn't report any error, I could see a light on the hub and on the card, I just couldn't ping that machine.

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq: 12895929
Kreshimir Shantek wrote:
>> Kreshimir Shantek wrote:
>>
>>> I start that script from /etc/shorewall/start. That means it starts after
>>> Shorewall. I would like to start it before, how can I do that?
>>
>> /etc/shorewall/init
>
> Won't work... I have Shorewall version 1.3.5; initially, the init file wasn't
> there (in /etc/shorewall), so I copied the start file into init and deleted
> the line that calls my script from start.

I don't know what you're trying to say -- the 'start' file wasn't there either before you created it!!! Same goes for the 'init' file - YOU have to create it.

>
>>> eth0 -> connected to DMZ (ip: 192.168.100.1, nw: 192.168.100.x)
>>> eth1, ppp0 -> load balancing, connected to Internet provider #1 and Internet
>>> provider #2 (eth0 ip1: 207.46.230.1, eth0 ip2: 207.46.230.2)
>>> eth3 -> connected to LAN1 (ip: 192.168.112.101, nw: 192.168.112.x)
>>> eth4 -> connected to LAN2 (ip: 192.168.101.2, nw: 192.168.101.x) (zone e4)
>>> (eth2 is for PPPoE for ADSL)
>>>
>>> /etc/shorewall/rules
>>> DNAT:info e1 e0:192.168.100.2 tcp 80 - 207.46.230.2
>>> DNAT:info e1 e4:192.168.101.5 tcp 80 - 207.46.230.1
>>>
>>> First rule works fine, second doesn't.
>>> In the log file I see DNAT entries for both rules (I suppose that means that's
>>> not a problem in shorewall)
>>
>> That's correct -- both rules are working fine but something else in your
>> setup isn't. Have you checked the routing table on 192.168.101.5?
>
> I have a route for the 192.168.101.x segment:
>
> 192.168.101.0/24 dev eth4 scope link
>
> I think that's ok.

Yes -- assuming that the default gateway on 192.168.101.5 is configured to be 192.168.101.2.

>
>> It could be routing since you are flushing the RT and adding all of your
>> own routes. Could also be your firewall rules though.
>
> I discovered a malfunctioning network card on one of the machines on one of the
> segments.
> After replacing the card I can ping everything from everywhere, as I expected.
>
> But I'm a little bit suspicious that a malfunctioning network card on the
> other machine could cause such a mess - it didn't report any error, I
> could see a light on the hub and on the card, I just couldn't ping that
> machine.
>

A malfunctioning card can mess up the entire ethernet segment that it is connected to.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Kreshimir Shantek
2002-Oct-24 19:21 UTC
[Shorewall-users] Server publishing with DNAT (part 2)?
> > Won't work... I have Shorewall version 1.3.5; initially, the init file wasn't
>
> I don't know what you're trying to say -- the 'start' file wasn't there
> either before you created it!!! Same goes for the 'init' file - YOU have
> to create it.

sorry, it seems I thought that the start file was initially there...
.. btw. why don't you include empty start and init files in the installation with a comment on what they are for (like policy, rules and other stuff)?

> > I have a route for the 192.168.101.x segment:
> >
> > 192.168.101.0/24 dev eth4 scope link
> >
> > I think that's ok.
>
> Yes -- assuming that the default gateway on 192.168.101.5 is configured to
> be 192.168.101.2.

Yes, you were right - the default gateway on 192.168.101.5 WASN'T 192.168.101.2. After I set it to 192.168.101.2, the thing works!

But, why is that? The eth4 and 192.168.101.5 are on the same subnet... why must the gateway on 192.168.101.5 be 192.168.101.2? Is there any other way to make the thing work?

What if I want to publish a server that is not on the same segment as eth4? (i.e., I have: eth4<->router<->the_server_I_want_to_publish).

--
Kreshimir Shantek, dipl.ing.
Kresimir.Santek@InfoDom.hr (work)
Kresimir.Santek@zg.tel.hr (home)
www.mesopust.com/kshantek
icq: 12895929
Kreshimir Shantek wrote:
>>> Won't work... I have Shorewall version 1.3.5; initially, the init file wasn't
>>
>> I don't know what you're trying to say -- the 'start' file wasn't there
>> either before you created it!!! Same goes for the 'init' file - YOU have
>> to create it.
>
> sorry, it seems I thought that the start file was initially there...
> .. btw. why don't you include empty start and init files in the installation
> with a comment on what they are for (like policy, rules and other stuff)?

I'm just lazy I guess.

>
>>> I have a route for the 192.168.101.x segment:
>>>
>>> 192.168.101.0/24 dev eth4 scope link
>>>
>>> I think that's ok.
>>
>> Yes -- assuming that the default gateway on 192.168.101.5 is configured to
>> be 192.168.101.2.
>
> Yes, you were right - the default gateway on 192.168.101.5 WASN'T 192.168.101.2.
> After I set it to 192.168.101.2, the thing works!
>
> But, why is that? The eth4 and 192.168.101.5 are on the same subnet... why
> must the gateway on 192.168.101.5 be 192.168.101.2? Is there any other
> way to make the thing work?
>
> What if I want to publish a server that is not on the same segment as eth4?
> (i.e., I have: eth4<->router<->the_server_I_want_to_publish).
>

I suggest that you pick up a copy of a good basic text on addressing and routing and read it. My personal favorite is "IP Fundamentals - What Everyone Needs to Know About Addressing & Routing", Thomas A. Maufer, Prentice Hall, 1999, ISBN 0-13-975483-0. If you are going to administer a network, you need a basic understanding of how routing and addressing works.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
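The reason behind Tom's answer (the default gateway on 192.168.101.5 has to be 192.168.101.2) and behind his earlier point that masquerading has nothing to do with DNAT is the stateful nature of the translation: the firewall records the DNAT on the first packet and can only un-translate the server's replies if those replies pass back through it. The following is an added example, not code from the thread or from Shorewall, that models this with a tiny conntrack table. It uses the thread's addresses for the firewall (207.46.230.1 on eth1, 192.168.101.2 on eth4) and the server (192.168.101.5); the client address 198.51.100.7, the second router 192.168.101.254 and all port numbers are constructed. The `snat_inbound` option goes beyond what the thread discusses: it models the common workaround of also rewriting the source of the published connection to the firewall's own LAN address, which makes the server reply to the firewall whatever its default gateway is, at the cost of the server no longer seeing the real client address. The same constraint answers the last question above: a server behind a second router works only if that router's route toward the client hands the reply to the firewall.

```python
"""Model of why the published server must route its replies via the firewall.

Added example, not code from the thread or from Shorewall. Addresses for the
firewall and the server are those given in the thread; the client address,
the second router and all port numbers are constructed for the example.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "207.46.230.1"           # firewall's address on eth1 (thread)
FW_INTERNAL_IP = "192.168.101.2"     # firewall's address on eth4 (thread)
SERVER_IP = "192.168.101.5"          # published web server (thread)
OTHER_ROUTER_IP = "192.168.101.254"  # constructed: another router on LAN2
CLIENT_IP = "198.51.100.7"           # constructed internet client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """One DNAT rule plus a conntrack table; no masquerading involved at all."""

    def __init__(self, snat_inbound=False):
        self.snat_inbound = snat_inbound
        # expected reply tuple (src, sport, dst, dport) -> original request
        self.conntrack = {}

    def inbound(self, pkt):
        """nat PREROUTING: DNAT 207.46.230.1:80 -> 192.168.101.5:80."""
        if (pkt.dst, pkt.dport) != (PUBLIC_IP, 80):
            return None
        # Optional SNAT of the same connection to the firewall's LAN address
        # (a workaround beyond the thread; see the lead-in).
        new_src = FW_INTERNAL_IP if self.snat_inbound else pkt.src
        translated = replace(pkt, src=new_src, dst=SERVER_IP)
        reply_key = (translated.dst, translated.dport, translated.src, translated.sport)
        self.conntrack[reply_key] = pkt
        return translated

    def outbound(self, pkt):
        """A reply passing back through the firewall is un-translated from state."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None  # no state: this is not a reply to a DNATed connection
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(request):
    """The server answers to whatever source address the request carried."""
    return Packet(request.dst, request.dport, request.src, request.sport)


def server_next_hop(default_gateway, pkt):
    """Hosts on 192.168.101.0/24 are on-link; anything else goes to the gateway."""
    if pkt.dst.startswith("192.168.101."):
        return pkt.dst
    return default_gateway


def simulate(server_default_gateway, snat_inbound=False):
    fw = Firewall(snat_inbound)
    request = Packet(CLIENT_IP, 40211, PUBLIC_IP, 80)
    at_server = fw.inbound(request)
    reply = server_reply(at_server)
    hop = server_next_hop(server_default_gateway, reply)
    if hop == FW_INTERNAL_IP:
        reply = fw.outbound(reply)  # state found: source becomes 207.46.230.1 again
    # Any other router forwards the reply untouched: it holds no NAT state.
    expected = (PUBLIC_IP, 80, CLIENT_IP, 40211)
    accepted = reply is not None and \
        (reply.src, reply.sport, reply.dst, reply.dport) == expected
    return {
        "server_saw_client_as": at_server.src,
        "reply_source": None if reply is None else reply.src,
        "client_accepts": accepted,
    }


if __name__ == "__main__":
    print("gateway = firewall     :", simulate(FW_INTERNAL_IP))
    print("gateway = other router :", simulate(OTHER_ROUTER_IP))
    print("other router + SNAT in :", simulate(OTHER_ROUTER_IP, snat_inbound=True))
```

The second case is what the poster hit: the client's socket is waiting for packets from 207.46.230.1:80, the reply arrives (if it arrives at all, given its private source address) from 192.168.101.5:80, and the client discards it. The first case works without any masq entry, which is Tom's earlier point; the third case works regardless of the server's gateway, but the web server's logs will show every visitor as 192.168.101.2.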