thr3ads.net - Shorewall users - [Shorewall-users] DNAT problems [Jun 2003]

If this information is useful, please help other people find it:
Share via:

Graeme Boyle

2003-Jun-24 14:23 UTC

[Shorewall-users] DNAT problems

Hello all,

I am having problems making a DNAT configuration respond. I know that this
is something I''m getting wrong but I am currently stumped! Any
assistance is
greatly appreciated. Here are the details:

I have a firewall with three interfaces, eth0=net, eth1=lan and eth2=dmz. I
have installed Shorewall 1.4.5 as well as using the three_interfaces.tgz
setup files. Right now, I am trying to mirror how things are currently
working so that I can migrate servers to the DMZ at a later time. I am
trying to route web traffic from the Internet on port 443 (https) to a
server located internally on ip address 10.10.1.60. 

I created the following entry in the /etc/shorewall/nat file:
12.148.248.99   eth0    10.10.1.60      No      No

And then added the rule:
DNAT  net  loc:10.10.1.60  tcp  443  -  12.148.248.99

When trying to connect to the web server, the connection times out and on
the firewall is getting dropped. Here is the output from shorewall show log:

shorewall show log
Shorewall-1.4.5 Log at achilles.viisage.com - Mon Jun 23 17:18:31 EDT 2003

Counters reset Mon Jun 23 17:15:30 EDT 2003

Jun 23 17:06:01 all2all:REJECT:IN=eth1 OUT= SRC=10.10.2.32 DST=10.10.1.2
LEN=48 TOS=0x10 PREC=0x00 TTL=128 ID=61409 DF PROTO=TCP SPT=4837 DPT=21
WINDOW=65520 RES=0x00 SYN URGP=0 
Jun 23 17:06:02 all2all:REJECT:IN=eth1 OUT= SRC=10.10.2.32 DST=10.10.1.2
LEN=48 TOS=0x10 PREC=0x00 TTL=128 ID=61411 DF PROTO=TCP SPT=4837 DPT=21
WINDOW=65520 RES=0x00 SYN URGP=0 
Jun 23 17:06:02 all2all:REJECT:IN=eth1 OUT= SRC=10.10.2.32 DST=10.10.1.2
LEN=48 TOS=0x10 PREC=0x00 TTL=128 ID=61412 DF PROTO=TCP SPT=4837 DPT=21
WINDOW=65520 RES=0x00 SYN URGP=0 
Jun 23 17:13:34 net2all:DROP:IN=eth0 OUT= SRC=65.27.145.18 DST=12.148.248.68
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30737 DF PROTO=TCP SPT=4951 DPT=80
WINDOW=64240 RES=0x00 SYN URGP=0 
Jun 23 17:13:34 badpkt:DROP:IN=eth0 OUT= SRC=65.27.145.18
DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30733 DF PROTO=TCP
SPT=4947 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402) 
Jun 23 17:13:34 net2all:DROP:IN=eth0 OUT=eth1 SRC=65.27.145.18
DST=10.10.1.60 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=30776 DF PROTO=TCP
SPT=1049 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 
Jun 23 17:13:34 net2all:DROP:IN=eth0 OUT= SRC=65.27.145.18
DST=12.148.248.126 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30811 DF PROTO=TCP
SPT=1076 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 
Jun 23 17:13:34 badpkt:DROP:IN=eth0 OUT= SRC=65.27.145.18
DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30812 DF PROTO=TCP
SPT=1077 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402) 
Jun 23 17:13:36 net2all:DROP:IN=eth0 OUT=eth1 SRC=65.27.145.18
DST=10.10.1.60 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31488 DF PROTO=TCP
SPT=1049 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 
Jun 23 17:13:36 net2all:DROP:IN=eth0 OUT= SRC=65.27.145.18 DST=12.148.248.68
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=31496 DF PROTO=TCP SPT=4951 DPT=80
WINDOW=64240 RES=0x00 SYN URGP=0 
Jun 23 17:13:36 badpkt:DROP:IN=eth0 OUT= SRC=65.27.145.18
DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=31530 DF PROTO=TCP
SPT=4947 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402) 
Jun 23 17:13:36 net2all:DROP:IN=eth0 OUT= SRC=65.27.145.18
DST=12.148.248.126 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=31555 DF PROTO=TCP
SPT=1076 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 
Jun 23 17:13:36 badpkt:DROP:IN=eth0 OUT= SRC=65.27.145.18
DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=31573 DF PROTO=TCP
SPT=1077 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402) 
Jun 23 17:15:35 badpkt:DROP:IN=eth0 OUT= SRC=12.101.124.7
DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=7013 DF PROTO=TCP
SPT=2121 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402) 
Jun 23 17:16:21 net2all:DROP:IN=eth0 OUT=eth1 SRC=209.6.54.88 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=25690 DF PROTO=TCP SPT=32800 DPT=443
WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
Jun 23 17:16:24 net2all:DROP:IN=eth0 OUT=eth1 SRC=209.6.54.88 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=25691 DF PROTO=TCP SPT=32800 DPT=443
WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
Jun 23 17:16:30 net2all:DROP:IN=eth0 OUT=eth1 SRC=209.6.54.88 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=25692 DF PROTO=TCP SPT=32800 DPT=443
WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
Jun 23 17:16:42 net2all:DROP:IN=eth0 OUT=eth1 SRC=209.6.54.88 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=25693 DF PROTO=TCP SPT=32800 DPT=443
WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
Jun 23 17:17:06 net2all:DROP:IN=eth0 OUT=eth1 SRC=209.6.54.88 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=25694 DF PROTO=TCP SPT=32800 DPT=443
WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
Jun 23 17:17:54 net2all:DROP:IN=eth0 OUT=eth1 SRC=209.6.54.88 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=25695 DF PROTO=TCP SPT=32800 DPT=443
WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 

Shorewall Version: 1.4.5

OS + Kernel: Linux achilles.viisage.com 2.4.18-14smp #1 SMP Wed Sep 4
12:34:47 EDT 2002 i686 i686 i386 GNU/Linux

Ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:d1:5d:f1 brd ff:ff:ff:ff:ff:ff
    inet 12.148.248.68/26 brd 12.148.248.127 scope global eth0
    inet 12.148.248.99/26 brd 12.148.248.127 scope global secondary eth0
    inet 12.148.248.126/26 brd 12.148.248.127 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:07:e9:06:5e:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.2/22 brd 10.10.3.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:07:e9:06:5e:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.21.1/24 brd 192.168.21.255 scope global eth2

Ip route show:
12.148.248.64/26 dev eth0  scope link 
192.168.21.0/24 dev eth2  scope link 
10.10.0.0/22 dev eth1  scope link 
127.0.0.0/8 dev lo  scope link 
default via 12.148.248.65 dev eth0 

Lsmod:
Module                  Size  Used by    Not tainted
ipt_ULOG                4904   0  (autoclean)
ipt_limit               1656   0  (autoclean)
ipt_multiport           1176   0  (autoclean)
loop                   12888   0  (unused)
ipt_TOS                 1656  12  (autoclean)
ipt_MASQUERADE          2296   0  (autoclean)
ipt_unclean             7736   2  (autoclean)
ipt_LOG                 4280   7  (autoclean)
ipt_state               1080  41  (autoclean)
iptable_mangle          2776   1  (autoclean)
ip_nat_irc              3696   0  (unused)
ip_nat_ftp              4464   0  (unused)
iptable_nat            21208   3  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        3616   0  [ip_nat_irc]
ip_conntrack_ftp        5312   0  [ip_nat_ftp]
ip_conntrack           23228   4  [ipt_MASQUERADE ipt_state ip_nat_irc
ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
ip6_tables             16216   0 
autofs                 13700   0  (autoclean) (unused)
e1000                  56332   3 
ipt_REJECT              3736   4  (autoclean)
iptable_filter          2412   1  (autoclean)
ip_tables              15608  14  [ipt_ULOG ipt_limit ipt_multiport ipt_TOS
ipt_MASQUERADE ipt_unclean ipt_LOG ipt_state iptable_mangle iptable_nat
ipt_REJECT iptable_filter]
microcode               5184   0  (autoclean)
ext3                   73024   3 
jbd                    56752   3  [ext3]
ft                     97376   4 
sd_mod                 13552   8 
scsi_mod              110344   2  [ft sd_mod]

Thanks,

Graeme
-------------- next part --------------
[H[JShorewall-1.4.5 Status at achilles.viisage.com - Mon Jun 23 17:04:49 EDT
2003

Counters reset Mon Jun 23 17:03:21 EDT 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  249 26983 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
  104 11772 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  232 20061 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  104 37760 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 fw2dmz     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
  160 21407 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain badpkt (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG       !tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 4 level 6 prefix `Shorewall:badpkt:DROP:''
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 6 level 6 prefix `Shorewall:badpkt:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:135
  104 10885 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
   38 10018 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
   18   504 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0           
12.148.248.127
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.10.3.255
    0     0 DROP       all  --  *      *       0.0.0.0/0           
192.168.21.255

Chain dmz2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  104 11772 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 badpkt     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
unclean
  104 11772 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 net2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 badpkt     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
unclean
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  232 20061 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  232 20061 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  249 26983 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  249 26983 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dmz2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 dmz2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dmz2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
  104 37760 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   89  5576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:8118
  160 21407 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
  108  7845 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
  123 12168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
   98 11411 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    1    43 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    1    78 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    4   240 ACCEPT     tcp  --  *      *       12.148.248.98        10.10.1.60  
state NEW tcp dpt:443
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (14 references)
 pkts bytes target     prot opt in     out     source               destination
    1    43 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
  104 10885 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Jun 23 15:47:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=209.6.54.68
DST=12.148.248.99 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=14207 PROTO=ICMP TYPE=8
CODE=0 ID=768 SEQ=36407
Jun 23 15:48:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=209.6.54.68
DST=12.148.248.99 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=14692 PROTO=ICMP TYPE=8
CODE=0 ID=768 SEQ=43063
Jun 23 15:49:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=209.6.54.68
DST=12.148.248.99 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=15159 PROTO=ICMP TYPE=8
CODE=0 ID=768 SEQ=49719
Jun 23 15:50:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=209.6.54.68
DST=12.148.248.99 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=15617 PROTO=ICMP TYPE=8
CODE=0 ID=768 SEQ=56375
Jun 23 15:51:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=209.6.54.68
DST=12.148.248.99 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=16081 PROTO=ICMP TYPE=8
CODE=0 ID=768 SEQ=63031
Jun 23 15:52:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=209.6.54.68
DST=12.148.248.99 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=16551 PROTO=ICMP TYPE=8
CODE=0 ID=768 SEQ=4152
Jun 23 15:53:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=209.6.54.68
DST=12.148.248.99 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=17003 PROTO=ICMP TYPE=8
CODE=0 ID=768 SEQ=10808
Jun 23 15:54:21 net2all:DROP:IN=eth0 OUT=eth1 SRC=206.105.10.121 DST=10.10.1.60
LEN=404 TOS=0x00 PREC=0x00 TTL=52 ID=34284 PROTO=UDP SPT=4000 DPT=1434 LEN=384
Jun 23 15:59:41 net2all:DROP:IN=eth0 OUT=eth1 SRC=24.196.227.198 DST=10.10.1.60
LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=38363 PROTO=UDP SPT=1297 DPT=1434 LEN=384
Jun 23 16:16:32 net2all:DROP:IN=eth0 OUT= SRC=65.33.237.92 DST=12.148.248.68
LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=14552 PROTO=UDP SPT=4922 DPT=1434 LEN=384
Jun 23 16:28:10 badpkt:DROP:IN=eth0 OUT= SRC=12.81.90.229 DST=255.255.255.255
LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=3096 DF PROTO=TCP SPT=3191 DPT=445
WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 16:28:18 badpkt:DROP:IN=eth0 OUT= SRC=12.81.90.229 DST=255.255.255.255
LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=3425 DF PROTO=TCP SPT=3454 DPT=445
WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 16:49:16 net2all:DROP:IN=eth0 OUT=eth1 SRC=12.148.248.98 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5293 DF PROTO=TCP SPT=50355 DPT=443
WINDOW=5840 RES=0x00 SYN URGP=0
Jun 23 16:49:19 net2all:DROP:IN=eth0 OUT=eth1 SRC=12.148.248.98 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5294 DF PROTO=TCP SPT=50355 DPT=443
WINDOW=5840 RES=0x00 SYN URGP=0
Jun 23 16:49:25 net2all:DROP:IN=eth0 OUT=eth1 SRC=12.148.248.98 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5295 DF PROTO=TCP SPT=50355 DPT=443
WINDOW=5840 RES=0x00 SYN URGP=0
Jun 23 16:49:37 net2all:DROP:IN=eth0 OUT=eth1 SRC=12.148.248.98 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5296 DF PROTO=TCP SPT=50355 DPT=443
WINDOW=5840 RES=0x00 SYN URGP=0
Jun 23 16:50:01 net2all:DROP:IN=eth0 OUT=eth1 SRC=12.148.248.98 DST=10.10.1.60
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5297 DF PROTO=TCP SPT=50355 DPT=443
WINDOW=5840 RES=0x00 SYN URGP=0
Jun 23 16:58:46 net2all:DROP:IN=eth0 OUT=eth1 SRC=12.222.35.70 DST=10.10.1.60
LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=20087 DF PROTO=TCP SPT=2872 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 16:58:49 net2all:DROP:IN=eth0 OUT=eth1 SRC=12.222.35.70 DST=10.10.1.60
LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=20239 DF PROTO=TCP SPT=2872 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
Jun 23 16:58:55 net2all:DROP:IN=eth0 OUT=eth1 SRC=12.222.35.70 DST=10.10.1.60
LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=20547 DF PROTO=TCP SPT=2872 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 184 packets, 24329 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   181 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    2   121 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   394 eth0_out   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    7   394 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   121 DNAT       all  --  *      *       0.0.0.0/0           
12.148.248.99      to:10.10.1.60

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   394 SNAT       all  --  *      *       10.10.0.0/22         0.0.0.0/0   
to:12.148.248.126

Chain eth0_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.10.1.60           0.0.0.0/0   
to:12.148.248.99

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       12.148.248.98       
12.148.248.99      tcp dpt:443 to:10.10.1.60

Mangle Table

Chain PREROUTING (policy ACCEPT 626 packets, 62366 bytes)
 pkts bytes target     prot opt in     out     source               destination
  626 62366 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 253 packets, 27408 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 341 packets, 32311 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 104 packets, 37760 bytes)
 pkts bytes target     prot opt in     out     source               destination
  104 37760 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 443 packets, 69950 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
  104 37760 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
  189 13061 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
   87 10119 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

tcp      6 40 TIME_WAIT src=10.10.2.32 dst=206.46.170.10 sport=4831 dport=110
src=206.46.170.10 dst=12.148.248.126 sport=110 dport=4831 [ASSURED] use=1
unknown  2 599 src=10.1.1.2 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=10.1.1.2
use=1
tcp      6 20 SYN_SENT src=10.10.2.37 dst=10.0.1.128 sport=1402 dport=6969
[UNREPLIED] src=10.0.1.128 dst=12.148.248.126 sport=6969 dport=1402 use=1
tcp      6 70 SYN_SENT src=10.10.2.37 dst=10.0.1.128 sport=1706 dport=6969
[UNREPLIED] src=10.0.1.128 dst=12.148.248.126 sport=6969 dport=1706 use=1
tcp      6 45 SYN_SENT src=10.10.2.37 dst=10.0.1.128 sport=1504 dport=6969
[UNREPLIED] src=10.0.1.128 dst=12.148.248.126 sport=6969 dport=1504 use=1
tcp      6 95 SYN_SENT src=10.10.2.37 dst=10.0.1.128 sport=1807 dport=6969
[UNREPLIED] src=10.0.1.128 dst=12.148.248.126 sport=6969 dport=1807 use=1
tcp      6 113 SYN_SENT src=10.10.2.37 dst=10.0.1.128 sport=1910 dport=6969
[UNREPLIED] src=10.0.1.128 dst=12.148.248.126 sport=6969 dport=1910 use=1
udp      17 29 src=10.10.5.1 dst=10.10.5.5 sport=514 dport=514 [UNREPLIED]
src=10.10.5.5 dst=10.10.5.1 sport=514 dport=514 use=1
udp      17 29 src=10.10.5.1 dst=10.10.5.32 sport=514 dport=514 [UNREPLIED]
src=10.10.5.32 dst=10.10.5.1 sport=514 dport=514 use=1
tcp      6 70110 ESTABLISHED src=209.6.54.205 dst=209.6.54.33 sport=139
dport=1615 [UNREPLIED] src=209.6.54.33 dst=209.6.54.205 sport=1615 dport=139
use=1
tcp      6 431954 ESTABLISHED src=10.10.2.32 dst=12.148.248.98 sport=4833
dport=22 src=12.148.248.98 dst=12.148.248.126 sport=22 dport=4833 [ASSURED]
use=1
tcp      6 80723 ESTABLISHED src=10.10.2.32 dst=10.10.2.1 sport=3059 dport=22
src=10.10.2.1 dst=10.10.2.32 sport=22 dport=3059 [ASSURED] use=1
tcp      6 80097 ESTABLISHED src=10.10.2.32 dst=10.10.2.1 sport=3338 dport=22
src=10.10.2.1 dst=10.10.2.32 sport=22 dport=3338 [ASSURED] use=1
tcp      6 431912 ESTABLISHED src=10.10.2.32 dst=10.10.1.2 sport=4200 dport=22
src=10.10.1.2 dst=10.10.2.32 sport=22 dport=4200 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.10.2.32 dst=10.10.1.2 sport=4201 dport=22
src=10.10.1.2 dst=10.10.2.32 sport=22 dport=4201 [ASSURED] use=1
tcp      6 431867 ESTABLISHED src=10.10.2.32 dst=216.136.226.117 sport=4353
dport=80 src=216.136.226.117 dst=12.148.248.126 sport=80 dport=4353 [ASSURED]
use=1
tcp      6 119 SYN_SENT src=12.148.248.98 dst=12.148.248.99 sport=50357
dport=443 [UNREPLIED] src=10.10.1.60 dst=12.148.248.98 sport=443 dport=50357
use=1
tcp      6 83374 ESTABLISHED src=10.10.2.7 dst=207.46.106.193 sport=3437
dport=1863 src=207.46.106.193 dst=12.148.248.126 sport=1863 dport=3437 [ASSURED]
use=1

Tom Eastep

2003-Jun-24 14:42 UTC

head link

[Shorewall-users] DNAT problems

On Mon, 23 Jun 2003 17:18:57 -0400, Graeme Boyle <gboyle@viisage.com> 
wrote:

>
> I created the following entry in the /etc/shorewall/nat file:
> 12.148.248.99   eth0    10.10.1.60      No      No
>
> And then added the rule:
> DNAT  net  loc:10.10.1.60  tcp  443  -  12.148.248.99
>
Two things:

a) Are you going to use port forwarding or static NAT? You are trying to 
use both at the same time.

b) The status output that you included shows that you don''t have the
DNAT
rule that you show above but that you rather have:

DNAT	net:12.148.248.98	loc:10.10.1.60	tcp	443	-	12.148.248.99

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Graeme Boyle

2003-Jun-25 06:07 UTC

head link

[Shorewall-users] DNAT problems

> >
> > I created the following entry in the /etc/shorewall/nat file:
> > 12.148.248.99   eth0    10.10.1.60      No      No
> >
> > And then added the rule:
> > DNAT  net  loc:10.10.1.60  tcp  443  -  12.148.248.99
> >
> 
> Two things:
> 
> a) Are you going to use port forwarding or static NAT? You 
> are trying to 
> use both at the same time.
I would like to use static NAT and then only allow traffic to specific ports
on these systems.
> 
> b) The status output that you included shows that you don''t 
> have the DNAT 
> rule that you show above but that you rather have:
> 
> DNAT	net:12.148.248.98	loc:10.10.1.60	tcp	443	
> -	12.148.248.99
> This may have been one of my access tests from a system outside the
firewall. This is not how I currently have the rule set. The current rule is


DNAT  net  loc:10.10.1.60  tcp  443     -       12.148.248.99

I have been looking at your configuration located at
http://www.shorewall.net/myfiles.htm but I am still not having any success
.... I think that I am completely turned around.

Graeme

Tom Eastep

2003-Jun-25 06:10 UTC

head link

[Shorewall-users] DNAT problems

On Wed, 25 Jun 2003, Graeme Boyle wrote:
> > >
> > > I created the following entry in the /etc/shorewall/nat file:
> > > 12.148.248.99   eth0    10.10.1.60      No      No
> > >
> > > And then added the rule:
> > > DNAT  net  loc:10.10.1.60  tcp  443  -  12.148.248.99
> > >
> >
> > Two things:
> >
> > a) Are you going to use port forwarding or static NAT? You
> > are trying to
> > use both at the same time.
>
> I would like to use static NAT and then only allow traffic to specific
ports
> on these systems.
>
> >
> > b) The status output that you included shows that you don''t
> > have the DNAT
> > rule that you show above but that you rather have:
> >
> > DNAT	net:12.148.248.98	loc:10.10.1.60	tcp	443
> > -	12.148.248.99
> >
> This may have been one of my access tests from a system outside the
> firewall. This is not how I currently have the rule set. The current rule
is
>
>
> DNAT  net  loc:10.10.1.60  tcp  443     -       12.148.248.99
>
Then you want:

ACCEPT	net	loc:10.10.1.60	tcp	443

Note that YOU MUST TEST THIS FROM A SYSTEM IN THE ''net''
ZONE!!!

> I have been looking at your configuration located at
> http://www.shorewall.net/myfiles.htm but I am still not having any success
> .... I think that I am completely turned around.
>
You should be looking at
http://www.shorewall.net/shorewall_setup_guide.htm

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Graeme Boyle

2003-Jun-25 14:00 UTC

head link

[Shorewall-users] DNAT problems

> > >
> > > Two things:
> > >
> > > a) Are you going to use port forwarding or static NAT? You are 
> > > trying to use both at the same time.
> >
> > I would like to use static NAT and then only allow traffic 
> to specific 
> > ports on these systems.
> >
> > >
> > > b) The status output that you included shows that you 
> don''t have the 
> > > DNAT rule that you show above but that you rather have:
> > >
> > > DNAT	net:12.148.248.98	loc:10.10.1.60	tcp	443
> > > -	12.148.248.99
> > >
> > This may have been one of my access tests from a system outside the 
> > firewall. This is not how I currently have the rule set. 
> The current 
> > rule is
> >
> >
> > DNAT  net  loc:10.10.1.60  tcp  443     -       12.148.248.99
> >
> 
> Then you want:
> 
> ACCEPT	net	loc:10.10.1.60	tcp	443
> 
> Note that YOU MUST TEST THIS FROM A SYSTEM IN THE ''net''
ZONE!!!
> 
> 
> > I have been looking at your configuration located at 
> > http://www.shorewall.net/myfiles.htm but I am still not having any 
> > success .... I think that I am completely turned around.
> >
> 
> You should be looking at 
> http://www.shorewall.net/shorewall_setup_guide> .htm
> 
> -Tom
I have gone through this document again, thank you. I think I have found the
problem but I do not have the resolution. The netmask for the "loc"
zone is
10.10.1.0/22 making the broadcast address 10.10.3.255. The internal
interface on the firewall is 10.10.1.2.

If I am try to NAT or DNAT traffic to the same subnet as the new firewall
(10.10.1.0), it fails. If I use the same commands/settings to go to a system
with an IP address in the 10.10.2.0 or 10.10.3.0 networks, the firewall
behaves as expected and traffic is routed through correctly.

Any ideas? I checked the default route on the destination system and it is
set to the new firewall.

Thanks in advance,

Graeme

Graeme Boyle

2003-Jun-25 14:09 UTC

head link

[Shorewall-users] DNAT problems

All,

Problem solved. I changed the "interfaces" file entry as follows:

Original: loc   eth1            10.10.3.255

Now: loc     eth1            detect

Everything is working!! Thanks Tom for your patience and advice.

Graeme
> 
> I have gone through this document again, thank you. I think I 
> have found the problem but I do not have the resolution. The 
> netmask for the "loc" zone is 10.10.1.0/22 making the 
> broadcast address 10.10.3.255. The internal interface on the 
> firewall is 10.10.1.2.
> 
> If I am try to NAT or DNAT traffic to the same subnet as the 
> new firewall (10.10.1.0), it fails. If I use the same 
> commands/settings to go to a system with an IP address in the 
> 10.10.2.0 or 10.10.3.0 networks, the firewall behaves as 
> expected and traffic is routed through correctly.
> 
> Any ideas? I checked the default route on the destination 
> system and it is set to the new firewall.
> 
> Thanks in advance,
> 
> Graeme
>

Tom Eastep

2003-Jun-25 14:45 UTC

head link

[Shorewall-users] DNAT problems

On Wed, 25 Jun 2003 17:08:04 -0400, Graeme Boyle <g.boyle3@verizon.net> 
wrote:
> All,
>
> Problem solved. I changed the "interfaces" file entry as follows:
>
> Original: loc   eth1            10.10.3.255
>
> Now: loc     eth1            detect
>
> Everything is working!! Thanks Tom for your patience and advice.
>
None of this is making much sense.

a) If the segment connected to eth1 is a /22 and the firewall''s address
is
10.10.1.2, then the (sub)network address is 10.10.0.0, not 10.10.1.0.
b) The third column of the ''interfaces'' file is used for
nothing more than
to suppress logging of broadcasts that arrive on the interface (avoids a 
lot of reports from newbies that their firewall is under attack). In other 
words, that setting can have no possible effect on NAT.

-Tom
> Graeme
>
>>
>> I have gone through this document again, thank you. I think I have
found
>> the problem but I do not have the resolution. The netmask for the
"loc"
>> zone is 10.10.1.0/22 making the broadcast address 10.10.3.255. The 
>> internal interface on the firewall is 10.10.1.2.
>>
>> If I am try to NAT or DNAT traffic to the same subnet as the new 
>> firewall (10.10.1.0), it fails. If I use the same commands/settings to 
>> go to a system with an IP address in the 10.10.2.0 or 10.10.3.0 
>> networks, the firewall behaves as expected and traffic is routed
through
>> correctly.
>>
>> Any ideas? I checked the default route on the destination system and it
>> is set to the new firewall.
>>
>> Thanks in advance,
>>
>> Graeme
>>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: 
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>


-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Graeme Boyle

2003-Jun-26 10:32 UTC

head link

[Shorewall-users] DNAT problems

Okay, now I''m really stumpted! I agree with your comments below Tom,
and
trust me, this was working last night but now, I''m getting rejected
again.
>From Shorwall status ..tcp      6 86 SYN_SENT src=12.148.248.98 dst=12.148.248.99 sport=32904
dport=443 [UNREPLIED] src=10.10.1.60 dst=12.148.248.98 sport=443 dport=32904
use=1 
>From the client, the connection times out. This should not be thatdifficult, right!?! Could this be a DNS problem? Any ideas would be
appreciated as I''m supposed to put this system into production!

Thanks,

Graeme
> 
> None of this is making much sense.
> 
> a) If the segment connected to eth1 is a /22 and the
> firewall''s address is 
> 10.10.1.2, then the (sub)network address is 10.10.0.0, not 10.10.1.0.
> b) The third column of the ''interfaces'' file is used for 
> nothing more than 
> to suppress logging of broadcasts that arrive on the 
> interface (avoids a 
> lot of reports from newbies that their firewall is under 
> attack). In other 
> words, that setting can have no possible effect on NAT.
> 
> -Tom
>

Tom Eastep

2003-Jun-26 13:48 UTC

head link

[Shorewall-users] DNAT problems

On Thu, 2003-06-26 at 10:30, Graeme Boyle wrote:> Okay, now I''m really stumpted! I agree with your comments below
Tom, and
> trust me, this was working last night but now, I''m getting
rejected again.
> 
> >From Shorwall status ..
> tcp      6 86 SYN_SENT src=12.148.248.98 dst=12.148.248.99 sport=32904
> dport=443 [UNREPLIED] src=10.10.1.60 dst=12.148.248.98 sport=443
dport=32904
> use=1 
The above means that the request has been sent to the server on
10.10.1.60 and the server hasn''t replied.
> 
> >From the client, the connection times out. This should not be that
> difficult, right!?! Could this be a DNS problem?
If so, the problem is on the server (10.10.1.60). If it is having
problem doing a reverse lookup on 12.148.248.98 then you might see these
symptoms.

> Any ideas would be
> appreciated as I''m supposed to put this system into production!
> 
You don''t have more than one of your firewall''s interfaces
connected to
the same HUB/switch do you?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Graeme Boyle

2003-Jun-27 09:30 UTC

head link

[Shorewall-users] DNAT problems

Well, as in most cases, this turned out to be operator error.... be nice!
I''m sending this to the group, with the hope that my stupidity will
help
someone else out there! :-)

Here is what the problem was. Since I am running the new firewall in
parallel with the old one, the internal clients and servers were still
configured to use the old firewall as the default route. Therefore, I would
never receive the response (ACK) traffic on the new firewall''s LAN
interface. Once I changed the internal clients/servers to use the new
firewall as the default route, everything worked as expected. I tested this
a couple of times, changing the default route back and forth and I could
successfully "break" and "fix" the connection every time.

One good thing is that, I have honestly read the Shorewall documentation
throughly! 

Thanks again Tom,

Graeme

Tom Eastep

2003-Jun-27 09:40 UTC

head link

[Shorewall-users] DNAT problems

On Fri, 27 Jun 2003 12:28:45 -0400, Graeme Boyle <g.boyle3@verizon.net> 
wrote:

> Thanks again Tom,
Glad to hear that the problem is solved, Graeme.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

John Andersen

2003-Jun-27 16:24 UTC

head link

[Shorewall-users] DNAT problems

On Friday 27 June 2003 08:28 am, Graeme Boyle wrote:> Here is what the problem was. Since I am running the new firewall in
> parallel with the old one, the internal clients and servers were still
> configured to use the old firewall as the default route. 
Chuckle....  I did the EXACT same thing on my first install.

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/

Shorewall users - Jun 2003 - DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems

[Shorewall-users] DNAT problems