I've got a little problem: I am trying to forward port 8080 to an Apache server on VMware. I can see with tcpdump that the connection comes to the VMware computer, but nothing gets back and the connection times out. I think this is an error that has to do with VMware, but I'd better ask if you know something about this. I can connect to the Apache server from the internal network if I use the local address, so the server is "accessible"(?). I have searched the mailing list and found some problems with Apache, but not the same as I've got, and I have not found that I need to make any special settings in my Apache config. If you have it on your webpage, I need to get new glasses :)

The setup looks like this:

Internet < Firewall > 192.168.0.1 < LAN > 192.168.0.2 < This is the computer that runs VMware, Windows 2000 as host system. The network is bridged. > 192.168.0.3 < The computer that runs in VMware >

I hope you get that.

The rule I use looks like this:

DNAT net loc:192.168.0.3 tcp 80

/Rickard Eriksson
On Tue, 2003-07-15 at 15:02, Rickard Eriksson wrote:

> Internet < Firewall > 192.168.0.1 < LAN > 192.168.0.2 < This is the
> computer that run VMware, Windows 2000 as host system. The network is
> bridged. > 192.168.0.3 < The computer that runs in VMware >
>
> I hope you get that.
>
> The rule i use looks like this:
> DNAT net loc:192.168.0.3 tcp 80

Has the OS running in the VM been configured to use the Firewall's internal interface as its default gateway?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:

> On Tue, 2003-07-15 at 15:02, Rickard Eriksson wrote:
>
>> Internet < Firewall > 192.168.0.1 < LAN > 192.168.0.2 < This is the
>> computer that run VMware, Windows 2000 as host system. The network is
>> bridged. > 192.168.0.3 < The computer that runs in VMware >
>>
>> I hope you get that.
>>
>> The rule i use looks like this:
>> DNAT net loc:192.168.0.3 tcp 80
>
> Has the OS running in the VM been configured to use the Firewall's
> internal interface as its default gateway?
>
> -Tom

Yes, it works to connect to the internet from that "computer" too.
Rodolfo J. Paiz wrote:

> At 7/16/2003 00:02 +0200, you wrote:
>
>> The rule i use looks like this:
>> DNAT net loc:192.168.0.3 tcp 80
>
> If the network in VMware is bridged, the guest computer will act just
> like any other computer on the same network. So, if you can reach
> Apache at 192.168.0.3 from another computer on the same network, you
> should also be able to reach it by outside.
>
> Can the VMware computer connect to the outside world? Can it browse
> web pages, ping other computers, etc?
>
> Also, are you sure that DNAT rule is correct, and that it is the only
> Shorewall rule you need?

Yes, I can ping it and so on; it works perfectly in the local network, that's why I don't know what can be wrong. Should there only be one rule, or?
On Tue, 2003-07-15 at 15:20, Rickard Eriksson wrote:

> Yes, it works to connect to the internet from that "computer" to.

And a reverse DNS lookup from the VM of the IP address of your HTTP client succeeds? Do you see anything logged by Apache in either its access or error logs?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
At 7/15/2003 16:15 -0700, you wrote:

> And a reverse DNS lookup from the VM of the IP address of your HTTP
> client succeeds? Do you see anything logged by Apache in either its
> access or error logs?

Tom, could you take a look at my other post, the one which suggests a different DNAT rule? I don't think his rule is correct, but I have never used DNAT before and certainly cannot be sure that my suggestion is any better.

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
On Tue, 15 Jul 2003 17:22:13 -0600, Rodolfo J. Paiz <rpaiz@simpaticus.com> wrote:

> At 7/15/2003 16:15 -0700, you wrote:
>> And a reverse DNS lookup from the VM of the IP address of your HTTP
>> client succeeds? Do you see anything logged by Apache in either its
>> access or error logs?
>
> Tom, could you take a look at my other post, the one which suggests a
> different DNAT rule? I don't think his rule is correct, but I have never
> used DNAT before and certainly cannot be sure that my suggestion is any
> better.

You are correct, Rodolfo, if indeed the OP is trying to connect on 8080 and forward it to 80.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
At 7/15/2003 16:45 -0700, Tom Eastep wrote:

> You are correct Rodolfo if indeed the OP is trying to connect on 8080 and
> forward it to 80.

Here is the first paragraph of his original post:

>> I got a litel problem, i try to forward port 8080 to a apache server on
>> VMware.
>> I can see that to connection comes to the VMware computer with tcpdump but
>> nothing gets back the connection timesout.

We'll see from his next post whether or not I have guessed successfully (and learned some DNAT in the bargain).

By the way, is DNAT really always that easy? And do I understand correctly that DNAT is essentially the same as REDIRECT, except that REDIRECT is all inside the same server and DNAT forwards to another computer?

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
On Tue, 15 Jul 2003 17:54:03 -0600, Rodolfo J. Paiz <rpaiz@simpaticus.com> wrote:

> By the way, is DNAT really always that easy?

Yes.

> And do I understand correctly that DNAT is essentially the same as
> REDIRECT, except that REDIRECT is all inside the same server and DNAT
> forwards to another computer?

That's the basic notion, yes.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
You're right, there is a little typo there... but the rule I have is:

DNAT net loc:192.168.0.3 tcp 8080

I changed it to:

DNAT net loc:192.168.0.3:80 tcp 8080

I have checked with tcpdump and I found that now I can't see the connections any more... I use more DNAT rules and they work. One of them looks like this:

DNAT net loc:192.168.0.2 tcp 1612

I give up. It is only my devel computer that runs under VMware, so there is no real need to let others connect to it, but it would be fun to show what I have done sometimes.

Thanks for the help!

Rodolfo J. Paiz wrote:

> At 7/16/2003 00:28 +0200, you wrote:
>
>> Rodolfo J. Paiz wrote:
>>
>>> At 7/16/2003 00:02 +0200, you wrote:
>>>
>>>> The rule i use looks like this:
>>>> DNAT net loc:192.168.0.3 tcp 80
>>>
>>> If the network in VMware is bridged, the guest computer will act
>>> just like any other computer on the same network. So, if you can
>>> reach Apache at 192.168.0.3 from another computer on the same
>>> network, you should also be able to reach it by outside.
>>>
>>> Can the VMware computer connect to the outside world? Can it browse
>>> web pages, ping other computers, etc?
>>>
>>> Also, are you sure that DNAT rule is correct, and that it is the
>>> only Shorewall rule you need?
>>
>> Yes, i can ping it and so on, it works perfect in the local network,
>> thats why i don't know what can be wrong.
>> There shall only be one rule or?
>
> Have you used DNAT before? Are you 100% sure that your rule is
> correct? Are you 100% sure that this DNAT rule is the only one you need?
>
> You originally said that you were trying to take external connections
> to port 8080 and forward them to the .1.3 IP address on port 80. As
> far as I can see, the DNAT rule you've written takes external
> connections to port 80 and forwards them to the internal system on
> port 80. Not the same thing.
>
> How about:
>
> DNAT net loc:192.168.0.3:80 tcp 8080
>
> Disclaimer: I have never used DNAT before, but this is how I interpret
> the documentation and comments inside the /etc/shorewall/rules file.
> At least it's different from yours, and it seems to make good sense to
> me. <grin>
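As an added illustration (not code from this thread or from Shorewall itself), here is a small parser for Shorewall rules-file DNAT/REDIRECT lines that reports the effective port mapping, which makes the mistake discussed above visible: `DNAT net loc:192.168.0.3 tcp 80` delivers external port 80 to 192.168.0.3:80, while `DNAT net loc:192.168.0.3:80 tcp 8080` is the 8080-to-80 mapping the OP wanted. It also handles REDIRECT to show the DNAT/REDIRECT distinction Rodolfo asked about; the column layout (ACTION SOURCE DEST PROTO DEST-PORT ...) and the reading of REDIRECT's DEST column as a port on the firewall are assumptions from the classic rules file format.

```python
"""Parse Shorewall rules-file DNAT/REDIRECT lines and report the mapping.

Assumed column layout (classic /etc/shorewall/rules format):
ACTION SOURCE DEST PROTO DEST-PORT(S) [SOURCE-PORT(S)] [ORIGINAL-DEST]
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatMapping:
    action: str
    source_zone: str
    ext_port: str             # port clients connect to on the firewall
    dest_zone: str
    dest_host: Optional[str]  # None for REDIRECT (delivered to the firewall)
    dest_port: str            # port the connection is actually delivered to


def parse_nat_rule(line: str) -> NatMapping:
    cols = line.split("#", 1)[0].split()   # drop trailing comment, split columns
    if len(cols) < 5:
        raise ValueError(f"need at least 5 columns: {line!r}")
    action, src, dest, _proto, ext_port = cols[:5]
    if action == "DNAT":
        # DEST is zone:address[:port]. Without the trailing :port the
        # original destination port is kept (IPv4 addresses assumed).
        parts = dest.split(":")
        if len(parts) < 2:
            raise ValueError(f"DNAT DEST must be zone:address: {dest!r}")
        dport = parts[2] if len(parts) > 2 else ext_port
        return NatMapping(action, src, ext_port, parts[0], parts[1], dport)
    if action == "REDIRECT":
        # Assumption: for REDIRECT the DEST column is a port on the firewall.
        return NatMapping(action, src, ext_port, "fw", None, dest)
    raise ValueError(f"not a NAT rule: {action!r}")


def mapping_matches(line: str, ext_port: int, host: Optional[str], port: int) -> bool:
    """Check a rule line against the mapping its author intended."""
    m = parse_nat_rule(line)
    return (m.ext_port, m.dest_host, m.dest_port) == (str(ext_port), host, str(port))


if __name__ == "__main__":
    # Constructed sample rules: the two from the thread plus a REDIRECT.
    for rule in ("DNAT net loc:192.168.0.3 tcp 80",
                 "DNAT net loc:192.168.0.3:80 tcp 8080",
                 "REDIRECT loc 3128 tcp 80"):
        m = parse_nat_rule(rule)
        target = f"{m.dest_host}:{m.dest_port}" if m.dest_host else f"firewall:{m.dest_port}"
        print(f"{rule!r:45} -> {m.source_zone} port {m.ext_port} delivered to {target}")
```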