Hi, I've been having some issues with shorewall lately. You see, I'm using DNAT to port forward some ports.. some for gaming are working great but I have a few port forwards that are acting strangely.

First I had an HTTP server running on box 192.168.5.41 and port 8129. Now, when clients requested the page from the outside they said it looked like they were going to get it for a sec and then it failed.. they got nothing. This was puzzling me so I installed ethereal. It seems that I got the packet fine on 192.168.5.41. I got a SYN packet from the internet client. My box then sent back a SYN ACK... which the client does not receive! (I had ethereal on there as well.) So then the client sends another SYN thinking that something is wrong... and the process continues until time out.

Second, I tried to do an FTP server on port 2121 (PASV) and now that's doing the same thing!

I don't understand this since my policy is
loc net ACCEPT.
In fact, it's all based off the two-interface example posted on shorewall.net.

Shorewall Version: 1.4.2
IPs are eth0 192.168.1.3 (Net)
eth1 192.168.5.3 (Loc)

POLICY
loc net ACCEPT
net all DROP
all all REJECT

RULES
DNAT net loc:192.168.5.40 tcp 8129 -
DNAT net loc:192.168.5.40 tcp 2121:2131 -

INTERFACES
net eth0 192.168.1.255 routefilter
loc eth1 192.168.5.255

I think that's all the info. Any Clues??
On Sun, 03 Aug 2003 05:49:45 +0000, Dave B <dragin33@hotmail.com> wrote:

> I think that's all the info. Any Clues??

No.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 03 Aug 2003 05:49:45 +0000, Dave B <dragin33@hotmail.com> wrote:

> Hi, I've been having some issues with shorewall lately.

So it worked well at some time in the past?

> You see, I'm using DNAT to port forward some ports.. some for gaming are
> working great but I have a few port forwards that are acting strangely.
> First I had an HTTP server running on box 192.168.5.41 and port 8129.
> Now, when clients requested the page from the outside they said it looked
> like they were going to get it for a sec and then it failed.. they got
> nothing. This was puzzling me so I installed ethereal. It seems that I
> got the packet fine on 192.168.5.41. I got a SYN packet from the
> internet client. My box then sent back a SYN ACK... which the client
> does not receive! (I had ethereal on there as well.)

But you didn't capture on the firewall?

> So then the client sends another SYN thinking that something is wrong...
> and the process continues until time out. Second, I tried to do an FTP
> server on port 2121 (PASV) and now that's doing the same thing!
>
> I don't understand this since my policy is
> loc net ACCEPT.

Which has absolutely nothing to do with replies to DNATed requests....

> I think that's all the info. Any Clues??

Can you ping your ISP's gateway router from the box running our HTTP server?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 03 Aug 2003 18:44:04 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> Can you ping your ISP's gateway router from the box running our HTTP
> server?

I of course meant "... *your* HTTP server"

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> Hi, I've been having some issues with shorewall lately. You see, I'm using
> DNAT to port forward some ports.. some for gaming are working great but I
> have a few port forwards that are acting strangely. First I had an HTTP
> server running on box 192.168.5.41 and port 8129. Now, when clients
> requested the page from the outside they said it looked like they were
> going to get it for a sec and then it failed.. they got nothing. This was
> puzzling me so I installed ethereal. It seems that I got the packet fine
> on 192.168.5.41. I got a SYN packet from the internet client. My box then
> sent back a SYN ACK... which the client does not receive! (I had ethereal
> on there as well.) So then the client sends another SYN thinking that
> something is wrong... and the process continues until time out. Second, I
> tried to do an FTP server on port 2121 (PASV) and now that's doing the same
> thing!
>
> I don't understand this since my policy is
> loc net ACCEPT.
> In fact, it's all based off the two-interface example posted on
> shorewall.net.
>
> Shorewall Version: 1.4.2
> IPs are eth0 192.168.1.3 (Net)
> eth1 192.168.5.3 (Loc)
>
> POLICY
> loc net ACCEPT
> net all DROP
> all all REJECT
>
> RULES
> DNAT net loc:192.168.5.40 tcp 8129 -
> DNAT net loc:192.168.5.40 tcp 2121:2131 -
>
> INTERFACES
> net eth0 192.168.1.255 routefilter
> loc eth1 192.168.5.255
>
> I think that's all the info. Any Clues??

Taking a closer look, I bypassed my router and my shorewall firewall/gateway and plugged the web/ftp server right into the modem. I tried having my internet clients connect and they were able to log into the ftp server and get the webpage on port 8129 perfectly.. now I know it's not the ISP blocking stuff. BUT WHAT'S WRONG?!
On Tue, 2003-08-05 at 13:44, Dave B wrote:

> > Hi, I've been having some issues with shorewall lately. You see, I'm using
> > DNAT to port forward some ports.. some for gaming are working great but I
> > have a few port forwards that are acting strangely. First I had an HTTP
> > server running on box 192.168.5.41 and port 8129. Now, when clients
> > requested the page from the outside they said it looked like they were
> > going to get it for a sec and then it failed.. they got nothing. This was
> > puzzling me so I installed ethereal. It seems that I got the packet fine
> > on 192.168.5.41. I got a SYN packet from the internet client. My box then
> > sent back a SYN ACK... which the client does not receive! (I had ethereal
> > on there as well.) So then the client sends another SYN thinking that
> > something is wrong... and the process continues until time out. Second, I
> > tried to do an FTP server on port 2121 (PASV) and now that's doing the same
> > thing!
> >
> > I don't understand this since my policy is
> > loc net ACCEPT.
> > In fact, it's all based off the two-interface example posted on
> > shorewall.net.
> >
> > Shorewall Version: 1.4.2
> > IPs are eth0 192.168.1.3 (Net)
> > eth1 192.168.5.3 (Loc)
> >
> > POLICY
> > loc net ACCEPT
> > net all DROP
> > all all REJECT
> >
> > RULES
> > DNAT net loc:192.168.5.40 tcp 8129 -
> > DNAT net loc:192.168.5.40 tcp 2121:2131 -
> >
> > INTERFACES
> > net eth0 192.168.1.255 routefilter
> > loc eth1 192.168.5.255
> >
> > I think that's all the info. Any Clues??
>
> Taking a closer look, I bypassed my router and my shorewall
> firewall/gateway and plugged the web/ftp server right into the modem. I
> tried having my internet clients connect and they were able to log into the
> ftp server and get the webpage on port 8129 perfectly.. now I know it's not
> the ISP blocking stuff. BUT WHAT'S WRONG?!

I SEE WE'RE NOW GOING TO YELL -- I ASKED YOU IN MY LAST POST IF THE HTTP SERVER CAN PING YOUR ISP'S ROUTER AND YOU DIDN'T ANSWER.

I WILL NOW ALSO ASK YOU IF THE HTTP SERVER'S DEFAULT ROUTE IS BACK THROUGH THE SHOREWALL SYSTEM OR IS IT THROUGH SOME OTHER GATEWAY?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tue, 2003-08-05 at 19:26, Dave B wrote:

> Whoa there, easy. I didn't see your last post and I'm still new to this new
> to this mailing list deal. Anyway, yes the HTTP server can ping the ISP's
> gateway, surf the internet and everything. Also, the HTTP server's default
> gateway is set to 192.168.5.3

Ok. I assume that for FTP you have followed the instructions at http://shorewall.net/FTP.html regarding FTP on non-standard ports?

I guess the next thing to do is:

a) shorewall reset
b) tcpdump -i any -w /tmp/tcpdump host www.xxx.yyy.zzz
c) Have someone try to connect from www.xxx.yyy.zzz
d) stop tcpdump
e) shorewall status > /tmp/status

Send me both the /tmp/tcpdump and /tmp/status output.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
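As an added illustration (not part of the thread), this script reads the kind of text output `tcpdump -n -i any` would give when run on the firewall as in step b) above, and classifies each client flow by where the DNAT reply path breaks: SYN retransmitted with no SYN-ACK seen, SYN-ACK seen only with the internal server's address, or SYN-ACK sent from the external address but never ACKed. The capture lines are constructed samples; the only addresses taken from the thread are the firewall's external IP 192.168.1.3 and the DNAT target 192.168.5.40.

```python
import re
from collections import defaultdict

FIREWALL_EXT = "192.168.1.3"   # firewall's net-side address, from the thread

# Constructed lines in the shape of `tcpdump -n -i any` text output (not a real
# capture): the client's SYN is seen arriving on eth0 and again after DNAT on
# eth1, the server's SYN-ACK arrives on eth1, but nothing ever leaves from the
# external address toward the client, so the client retransmits its SYN.
SAMPLE_CAPTURE = """\
05:49:45.000001 IP 203.0.113.7.51000 > 192.168.1.3.8129: Flags [S], seq 100, win 64240, length 0
05:49:45.000040 IP 203.0.113.7.51000 > 192.168.5.40.8129: Flags [S], seq 100, win 64240, length 0
05:49:45.000300 IP 192.168.5.40.8129 > 203.0.113.7.51000: Flags [S.], seq 500, ack 101, win 65535, length 0
05:49:48.000001 IP 203.0.113.7.51000 > 192.168.1.3.8129: Flags [S], seq 100, win 64240, length 0
05:49:48.000040 IP 203.0.113.7.51000 > 192.168.5.40.8129: Flags [S], seq 100, win 64240, length 0
05:49:48.000300 IP 192.168.5.40.8129 > 203.0.113.7.51000: Flags [S.], seq 500, ack 101, win 65535, length 0
"""

LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_flows(capture):
    """Group packets by client endpoint: SYNs that reached the external address,
    the source addresses the SYN-ACK was seen with, and whether the client ACKed."""
    flows = defaultdict(lambda: {"syn": 0, "synack_from": set(), "acked": False})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and dst == FIREWALL_EXT:       # client's SYN, pre-DNAT leg
            flows[(src, sport)]["syn"] += 1
        elif flags == "S.":                            # server's SYN-ACK toward client
            flows[(dst, dport)]["synack_from"].add(src)
        elif "." in flags and (src, sport) in flows:   # client's ACK: handshake done
            flows[(src, sport)]["acked"] = True
    return flows

def diagnose(flow):
    """Say where the reply path breaks for one client flow."""
    if flow["acked"]:
        return "handshake completed"
    if flow["syn"] < 2:
        return "single SYN only, nothing to conclude yet"
    if not flow["synack_from"]:
        return "SYN retransmitted, no SYN-ACK seen here: server silent or replying via another gateway"
    if FIREWALL_EXT in flow["synack_from"]:
        return "SYN-ACK left from the external address but was never ACKed: lost beyond the firewall"
    return "SYN-ACK from %s never re-sent as %s: reply not forwarded back through the firewall" % (
        ", ".join(sorted(flow["synack_from"])), FIREWALL_EXT)
```

Running `parse_flows(SAMPLE_CAPTURE)` and passing each flow to `diagnose` reports the sample client as a reply that reached the firewall from 192.168.5.40 but never went back out as 192.168.1.3.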