I am running shorewall-1.3.11 on Mandrake 8.2 (MNF). Shorewall is running fine except that DNAT will not work properly. I have tried DNAT for several ports, including ftp (21). For each DNAT rule shorewall does indeed forward to the intended destination -- but only for a brief moment. That is, each forwarded request appears to be immediately cut short (and in the case of ftp, repeated three times).

Test 1. For DNAT'ing ftp, I have the rule

    DNAT    wan    lan:192.168.0.111:21    tcp    ftp    -

and an attempt to connect from another ip (xxx.xxx.xxx.xxx) gives

    (not logged in) (xxx.xxx.xxx.xxx) > connected to ip : 0.0.0.0
    (not logged in) (xxx.xxx.xxx.xxx) > sending welcome message.
    (not logged in) (xxx.xxx.xxx.xxx) > 220 My anonymous ftp server
    (not logged in) (xxx.xxx.xxx.xxx) > disconnected.

So, the request is both forwarded and incomplete.

Test 2. For DNAT'ing zebedee, I have tried both of these rules

    DNAT:info    wan    lan:192.168.0.111          tcp    11965    -
    DNAT:info    wan    lan:192.168.0.111:11965    tcp    11965    -

and an attempt to connect from another ip (xxx.xxx.xxx.xxx) gives

    accepting connection from xxx.xxx.xxx.xxx
    waiting for connection on port 11965
    ERROR: failed reading protocol version

Again, the request is both forwarded and incomplete.

Both of these systems are accessible through another firewall, but they do not work via shorewall and DNAT. When I log info, the syslog shows DNAT forwarding of each request -- in triplicate. I.e., each client tries three successive times to connect, with three successive failures.

What have I done wrong? What setting have I missed?
On Fri, 10 Oct 2003, gjohnson wrote:

> Both of these systems are accessible through another firewall, but they
> do not work via shorewall and DNAT. When I log info, the syslog shows DNAT
> forwarding of each request -- in triplicate. I.e., each client tries three
> successive times to connect, with three successive failures.
>
> What have I done wrong? What setting have I missed?

You probably have the default gateway on the server still set to the IP
address of the "other firewall".

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
> > Both of these systems are accessible through another firewall, but they
> > do not work via shorewall and DNAT. When I log info, the syslog shows DNAT
> > forwarding of each request -- in triplicate. I.e., each client tries three
> > successive times to connect, with three successive failures.
> >
> > What have I done wrong? What setting have I missed?
>
> You probably have the default gateway on the server still set to the IP
> address of the "other firewall".

thanks! That was it.

Is it possible to have one server (e.g. an ftpd, a zebedee server, etc.) accessible via two separate firewalls (i.e. two separate gateways) at the same time? Or must I set up two servers -- one on a machine with one gateway and a second on a machine with the other gateway?
> > You probably have the default gateway on the server still set to the IP
> > address of the "other firewall".
>
> thanks! That was it.
>
> Is it possible to have one server (e.g. an ftpd, a zebedee server, etc.)
> accessible via two separate firewalls (i.e. two separate gateways) at the
> same time? Or must I set up two servers -- one on a machine with one
> gateway and a second on a machine with the other gateway?

This is off topic... but have a look at:
http://lartc.org/howto/lartc.rpdb.multiple-links.html

You'll need to set up the server with the 2 default gateways and not your firewall. The idea is the same, provider1 is gateway1, but don't worry about the local network part of the howto. Mail me if you like.

Jerry Vonau
thanks. It is a very interesting link and I will consider reworking a network accordingly. My preference, at least in certain cases, is to have

    provider1 --> gtwy1/router1 --> switch1 <--> switch2 <-- gtwy2/router2 <-- provider2

with the server connected to either switch1 or switch2. This setup allows for the failure of either gateway and still allows access to the internet via the other gateway. This kind of setup can be necessary for several reasons, and I have some further details on how it can be used. I can explain further if you want.

I was just wondering if there is any way to have a server on, say switch1, and have it use either gtwy1 or gtwy2 -- depending on whether it is accessed via gtwy1 or gtwy2. Also, if this is possible, do you know if it can also be done on a w2k workstation on switch 1 (e.g. if a user wants to have vnc access to his/her workstation via both gateways)?

If you know this approach is definitively not possible, that'd be good to know. On the other hand, if you have any ideas on how it could be done, please let me know.

> This is off topic... but have a look at:
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
>
> You'll need to set up the server with the 2 default gateways
> and not your firewall.
> The idea is the same, provider1 is gateway1, but don't worry
> about the local
> network part of the howto. Mail me if you like.
>
> Jerry Vonau
On Sun, 12 Oct 2003, gjohnson wrote:

> I was just wondering if there is any way to have a server on, say switch1,
> and have it use either gtwy1 or gtwy2 -- depending on whether it is
> accessed via gtwy1 or gtwy2. Also, if this is possible, do you know if it
> can also be done on a w2k workstation on switch 1 (e.g. if a user wants to
> have vnc access to his/her workstation via both gateways)?
>
> If you know this approach is definitively not possible, that'd be good to
> know. On the other hand, if you have any ideas on how it could be done,
> please let me know.
>

The link below *tells you how to do it* if the server runs Linux.

> > This is off topic... but have a look at:
> > http://lartc.org/howto/lartc.rpdb.multiple-links.html

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sat, 2003-10-11 at 21:49, Tom Eastep wrote:
> On Sun, 12 Oct 2003, gjohnson wrote:
>
> The link below *tells you how to do it* if the server runs Linux.
>
> > > This is off topic... but have a look at:
> > > http://lartc.org/howto/lartc.rpdb.multiple-links.html
>

Note that your server will need to have a unique IP address associated with each gateway; I don't believe that there is a requirement to have two NICs installed in the server.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
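For readers who want to see what the LARTC "multiple links" recipe that Jerry linked, combined with Tom's point about one address per gateway, looks like on the server: the script below is an added example, not code from this thread, from Shorewall or from the LARTC howto. It generates (or, with `apply`, executes) the `ip route` and `ip rule` commands that give the server one routing table per gateway and select the table by the packet's source address, so a reply to a request that came in through gtwy2 leaves through gtwy2 rather than the single default gateway (the asymmetric-routing situation that produced the truncated DNAT connections at the top of the thread). Interface names, addresses and table numbers are constructed sample values; it assumes both addresses are already configured on the server (two addresses on one NIC is enough).

```shell
#!/bin/sh
# Added example (not from the thread, Shorewall or LARTC): per-gateway
# routing tables plus source-address policy rules, following the LARTC
# "multiple links" recipe. All names and addresses are constructed samples.

IF1=eth0; IP1=192.168.0.111; GW1=192.168.0.1; NET1=192.168.0.0/24  # address reached via gtwy1
IF2=eth0; IP2=192.168.1.111; GW2=192.168.1.1; NET2=192.168.1.0/24  # address reached via gtwy2
T1=101; T2=102   # per-gateway routing table ids (assumed unused on this host)

# Print the ip(8) commands (default), or execute them when called with "apply".
# Assumes IP1 and IP2 are both already configured on the server.
multilink_routes() {
    MODE=${1:-print}
    run() {
        if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi
    }

    # Table T1: traffic sourced from IP1 leaves via gtwy1
    run ip route add "$NET1" dev "$IF1" src "$IP1" table "$T1"
    run ip route add default via "$GW1" table "$T1"

    # Table T2: traffic sourced from IP2 leaves via gtwy2
    run ip route add "$NET2" dev "$IF2" src "$IP2" table "$T2"
    run ip route add default via "$GW2" table "$T2"

    # Main table: connected routes with the matching source address, and the
    # gateway used for connections the server itself originates
    run ip route replace "$NET1" dev "$IF1" src "$IP1"
    run ip route replace "$NET2" dev "$IF2" src "$IP2"
    run ip route replace default via "$GW1"

    # Policy rules: pick the table by source address, so a reply to a request
    # that arrived at IP2 (through gtwy2) goes back out through gtwy2
    run ip rule add from "$IP1" table "$T1"
    run ip rule add from "$IP2" table "$T2"
}

multilink_routes "${1:-print}"
```

After applying, `ip rule show` should list the two `from` rules ahead of the main table, and `ip route show table 101` / `ip route show table 102` should each show a connected route and a default via the matching gateway. Because the server keeps only one address per gateway and the kernel chooses the table from the source address the client connected to, a DNAT rule on either firewall can target the address that belongs to that firewall's gateway and the return path stays symmetric; the workstation question in the thread is not covered, since this relies on the Linux policy-routing database.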