Hi gang,

I've got a problem with shorewall, it keeps dropping packets when it should be DNATing them. I want all connections on tcp port 4662 to be forwarded to a machine on my network (192.168.0.5) - the port is used for mldonkey (P2P app). It seems to be partially working - loads of packets are being DNAT'ed but some are not - I can't figure out why!

The firewall (192.168.0.1) is running RH9 with kernel 2.4.20-8, iptables v1.2.7a and shorewall version 1.4.6a

Line in /etc/shorewall/rules...

    DNAT    net    loc:192.168.0.5    tcp    4662

but here's the bit in /var/log/messages that says it's dropping packets....

    Nov 11 01:11:49 potchin kernel: Shorewall:logdrop:DROP:IN=ppp0 OUT=eth0 SRC=201.128.9.30 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=6299 DF PROTO=TCP SPT=3187 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0

One thing I did think about was my external interface - it's an ADSL connection with a dynamic IP that is occasionally dropped for IP renewal. I have not set the firewall to restart or anything when the IP does change - I don't think it needs to. All internal IPs are static.

I'm no guru on firewalls and haven't really fiddled with the default settings that much so not sure what else you might need. If you need to see some more config files then I can put them online if it helps.

As always, all suggestions welcome.

Regards
Jeff
Hi,

Maybe this is only a hint. Try checking if you put a DROP or REJECT rule before the DNAT. If you do, check if the DROP or REJECT blocks the stream from net->loc.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jeff
Sent: Wednesday, November 12, 2003 1:22 PM
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] NEWBIE: DNAT Prob

Hi gang,

I've got a problem with shorewall, it keeps dropping packets when it should be DNATing them. I want all connections on tcp port 4662 to be forwarded to a machine on my network (192.168.0.5) - the port is used for mldonkey (P2P app). It seems to be partially working - loads of packets are being DNAT'ed but some are not - I can't figure out why!

The firewall (192.168.0.1) is running RH9 with kernel 2.4.20-8, iptables v1.2.7a and shorewall version 1.4.6a

Line in /etc/shorewall/rules...

    DNAT    net    loc:192.168.0.5    tcp    4662

but here's the bit in /var/log/messages that says it's dropping packets....

    Nov 11 01:11:49 potchin kernel: Shorewall:logdrop:DROP:IN=ppp0 OUT=eth0 SRC=201.128.9.30 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=6299 DF PROTO=TCP SPT=3187 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0

One thing I did think about was my external interface - it's an ADSL connection with a dynamic IP that is occasionally dropped for IP renewal. I have not set the firewall to restart or anything when the IP does change - I don't think it needs to. All internal IPs are static.

I'm no guru on firewalls and haven't really fiddled with the default settings that much so not sure what else you might need. If you need to see some more config files then I can put them online if it helps.

As always, all suggestions welcome.
Regards
Jeff
On 12 Nov 2003, Jeff wrote:

> but here's the bit in /var/log/messages that says it's dropping
> packets....
>
> Nov 11 01:11:49 potchin kernel: Shorewall:logdrop:DROP:IN=ppp0 OUT=eth0
> SRC=201.128.9.30 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113
> ID=6299 DF PROTO=TCP SPT=3187 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
>
> One thing I did think about was my external interface - it's an ADSL
> connection with a dynamic IP that is occasionally dropped for IP
> renewal. I have not set the firewall to restart or anything when the IP
> does change - I don't think it needs to. All internal IPs are static.
>
> I'm no guru on firewalls and haven't really fiddled with the default
> settings that much so not sure what else you might need. If you need to
> see some more config files then I can put them online if it helps.
>
> As always, all suggestions welcome.

Please read FAQ 17 -- it will help explain the above log message and should give you a clue as to the problem.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
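As an added example (not from the thread or the Shorewall project), a small parser for log lines in the format Jeff quoted: it splits the kernel "Shorewall:chain:disposition:" message into KEY=VALUE fields and bare flag tokens, then reports, for the DNAT target and port from Jeff's rule, whether the drop was logged after the destination had already been rewritten (IN and OUT both set, DST already the internal host) or on the firewall's own INPUT path, where the DNAT rule never matched. The external interface name ppp0 is taken from the log line; the second log line, its documentation-range addresses, and the verdict labels are constructed assumptions.

```python
import re

# Constructed sample input: the line from the thread, plus a constructed second
# line (documentation-range addresses) showing a drop on the INPUT path for contrast.
SAMPLE_LOG = """\
Nov 11 01:11:49 potchin kernel: Shorewall:logdrop:DROP:IN=ppp0 OUT=eth0 SRC=201.128.9.30 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=6299 DF PROTO=TCP SPT=3187 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 11 01:12:03 potchin kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")

def parse_shorewall_line(line):
    """Split a Shorewall/iptables LOG line into chain, disposition, KEY=VALUE fields
    and bare flag tokens (DF, SYN, ACK ...). Returns None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value  # value may be empty, e.g. "OUT=" on the INPUT path
        else:
            rec["flags"].append(token)
    return rec

def classify_drop(rec, external_if, dnat_target, dnat_port):
    """Say where in the packet path a DROP for the forwarded port was logged.
    external_if / dnat_target / dnat_port are assumptions supplied by the caller."""
    if rec is None or rec["action"] != "DROP" or rec.get("PROTO") != "TCP":
        return "not-a-tcp-drop"
    if rec.get("DPT") != str(dnat_port):
        return "other-port"
    if rec.get("IN") == external_if and rec.get("OUT") and rec.get("DST") == dnat_target:
        # IN and OUT both set: FORWARD path; DST already rewritten by nat PREROUTING.
        return "dropped-after-dnat"
    if rec.get("IN") == external_if and not rec.get("OUT"):
        # No OUT interface: INPUT path, DST is the firewall itself; DNAT rule did not match.
        return "dropped-not-dnated"
    return "unclassified"

def summarize(log_text, external_if="ppp0", dnat_target="192.168.0.5", dnat_port=4662):
    """Return (SRC, chain, verdict) for every Shorewall line in log_text."""
    out = []
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec:
            out.append((rec.get("SRC"), rec["chain"], classify_drop(rec, external_if, dnat_target, dnat_port)))
    return out
```

Running summarize() over the real log files gives a quick count of which drops happened after the DNAT rewrite and which never reached the DNAT rule, which narrows where in the rule order to look.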