All,
I know that this question has been addressed about a zillion times because I
have been through all of them!
So, bear with me...
I am trying to host a web site on my dmz computer. It has an ip address of
192.168.2.1, and is attached to the shorewall firewall machine via an
independent ethernet interface, eth2, which has an address of 192.168.2.254.
The dmz computer's gateway matches this address.
In the rules section of my shorewall config, I am using the following:
DNAT net dmz:192.168.2.1:8082 tcp www,https
On the DMZ, apache is listening on port 8082.
Using the internal address of the web server, http://192.168.2.1:8082, I can
access my web page from my local network without problems.
From outside of my network, neither I nor anyone else can access it.
From FAQ1b, when I type
iptables -t nat -Z
shorewall show nat
I see the DNAT counter go up, so I know that the packets are being DNAT'd
correctly.
Furthermore, when I run tcpdump on the dmz computer I can see the requests
coming in from the external (net) site. The connection shows up in
"netstat -a" stuck in the SYN_RECV state.
I also see some responses from my dmz computer back out to the external box,
but a connection is never established.
Here is an example of some of the tcpdump print out from the dmz computer:
18:34:29.356616 lsh106.siteprotect.com.38460 > 192.168.2.1.8082: S
3630940255:3630940255(0) win 5840 <mss 1460,sackOK,timestamp 57146495
0,nop,wscale 0> (DF)
18:34:29.356760 192.168.2.1.8082 > lsh106.siteprotect.com.38460: S
3169322673:3169322673(0) ack 3630940256 win 16060 <mss 1460,sackOK,timestamp
340632 57146495,nop,wscale 0> (DF)
18:34:29.359255 192.168.2.1.1025 > firewall.domain: 47601+ PTR?
1.2.168.192.in-addr.arpa. (42)
18:34:29.370988 firewall.domain > 192.168.2.1.1025: 47601 NXDomain 0/1/0
(119) (DF)
18:34:29.371631 192.168.2.1.1025 > firewall.domain: 47602+ PTR?
243.134.113.66.in-addr.arpa. (45)
18:34:29.372530 firewall.domain > 192.168.2.1.1025: 47602 1/0/0 (81) (DF)
18:34:29.373260 192.168.2.1.1025 > firewall.domain: 47603+ PTR?
254.1.168.192.in-addr.arpa. (44)
18:34:29.374099 firewall.domain > 192.168.2.1.1025: 47603* 1/0/0 (66) (DF)
18:34:32.351022 lsh106.siteprotect.com.38460 > 192.168.2.1.8082: S
3630940255:3630940255(0) win 5840 <mss 1460,sackOK,timestamp 57146795
0,nop,wscale 0> (DF)
18:34:32.351057 192.168.2.1.8082 > lsh106.siteprotect.com.38460: S
3169322673:3169322673(0) ack 3630940256 win 16060 <mss 1460,sackOK,timestamp
340931 57146495,nop,wscale 0> (DF)
18:34:32.716670 192.168.2.1.8082 > lsh106.siteprotect.com.38460: S
3169322673:3169322673(0) ack 3630940256 win 16060 <mss 1460,sackOK,timestamp
340968 57146495,nop,wscale 0> (DF)
18:34:34.351439 arp who-has 192.168.2.1 tell 192.168.2.254
18:34:34.351482 arp reply 192.168.2.1 is-at 0:80:c6:ff:0:9c
18:34:34.351855 192.168.2.1.1025 > firewall.domain: 47604+ PTR?
254.2.168.192.in-addr.arpa. (44)
18:34:34.365266 firewall.domain > 192.168.2.1.1025: 47604 NXDomain 0/1/0
(121) (DF)
18:34:38.350945 lsh106.siteprotect.com.38460 > 192.168.2.1.8082: S
3630940255:3630940255(0) win 5840 <mss 1460,sackOK,timestamp 57147395
0,nop,wscale 0> (DF)
18:34:38.350988 192.168.2.1.8082 > lsh106.siteprotect.com.38460: S
3169322673:3169322673(0) ack 3630940256 win 16060 <mss 1460,sackOK,timestamp
341531 57146495,nop,wscale 0> (DF)
18:34:39.216672 192.168.2.1.8082 > lsh106.siteprotect.com.38460: S
3169322673:3169322673(0) ack 3630940256 win 16060 <mss 1460,sackOK,timestamp
341618 57146495,nop,wscale 0> (DF)
18:34:39.346669 arp who-has 192.168.2.254 tell 192.168.2.1
18:34:39.346997 arp reply 192.168.2.254 is-at 0:c0:f0:1c:ff:ffp
Any help is greatly appreciated.
Thanks,
matt
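An added diagnostic, not from the original post or from Shorewall, that reads a tcpdump capture in the format shown above and classifies each inbound handshake, so the pattern in the post (SYN, SYN-ACK sent and retransmitted, never acknowledged) is flagged as a stuck SYN_RECV rather than a server-side problem. The sample capture is constructed from the post's own lines plus a made-up client 10.0.0.5 that completes the handshake, to show the healthy case beside the broken one.

```python
import re
# Constructed sample in the same tcpdump format as the capture in the post: the real
# client keeps retrying SYN and never ACKs, a made-up second client completes the handshake.
SAMPLE = """\
18:34:29.356616 lsh106.siteprotect.com.38460 > 192.168.2.1.8082: S 3630940255:3630940255(0) win 5840 <mss 1460,sackOK,timestamp 57146495 0,nop,wscale 0> (DF)
18:34:29.356760 192.168.2.1.8082 > lsh106.siteprotect.com.38460: S 3169322673:3169322673(0) ack 3630940256 win 16060 <mss 1460,sackOK,timestamp 340632 57146495,nop,wscale 0> (DF)
18:34:32.351022 lsh106.siteprotect.com.38460 > 192.168.2.1.8082: S 3630940255:3630940255(0) win 5840 <mss 1460,sackOK,timestamp 57146795 0,nop,wscale 0> (DF)
18:34:32.351057 192.168.2.1.8082 > lsh106.siteprotect.com.38460: S 3169322673:3169322673(0) ack 3630940256 win 16060 <mss 1460,sackOK,timestamp 340931 57146495,nop,wscale 0> (DF)
18:34:32.716670 192.168.2.1.8082 > lsh106.siteprotect.com.38460: S 3169322673:3169322673(0) ack 3630940256 win 16060 <mss 1460,sackOK,timestamp 340968 57146495,nop,wscale 0> (DF)
18:34:34.351022 arp who-has 192.168.2.1 tell 192.168.2.254
18:35:00.000001 10.0.0.5.40000 > 192.168.2.1.8082: S 100:100(0) win 5840 <mss 1460,sackOK> (DF)
18:35:00.000100 192.168.2.1.8082 > 10.0.0.5.40000: S 200:200(0) ack 101 win 16060 <mss 1460,sackOK> (DF)
18:35:00.000300 10.0.0.5.40000 > 192.168.2.1.8082: . ack 201 win 5840 (DF)
"""

PKT = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)(.*)$")  # host.port > host.port: flags rest
ACK = re.compile(r"\back \d+")

def parse_tcp(line):
    m = PKT.match(line)
    if not m:
        return None  # ARP, DNS and anything else without a TCP port on both sides
    sh, sp, dh, dp, flags, rest = m.groups()
    return (sh, int(sp)), (dh, int(dp)), flags, bool(ACK.search(rest))

def handshake_report(capture):
    # per client->server pair: [SYNs seen, SYN-ACKs seen, ACKs from the client]
    conns = {}
    for line in capture.splitlines():
        pkt = parse_tcp(line)
        if pkt is None:
            continue
        src, dst, flags, has_ack = pkt
        if flags == "S" and not has_ack:            # client SYN or retransmit
            conns.setdefault((src, dst), [0, 0, 0])[0] += 1
        elif flags == "S" and (dst, src) in conns:  # server's SYN-ACK, key flipped
            conns[(dst, src)][1] += 1
        elif has_ack and (src, dst) in conns:       # client's third packet
            conns[(src, dst)][2] += 1
    report = {}
    for (c, s), (syn, synack, ack) in conns.items():
        if ack:
            state = "ESTABLISHED"
        elif synack:
            state = "SYN_RECV: %d SYN-ACK sent, none acknowledged" % synack
        else:
            state = "no SYN-ACK: %d SYN unanswered" % syn
        report["%s:%d -> %s:%d" % (c + s)] = state
    return report
```

Run `handshake_report(SAMPLE)` (or feed it a real `tcpdump -n`-free capture in this older format); a SYN_RECV entry with several SYN-ACKs and no ACK means the DMZ host is answering but its replies are not reaching the client, which points at the return path through the firewall rather than at apache.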