Hello all

I wanted to forward all incoming requests on port 80 to a server in my LAN, and by using DNAT lines, it actually works. However, it is unstable, in the sense that in the beginning of each connection (one or two seconds) it is extremely fast, then it sometimes pauses and waits 30 seconds or so, then it starts again and so on.

The lines I used are:

DNAT net loc:192.168.0.210 tcp 80
DNAT net loc:192.168.0.210 udp 80

... both of them in the "rules" file.

I am using Shorewall's very latest stable version and Fedora Core 1.

Any help or pointing in the right direction will be greatly appreciated.

Best Regards
Panos
Panos Katergiathis wrote:
| The lines I used are:
|
| DNAT net loc:192.168.0.210 tcp 80
| DNAT net loc:192.168.0.210 udp 80

HTTP uses TCP exclusively so the second rule is nonsense.

| ... both of them in the "rules" file.
|
| I am using Shorewall's very latest stable version and Fedora Core 1.
|
| Any help or pointing in the right direction will be greatly appreciated.

Is DNS configured correctly on 192.168.0.210 and does it work?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
| Panos Katergiathis wrote:
| | The lines I used are:
| |
| | DNAT net loc:192.168.0.210 tcp 80
| | DNAT net loc:192.168.0.210 udp 80
|
| HTTP uses TCP exclusively so the second rule is nonsense.
|
| Is DNS configured correctly on 192.168.0.210 and does it work?

Also, are you seeing 'Shorewall' messages in your log (see http://shorewall.net/shorewall_logging.html if you don't know which log to look in).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hello all

The problem I reported was solved when I properly configured SNAT with the IP address of eth0. It is all lightning-fast now.

By the way, thank you Tom for the hint on port 80, which indeed does not use UDP at all. The UDP addition was part of the despair that got me when I was trying to solve the problem.

Best Regards

P.S. For anyone that may come across a similar problem, I was using a setup that included one Linux machine (as a firewall-router) equipped with two ethernet cards. The internal network was connected to eth1 while eth0 was connected to the ADSL line. Masquerading eth0 on eth1 does provide access to the internet from the internal network (with the proper firewall rules enabled), yet it did not work properly when trying to do some port-forwarding in the internal network, despite the fact that the DNAT lines in the "rules" file were correct. As I mentioned, the problem was solved when I added the SNAT functionality on the IP address of eth0. I have no idea why this works (and any help on understanding it will be most welcome) but it does.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Cc: "Panos Katergiathis" <shorewall@protocol.gr>
Sent: Thursday, September 16, 2004 6:24 PM
Subject: Re: [Shorewall-users] DNAT works, yet extremely slow

> Tom Eastep wrote:
> | Panos Katergiathis wrote:
> | | The lines I used are:
> | |
> | | DNAT net loc:192.168.0.210 tcp 80
> | | DNAT net loc:192.168.0.210 udp 80
> |
> | HTTP uses TCP exclusively so the second rule is nonsense.
> |
> | Is DNS configured correctly on 192.168.0.210 and does it work?
> Also, are you seeing 'Shorewall' messages in your log (see
> http://shorewall.net/shorewall_logging.html if you don't know which log
> to look in).
>
> -Tom
Protocol Webmaster wrote:
| P.S. For anyone that may come across a similar problem, I was using a
| setup that included one Linux machine (as a firewall-router) equipped
| with two ethernet cards. The internal network was connected to eth1
| while eth0 was connected to the ADSL line. Masquerading eth0 on eth1
| does provide access to the internet from the internal network (with the
| proper firewall rules enabled), yet it did not work properly when trying
| to do some port-forwarding in the internal network, despite the fact
| that the DNAT lines in the "rules" file were correct. As I mentioned, the
| problem was solved when I added the SNAT functionality on the IP address
| of eth0. I have no idea why this works (and any help on understanding it
| will be most welcome) but it does.

See Shorewall FAQ #2 -- it describes how to correctly forward ports within the local LAN.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
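The "why does SNAT make it work" question in the thread is the asymmetric-return-path case that Shorewall FAQ #2 covers: a LAN client connects to the public address, DNAT rewrites the destination to 192.168.0.210, but the server sees a source on its own subnet and answers the client directly, so the reply never passes back through the firewall to be un-NATed and the client receives a SYN-ACK from the wrong address. The model below is an added example, not code from the thread or from Shorewall; it is a stateless-network, stateful-firewall simulation in plain Python. The public address 203.0.113.10, the firewall's LAN address 192.168.0.1, the client addresses and port 40000 are assumptions; only the server address comes from the thread. Whether this was the exact cause of the 30-second stalls is not established by the thread, but it is the mechanism FAQ #2 describes.

```python
"""Model of hairpin port forwarding: DNAT alone vs. DNAT plus SNAT.

Added example, not Shorewall code. A two-NIC firewall DNATs public:80 to
a LAN web server; a client opens a connection and we check whether the
SYN-ACK it receives matches the 4-tuple it opened. All addresses except
the server's (192.168.0.210, from the thread) are assumed.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # assumed address on eth0 (ADSL side, TEST-NET-3)
FW_LAN_IP = "192.168.0.1"    # assumed firewall address on eth1
SERVER_IP = "192.168.0.210"  # the web server from the thread
LAN_PREFIX = "192.168.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # "SYN" or "SYN-ACK"


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Firewall:
    """Stateful NAT box: DNAT public:80 -> server, optional SNAT for LAN sources."""

    def __init__(self, snat_lan_sources: bool):
        self.snat_lan_sources = snat_lan_sources
        # reverse-direction 4-tuple -> original packet, like a conntrack entry
        self.conntrack: dict[tuple, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Translate a SYN aimed at the forwarded port; other traffic passes as is."""
        if not (pkt.dst == PUBLIC_IP and pkt.dport == 80 and pkt.kind == "SYN"):
            return pkt
        new_src = pkt.src
        if self.snat_lan_sources and on_lan(pkt.src):
            # Hairpin fix: make the server answer to the firewall, not to the client.
            new_src = FW_LAN_IP
        out = replace(pkt, dst=SERVER_IP, src=new_src)
        # Real conntrack may also pick a new source port on collision; this
        # model keeps the client's port for readability.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Packet:
        """Reverse the translation on a reply that actually traverses the firewall."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return replace(pkt, src=orig.dst, dst=orig.src)


def simulate(client_ip: str, snat_lan_sources: bool) -> tuple[bool, Packet]:
    """Return (client accepted the SYN-ACK, the SYN-ACK as the client saw it)."""
    fw = Firewall(snat_lan_sources)
    syn = Packet(client_ip, 40000, PUBLIC_IP, 80, "SYN")
    at_server = fw.forward(syn)  # the client's default gateway is the firewall
    synack = Packet(SERVER_IP, 80, at_server.src, at_server.sport, "SYN-ACK")
    if on_lan(synack.dst) and synack.dst != FW_LAN_IP:
        # Same subnet: the server delivers directly (ARP), bypassing the
        # firewall, so nothing un-NATs the reply.
        at_client = synack
    else:
        at_client = fw.reply(synack)
    expected = (PUBLIC_IP, 80, client_ip, 40000)
    seen = (at_client.src, at_client.sport, at_client.dst, at_client.dport)
    # A TCP stack only accepts a SYN-ACK from the 4-tuple it opened; anything
    # else is answered with RST and the client keeps retransmitting its SYN.
    return seen == expected, at_client


if __name__ == "__main__":
    cases = [("198.51.100.7", False), ("192.168.0.50", False), ("192.168.0.50", True)]
    for client, snat in cases:
        ok, pkt = simulate(client, snat)
        verdict = "accepted" if ok else "rejected (reply from wrong source)"
        print(f"client={client:<13} snat={snat!s:<5} reply from {pkt.src}:{pkt.sport} -> {verdict}")
```

An Internet client works with DNAT alone because its reply has to route back through the firewall anyway; only LAN clients need the extra SNAT. The price of that SNAT is that the server's logs show every LAN connection as coming from the firewall's address, so if you need client addresses on the server, the alternative FAQ #2 also mentions applies: have internal hosts resolve the site's name to 192.168.0.210 directly (split DNS) so the connection never needs to be forwarded at all.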