Hi, I am running 1.4.8 and I have an external IP that is pretty well cut up with DNAT to several different subnets. When adding DNS (UDP:53) to the mix, I don't get a response from the server. According to Shorewall (shorewall show nat):

33 2527 DNAT udp -- * * 0.0.0.0/0 69.13.51.22 udp dpt:53 to:10.2.80.40

yet my DNS log is coming up empty; it's only seeing requests off the 1918 address space, even though there are packets and bytes associated with the rule. I have other publics that are running DNS with DNAT rules in place, but they have NAT entries which, if added to the IP in question, break the host of other services already running on the IP. I know that DNS responds on a high port and am wondering if this is the problem, since I have a RADIUS (TCP/UDP:1812-1814) server that is unresponsive on unique public and private addresses with DNAT entries as well (since RADIUS uses the high ports for response as well). All of my rules/files look good as far as I can tell. Does anyone have any ideas? TIA k.
K Efland wrote:
| All of my rules/files look good as far as I can tell. Does anyone
| have any ideas? TIA

I have several ideas -- if you will forward the information requested at http://shorewall.net/support.htm, I'll be happy to look at it. Be sure to note the part marked "THIS IS IMPORTANT!".

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
K Efland wrote:
| Tom,
| Thanks for the help! This is the latest version of my Shorewall
| config, and the information you requested. I've tried almost
| every permutation of Dest NAT entries in rules and Source entries in
| masq. The box in question is running smtp, imap and pop on the same
| IP 10.2.80.40 with no problems, however when I add a NAT entry it
| kills port forwarding.
|
| I look forward to hearing from you.

The reason that "NAT kills port forwarding" is that you have NAT_BEFORE_RULES=Yes in shorewall.conf.

-Tom
Tom Eastep wrote:
| K Efland wrote:
| | Tom,
| | Thanks for the help! This is the latest version of my Shorewall
| | config, and the information you requested. I've tried almost
| | every permutation of Dest NAT entries in rules and Source entries in
| | masq. The box in question is running smtp, imap and pop on the same
| | IP 10.2.80.40 with no problems, however when I add a NAT entry it
| | kills port forwarding.
| |
| | I look forward to hearing from you.
|
| The reason that "NAT kills port forwarding" is that you have
| NAT_BEFORE_RULES=Yes in shorewall.conf.

But I don't see anything wrong with your setup. I can't see exactly what is happening with the packets because you didn't follow the instructions for getting a meaningful "shorewall status" capture, and even if you did, you have two instances of "ACCEPT net internal udp 53" in your rules file before the DNAT rules, so it really doesn't make any difference. I guess that you are going to have to analyze the problem using tcpdump or ethereal.

-Tom
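The thread turns on one observation: the DNAT rule's counters in `shorewall show nat` are non-zero, yet the DNS server logs nothing. A useful first step before reaching for tcpdump is to take two snapshots of the nat table around a controlled test query and see which DNAT rules actually gained counters. The script below is an added example, not code from the original thread or from the Shorewall project; it parses the `iptables -t nat -nvL` listing format that `shorewall show nat` prints and reports the per-rule packet delta between two snapshots. The chain name `net_dnat`, the SMTP rule and the counter values are constructed sample data modelled on the single line the original poster quoted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One rule line of `iptables -t nat -nvL` (what `shorewall show nat` prints):
#  pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)

# iptables abbreviates large counters with K/M/G (multiplier 1000) unless -x is given.
_SUFFIX = {"K": 1000, "M": 1000_000, "G": 1000_000_000}


def _counter(text: str) -> int:
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


@dataclass(frozen=True)
class NatRule:
    chain: str
    target: str
    prot: str
    src: str
    dst: str
    extra: str
    pkts: int
    bytes: int

    def describe(self) -> str:
        # Stable identity of a rule across snapshots: everything except the counters.
        return f"{self.chain}: {self.target} {self.prot} {self.dst} {self.extra}"


def parse_nat_listing(text: str) -> List[NatRule]:
    """Parse a nat table listing into rule records, tracking the current chain."""
    rules: List[NatRule] = []
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m is None or chain is None:
            continue  # header line, blank line, or text outside any chain
        rules.append(NatRule(
            chain=chain, target=m.group("target"), prot=m.group("prot"),
            src=m.group("src"), dst=m.group("dst"), extra=m.group("extra").strip(),
            pkts=_counter(m.group("pkts")), bytes=_counter(m.group("bytes")),
        ))
    return rules


def dnat_packet_delta(before: str, after: str) -> Dict[str, int]:
    """Packets gained by each DNAT rule between two snapshots.

    The nat table is consulted only for the first packet of a conntrack flow,
    so a delta of N means N new flows were DNATed, not N packets forwarded.
    Replies to a DNATed flow are reverse-translated by conntrack without any
    separate rule for the high-numbered client port.
    """
    first = {r.describe(): r.pkts for r in parse_nat_listing(before) if r.target == "DNAT"}
    second = {r.describe(): r.pkts for r in parse_nat_listing(after) if r.target == "DNAT"}
    return {key: second.get(key, 0) - first.get(key, 0) for key in first.keys() | second.keys()}


def stalled_dnat_rules(before: str, after: str) -> List[str]:
    """DNAT rules that saw no new flows during the test window."""
    return sorted(k for k, d in dnat_packet_delta(before, after).items() if d == 0)


# Constructed snapshots (not real output) taken before and after sending seven
# DNS queries from distinct client ports at 69.13.51.22; the SMTP rule is idle.
SNAPSHOT_BEFORE = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   33  2527 DNAT       udp  --  *      *       0.0.0.0/0            69.13.51.22         udp dpt:53 to:10.2.80.40
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            69.13.51.22         tcp dpt:25 to:10.2.80.40
"""

SNAPSHOT_AFTER = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   40  3063 DNAT       udp  --  *      *       0.0.0.0/0            69.13.51.22         udp dpt:53 to:10.2.80.40
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            69.13.51.22         tcp dpt:25 to:10.2.80.40
"""

if __name__ == "__main__":
    for rule, delta in sorted(dnat_packet_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items()):
        print(f"{delta:+5d}  {rule}")
```

If the UDP 53 rule's delta matches the number of test queries you sent, the DNAT itself is working and the packets are leaving the firewall towards 10.2.80.40; the fault then lies on the path to or from the server (its route back to the firewall, a host firewall, or the daemon not listening on that address), which is where tcpdump on the internal interface and on the server should be run next. A delta of zero while the queries were sent means the packets never reached the rule, for instance because an earlier rule matched them or they did not arrive at all.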