Hello all,

Running the "ancient" 1.4.7-RC1 version I have a problem with port forwarding.

I have, for a number of external fixed IP addresses, forwarding to an internal terminal server - this works :-)

DNAT net:111.22.33.44 loc:192.168.1.11 tcp 3389
DNAT net:222.33.44.55 loc:192.168.1.11 tcp 3389

Now I need to forward port 80 from one external address to an internal test web server, so I figured I'd do this

DNAT net:111.22.33.44 loc:192.168.1.76:80 tcp 80

I also tried

DNAT net:111.22.33.44 loc:192.168.1.76 tcp 80

None of these worked.

What is really strange is that in the log file I get a DROP from a completely different address

Oct 28 15:40:08 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:04:75:fc:2f:bf:00:09:43:7f:24:e7:08:00 SRC=99.88.77.666 DST=81.200.97.45 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=32325 DF PROTO=TCP SPT=45257 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

If I add the following rule

DNAT net:99.88.77.666 loc:192.168.1.76 tcp 80

This kind of works, but it is very slow and the complete web page does not get displayed.

Has anyone seen this problem before?

Graham
--
Graham K. Dodd
Director of Operations
Falk & Ross GmbH
Tel: 06301 717 0
On Thu, 2004-10-28 at 07:01, Graham Dodd wrote:
> Hello all,
>
> Running the "ancient" 1.4.7-RC1 version I have a problem with port
> forwarding.
>
> I have for a number of external fixed IP addresses forwarding to an internal
> terminal server - this works :-)
>
> DNAT net:111.22.33.44 loc:192.168.1.11 tcp 3389
> DNAT net:222.33.44.55 loc:192.168.1.11 tcp 3389

If 111.22.33.44 and 222.33.44.55 are YOUR addresses configured on the Shorewall box then the above rules are wrong. The correct syntax is:

DNAT net loc tcp 3389 - 111.22.33.44

> Now I need to forward port 80 from one external address to an internal test
> web server, so I figured I'd do this
> DNAT net:111.22.33.44 loc:192.168.1.76:80 tcp 80
>
> I also tried
> DNAT net:111.22.33.44 loc:192.168.1.76 tcp 80
>
> None of these worked
>
> What is really strange is that in the log file I get a DROP from a
> completely different address
>
> Oct 28 15:40:08 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:04:75:fc:2f:bf:00:09:43:7f:24:e7:08:00 SRC=99.88.77.666
> DST=81.200.97.45 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=32325 DF PROTO=TCP
> SPT=45257 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Completely understandable -- Your rule only works on traffic FROM 111.22.33.44 and the above connection attempt is from 99.88.77.666!!!

> If I add the following rule
> DNAT net:99.88.77.666 loc:192.168.1.76 tcp 80
>
> This kind of works, but it is very slow and the complete web page does not
> get displayed
>
> Has anyone seen this problem before ?

The last rule is correct if you want traffic FROM 99.88.77.666 to ANY ADDRESS on your firewall (unless you have DETECT_DNAT_ADDRS=Yes in shorewall.conf, in which case it will be the *first* IP address on your external interface) AND with destination port TCP 80 to be forwarded to internal system 192.168.1.76.

The slowness and failure to complete the web page download sound like an MTU problem, which might be fixed by adding CLAMPMSS=Yes to your shorewall.conf.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
shorewall-users-bounces@lists.shorewall.net <> wrote:
> On Thu, 2004-10-28 at 07:01, Graham Dodd wrote:
>> Hello all,
>>
>> Running the "ancient" 1.4.7-RC1 version I have a problem with port
>> forwarding.
>>
>> I have for a number of external fixed IP addresses forwarding to an
>> internal terminal server - this works :-)
>>
>> DNAT net:111.22.33.44 loc:192.168.1.11 tcp 3389
>> DNAT net:222.33.44.55 loc:192.168.1.11 tcp 3389
>
> If 111.22.33.44 and 222.33.44.55 are YOUR addresses
> configured on the Shorewall box then the above rules are
> wrong. The correct syntax is:

The above addresses are external sales offices (real addresses hidden). Which I read as: from the network external address 111.22.33.44 will be forwarded to internal address 192.168.1.11 port 3389 - this has been working for at least 1 year.

> DNAT net loc tcp 3389 - 111.22.33.44

Ok, I will try this.

>> Oct 28 15:40:08 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>> MAC=00:04:75:fc:2f:bf:00:09:43:7f:24:e7:08:00 SRC=99.88.77.666
>> DST=81.200.97.45 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=32325 DF
>> PROTO=TCP SPT=45257 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Completely understandable -- Your rule only works on traffic FROM
> 111.22.33.44 and the above connection attempt is from 99.88.77.666!!!

I know....... but as this office only has 1 fixed IP, 111.22.33.44, why do I get a log entry for 99.88.77.666?

>> If I add the following rule
>> DNAT net:99.88.77.666 loc:192.168.1.76 tcp 80
>>
>> This kind of works, but it is very slow and the complete web page
>> does not get displayed
>>
>> Has anyone seen this problem before ?
>
> The last rule is correct if you want traffic FROM
> 99.88.77.666 to ANY ADDRESS on your firewall (unless you have

Which I would read as: forward external IP address 99.88.77.666 to local address 192.168.1.76 port 80.

Hmmm.... I guess it's possible to completely misunderstand Shorewall and still make it work ;-)

Graham
--
Graham K. Dodd
Director of Operations
Falk & Ross GmbH
Tel: 06301 717 0
shorewall-users-bounces@lists.shorewall.net <> wrote:
> On Thu, 2004-10-28 at 07:01, Graham Dodd wrote:
>> Hello all,
>>
>> Running the "ancient" 1.4.7-RC1 version I have a problem with port
>> forwarding.
>>
>> I have for a number of external fixed IP addresses forwarding to an
>> internal terminal server - this works :-)
>>
>> DNAT net:111.22.33.44 loc:192.168.1.11 tcp 3389
>> DNAT net:222.33.44.55 loc:192.168.1.11 tcp 3389
>
> If 111.22.33.44 and 222.33.44.55 are YOUR addresses
> configured on the Shorewall box then the above rules are
> wrong. The correct syntax is:
>
> DNAT net loc tcp 3389 - 111.22.33.44
>

Which gave me the following error

Error: DNAT rules require a server address; rule: "DNAT net loc tcp 80 - 213.96.41.83"
Processing /etc/shorewall/stop ...

Graham
--
Graham K. Dodd
Director of Operations
Falk & Ross GmbH
Tel: 06301 717 0
On Thu, 2004-10-28 at 08:11, Graham Dodd wrote:
> shorewall-users-bounces@lists.shorewall.net <> wrote:
> > On Thu, 2004-10-28 at 07:01, Graham Dodd wrote:
> >> Hello all,
> >>
> >> Running the "ancient" 1.4.7-RC1 version I have a problem with port
> >> forwarding.
> >>
> >> I have for a number of external fixed IP addresses forwarding to an
> >> internal terminal server - this works :-)
> >>
> >> DNAT net:111.22.33.44 loc:192.168.1.11 tcp 3389
> >> DNAT net:222.33.44.55 loc:192.168.1.11 tcp 3389
> >
> > If 111.22.33.44 and 222.33.44.55 are YOUR addresses
> > configured on the Shorewall box then the above rules are
> > wrong. The correct syntax is:
> >
> > DNAT net loc tcp 3389 - 111.22.33.44
> >
>
> Which gave me the following error
> Error: DNAT rules require a server address; rule: "DNAT net loc tcp 80 -
> 213.96.41.83"
> Processing /etc/shorewall/stop ...

It doesn't make any difference -- You don't want that rule anyway. You only wanted to specify an address in the ORIGINAL DEST column if 111.22.33.44 WAS AN ADDRESS ON YOUR FIREWALL. You have already told us that 111.22.33.44 is the address of one of your sales offices, so your original rule was correct.

I suspect that the 99.88.77.666 log message has absolutely nothing to do with your problem and adding a rule with that address in it didn't do anything to change your problem.

It's time to go to work here, but your original rules were correct and you just have to find out why they aren't working. For that, Shorewall FAQs 1a and 1b should help.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
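Tom's two replies above make the same debugging point twice: a DNAT rule with an address after the source zone (net:111.22.33.44) matches only packets FROM that address, so a SYN logged with SRC=99.88.77.666 falls through to the net2all policy and is dropped, and a DNAT rule with no server address is rejected outright. The following script is an added example written for this thread; it is not code from the thread or from the Shorewall project. It parses the kernel log line Graham posted and the rules he posted, then reports which rule (if any) would have matched the logged packet. The matching deliberately covers only the source-zone address qualifier, protocol, destination port and ORIGINAL DEST column, and treats addresses as opaque strings because the thread's addresses are anonymised (99.88.77.666 is not a valid IPv4 address).

```python
import re

# Kernel log line as quoted in the thread (constructed copy, on one line).
LOG_LINE = (
    "Oct 28 15:40:08 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:04:75:fc:2f:bf:00:09:43:7f:24:e7:08:00 SRC=99.88.77.666 "
    "DST=81.200.97.45 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=32325 DF PROTO=TCP "
    "SPT=45257 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Graham's original rules (Shorewall 1.4 rules-file columns:
# ACTION SOURCE DEST PROTO DEST_PORT [SOURCE_PORT [ORIGINAL_DEST]]).
ORIGINAL_RULES = """
DNAT net:111.22.33.44 loc:192.168.1.11 tcp 3389
DNAT net:222.33.44.55 loc:192.168.1.11 tcp 3389
DNAT net:111.22.33.44 loc:192.168.1.76 tcp 80
"""

# The rule he added afterwards, which made the page load (slowly).
ADDED_RULE = "DNAT net:99.88.77.666 loc:192.168.1.76 tcp 80"


def parse_log_line(line):
    """Extract chain, disposition and the KEY=VALUE fields of a Shorewall log line."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    # Flags such as DF and SYN carry no '=', so they are skipped here.
    fields = dict(re.findall(r"([A-Z]+)=(\S*)", m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def parse_rule(text):
    """Parse one DNAT rule line; mirror Shorewall's refusal of a missing server."""
    cols = text.split()
    if len(cols) < 3 or cols[0] != "DNAT":
        raise ValueError("only DNAT rules are handled here: %r" % text)
    src_zone, _, src_addr = cols[1].partition(":")
    dst_zone, _, server = cols[2].partition(":")
    server_addr, _, server_port = server.partition(":")
    if not server_addr:
        raise ValueError("DNAT rules require a server address; rule: %r" % text)
    return {
        "src_zone": src_zone,
        "src_addr": src_addr or None,   # None means any address in the zone
        "dst_zone": dst_zone,
        "server": server_addr,
        "server_port": int(server_port) if server_port else None,
        "proto": cols[3].lower() if len(cols) > 3 else None,
        "dport": int(cols[4]) if len(cols) > 4 and cols[4] != "-" else None,
        "orig_dest": cols[6] if len(cols) > 6 and cols[6] != "-" else None,
    }


def rule_matches(rule, pkt, src_zone="net"):
    """True if a packet arriving from src_zone satisfies the rule's conditions.
    Without an ORIGINAL DEST column any firewall address matches, as Tom
    describes (DETECT_DNAT_ADDRS aside)."""
    if rule["src_zone"] != src_zone:
        return False
    if rule["src_addr"] is not None and rule["src_addr"] != pkt["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["orig_dest"] is not None and rule["orig_dest"] != pkt["dst"]:
        return False
    return True


def explain(rules_text, log_line):
    """Return (first matching rule or None, parsed packet)."""
    pkt = parse_log_line(log_line)
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule, pkt
    return None, pkt


if __name__ == "__main__":
    rule, pkt = explain(ORIGINAL_RULES, LOG_LINE)
    print("packet:", pkt)
    print("original rules match:", rule)   # None, hence the net2all DROP
    rule, pkt = explain(ADDED_RULE, LOG_LINE)
    print("added rule match:", rule)
```

Run against the thread's own data, the original three rules match nothing for the logged SYN (its SRC is 99.88.77.666, not 111.22.33.44), while the later rule matches; feeding it the rule "DNAT net loc tcp 80 - 213.96.41.83" raises the same "DNAT rules require a server address" complaint Graham saw.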
shorewall-users-bounces@lists.shorewall.net <> wrote:
> On Thu, 2004-10-28 at 08:11, Graham Dodd wrote:
> already told us that 111.22.33.44 is the address of one of
> your sales offices so your original rule was correct. I
> suspect that the 99.88.77.666 log message has absolutely
> nothing to do with your problem and adding a rule with that

Or it could be that the ISP for our Spanish office runs a transparent proxy, as a tcpdump revealed. So now I just have to bypass their ISP (port 8088 looks ok).

> It's time to go to work here but your original rules were

And here it's late and time to go home, so I'll try tomorrow.

Thanks for the help

Graham
--
Graham K. Dodd
Director of Operations
Falk & Ross GmbH
Tel: 06301 717 0
On Thu, 2004-10-28 at 10:37, Graham Dodd wrote:
> shorewall-users-bounces@lists.shorewall.net <> wrote:
> > On Thu, 2004-10-28 at 08:11, Graham Dodd wrote:
> > > already told us that 111.22.33.44 is the address of one of
> > your sales offices so your original rule was correct. I
> > suspect that the 99.88.77.666 log message has absolutely
> > nothing to do with your problem and adding a rule with that
>
> Or it could be that the ISP for our Spanish office runs a transparent
> Proxy, as a tcpdump revealed.
>

Yes -- that would also explain it :-)

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key