Hi, I'm running Shorewall 2.0.16 on CentOS 3 (iptables v1.2.8). Everything
has been working fine for several days; I have configured a masqueraded LAN and all
the outgoing traffic is OK, but now I want to redirect (port forward) the
external web traffic to an internal machine, something like this:

INTERNET ---------> SHOREWALL -------------------> INTERNAL_MACHINE
                    [public (eth0) 200.13.180.13]  (198.220.250.90)
                    [internal (eth1) 198.220.250.39]

These are the relevant files:
/etc/shorewall/interfaces
net eth0 detect
loc eth1 detect dhcp,routeback
/etc/shorewall/zones
net Net Internet
loc Local Local networks
/etc/shorewall/policy
loc net ACCEPT
loc fw ACCEPT
fw net ACCEPT
fw loc ACCEPT
net all DROP info
all all REJECT info
/etc/shorewall/masq
eth0 198.220.250.0/24 200.13.180.13
/etc/shorewall/rules
ACCEPT net fw tcp 22
ACCEPT net fw tcp 80
DNAT net loc:198.220.250.90 tcp 80
With these configuration files I can't connect from the outside to the web
service running on 198.220.250.90. I don't see any errors in
/var/log/messages. Using tcpdump I see the connection to the 200.13.180.13
address, port 80, but I don't see the corresponding attempt to the
198.220.250.90 address, port 80. From the firewall I can connect to the web service on 198.220.250.90 without
problem:
[root@fw shorewall]# telnet 198.220.250.90 80
Trying 198.220.250.90...
Connected to 198.220.250.90 (198.220.250.90).
Escape character is '^]'.
Am I missing something?
Thanks
mmiranda@americatel.com.sv wrote:

> ACCEPT net fw tcp 80

I don't understand the point of that rule.

> am i missing something?

Shorewall FAQs 1a and 1b offer additional DNAT troubleshooting advice -- have you taken those steps?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
mmiranda@americatel.com.sv wrote:

> [root@fw shorewall]# telnet 198.220.250.90 80
> Trying 198.220.250.90...
> Connected to 198.220.250.90 (198.220.250.90).
> Escape character is '^]'.

By the way -- I assume that the 198.220.250.x internal addresses are bogus since you don't appear to be the US Department of Defense (which owns those addresses).

-Tom
> mmiranda@americatel.com.sv wrote:
>
>> [root@fw shorewall]# telnet 198.220.250.90 80
>> Trying 198.220.250.90...
>> Connected to 198.220.250.90 (198.220.250.90).
>> Escape character is '^]'.
>
> By the way -- I assume that the 198.220.250.x internal addresses are
> bogus since you don't appear to be the US Department of Defense (which
> owns those addresses).
>
> -Tom

Tom, you are right. The customer selected that address range for his WAN when he was with another ISP; I tried to explain the error to him, but the "sysadmin" of his WAN thinks it's a trivial problem ;-)

> Shorewall FAQs 1a and 1b offer additional DNAT troubleshooting advice --
> have you taken those steps?

These steps solved my problem, as stated in 1b:

After
[root@fw shorewall]# iptables -t nat -Z
[root@fw shorewall]# shorewall show nat
Chain PREROUTING (policy ACCEPT 55 packets, 3468 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   540 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Is the packet count in the first column non-zero? YES!!!

So, the connection request is reaching the firewall and is being redirected to the server. In this case, the problem is usually a missing or incorrect default gateway setting on the local system (the system you are trying to forward to -- its default gateway should be the IP address of the firewall's interface to that system).

The internal web server didn't have the gateway setting.

Thanks for a great product and forum
--- Miguel
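The FAQ 1b check Miguel quotes (zero the nat counters, make one connection from outside, read the counter on the PREROUTING jump to the DNAT chain) turned into a small script. This is an added example, not code from the thread or from the Shorewall project; the sample output is constructed to match the shape of the `shorewall show nat` listing above, and the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the Shorewall project or the posters): read the nat
# table's PREROUTING chain and report whether the DNAT jump is seeing packets,
# following the two branches of Shorewall FAQ 1b.

# Constructed sample of `shorewall show nat` output (iptables -t nat -L -v -n),
# in the same shape as the listing in the thread. Assumption: the DNAT jump for
# the net zone is called net_dnat, as it is in that listing.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 55 packets, 3468 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   540 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# dnat_hits OUTPUT CHAIN TARGET: print the packet counter (first column) of the
# rule in CHAIN that jumps to TARGET; print 0 when no such rule is listed.
dnat_hits() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" '
        /^Chain /                       { cur = $2; next }
        cur == chain && $3 == target    { print $1; found = 1; exit }
        END                             { if (!found) print 0 }'
}

# interpret_hits COUNT: FAQ 1b's reading of the counter. Non-zero means the
# request reached the firewall and was redirected, so look at the default
# gateway on the internal server; zero means the packets never matched the
# DNAT rule, so the problem is upstream of the firewall or in the rule itself.
interpret_hits() {
    if [ "$1" -gt 0 ]; then
        echo "reaching-firewall: check the default gateway on the internal server"
    else
        echo "not-reaching-firewall: traffic never hit the DNAT rule on eth0"
    fi
}

# Live use on the firewall: zero the counters, connect once from outside, then
#   iptables -t nat -Z
#   interpret_hits "$(dnat_hits "$(shorewall show nat)" PREROUTING net_dnat)"
# Offline run against the constructed sample:
interpret_hits "$(dnat_hits "$SAMPLE_NAT" PREROUTING net_dnat)"
```

The counter is read per rule, not from the chain's policy line, because the policy counter also counts packets that matched nothing; only the jump to the DNAT chain tells you the forwarding rule fired.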
I want to replace an existing firewall with a Shorewall box.
I have several public IP addresses:
1.2.3.4 used for the external interface of the Shorewall box (eth0)
1.2.3.5 I will use this address for redirecting all smtp/http
traffic to that address to my internal mail server (192.168.1.1)
This is a sample of some config-files
/etc/shorewall/rules
ACTION: DNAT
SOURCE: net
DEST: loc:192.168.1.1
PROTO: tcp
DEST PORT: 25,80
SOURCE PORT : -
ORIGINAL DEST : 1.2.3.5
/etc/shorewall/nat
EXTERNAL: 1.2.3.5
INTERFACE: eth0
INTERNAL: 192.168.1.1
/etc/shorewall/masq
INTERFACE: eth0
SUBNET: eth1
Entries of the /etc/shorewall.conf
ADD_IP_ALIASES=Yes
IP_FORWARDING=On
What's missing?
I also read the port forwarding FAQs 1a and 1b.
There are no problems at the ISP or internal servers because everything is
working with the existing firewall.
I can also connect to the external interface 1.2.3.4 of the Shorewall box, but
1.2.3.5 is unreachable. I also have no logging and the packet count is zero.
Regards,
Carlo
Carlo Maesen wrote:

> I want to replace an existing firewall with a Shorewall box.
>
> I have several public IP addresses:
>
> 1.2.3.4 used for the external interface of the Shorewall box (eth0)
>
> 1.2.3.5 I will use this address for redirecting all smtp/http traffic to that address to my internal mail server (192.168.1.1)
>
> This is a sample of some config-files
>
> /etc/shorewall/rules
>
> ACTION: DNAT
> SOURCE: net
> DEST: loc:192.168.1.1
> PROTO: tcp
> DEST PORT: 25,80
> SOURCE PORT : -
> ORIGINAL DEST : 1.2.3.5
>
> /etc/shorewall/nat
>
> EXTERNAL: 1.2.3.5
> INTERFACE: eth0
> INTERNAL: 192.168.1.1
>
> /etc/shorewall/masq
>
> INTERFACE: eth0
> SUBNET: eth1
>
> Entries of the /etc/shorewall.conf
> ADD_IP_ALIASES=Yes
> IP_FORWARDING=On
>
> What's missing?
>
> I also read the port forwarding FAQs 1a and 1b.
> There are no problems at the ISP or internal servers because everything is working with the existing firewall.
> I can also connect to the external interface 1.2.3.4 of the Shorewall box, but 1.2.3.5 is unreachable.
> I also have no logging and the packet count is zero.

Please see http://shorewall.net/support.htm for instructions regarding submitting a proper problem report. Pay particular attention to the part that begins THIS IS IMPORTANT!!!

Several things though:

With the entry in /etc/shorewall/nat, you don't use DNAT rules; ACCEPT rules are appropriate since you are already causing the destination address to be rewritten.

I suggest that you look at http://shorewall.net/Shorewall_and_Aliased_Interfaces.html.

If you can't determine the problem then submit the information described at the above link and we'll try to help.

-Tom
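The arrangement Tom describes, written out as an added example (it is not Carlo's files and not the Shorewall project's own documentation): the one-to-one entry in /etc/shorewall/nat already rewrites 1.2.3.5 to 192.168.1.1 before the filter table sees the packet, so the rules file only needs ACCEPT entries for the translated destination, and the DNAT rule with ORIGINAL DEST goes away. The column layout assumed is the Shorewall 2.x one (nat: EXTERNAL INTERFACE INTERNAL; rules: ACTION SOURCE DEST PROTO DEST PORT; masq: INTERFACE SUBNET).

```text
# /etc/shorewall/nat        EXTERNAL   INTERFACE   INTERNAL
1.2.3.5   eth0   192.168.1.1

# /etc/shorewall/rules      ACTION  SOURCE  DEST              PROTO  DEST PORT
# No DNAT rule here: the nat entry above has already rewritten
# 1.2.3.5 -> 192.168.1.1, so these only permit the translated connections.
ACCEPT    net     loc:192.168.1.1   tcp    25,80

# /etc/shorewall/masq       INTERFACE  SUBNET
eth0      eth1
```

Two checks worth making once this is in place. With ADD_IP_ALIASES=Yes Shorewall adds 1.2.3.5 to eth0 itself, so `ip addr show eth0` on the firewall should list both 1.2.3.4 and 1.2.3.5 after `shorewall restart`. Then apply the FAQ 1b counter test to the new box: `iptables -t nat -Z`, one connection from outside to 1.2.3.5, `shorewall show nat`. A counter that stays at zero on the eth0 PREROUTING rule means the packets are not arriving at eth0 at all, which is consistent with a swap of firewalls where the upstream router still holds the old firewall's MAC address for 1.2.3.5 in its ARP cache; that is a general caveat of moving a public address between hosts, not a diagnosis of Carlo's setup.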