I have DNAT rules to redirect port 54xx from the net to port 22 on specific machines on the LANs, as well as a DNAT rule for port 80 to go to port 80 on a video camera.
Neither seem to work and I can not see why.

On the other side, everything works OK with DNAT rules for ports related to VoIP.
Furthermore, although I've requested for the packets to be logged, it appears that nothing is logged.

In previous mail I had attached the file with the results of *shorewall status*, but the mail did not pass because its size (70KB) was larger than the 40Kb threshold.
I can not cut the file, else important information may be lost.

I would appreciate your help on this one.

Thanks.

Costantino

Costantino wrote:
> I have DNAT rules to redirect port 54xx from the net to port 22 on
> specific machines on the LANs, as well as a DNAT rule for port 80
> to go to port 80 on a video camera.
> Neither seem to work and I can not see why.
>
> On the other side, everything works OK with DNAT rules for ports
> related to VoIP.
> Furthermore, although I've requested for the packets to be
> logged, it appears that nothing is logged.
>
> In previous mail I had attached the file with the results of
> *shorewall status*, but the mail did not pass because its size (70KB)
> was larger than the 40Kb threshold.
> I can not cut the file, else important information may be lost.

Did you try compressing it?

> I would appreciate your help on this one.

When the list administrator approves your post, we can look at your "shorewall status".

In the mean time, please follow the DNAT trouble shooting tips in Shorewall FAQs 1a and 1b -- The vast majority of DNAT problems can be solved (or at least understood) if you just read and follow those instructions.

We can't help when all we are told is that *it doesn't work and I don't know why* -- sorry but we are not possessed with supernatural powers where we can see half way around the world and tell you what you are doing wrong.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom,

I've tried, but the mail server reports the following:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<shorewall-users@lists.sourceforge.net>:
66.35.250.206 failed after I sent the message.
Remote host said: 550-"For the time being, we are blocking all mail with the .zip extension.
550-If this this is a problem, please open a Support Request on the SF.net
550 webite."

--- Below this line is a copy of the message.

<---cut--->
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Costantino

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: 01 October 2005 04:09
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT rules

I'll try to trick the server by renaming the zip file to .DAT
Just rename it back before un-zipping.

Costantino

Costantino wrote:
> I'll try to trick the server by renaming the zip file to .DAT
> Just rename it back before un-zipping.

You could also use gzip or bzip2.

The instructions at http://www.shorewall.net/support.htm clearly tell you to try the failing connection (in your case DNAT) before capturing the output of "shorewall status". Assuming that you did that, the requests are never reaching your firewall (Note the "0" in the "pkts" column below):

NAT Table

Chain PREROUTING (policy ACCEPT 981K packets, 76M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Your firewall cannot redirect connections that don't go through it.

If you didn't try the failing connection before capturing the "shorewall status" output then, once again, please follow the troubleshooting instructions in FAQs 1a and 2b. Until you are able to see the connection requests reach your firewall, no amount of changing your Shorewall configuration is going to have any effect.

-Tom
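
The check described in the reply above, reading the pkts counter on the net_dnat jump in the nat table's PREROUTING chain, as an added example that is not part of the original thread. The function names and the POSTROUTING rows in the sample are constructed for illustration; only the PREROUTING rule line comes from the message.

```shell
#!/bin/sh
# Added example (not from the thread): read packet counters out of
# "iptables -L -n -v" style text, the format "shorewall status" embeds.

# Sample listing. The PREROUTING rule is the one quoted in the message;
# the POSTROUTING chain and its counters are constructed.
SAMPLE='Chain PREROUTING (policy ACCEPT 981K packets, 76M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 12K packets, 800K bytes)
 pkts bytes target     prot opt in     out     source               destination
  15K 1100K eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# Print "CHAIN TARGET IN-IFACE" for each rule in chain $1 (default
# PREROUTING) whose pkts counter is still 0. Listing is read from stdin.
zero_hit_rules() {
    awk -v want="${1:-PREROUTING}" '
        $1 == "Chain" { chain = $2; next }   # start of a new chain block
        $1 == "pkts"  { next }               # column header row
        NF >= 9 && chain == want && $1 == "0" { print chain, $3, $6 }
    '
}

# Print the state of the jump to target $1 in PREROUTING:
#   reached        counter is non-zero (may carry a K/M/G suffix)
#   never-reached  rule exists but has matched no packets
#   no-rule        no such jump in the chain
dnat_jump_state() {
    awk -v tgt="$1" '
        $1 == "Chain" { chain = $2; next }
        chain == "PREROUTING" && NF >= 9 && $3 == tgt {
            seen = 1
            if ($1 != "0") hit = 1
        }
        END { print (hit ? "reached" : (seen ? "never-reached" : "no-rule")) }
    '
}

# On a live firewall, after trying the failing connection:
#   iptables -t nat -L PREROUTING -n -v | dnat_jump_state net_dnat
printf '%s\n' "$SAMPLE" | zero_hit_rules
printf '%s\n' "$SAMPLE" | dnat_jump_state net_dnat
```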