Hi, I'm not sure if this is a shorewall problem, I apologize if it is not, I don't know where else to ask ;-)

I'm running version 2.4.7 on an LRP box.

I have a DNAT setting (in /etc/shorewall/rules) as follows:

    DNAT    net    loc:192.168.111.247    tcp    80    -    72.34.231.xx

I have this in /etc/shorewall/nat:

    72.34.231.xx    eth0    192.168.111.247    no    no

I am able to connect to port 80 of 192.168.111.247 from the firewall:

    # nc 192.168.111.247 80
    get /
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>501 Method Not Implemented</title>
    </head><body>
    <h1>Method Not Implemented</h1>
    <p>get to /index.html not supported.<br />
    </p>
    <hr>
    <address>Apache/2.0.54 (Fedora) Server at comfogo.americasnet.com Port 80</address>
    </body></html>

But I'm unable to open port 80 from the outside:

    telnet 72.34.231.xx 80
    Trying 72.34.231.xx...

It never connects. I am able to ping 72.34.231.xx after enabling ping in shorewall, so it's reachable. I even have opened AllowWeb in the rules file, even though DNAT is supposed to do it already, but that doesn't help.

It's also strange that nothing registers on shorewall.log when I attempt to connect to port 80, which I would imagine means there's no DROP or REJECT action happening.

I can't figure out what I'm doing wrong. Is it possible this is a routing problem on the server, and not a problem on the firewall? But in that case, why is there no problem connecting to the server from the firewall?

The server 192.168.111.247 has 2 routes to 2 separate firewalls (192.168.1.254 and 192.168.111.254):

    # ip route
    192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.247
    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.247
    192.168.111.0/24 dev eth0  proto kernel  scope link  src 192.168.111.247
    169.254.0.0/16 dev eth1  scope link
    default via 192.168.1.254 dev eth0

But again, I would imagine if this were a routing problem, then I wouldn't be able to get a response from the server when connecting from the firewall itself, no?

I've attached the shorewall status, please let me know if you need any other information.

Thanks for your kind help!
Ricardo

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
On Sun, Jul 30, 2006 at 4:56pm Ricardo Kleemann <ricardo@americasnet.com> wrote:
> Hi,
> I'm not sure if this is a shorewall problem, I apologize if it is not, I
> don't know where else to ask ;-)
> I'm running version 2.4.7 on an LRP box.
> I have a DNAT setting (in /etc/shorewall/rules) as follows
>
> DNAT net loc:192.168.111.247 tcp 80 - 72.34.231.xx
>
> I have this in /etc/shorewall/nat
>
> 72.34.231.xx eth0 192.168.111.247 no no

Why do you have both of those? With the entry in the nat file, all you need in rules is

    ACCEPT    net    loc:192.168.111.247    tcp    80

> I am able to connect to port 80 of 192.168.111.247 from the firewall:
> But I'm unable to open port 80 from the outside:
> telnet 72.34.231.xx 80
> Trying 72.34.231.xx..

Please read Shorewall FAQs 1a and 1b. They describe in great detail how to diagnose DNAT problems. These problems almost NEVER have anything to do with the Shorewall configuration.

-Tom.
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@avvanta.com
Thank you, Tom.

I see that the problem must be related to the default gateway, and I guess then that this becomes off-topic for this list...

Anyone on this list can help me off-list? Basically I'm assuming the problem is that the internal server is connected to 2 firewalls but the default gateway is not this particular firewall. I had setup the routing table but I guess that still isn't working.

If someone on this list can help me out, I'd appreciate it.

Thanks
Ricardo

----- Original Message -----
From: "teastep" <teastep@avvanta.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Sunday, July 30, 2006 9:00 PM
Subject: Re: [Shorewall-users] please help with DNAT setting

> On Sun, Jul 30, 2006 at 4:56pm Ricardo Kleemann <ricardo@americasnet.com>
> wrote:
>> Hi,
>> I'm not sure if this is a shorewall problem, I apologize if it is not, I
>> don't know where else to ask ;-)
>> I'm running version 2.4.7 on an LRP box.
>> I have a DNAT setting (in /etc/shorewall/rules) as follows
>
>> DNAT net loc:192.168.111.247 tcp 80 - 72.34.231.xx
>
>> I have this in /etc/shorewall/nat
>
>> 72.34.231.xx eth0 192.168.111.247 no no
>
> Why do you have both of those? With the entry in the nat file, all you
> need in rules is ACCEPT net loc:192.168.111.247 tcp 80
>
>> I am able to connect to port 80 of 192.168.111.247 from the firewall:
>> But I'm unable to open port 80 from the outside:
>> telnet 72.34.231.xx 80
>> Trying 72.34.231.xx..
>
> Please read Shorewall FAQs 1a and 1b. They describe in great detail how to
> diagnose DNAT problems. These problems almost NEVER have anything to do
> with the Shorewall configuration.
>
> -Tom.
>
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@avvanta.com
On Mon, Jul 31, 2006 at 8:46am Ricardo Kleemann <ricardo@americasnet.com> wrote:
> Thank you, Tom.
> I see that the problem must be related to the default gateway, and I guess
> then that this becomes off-topic for this list...
> Anyone on this list can help me off-list? Basically I'm assuming the
> problem is that the internal server is connected to 2 firewalls but the
> default gateway is not this particular firewall.
>

There are four ways to make this work:

a) Change the server's default gateway to go through the Shorewall box.

b) Use an SNAT rule so that all traffic forwarded by the DNAT rule appears to the server to come from the Shorewall box. This of course makes the access and error logs on the server worthless since you can't tell where the traffic really came from. In /etc/shorewall/masq:

    <local iface>:192.168.111.247    0.0.0.0/0    <local IP>    tcp    80

c) Implement policy routing on the server.

d) If you know all of the potential clients of the DNAT rule, you can add static routes on the server via the Shorewall box to those hosts.

I don't have the free time to help you with this -- sorry.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@avvanta.com
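Option (c), policy routing on the server, worked through as an added example; this is not code from the thread, from Tom, or from Shorewall. The failure mode in Ricardo's route table is asymmetric routing: the DNAT'd SYN arrives from the Shorewall box (192.168.111.254) with destination 192.168.111.247, but the server's reply to the Internet client follows its default route out through 192.168.1.254, so the SYN/ACK never passes back through the box that holds the NAT state. The test from the firewall itself succeeded only because the firewall sits on the directly connected 192.168.111.0/24 and never needed the default route. The fix below adds a source-based rule so that anything the server sends from 192.168.111.247 uses a separate routing table whose default gateway is the Shorewall box. Addresses and interface names are taken from the `ip route` output earlier in the thread; the table number (111), the rule priority (1000) and the DRYRUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): source-based
# policy routing on the internal server so replies sourced from the
# DNAT target address leave via the Shorewall box instead of the
# default gateway 192.168.1.254.

SERVER_IP=192.168.111.247     # address the DNAT rule targets (from ip route)
SHOREWALL_GW=192.168.111.254  # Shorewall box's inside address (from the thread)
IFACE=eth0                    # interface carrying 192.168.111.0/24 (from ip route)
TABLE=111                     # routing table number: an assumption of this example
PRIO=1000                     # ip rule priority: an assumption of this example

# With DRYRUN=1 the commands are printed instead of executed, so the
# plan can be reviewed (and tested) without root or real interfaces.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

policy_route_setup() {
    # Packets sourced from the DNAT target address consult table 111 ...
    run ip rule add from "$SERVER_IP" lookup "$TABLE" priority "$PRIO"
    # ... whose default route points at the Shorewall box.
    run ip route add default via "$SHOREWALL_GW" dev "$IFACE" table "$TABLE"
    # Copy the directly connected eth0 subnets into the table too; otherwise
    # a LAN host would also be sent to the gateway instead of on-link.
    run ip route add 192.168.111.0/24 dev "$IFACE" src "$SERVER_IP" table "$TABLE"
    run ip route add 192.168.1.0/24 dev "$IFACE" src 192.168.1.247 table "$TABLE"
    run ip route flush cache
}

policy_route_teardown() {
    run ip rule del from "$SERVER_IP" lookup "$TABLE" priority "$PRIO"
    run ip route flush table "$TABLE"
}

# Number of commands the setup plan consists of (handy for a sanity check).
policy_route_plan_lines() {
    ( DRYRUN=1; policy_route_setup ) | wc -l | tr -d ' '
}

# Usage: sh policy-route.sh [plan|apply|down]   (default: plan, prints only)
case "${1:-plan}" in
    plan)  ( DRYRUN=1; policy_route_setup ) ;;
    apply) policy_route_setup ;;
    down)  policy_route_teardown ;;
esac
```

Run it as `plan` first and compare the printed commands against your own addresses before `apply` (as root). After applying, repeat the outside `telnet 72.34.231.xx 80` test and confirm with `ip route get 8.8.8.8 from 192.168.111.247 iif eth0` (a constructed sample destination) that the chosen path is via 192.168.111.254. Connections that arrive on the server's other addresses (192.168.1.247, 192.168.2.247) are unaffected, because the rule matches only the source address 192.168.111.247. The same asymmetric-return problem is also why Tom's FAQ pointer says DNAT issues are almost never Shorewall's fault: the firewall never logs a DROP because it never sees the reply at all.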