Hi,

I got a dual ISP setup and my 2nd ISP router is configured to forward all traffic to my shorewall fw. Some of the ports shall be forwarded then from shorewall to a server in my dmz. The ports not being forwarded by the DNAT rule are seen to be rejected. The ports which I try to forward to the server don't work and I don't see an error.

Here are my files:

rules entry:

  #ACTION  SOURCE      DEST                PROTO  DEST PORT(S)
  DNAT     net:eth0.5  dmz:85.183.131.11   tcp    22,1970,54999:56000

providers:

  #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
  SDSL1  1       1     main       eth0.1     192.168.1.1    track,balance  eth0.2,eth0.3,eth0.4
  ADSL2  2       2     main       eth0.5     192.168.5.253  track,balance  eth0.2,eth0.3,eth0.4

zones:

  #ZONE  TYPE
  fw     firewall
  net    ipv4
  lan    ipv4
  zco    ipv4
  dmz    ipv4
  dmzp   ipv4
  adsl   ipv4
  wlan   ipv4

tcrules:

  #MARK  SOURCE                                    DEST                            PROTO  PORT(S)
  1:P    0.0.0.0/0                                 134.100.58.130,213.203.193.43   all
  1:P    fw                                        0.0.0.0/0                       tcp    25
  1:P    192.168.2.0/24                            0.0.0.0/0                       all
  1:P    192.168.3.0/24                            0.0.0.0/0                       all
  1:P    192.168.4.0/24                            0.0.0.0/0                       all
  1:P    85.183.131.11,85.183.131.13               0.0.0.0/0                       all
  1:P    85.183.131.11                             0.0.0.0/0                       icmp   echo-request
  1:P    85.183.131.11                             0.0.0.0/0                       icmp   echo-reply
  2:P    192.168.1.2,192.168.2.2                   0.0.0.0/0                       tcp    21,80
  1      192.168.1.2,192.168.2.2,85.183.131.11     134.100.58.0/24,85.31.186.60    tcp    21,80

interfaces:

  #ZONE  INTERFACE  BROADCAST      OPTIONS   GATEWAY
  net    eth0.1     detect         nosmurfs
  net    eth0.5     detect         nosmurfs
  lan    eth0.2     192.168.2.255  dhcp
  wlan   eth0.6     192.168.6.255  dhcp
  zco    eth0.3     192.168.3.255  dhcp
  -      eth0.4     detect

masq:

  #INTERFACE            SUBNET          ADDRESS        PROTO  PORT(S)
  eth0.1                eth0.2          85.183.131.9   tcp    110,143
  eth0.1                192.168.2.10    85.183.131.9
  eth0.1                192.168.6.253   85.183.131.9
  eth0.1                192.168.2.7     85.183.131.9
  eth0.1                192.168.2.6     85.183.131.9
  eth0.1                192.168.6.7     85.183.131.9
  eth0.1                192.168.2.22    85.183.131.9
  eth0.1                192.168.2.20    85.183.131.9
  eth0.1                192.168.2.21    85.183.131.9
  eth0.1                192.168.4.100   85.183.131.9
  eth0.1                192.168.1.2     85.183.131.9
  eth0.1                192.168.2.6     85.183.131.9
  eth0.1                192.168.2.8     85.183.131.9
  eth0.1                192.168.2.6     85.183.131.9
  eth0.1                192.168.5.254   85.183.131.9
  eth0.5                85.183.131.9    192.168.5.254
  eth0.5                192.168.1.2     192.168.5.254
  eth0.5                192.168.2.10    192.168.5.254
  eth0.5                192.168.6.7     192.168.5.254
  eth0.5                192.168.6.253   192.168.5.254
  eth0.5                192.168.2.8     192.168.5.254
  eth0.4:85.183.131.11  192.168.4.0/24  85.183.131.9   tcp    1970

-- 
Christophe Zwecker :Sysctl
Koppel 96
20099 Hamburg
phon: +49 40 41263790
fax:  +49 40 41263799
mail: czwecker@sysctl.de

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Christophe Zwecker wrote:
> Hi,
>
> I got a dual ISP setup and my 2nd ISP router is configured to forward
> all traffic to my shorewall fw. Some of the ports shall be forwarded then
> from shorewall to a server in my dmz. The ports not being forwarded by
> the DNAT rule are seen to be rejected. The ports which I try to forward
> to the server don't work and I don't see an error.

Please follow the DNAT debugging tips in Shorewall FAQs 1a and 1b.

>
> Here are my files:

If you don't find a solution, then please provide the information requested at
http://www.shorewall.net/support.htm.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi,

attached is my shorewall dump.
When connecting from outside to my IP from the 2nd ISP (87.139.112.239) I see this in the log:

  Sep 25 15:44:02 gate kernel: Shorewall:net_dnat:DNAT:IN=eth0.5 OUT= MAC=00:0e:0c:84:16:42:00:0b:3b:0e:7d:bb:08:00 SRC=134.100.58.143 DST=192.168.5.254 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=207 DF PROTO=TCP SPT=44706 DPT=1970 WINDOW=5840 RES=0x00 SYN URGP=0

My DNAT rule now:

  #ACTION    SOURCE      DEST               PROTO  DEST PORT(S)         SOURCE PORT(S)  ORIGINAL DEST
  DNAT:info  net:eth0.5  dmz:85.183.131.11  tcp    22,1970,54999:56000  -               192.168.5.254

The router for the second ISP (192.168.5.253) forwards port 1970 to my firewall 192.168.5.254, so I'm not sure if I shall use as orig destination the official IP or the one from my firewall's interface to the router...

Tom Eastep wrote:
> Christophe Zwecker wrote:
>> Hi,
>>
>> I got a dual ISP setup and my 2nd ISP router is configured to forward
>> all traffic to my shorewall fw. Some of the ports shall be forwarded then
>> from shorewall to a server in my dmz. The ports not being forwarded by
>> the DNAT rule are seen to be rejected. The ports which I try to forward
>> to the server don't work and I don't see an error.
>
> Please follow the DNAT debugging tips in Shorewall FAQs 1a and 1b.
>
>> Here are my files:
>
> If you don't find a solution, then please provide the information requested at
> http://www.shorewall.net/support.htm.
>

-- 
Christophe Zwecker
mail: doc@zwecker.de
Hamburg, Germany
fon: +49 179 3994867
http://www.zwecker.de
"Reality is that which, when you stop believing in it, doesn't go away"
Christophe Zwecker wrote:
> Hi,
>
> attached is my shorewall dump.
> When connecting from outside to my IP from the 2nd ISP (87.139.112.239) I
> see this in the log:
>
> Sep 25 15:44:02 gate kernel: Shorewall:net_dnat:DNAT:IN=eth0.5 OUT=
> MAC=00:0e:0c:84:16:42:00:0b:3b:0e:7d:bb:08:00 SRC=134.100.58.143
> DST=192.168.5.254 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=207 DF PROTO=TCP
> SPT=44706 DPT=1970 WINDOW=5840 RES=0x00 SYN URGP=0

Do you set TC_EXPERT=Yes in shorewall.conf?

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Christophe Zwecker wrote:
>> Hi,
>>
>> attached is my shorewall dump.
>> When connecting from outside to my IP from the 2nd ISP (87.139.112.239) I
>> see this in the log:
>>
>> Sep 25 15:44:02 gate kernel: Shorewall:net_dnat:DNAT:IN=eth0.5 OUT=
>> MAC=00:0e:0c:84:16:42:00:0b:3b:0e:7d:bb:08:00 SRC=134.100.58.143
>> DST=192.168.5.254 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=207 DF PROTO=TCP
>> SPT=44706 DPT=1970 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Do you set TC_EXPERT=Yes in shorewall.conf?

Before I didn't (used older shorewall.conf), but now I do; it doesn't change anything.

-- 
Christophe Zwecker :Sysctl
Koppel 96
20099 Hamburg
phon: +49 40 41263790
fax:  +49 40 41263799
mail: czwecker@sysctl.de
Christophe Zwecker wrote:
> Tom Eastep wrote:
>> Christophe Zwecker wrote:
>>> Hi,
>>>
>>> attached is my shorewall dump.
>>> When connecting from outside to my IP from the 2nd ISP (87.139.112.239) I
>>> see this in the log:
>>>
>>> Sep 25 15:44:02 gate kernel: Shorewall:net_dnat:DNAT:IN=eth0.5 OUT=
>>> MAC=00:0e:0c:84:16:42:00:0b:3b:0e:7d:bb:08:00 SRC=134.100.58.143
>>> DST=192.168.5.254 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=207 DF PROTO=TCP
>>> SPT=44706 DPT=1970 WINDOW=5840 RES=0x00 SYN URGP=0
>> Do you set TC_EXPERT=Yes in shorewall.conf?
>
> Before I didn't (used older shorewall.conf), but now I do; it doesn't change
> anything.
>

So long as you have TC_EXPERT=Yes and your current set of tcrules, it will never work because you are overwriting the 'track' mark on all traffic from your server.

  Chain tcpre (3 references)
   pkts bytes target  prot opt in   out  source          destination
   ...
   415K   97M MARK    all  --  *    *    85.183.131.11   0.0.0.0/0     MARK set 0x1

I can't stress enough that TC_EXPERT=Yes is for *experts* -- an expert is someone who can look at the output of "shorewall dump" themselves and see this type of problem.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
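The failure Tom describes is easier to see when the mark handling is traced packet by packet. The Python below is an added illustration written for this archive; it is not Shorewall code and not from anyone in the thread. It models, in simplified form, the order of the mangle/PREROUTING steps on a 'track' provider setup (CONNMARK restore, provider marking of new connections, tcrules in tcpre, fwmark-based table selection) and replays the connection from the log line: the SYN from 134.100.58.143 arrives on eth0.5 (ADSL2), is DNATed to 85.183.131.11, and the server's reply then hits the rule '1:P 85.183.131.11 0.0.0.0/0 all'. The function and class names (route, reply_provider, Packet, TcRule), the conntrack key string and the assumption that the DMZ server sits behind eth0.4 (taken from the masq entry) are all constructed for the example; the only_if_unmarked flag models the difference between a MARK rule that overwrites an existing track mark and one that leaves already-marked packets alone.

```python
"""Added illustration (not Shorewall code): how an unconditional tcrules MARK
overwrites the 'track' connection mark, so replies from the DMZ server to a
connection that arrived via ADSL2 leave through SDSL1 instead.

Addresses, interfaces and the rule come from the thread; the processing order
is a simplified model of the Netfilter mangle/PREROUTING steps. Assumptions
(constructed for this example): the DMZ server 85.183.131.11 is behind
eth0.4, and a rule may be restricted to packets whose restored mark is 0.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Provider number -> (name, interface), from the providers file in the thread.
PROVIDERS = {1: ("SDSL1", "eth0.1"), 2: ("ADSL2", "eth0.5")}
INTERFACE_MARK = {iface: num for num, (_, iface) in PROVIDERS.items()}


@dataclass
class Packet:
    conn: str       # constructed conntrack key, shared by both directions
    src: str
    dst: str
    in_iface: str   # interface the packet arrives on
    mark: int = 0   # packet mark (fwmark)


@dataclass
class TcRule:
    mark: int
    src: str                # address or CIDR
    dst: str
    only_if_unmarked: bool  # True: do not touch packets that already carry a mark


def rule_matches(rule: TcRule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src, strict=False)
            and ip_address(pkt.dst) in ip_network(rule.dst, strict=False))


def route(pkt: Packet, conntrack: dict, tcrules: list) -> int:
    """Return the provider number whose routing table the packet uses
    (0 = main table). conntrack maps conn key -> saved connection mark and
    is updated the way CONNMARK --save-mark would."""
    # 1. 'track': a new connection arriving on a provider interface is
    #    marked with that provider's number and the mark is saved.
    if pkt.conn not in conntrack:
        conntrack[pkt.conn] = INTERFACE_MARK.get(pkt.in_iface, 0)
    # 2. CONNMARK --restore-mark: the packet inherits the connection mark,
    #    which is what should send replies back out the interface they came in on.
    pkt.mark = conntrack[pkt.conn]
    # 3. tcrules (chain tcpre): the first matching MARK rule wins.
    for rule in tcrules:
        if rule.only_if_unmarked and pkt.mark != 0:
            continue
        if rule_matches(rule, pkt):
            pkt.mark = rule.mark
            break
    # 4. Policy routing: fwmark N selects provider N's table.
    return pkt.mark if pkt.mark in PROVIDERS else 0


def reply_provider(only_if_unmarked: bool) -> int:
    """Inbound SYN via ADSL2 (the log line in the thread) to the DNATed DMZ
    server, then the server's SYN/ACK. Returns the provider the reply uses."""
    # The thread's rule '1:P 85.183.131.11 0.0.0.0/0 all'.
    tcrules = [TcRule(1, "85.183.131.11", "0.0.0.0/0", only_if_unmarked)]
    conntrack = {}
    conn = "tcp 134.100.58.143:44706 <-> 85.183.131.11:1970"  # constructed key
    syn = Packet(conn, "134.100.58.143", "192.168.5.254", "eth0.5")
    route(syn, conntrack, tcrules)  # 'track' saves mark 2 for this connection
    synack = Packet(conn, "85.183.131.11", "134.100.58.143", "eth0.4")
    return route(synack, conntrack, tcrules)


if __name__ == "__main__":
    for cond in (False, True):
        prov = reply_provider(cond)
        print(f"rule restricted to unmarked packets={cond}: "
              f"reply leaves via provider {prov} ({PROVIDERS[prov][0]})")
```

With the rule applied unconditionally, the reply's restored mark 2 is replaced by 1 and the SYN/ACK is routed through SDSL1, so the client that connected to the ADSL2 address never sees a usable answer and nothing is logged as rejected, which matches the symptom in the thread. Restricting the rule to packets whose mark is still 0 keeps the reply on ADSL2. The check this suggests for a multi-ISP firewall is the one Tom names: read the tcpre chain in "shorewall dump" and confirm no MARK rule there matches traffic from a server that must answer on whichever provider the connection arrived through.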