Hi,

I found the line reported below in my log, that prevents http browsing from local network to a server hosted on the local network as a proxyarped external address 62.243.165.91

from the log:
Jan 26 13:16:51 janus kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=192.168.102.110 DST=62.243.165.91 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=53613 DF PROTO=TCP SPT=1311 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

I thought that the rule:

ACCEPT loc loc:$JONAS56X all

where $JONAS56X is defined in /etc/shorewall/params as

JONAS56X=62.243.165.91

would have allowed that.

I read in FAQ#17 that a reject in FORWARD chain from/to the same interface is probably due to a missing routeback option in /etc/shorewall/interfaces, I have added that but with no different result.

Do you have any other idea of what might be wrong?

A gzipped dump file is attached and the FORWARD chain from it is here below:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
86162   44M eth0_fwd   0    --  eth0   *       0.0.0.0/0            0.0.0.0/0
 6582 2878K eth1_fwd   0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
85252   47M eth2_fwd   0    --  eth2   *       0.0.0.0/0            0.0.0.0/0
   16   888 Reject     0    --  *      *       0.0.0.0/0            0.0.0.0/0
   12   576 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
   12   576 reject     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Thanks for any help,
Paolo

Paolo Nesti Poggi wrote:

> from the log:
> Jan 26 13:16:51 janus kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2
> SRC=192.168.102.110 DST=62.243.165.91 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=53613 DF PROTO=TCP SPT=1311 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

> I read in FAQ#17 that a reject in FORWARD chain from/to the same interface
> is probably due to a missing routeback option in /etc/shorewall/interfaces,
> I have added that but with no different result.

I see no evidence in the dump that you have set the 'routeback' option on eth2.

Are you sure that Shorewall restarted successfully after you made the change?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Paolo Nesti Poggi wrote:
>
>> from the log:
>> Jan 26 13:16:51 janus kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2
>> SRC=192.168.102.110 DST=62.243.165.91 LEN=48 TOS=0x00 PREC=0x00 TTL=127
>> ID=53613 DF PROTO=TCP SPT=1311 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
>> I read in FAQ#17 that a reject in FORWARD chain from/to the same interface
>> is probably due to a missing routeback option in /etc/shorewall/interfaces,
>> I have added that but with no different result.
>
> I see no evidence in the dump that you have set the 'routeback' option on eth2.
>
> Are you sure that Shorewall restarted successfully after you made the change?

If you believe that Shorewall restarted successfully, then please tar up your /etc/shorewall directory and send it to me.

Thanks,
-Tom

> >> I read in FAQ#17 that a reject in FORWARD chain from/to the same interface
> >> is probably due to a missing routeback option in /etc/shorewall/interfaces,
> >> I have added that but with no different result.
> >
> > I see no evidence in the dump that you have set the 'routeback' option on eth2.
> >
> > Are you sure that Shorewall restarted successfully after you made the change?
>

I had set the routeback option to the wrong interface (blush)
Changing that, it works as expected.

Greets,
Paolo
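
The check that resolved this thread, as an added example that is not part of the original messages or of Shorewall itself: it parses Shorewall log lines, picks out FORWARD rejections where IN and OUT are the same interface, and reports whether that interface carries routeback in the interfaces file. The function names, the second log line and the interfaces content are constructed for illustration; the parser assumes the four-column ZONE/INTERFACE/BROADCAST/OPTIONS layout with comma-separated options.

```python
import re

# Constructed sample: the log line quoted in the thread, plus one made-up line
# for traffic that crosses two different interfaces.
SAMPLE_LOG = """\
Jan 26 13:16:51 janus kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=192.168.102.110 DST=62.243.165.91 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=53613 DF PROTO=TCP SPT=1311 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 26 13:17:02 janus kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=192.168.102.110 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Constructed /etc/shorewall/interfaces content reproducing the mistake from
# the thread: routeback is set, but on an interface other than eth2.
SAMPLE_INTERFACES = """\
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     routeback
dmz    eth1       detect
loc    eth2       detect
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")

def parse_log_line(line):
    """Split a Shorewall log line into chain, disposition and KEY=VALUE fields."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "disposition": m["disposition"]}
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else True   # bare flags such as DF or SYN
    return rec

def routeback_interfaces(text):
    """Return the interfaces whose option list contains routeback."""
    found = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and "routeback" in ",".join(fields[2:]).split(","):
            found.add(fields[1])
    return found

def hairpin_findings(log_text, interfaces_text):
    """List (iface, src, dst, has_routeback) for same-interface FORWARD hits."""
    have = routeback_interfaces(interfaces_text)
    out = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["chain"] == "FORWARD" and rec.get("IN") and rec.get("IN") == rec.get("OUT"):
            out.append((rec["IN"], rec["SRC"], rec["DST"], rec["IN"] in have))
    return out
```

A finding whose last element is False points at the interface that still needs routeback; the option only takes effect after Shorewall has restarted successfully.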