Adam Niedzwiedzki
2007-Jul-20 01:00 UTC
DNAT (port forward not working, I know I've missed something simple)
Hi guys,

I have a very simple setup:

ADSL Modem (bridge mode) -- eth0-shorewall masq-eth1 -- internal LAN
Using PPPoE on a LEAF Bering-uClibc machine.

All seems to work; I can surf the web from my machines on the LAN, no issues at all, but I can't get my simple DNAT rule to work. I just want to pass port 80 in to my local machine on 10.0.10.40 (this was working perfectly on my old setup, but I lost the config (dead floppy disk), and of course, stupid me, no backup; it was a Shorewall 2.x machine, about time I upgraded either way).

So I set up a new machine with the new Shorewall 3.4.5 version and can't get a simple DNAT to work. I don't get denies in shorewall.log, and "shorewall show nat" shows the counters on that rule incrementing. I did read the FAQ about the gateway on the machine etc., but it all worked perfectly on the old setup. The only thing that has changed is the new Shorewall box.

Notes:
My ISP does NOT block incoming ports.
My internal machine on 10.0.10.40 can ping 10.0.10.1 (eth1).
I cleared the ARP table, rebooted the machine, and can surf the web fine from 10.0.10.40.
External IP is 202.10.93.183 via PPPoE.

I'm sure I've missed something very simple... shorewall dump attached.

Cheers
Ad

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tom Eastep
2007-Jul-20 01:37 UTC
Re: DNAT (port forward not working, I know I've missed something simple)
Adam Niedzwiedzki wrote:
> Hi guys,
>
> I have a very simple setup
>
> ADSL Modem (bridge mode) -- eth0-shorewall masq-eth1 -- internal LAN
> Using PPPoE on a LEAF Bering-uClibc machine
>
> All seems to work; I can surf the web from my machines on the LAN, no issues
> at all, but I can't get my simple DNAT rule to work.
> I just want to pass port 80 in to my local machine on 10.0.10.40 (this was
> working perfectly on my old setup, but I lost the config (dead floppy disk),
> and of course, stupid me, no backup; it was a Shorewall 2.x machine, about time
> I upgraded either way).
>
> So I set up a new machine with the new Shorewall 3.4.5 version and can't get a simple
> DNAT to work.
> I don't get denies in shorewall.log, and "shorewall show nat" shows the
> counters on that rule incrementing. I did read the FAQ about the gateway on
> the machine etc., but it all worked perfectly on the old setup. The only thing
> that has changed is the new Shorewall box.
>
> Notes:
> My ISP does NOT block incoming ports.
> My internal machine on 10.0.10.40 can ping 10.0.10.1 (eth1). I cleared the
> ARP table, rebooted the machine, and can surf the web fine from 10.0.10.40.
> External IP is 202.10.93.183 via PPPoE.

So what's the problem?

teastep@tipper:~/shorewall/tags/4.0.0/Shorewall-common$ telnet 202.10.93.183 80
Trying 202.10.93.183...
Connected to 202.10.93.183.
Escape character is '^]'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2007-Jul-20 02:43 UTC
Re: DNAT (port forward not working, I know I've missed something simple)
Here are some more observations.

Tom Eastep wrote:
> Adam Niedzwiedzki wrote:
<old configuration worked>
>> So I set up a new machine with the new Shorewall 3.4.5 version and can't get a simple
>> DNAT to work.
>> I don't get denies in shorewall.log, and "shorewall show nat" shows the
>> counters on that rule incrementing. I did read the FAQ about the gateway on
>> the machine etc., but it all worked perfectly on the old setup. The only thing
>> that has changed is the new Shorewall box.

"I can't get a simple DNAT to work"

What does that mean?

- "shorewall start" fails? (probably not, since we have 'dump' output)
- "shorewall start" causes the firewall to burst into flames? (maybe, if you were fast in collecting the dump).
- TCP connection attempts from "somewhere" to the firewall's external interface port 80 fail in some way? That's my guess, but we don't know if DNS lookups fail, timeouts occur, connections are refused, server 500 errors are returned, images of Bill Gates fill your browser's window, ...

From the "dump" output that you sent, the Shorewall configuration is correct. Connection requests from the net to TCP port 80 are being DNATed and forwarded to 10.0.10.40 in the 'loc' zone. The fact that there are no conntrack entries for these connections suggests that the connections are being refused by the server, but that's only a guess.

One more observation. Any system that has been connected to the internet for 10 minutes or more should have been probed by someone. So the fact that your shorewall.log is empty suggests to me that you have a logging configuration problem, and your assertion that "I don't get denies in shorewall.log" is probably not relevant. But, again, it looks like connection requests on TCP port 80 are being forwarded correctly.

-Tom
Adam Niedzwiedzki
2007-Jul-21 00:12 UTC
Re: DNAT (port forward not working, I know I've missed something simple)
Howdy Tom,

Thank you so much for your response; always love the tongue in cheek ones, and of course my firewall is still intact, no flames ;).

All is working now (and I can admit all I did was reboot everything: server, DSL, firewall), and once it was all back up everything worked.. I feel kinda embarrassed I didn't do that first :s

Hmm, as for the logging, any suggestions? I'm using ULOG in my policy file; where else could I look to see about logging?

Cheers
Ad
Tom Eastep
2007-Jul-21 00:21 UTC
Re: DNAT (port forward not working, I know I've missed something simple)
Hello Adam,

Adam Niedzwiedzki wrote:
> Thank you so much for your response; always love the tongue in cheek ones,
> and of course my firewall is still intact, no flames ;)

Glad to hear it ;-)

> All is working now (and I can admit all I did was reboot everything: server,
> DSL, firewall), and once it was all back up everything worked..
>
> I feel kinda embarrassed I didn't do that first :s

Hard to guess at this point what the cause was. But the main thing is that it is working now.

> Hmm, as for the logging, any suggestions? I'm using ULOG in my policy file;
> where else could I look to see about logging?

Be sure ulogd is running. I take it that you still aren't seeing any log messages?

-Tom
Adam Niedzwiedzki
2007-Jul-21 01:22 UTC
Re: DNAT (port forward not working, I know I've missed something simple)
Hi Tom,

Yup, still nothing in shorewall.log, and ulogd is running:

firewall# cat ulogd.log
Sat Jul 21 11:10:36 2007 <3> ulogd.c:484 ulogd Version 1.23 starting
Sat Jul 21 11:10:36 2007 <3> ulogd.c:801 initialization finished, entering main loop

ps auxf output:

8398 root 268 S /usr/sbin/ulogd -d

Just nothing in shorewall.log :(
Tom Eastep
2007-Jul-21 02:21 UTC
Re: DNAT (port forward not working, I know I've missed something simple)
Adam Niedzwiedzki wrote:
> Hi Tom,
>
> Yup, still nothing in shorewall.log, and ulogd is running:
> firewall# cat ulogd.log
> Sat Jul 21 11:10:36 2007 <3> ulogd.c:484 ulogd Version 1.23 starting
> Sat Jul 21 11:10:36 2007 <3> ulogd.c:801 initialization finished, entering
> main loop
>
> ps auxf output:
>
> 8398 root 268 S /usr/sbin/ulogd -d
>
> Just nothing in shorewall.log :(

shorewall show | grep ULOG

If there are non-zero values in the first column, then messages are being logged and are not showing up in shorewall.log for some reason. If not, then we must wonder why you bother to run a firewall...

-Tom
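The counter check Tom describes, worked through as an added example that is not part of the thread: it reads saved "shorewall show" output (iptables -nvL layout) and separates "ULOG rules never matched" from "ULOG rules matched but the log file stays empty", which is the ulogd-side problem. The sample output and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): apply "shorewall show | grep ULOG, non-zero
# first column?" to saved output. Assumes it was saved first: shorewall show > /tmp/show.txt

# Print "chain pkts prefix" for each ULOG rule whose packet counter is non-zero.
ulog_hits() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "ULOG" && $1 + 0 > 0 {
            p = "-"
            i = index($0, "prefix `")          # Shorewall puts the log prefix here
            if (i) { p = substr($0, i + 8); q = index(p, "\047"); if (q) p = substr(p, 1, q - 1) }
            print chain, $1, p
        }' "$1"
}

# Sum of packets that hit any ULOG rule, i.e. what netfilter handed to ulogd.
ulog_total() {
    awk '$3 == "ULOG" { t += $1 } END { print t + 0 }' "$1"
}

# $1 = saved "shorewall show" output, $2 = the log file ulogd should be writing.
ulog_verdict() {
    total=$(ulog_total "$1")
    if [ "$total" -eq 0 ]; then
        echo "no-hits"         # nothing reached a ULOG rule: odd after minutes online
    elif [ -s "$2" ]; then
        echo "logging-ok"
    else
        echo "ulogd-problem"   # packets went to ulogd, file still empty: check ulogd config
    fi
}

# Constructed sample in "iptables -nvL" layout (what "shorewall show" prints).
SAMPLE=$(mktemp)
EMPTY_LOG=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1204 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   42  2520 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2fw:DROP:' queue_threshold 1
   42  2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2net (1 references)
  998 71020 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix `Shorewall:loc2net:REJECT:' queue_threshold 1
EOF
ulog_hits "$SAMPLE"                         # net2fw 42 Shorewall:net2fw:DROP:
ulog_verdict "$SAMPLE" "$EMPTY_LOG"         # ulogd-problem
```

A "ulogd-problem" verdict on a live box means the kernel is delivering packets to netlink group 1 and the remaining suspects are ulogd's output plugin and log file path, not the Shorewall rules.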