Gianni Socionovo
2008-Aug-05 11:34 UTC
Re: Shorewall 4.06 + DNAT + Problem with internalrouting
Re: [Shorewall-users] Shorewall 4.06 + DNAT + Problem with internalrouting
Shorewall Users wrote:
> Tom Eastep wrote:
> > Gianni Socionovo wrote:
> >
> >>
> >> from the log i got:
> >>
> >> Aug 4 19:10:07 mylinuxbox kernel: [276232.278815] Shorewall:net_dnat:DNAT:IN=eth0 SRC=88.xx.xx.xx DST=88.xx.xx.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4891 DF PROTO=TCP SPT=1128 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
> >> Aug 4 19:10:07 mylinuxbox kernel: [276232.278839] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=88.xx.xx.xx DST=10.10.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4891 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> >>
> >> It seems that the DNAT rule works well, but after DNAT the REJECT policy takes place.
> >>
> >> Can anyone help me to solve the configuration error? I urgently need to set other DNAT rules towards the other nested zones.
> >
> > It's a routing issue. See http://www.shorewall.net/Multiple_Zones.html
> >
>
> Note that since you didn't follow the problem reporting Guidelines (http://www.shorewall.net/support.htm#Guidelines), we can't tell you how your routing is wrong. But from the REJECT message, it is apparent that your router is routing 10.10.2.4 out of eth0, not eth1 as you intend.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
>
Hello Tom, obviously I obfuscated the real IP numbers of the Shorewall configuration for the public mailing list.
Tell me if I can send you all the information and the trace file to a protected email recipient.
--
Ing. Gianni Socionovo
MEP SpA
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Tom Eastep
2008-Aug-05 UTC
Re: Shorewall 4.06 + DNAT + Problem with internalrouting

Gianni Socionovo wrote:
> Hello Tom, obviously I obfuscated for the public mailing list the real IP numbers of Shorewall configuration.

If it is not a routing problem then you have mistyped the IP address of the server in your DNAT rules. You are forwarding the traffic to an address that has no route out of eth1. The dump that you sent me privately confirms that.

Type 'ip route ls' and see for yourself.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
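The two kernel log lines quoted above carry the whole diagnosis: the same packet (same SRC, SPT and IP ID) is first logged as DNAT to 10.10.2.4 and then logged as a FORWARD REJECT with IN=eth0 OUT=eth0, meaning the box has no better route to the DNAT target than the default route back out the external interface. The script below, an added example for this thread and not Shorewall code, pairs DNAT entries with the matching FORWARD REJECT, flags the hairpin (IN equal to OUT), and checks the DNAT target against a parsed `ip route ls` table with a longest-prefix match. Both inputs are constructed samples: the log uses RFC 5737 documentation addresses in place of the obfuscated 88.xx.xx.xx ones, and the route table deliberately lacks the 10.10.2.0/24 route via eth1 that went missing after the reboot.

```python
"""Correlate Shorewall DNAT/REJECT log lines and check the DNAT target's route.

Added example for this mailing-list thread; not part of Shorewall.
"""
import ipaddress
import re

# Constructed sample: the two kernel lines quoted in the thread, with the
# obfuscated public addresses replaced by RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Aug  4 19:10:07 mylinuxbox kernel: [276232.278815] Shorewall:net_dnat:DNAT:IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4891 DF PROTO=TCP SPT=1128 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 19:10:07 mylinuxbox kernel: [276232.278839] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=203.0.113.5 DST=10.10.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4891 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Constructed sample of `ip route ls` output on a box whose static route to
# 10.10.2.0/24 (via eth1) did not come back after a reboot.
SAMPLE_ROUTES = """\
default via 198.51.100.254 dev eth0
198.51.100.0/24 dev eth0  proto kernel  scope link  src 198.51.100.1
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.1
"""

# Shorewall log prefix is "Shorewall:<chain>:<action>:" followed by key=value fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<kv>.*)$")


def parse_log(text):
    """Return one dict per Shorewall log line with chain, action and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ev = {"chain": m.group("chain"), "action": m.group("action")}
        for tok in m.group("kv").split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                ev[k] = v
        events.append(ev)
    return events


def parse_routes(text):
    """Parse `ip route ls` lines into (network, dev) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        net = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(net, strict=False), dev))
    return routes


def egress_dev(routes, addr):
    """Longest-prefix match: the interface a packet to addr leaves on, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def find_hairpin_rejects(events):
    """Pair each DNAT with a later FORWARD REJECT of the same flow (SRC, SPT, IP ID).

    The IP ID survives DNAT, so it ties the pre- and post-NAT log lines together.
    A reject whose IN and OUT interface are equal is the routing hairpin seen above.
    """
    dnats = {}
    findings = []
    for ev in events:
        key = (ev.get("SRC"), ev.get("SPT"), ev.get("ID"))
        if ev["action"] == "DNAT":
            dnats[key] = ev
        elif ev["chain"] == "FORWARD" and ev["action"] == "REJECT" and key in dnats:
            if ev.get("IN") == ev.get("OUT"):
                findings.append({"target": ev["DST"], "ingress": ev["IN"]})
    return findings


def diagnose(log_text, route_text):
    """For each hairpin reject, report where the route table currently sends the DNAT target."""
    routes = parse_routes(route_text)
    report = []
    for f in find_hairpin_rejects(parse_log(log_text)):
        out = egress_dev(routes, f["target"])
        report.append({
            "target": f["target"],
            "ingress": f["ingress"],
            "egress": out,
            "route_ok": out is not None and out != f["ingress"],
        })
    return report


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG, SAMPLE_ROUTES):
        state = "ok" if r["route_ok"] else "BAD: add the missing route or fix the DNAT address"
        print(f"DNAT target {r['target']} arrived on {r['ingress']}, routed out {r['egress']}: {state}")
```

Run against the sample, the script reports that 10.10.2.4 is routed out eth0, the interface the request came in on, which is exactly Tom's reading of the REJECT line; appending the missing `10.10.2.0/24 ... dev eth1` route to the table turns the verdict to ok without any change to the DNAT rule.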
Gianni Socionovo
2008-Aug-05 14:49 UTC
Re: Shorewall 4.06 + DNAT + Problem with internalrouting
Sorry, you were right, it was a routing problem: when I restarted the machine, one static route to reach one of the subnets didn't come up. Now I have fixed the problem and DNAT works fine. Thank you for the suggestions.
_________________________________________________
*/Gianni Socionovo/*
/E-Business Manager/
MEP S.p.A.
Via Papa Giovanni XXIII, 49
61045 Pergola (PU) ITALY
/email: giannisocionovo@mepsaws.it <mailto:giannisocionovo@mepsaws.it>/
/Web Page: http://www.mepsaws.com/
Tel. +39 0721 737262
Fax. +39 0721 734533
------------------------------------------------------------------------
The information contained in this message and its attachments may be confidential and is, in any case, intended exclusively for the persons or the Company indicated above. Dissemination, distribution and/or copying of the transmitted document by anyone other than the addressee is prohibited, both under art. 616 of the Penal Code and under Legislative Decree no. 196/2003. If you have received this message in error, please destroy it and inform the sender.
The information in this e-mail is confidential and may also be legally privileged. It is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this e-mail in error please notify us immediately, destroy any copies. Any use, dissemination, forwarding, printing or copying of this e-mail is prohibited in accordance with art. 616 of the Penal Code and Legislative Decree N° 196 of 2003.

Tom Eastep wrote:
> Gianni Socionovo wrote:
>
>> Hello Tom, obviously I obfuscated for the public mailing list the real IP numbers of Shorewall configuration.
>
> If it is not a routing problem then you have mistyped the IP address of the server in your DNAT rules. You are forwarding the traffic to an address that has no route out of eth1. The dump that you sent me privately confirms that.
>
> Type 'ip route ls' and see for yourself.
>
> -Tom