-------- Original Message --------
Subject: Re: [Shorewall-users] rules file is not working
Date: Thu, 06 Nov 2008 12:44:21 -0800
From: Tom Eastep <teastep@shorewall.net>
To: viuwier <viuwier@wp.pl>
References: <781770787.20081024165636@wp.pl>
<4901E414.6000203@cassens.com> <490330497fa531.72564229@wp.pl>
<4903329D.3080706@shorewall.net> <174267725.20081106195709@wp.pl>
<1151319378.20081106203512@wp.pl> <49134B2C.3080904@shorewall.net>
<1417984161.20081106211137@wp.pl> <4913513E.8000208@shorewall.net>
<48751528.20081106212406@wp.pl>
viuwier wrote:
> Hello Tom
>
>> The firewall has sent the SYN packet to 192.168.0.22 who has not
>> responded. You must be changing things faster than I can read your posts
>> since you will notice that the port was being forwarded to .22 in the dump
>> you sent while now you claim to be forwarding the connections to .42.
>
> Sorry for changing, thanks for your help !
>
> Now my rules file:
> #Maciek rules:
> DNAT net loc:192.168.0.42:3389 tcp 3389 -
> DNAT net loc:192.168.0.42:3389 udp 3389 -
>
> ACCEPT loc:192.168.0.42 net tcp 3389 -
> ACCEPT loc:192.168.0.42 net udp 3389 -
>
> Now there is nothing in nat file.
>
> And I've tried to connect to 83.14.53.12 (it is my gateway to the local
> network with computer 192.168.0.42); the connection is not working:
>
> root@bramka:/etc/shorewall# shorewall show nat
> Shorewall 4.2.0 NAT Table at bramka - Thu Nov 6 21:13:40 CET 2008
>
> Counters reset Thu Nov 6 21:12:47 CET 2008
>
> Chain PREROUTING (policy ACCEPT 464 packets, 36501 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    85  6586 net_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 2 packets, 105 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   343 19963 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain eth1_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   343 19963 MASQUERADE all  --  *      *       192.168.0.0/24       0.0.0.0/0
>
> Chain net_dnat (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.0.42:3389
>     0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3389 to:192.168.0.42:3389
>
>
> My new dump file is attached. Earlier it was always working :(
>
From the dump, the connection is being forwarded but the local host
isn't responding. NOT ALL CONNECTION PROBLEMS ARE FIREWALL PROBLEMS.

I suggest that you put a packet sniffer on the local interface (eth0)
and be sure that the SYN packet is going out. Then if you don't see a
SYN/ACK coming back (or if it comes back with the wrong layer 2
destination address), then you will know what the problem is.

And if the SYN goes out but you don't see any response, then run a
packet sniffer on the server (192.168.0.42) and see if the SYN is
getting to that system.
-Tom
--
Tom Eastep \ The ultimate result of shielding men from the
Shoreline, \ effects of folly is to fill the world with fools.
Washington, USA \ -Herbert Spencer
http://shorewall.net \________________________________________________
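The three checks Tom describes (does the SYN leave eth0, does a SYN/ACK come back, and does it come back addressed to the firewall's own MAC) can be read straight off a `tcpdump -e -n -i eth0` capture. The script below, added here as an example and not part of the thread or of Shorewall, sorts a capture into those cases. The firewall and host MACs, the client address 198.51.100.7 and the sample capture lines are all constructed; only the DNAT target 192.168.0.42:3389 comes from the posted rules.

```python
"""Classify the outcome of a DNAT'ed TCP connection from a tcpdump capture
taken on the firewall's inside interface (tcpdump -e -n style text).

Added example, not code from the Shorewall thread. All MACs, the client
address 198.51.100.7 and the sample lines below are constructed.
"""
import re

TARGET_IP = "192.168.0.42"           # DNAT target from the posted rules file
TARGET_PORT = 3389
FIREWALL_MAC = "00:11:22:33:44:55"   # constructed: eth0 MAC of the firewall
HOST_MAC = "66:77:88:99:aa:bb"       # constructed: MAC of 192.168.0.42
OTHER_MAC = "aa:bb:cc:dd:ee:ff"      # constructed: some other router on the LAN

# Fixed prefix of a 'tcpdump -e -n' IPv4/TCP line, up to and including the TCP flags.
LINE_RE = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>[\d.]+)\.(?P<src_port>\d+) > (?P<dst_ip>[\d.]+)\.(?P<dst_port>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse(line):
    """Return a dict for an IPv4/TCP line, or None for anything else (ARP, UDP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d


def diagnose(lines, target_ip=TARGET_IP, target_port=TARGET_PORT,
             firewall_mac=FIREWALL_MAC):
    """Walk the capture and name which of the cases from the thread it shows."""
    syn_seen = False
    synack = None
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p["dst_ip"] == target_ip and p["dst_port"] == target_port and p["flags"] == "S":
            syn_seen = True            # SYN left the firewall towards the host
        elif p["src_ip"] == target_ip and p["src_port"] == target_port and p["flags"] == "S.":
            synack = p                 # host answered with a SYN/ACK
    if not syn_seen:
        return "no-syn-on-lan"         # DNAT did not happen: look at the firewall
    if synack is None:
        return "no-synack"             # SYN went out, no answer: sniff on the host itself
    if synack["dst_mac"].lower() != firewall_mac.lower():
        return "wrong-l2-destination"  # host replied, but towards another gateway's MAC
    return "handshake-ok"


def _syn(ts):
    return (f"{ts} {FIREWALL_MAC} > {HOST_MAC}, ethertype IPv4 (0x0800), length 74: "
            f"198.51.100.7.51234 > {TARGET_IP}.{TARGET_PORT}: Flags [S], seq 0, win 65535, length 0")


def _synack(ts, dst_mac):
    return (f"{ts} {HOST_MAC} > {dst_mac}, ethertype IPv4 (0x0800), length 74: "
            f"{TARGET_IP}.{TARGET_PORT} > 198.51.100.7.51234: Flags [S.], seq 0, ack 1, win 65535, length 0")


# Constructed captures, one per outcome. The ARP line is there to show non-TCP noise is skipped.
ARP_LINE = (f"21:13:40.100000 {FIREWALL_MAC} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
            "length 42: Request who-has 192.168.0.42 tell 192.168.0.1, length 28")
CAPTURE_OK = [ARP_LINE, _syn("21:13:40.200000"), _synack("21:13:40.200400", FIREWALL_MAC)]
CAPTURE_NO_SYN = [ARP_LINE]
CAPTURE_NO_REPLY = [_syn("21:13:40.200000"), _syn("21:13:43.200000"), _syn("21:13:49.200000")]
CAPTURE_WRONG_MAC = [_syn("21:13:40.200000"), _synack("21:13:40.200400", OTHER_MAC)]

if __name__ == "__main__":
    for name, cap in [("ok", CAPTURE_OK), ("no syn", CAPTURE_NO_SYN),
                      ("no reply", CAPTURE_NO_REPLY), ("wrong mac", CAPTURE_WRONG_MAC)]:
        print(f"{name:10s} -> {diagnose(cap)}")
```

The wrong-MAC case is worth spelling out (my note, not Tom's): the posted nat table only masquerades traffic leaving eth1, so the SYN that reaches 192.168.0.42 still carries the Internet client's source address. The host answers via its own default route; if that route does not point at the Shorewall box, the SYN/ACK is sent to another router's MAC, or never appears on eth0 at all, and the firewall's rules are not what needs fixing.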