Hi,

I am trying to make connections that go to the firewall (10.10.10.100 internal) on port TCP/5900 be redirected to an internal host (10.10.10.2) but cannot get it to work. The firewall starts OK and shows no errors when starting up, and there are no log entries in the syslog to suggest that the packets are being dropped. Could you please advise? I have attached a copy of the 'shorewall dump' command.

thanks,

--
David Rothera

------------------------------------------------------------------------------
The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your production scanning environment may not be a perfect world - but thanks to Kodak, there's a perfect scanner to get the job done! With the NEW KODAK i700 Series Scanner you'll get full speed at 300 dpi even with all image processing features enabled.
http://p.sf.net/sfu/kodak-com
> Hi,
>
> I am trying to make connections that go to the firewall (10.10.10.100
> internal) on port TCP/5900 be redirected to an internal host (10.10.10.2)
> but cannot get it to work, the firewall starts ok and shows no errors when
> starting up and there are no log entries in the syslog to suggest that the
> packets are being dropped, could you please advise? I have attached a copy
> of the 'shorewall dump' command.
>
> thanks,

Hi David,

I don't really know how to read Shorewall dumps, but what I saw in your dump confused me a bit. It appears that the system running Shorewall has only one configured Ethernet interface (eth0). However, your configuration appears to be based on a two-interface setup (because your dump includes loc, net, and fw zones). This isn't necessarily wrong, but unless you have some reason for having more than two zones (loc and fw), it seems unnecessary to me.

On to your actual problem:

In your interfaces file, add the 'routeback' option to eth0 (I'm sure someone more experienced than I could tell if this was already enabled based on the dump).

In your rules file, add the following rule (the '!10.10.10.2' may not be desirable in your case, but I can't imagine why 10.10.10.2 would try to connect to 10.10.10.100 when it was trying to access a service that it was hosting):

    DNAT    loc:!10.10.10.2    loc:10.10.10.2    tcp    5900

In your masq file, add the following:

    eth0    eth0    10.10.10.100

That should do it.

--Russel Riley
David Rothera wrote:
> Hi,
>
> I am trying to make connections that go to the firewall (10.10.10.100
> internal) on port TCP/5900 be redirected to an internal host
> (10.10.10.2) but cannot get it to work, the firewall starts ok and
> shows no errors when starting up and there are no log entries in the
> syslog to suggest that the packets are being dropped, could you please
> advise? I have attached a copy of the 'shorewall dump' command.

First of all, I would not call your configuration a 'firewall'; it is a 'one-armed router' (see http://www.shorewall.net/Multiple_Zones.html#OneArmed).

Second, you have not set it up correctly as a one-armed router; in that configuration, the 'loc' zone must be defined as a sub-zone of the 'net' zone (or at least 'loc' must be defined before 'net' in /etc/shorewall/zones).

Third, your original question is Shorewall FAQ 2. In addition to setting 'routeback' on eth0 in /etc/shorewall/interfaces as suggested by Russel, you need a rule in /etc/shorewall/masq. See http://www.shorewall.net/FAQ.htm#faq2 for details.

Fourth, I recommend that you migrate to using Shorewall-perl at the first opportunity. It starts/restarts much faster, it catches many more problems at compile time, it has more features and it will totally replace Shorewall-shell in Shorewall 4.4.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net  \________________________________________________
Russel Riley wrote:
> In your masq file, add the following:
> eth0 eth0 10.10.10.100

That entry will result in a warning each time that Shorewall starts/restarts. I suggest:

    eth0    10.10.10.0/24    10.10.10.100

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net  \________________________________________________
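The advice in the replies above comes down to two rules the kernel must end up with: a DNAT that sends tcp/5900 arriving at 10.10.10.100 on to 10.10.10.2, and (via the masq entry) an SNAT that rewrites the source of that redirected LAN traffic to the router's own address. Without the second half the redirected packet reaches 10.10.10.2 carrying the client's source address, 10.10.10.2 replies straight to the client on the same segment, and the client discards a reply from a host it never contacted; nothing is dropped by the router, so nothing shows up in syslog, which matches the symptom in the original question. The script below is an added example written for this thread, not Shorewall's own code and not from any poster: a POSIX shell check that reads an iptables-save(8) dump of the nat table and reports whether both halves are present. The script name check_hairpin.sh, the function names, and the SAMPLE_NAT dump are all constructed for the example; it deliberately does not assume the names of the chains Shorewall generates, which is why a rule is accepted from any chain.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): verify from an
# iptables-save(8) dump of the nat table that a one-armed DNAT redirect has
# BOTH halves loaded:
#   1. a DNAT for tcp/PORT -> TARGET            (from /etc/shorewall/rules)
#   2. an SNAT/MASQUERADE for NET -> TARGET     (from /etc/shorewall/masq)
#
# Usage: iptables-save -t nat > nat.txt
#        sh check_hairpin.sh nat.txt 5900 10.10.10.2 10.10.10.0/24 10.10.10.100

# Escape the dots of an address or network so it is literal inside grep -E.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# has_dnat FILE PORT TARGET
# Succeeds if any nat chain carries "tcp --dport PORT -j DNAT --to-destination TARGET".
# The chain name is ignored: rule generators hang the rule off their own
# chains rather than directly on PREROUTING, and that is irrelevant here.
has_dnat() {
    t=$(re_escape "$3")
    pat="^-A [^ ]+ .*-p tcp .*--dport $2 .*-j DNAT --to-destination $t(:[0-9]+)?( |\$)"
    grep -E -e "$pat" "$1" >/dev/null
}

# has_hairpin_snat FILE TARGET NET FWIP
# Succeeds if traffic from NET to TARGET is rewritten to come from FWIP (SNAT)
# or from the outgoing interface's address (MASQUERADE). This is the rule that
# a masq entry such as "eth0 10.10.10.0/24 10.10.10.100" is meant to produce.
has_hairpin_snat() {
    t=$(re_escape "$2"); n=$(re_escape "$3"); f=$(re_escape "$4")
    pat="^-A [^ ]+ .*-s $n .*-d $t(/32)? .*-j (SNAT --to-source $f|MASQUERADE)"
    grep -E -e "$pat" "$1" >/dev/null
}

# check_hairpin FILE PORT TARGET NET FWIP
# Exit status: 0 both halves present; 1 DNAT missing; 2 DNAT present but the
# hairpin SNAT is missing (the silent asymmetric-reply failure).
check_hairpin() {
    if ! has_dnat "$1" "$2" "$3"; then
        echo "MISSING: DNAT tcp/$2 -> $3 (check /etc/shorewall/rules)"
        return 1
    fi
    if ! has_hairpin_snat "$1" "$3" "$4" "$5"; then
        echo "MISSING: SNAT for $4 -> $3 via $5 (check /etc/shorewall/masq and 'routeback')"
        return 2
    fi
    echo "OK: DNAT and hairpin SNAT both present for tcp/$2 -> $3"
    return 0
}

# Constructed sample (NOT a real dump from the thread): how the nat table
# looks once both halves are loaded, in plain iptables-save syntax.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.10.10.2
-A POSTROUTING -s 10.10.10.0/24 -d 10.10.10.2/32 -o eth0 -j SNAT --to-source 10.10.10.100
COMMIT'

# With --demo, run the check against the constructed sample; with five
# arguments, run it against a real dump file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_NAT" > "$tmp"
    check_hairpin "$tmp" 5900 10.10.10.2 10.10.10.0/24 10.10.10.100
    rm -f "$tmp"
elif [ $# -eq 5 ]; then
    check_hairpin "$@"
fi
```

Run it against the live table with `iptables-save -t nat > nat.txt; sh check_hairpin.sh nat.txt 5900 10.10.10.2 10.10.10.0/24 10.10.10.100`. An exit status of 2 is the case this thread is about: the rules file did its job but the masq entry (or 'routeback') did not, so replies never come back through the router.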