Hi,

I have several virtual IPs on my FW and one of them is eth1:4 1.2.3.4. I want connections from IP 2.3.4.5:3499 (the internet) to 1.2.3.4:3499 forwarded to 5.6.7.8, which is behind the firewall. I have created this rule:

DNAT net:2.3.4.5 loc:5.6.7.8 tcp 3499 - 1.2.3.4

Why can't the connection be made? Should I use ACCEPT?

TIA
Willy

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects
sangprabv wrote:
> Hi,
> I have several virtual IPs on my FW and one of them is eth1:4 1.2.3.4. I
> want connections from IP 2.3.4.5:3499 (the internet) to 1.2.3.4:3499
> forwarded to 5.6.7.8 which is behind the firewall. I have created this
> rule:
> DNAT net:2.3.4.5 loc:5.6.7.8 tcp 3499 - 1.2.3.4

If you want to enforce both the source and dest port restrictions, you want:

DNAT net:2.3.4.5 loc:5.6.7.8 tcp 3499 3499 1.2.3.4

One question -- how are you ensuring that the client at 2.3.4.5 is binding to port 3499?

> Why can't the connection be made? Should I use ACCEPT? TIA

See the DNAT debugging tips in Shorewall FAQs 1a and 1b.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
2.3.4.5 is my partner and we agreed to bind to each other on that port. But the problem is, when 5.6.7.8 tries to connect to 2.3.4.5 it always fails. And according to my partner's log, it says that the connection is not coming from 5.6.7.8. Please help. TIA.

Willy

On Thu, 2009-06-11 at 21:55 -0700, Tom Eastep wrote:
> If you want to enforce both the source and dest port restrictions, you want:
>
> DNAT net:2.3.4.5 loc:5.6.7.8 tcp 3499 3499 1.2.3.4
>
> One question -- how are you ensuring that the client at 2.3.4.5 is
> binding to port 3499?
>
> See the DNAT debugging tips in Shorewall FAQs 1a and 1b.
>
> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
sangprabv wrote:
> 2.3.4.5 is my partner and we agreed to bind to each other on that port.
> But the problem is, when 5.6.7.8 tries to connect to 2.3.4.5 it always
> fails. And according to my partner's log, it says that the connection is
> not coming from 5.6.7.8. Please help. TIA.

You are most likely applying MASQUERADE/SNAT to 5.6.7.8's outgoing connections via an entry in /etc/shorewall/masq. Modify that entry (or delete it completely) as appropriate.

-Tom
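An added example, not from this thread and not Shorewall's own code: a small Python linter for the two DNAT rule lines above and for a masq entry of the kind Tom mentions. It assumes the Shorewall column layouts ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST for /etc/shorewall/rules and INTERFACE SOURCE ADDRESS for /etc/shorewall/masq, with "-" meaning unspecified; the eth1 subnet it uses is constructed, since the thread never gives one.

```python
import ipaddress

def split_columns(line, ncols):
    """Tokenise one Shorewall config line; '-' or missing columns become None."""
    cols = line.split("#", 1)[0].split()
    cols += [None] * (ncols - len(cols))
    return [None if c in (None, "-") else c for c in cols[:ncols]]

def parse_dnat_rule(line):
    """Break a DNAT rule into its fields; 'zone:hosts' columns are split up."""
    action, source, dest, proto, dport, sport, origdest = split_columns(line, 7)
    if action is None or not action.upper().startswith("DNAT"):
        raise ValueError("not a DNAT rule: %r" % line)
    src_zone, _, src = source.partition(":")
    dst_zone, _, dst = dest.partition(":")
    return {"src_zone": src_zone, "src": src or None, "dst_zone": dst_zone,
            "dst": dst or None, "proto": proto, "dport": dport,
            "sport": sport, "origdest": origdest}

def lint_dnat(rule):
    """List what the rule leaves unrestricted (the gap Tom's reply points at)."""
    findings = []
    if rule["sport"] is None:
        findings.append("SPORT unrestricted: any client port on %s is forwarded"
                        % (rule["src"] or rule["src_zone"]))
    if rule["origdest"] is None:
        findings.append("no ORIGINAL DEST: the rule matches every firewall address")
    if rule["src"] is None:
        findings.append("SOURCE has no host list: the whole %s zone matches" % rule["src_zone"])
    return findings

def masq_snats_host(masq_line, host, interface_nets):
    """True if this masq entry rewrites the source address of `host`'s outbound
    traffic. interface_nets maps interface -> networks behind it (constructed
    here; Shorewall itself derives this from the routing table)."""
    _out_if, source, _address = split_columns(masq_line, 3)
    if source is None:        # no SOURCE column: treated as "everything" here
        return True
    nets = interface_nets.get(source, [source])   # interface name, or a net/host
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

# The two rules from the thread, plus a constructed LAN layout for eth1.
ORIGINAL_RULE = "DNAT net:2.3.4.5 loc:5.6.7.8 tcp 3499 - 1.2.3.4"
TOMS_RULE = "DNAT net:2.3.4.5 loc:5.6.7.8 tcp 3499 3499 1.2.3.4"
LAN = {"eth1": ["5.6.7.0/24"]}   # constructed: the thread never gives the subnet

if __name__ == "__main__":
    for r in (ORIGINAL_RULE, TOMS_RULE):
        print(r, "->", lint_dnat(parse_dnat_rule(r)) or ["ok"])
    print("masq 'eth0 eth1' SNATs 5.6.7.8:", masq_snats_host("eth0 eth1", "5.6.7.8", LAN))
```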
Currently I have this setting in /etc/shorewall/masq:

eth0 eth1

Should I remove this completely?

Willy

On Sat, 2009-06-13 at 06:42 -0700, Tom Eastep wrote:
> You are most likely applying MASQUERADE/SNAT to 5.6.7.8's outgoing
> connections via an entry in /etc/shorewall/masq. Modify that entry (or
> delete it completely) as appropriate.
>
> -Tom
sangprabv wrote:
> Currently I have this setting in /etc/shorewall/masq:
> eth0 eth1
> Should I remove this completely?

How could we possibly know? We know nothing about your configuration.

The only way that you could remove that entry entirely is if all of the systems connected through eth1 have public IP addresses that are routed through your firewall.

-Tom
Currently all computers behind Shorewall are using private IPs. Also I do one-to-one NAT in /etc/shorewall/nat.

Willy

On Sat, 2009-06-13 at 09:51 -0700, Tom Eastep wrote:
> How could we possibly know? We know nothing about your configuration.
>
> The only way that you could remove that entry entirely is if all of the
> systems connected through eth1 have public IP addresses that are routed
> through your firewall.
>
> -Tom
sangprabv wrote:
> Currently all computers behind Shorewall are using private IPs. Also I do
> one-to-one NAT in /etc/shorewall/nat.

Then 5.6.7.8 is a private address? If so, then I'm totally lost as to what you are complaining about.

-Tom