Hello,

I'm facing this strange situation when I apply these rules:

ACCEPT   net   fw             tcp   22,80   -
DNAT     net   dmz:10.0.0.4   tcp   22,80   -   94.23.242.44
ACCEPT   net   fw             tcp   1022    -   -   6/min:5

My set up is a demilitarized zone where I put some KVM guests.

I can ssh from the world to 94.23.242.44 (or from the host to 10.0.0.4), but I'm getting these responses when trying to connect to port 80:

telnet 94.23.242.44 80
Trying 94.23.242.44...
telnet: connect to address 94.23.242.44: No route to host

telnet 10.0.0.4 80
Trying 10.0.0.4...
telnet: Unable to connect to remote host: No route to host

I also tried some other ports like ftp but I can only make ssh work.

Thanks in advance for your help!

Eric Desgranges.

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
On Sun, 20 Dec 2009 23:40:54 +0530 ericdes <eric@vcardprocessor.com> wrote:

> I'm facing this strange situation when I apply these rules:
>
> ACCEPT   net   fw             tcp   22,80   -
> DNAT     net   dmz:10.0.0.4   tcp   22,80   -   94.23.242.44
> ACCEPT   net   fw             tcp   1022    -   -   6/min:5
>
> My set up is a demilitarized zone where I put some KVM guests.
>
> I can ssh from the world to 94.23.242.44 (or from the host to
> 10.0.0.4), but I'm getting these responses when trying to connect to
> port 80:
>
> telnet 94.23.242.44 80
> Trying 94.23.242.44...
> telnet: connect to address 94.23.242.44: No route to host
>
> I also tried some other ports like ftp but I can only make ssh work.

Try running tcpdump on the DMZ interface (bridge) while you try to connect. What do you see?

-Tom
-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
Hi Tom,

Thank you for looking into this. This is what tcpdump outputs when I launch an http request:

04:20:08.292735 IP es01.tela-web.com.35200 > ks309069.kimsufi.com.www: S 3758580123:3758580123(0) win 5840 <mss 1460,sackOK,timestamp 40378785 0,nop,wscale 5>
04:20:08.293384 IP ks309069.kimsufi.com > es01.tela-web.com: ICMP host ks309069.kimsufi.com unreachable - admin prohibited, length 68

And this when I ssh:

04:31:26.138508 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: . ack 958 win 281 <nop,nop,timestamp 41056616 122428939>
04:31:26.141516 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: P 838:982(144) ack 958 win 281 <nop,nop,timestamp 41056619 122428939>
04:31:26.146252 IP ks309069.kimsufi.com.ssh > es01.tela-web.com.35007: P 958:1678(720) ack 982 win 70 <nop,nop,timestamp 122429100 41056619>

Thank you,
Eric.

On 12/21/2009 12:43 AM, Tom Eastep wrote:
> Try running tcpdump on the DMZ interface (bridge) while you try to
> connect. What do you see?
>
> -Tom
On Mon, 2009-12-21 at 09:05 +0530, ericdes wrote:
>
> 04:20:08.292735 IP es01.tela-web.com.35200 > ks309069.kimsufi.com.www: S
> 3758580123:3758580123(0) win 5840 <mss 1460,sackOK,timestamp 40378785
> 0,nop,wscale 5>
> 04:20:08.293384 IP ks309069.kimsufi.com > es01.tela-web.com: ICMP host
> ks309069.kimsufi.com unreachable - admin prohibited, length 68

Well, that's a pretty obvious result. Surely you must be seeing why your HTTP connections are not working. The machine/port you are trying to reach has been packet filtered, and they are even being so courteous as to tell you that rather than just dropping your packets on the floor (like I would do).

> And this when I ssh:
>
> 04:31:26.138508 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: .
> ack 958 win 281 <nop,nop,timestamp 41056616 122428939>
> 04:31:26.141516 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: P
> 838:982(144) ack 958 win 281 <nop,nop,timestamp 41056619 122428939>
> 04:31:26.146252 IP ks309069.kimsufi.com.ssh > es01.tela-web.com.35007: P
> 958:1678(720) ack 982 win 70 <nop,nop,timestamp 122429100 41056619>

And of course, this is not being packet filtered.

b.
Brian,

I'm in charge of the machine ks309069.kimsufi.com and I thought I hadn't configured Shorewall correctly (it's the first time I'm using it). Are you meaning the packet filtering has been applied outside Shorewall?

This host is running Proxmox and is not filtering the port 80 for the non-fully virtualized guests (through venet0). The problem arises only when I want to access a KVM guest, which is accessed through vmbr0.

Maybe I'm back to the problem related to the fact that our hosting company (OVH) has disabled bridging. I thought I had solved it by following this guide http://www.myatus.co.uk/2009/08/31/guide-firewall-and-router-with-proxmox/ which exposes a way to circumvent that restriction by doing this on vmbr0:

- assign an IP address used as the gateway for all dmz KVM guests
- remove the bridge ports

And using NAT with the help of Shorewall. I also enabled proxy arp for 10.0.0.4.

Well, I guess I need to dig a bit deeper!

Thank you,
Eric.

On 12/21/2009 9:53 AM, Brian J. Murrell wrote:
> Well, that's a pretty obvious result. Surely you must be seeing why
> your HTTP connections are not working. The machine/port you are trying
> to reach has been packet filtered, and they are even being so courteous
> as to tell you that rather than just dropping your packets on the floor
> (like I would do).
>
> And of course, this is not being packet filtered.
>
> b.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Mon, 21 Dec 2009 09:05:08 +0530 ericdes <eric@vcardprocessor.com> wrote:

> Hi Tom,
>
> Thank you for looking into this. This is what tcpdump outputs when I
> launch a http request:
>
> 04:20:08.292735 IP es01.tela-web.com.35200 >
> ks309069.kimsufi.com.www: S 3758580123:3758580123(0) win 5840 <mss
> 1460,sackOK,timestamp 40378785 0,nop,wscale 5>
> 04:20:08.293384 IP ks309069.kimsufi.com > es01.tela-web.com: ICMP
> host ks309069.kimsufi.com unreachable - admin prohibited, length 68
>

Hint: ALWAYS USE THE -n OPTION WITH TCPDUMP.

If you truly captured this from the bridge, then it means that the system in the DMZ is rejecting port 80 with an 'admin prohibited' ICMP. Shorewall rejects TCP connections with an RST so it is not Shorewall that is generating that response.

-Tom
-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
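As an added diagnostic example (not code from the thread, from Shorewall, or from any of the posters), the script below applies Tom's reasoning mechanically. It parses a `tcpdump -n` capture in the old-style flag format shown above, pairs each client SYN with the reply that follows it, and reports whether the attempt was answered with a SYN/ACK, a TCP RST (what Shorewall's REJECT sends for TCP), an ICMP "admin prohibited" error (what a host-side REJECT rule with an ICMP reject-with sends), or nothing at all. It also prints what a Linux connect() caller such as telnet reports in each case, which is why Eric saw "No route to host" rather than "Connection refused". The embedded capture is constructed for the example: 203.0.113.10 stands in for the client, 94.23.242.44 is the address from the thread, and the port 21 and 443 attempts are invented to exercise the RST and no-reply branches.

```python
"""Classify how each TCP connection attempt in a `tcpdump -n` capture ended.

Added example for the thread above; not Shorewall code. Assumes old-style
tcpdump flag output ("S 1:1(0) ...", "R 0:0(0) ack ...", "ICMP host X
unreachable - admin prohibited") captured with -n, so addresses are numeric.
"""
import re
from collections import OrderedDict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# "ts IP src.sport > dst.dport: FLAGS rest"
TCP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IP})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IP})\.(?P<dport>\d+): (?P<flags>[SRPFWE.]+) (?P<rest>.*)$"
)
# "ts IP src > dst: ICMP message, length N"  (ICMP errors carry no ports)
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IP}) > (?P<dst>{IP}): ICMP (?P<msg>.+), length \d+$"
)
ACK_RE = re.compile(r"(?:^| )ack \d")   # "ack N" in the old flag format

# What a Linux connect() caller (telnet, curl, ...) reports for each outcome,
# and where to look next.
OUTCOMES = {
    "open": ("connected (SYN/ACK received)",
             "the host accepted the connection"),
    "rst": ("Connection refused (TCP RST)",
            "Shorewall's REJECT for TCP, or simply no listener on that port"),
    "icmp-prohibited": ("No route to host (ICMP admin prohibited)",
                        "a REJECT rule with an ICMP reject-with on the sending "
                        "host; not Shorewall's TCP reject"),
    "icmp-unreachable": ("No route to host (ICMP unreachable)",
                         "a router or host on the path could not deliver the SYN"),
    "silent": ("Connection timed out (no reply captured)",
               "a DROP somewhere, or the SYN never reached the capture point"),
}

# Constructed capture modelled on the thread's output. 203.0.113.10 stands in
# for the client; the port 21 and 443 attempts are invented for the example.
SAMPLE_CAPTURE = """\
04:20:08.292735 IP 203.0.113.10.35200 > 94.23.242.44.80: S 3758580123:3758580123(0) win 5840 <mss 1460,sackOK,timestamp 40378785 0,nop,wscale 5>
04:20:08.293384 IP 94.23.242.44 > 203.0.113.10: ICMP host 94.23.242.44 unreachable - admin prohibited, length 68
04:31:26.100000 IP 203.0.113.10.35007 > 94.23.242.44.22: S 1:1(0) win 5840 <mss 1460,sackOK,timestamp 41056600 0,nop,wscale 5>
04:31:26.103000 IP 94.23.242.44.22 > 203.0.113.10.35007: S 2:2(0) ack 2 win 5792 <mss 1460,sackOK,timestamp 122428900 41056600,nop,wscale 7>
04:32:00.000000 IP 203.0.113.10.35010 > 94.23.242.44.21: S 5:5(0) win 5840 <mss 1460,sackOK>
04:32:00.000500 IP 94.23.242.44.21 > 203.0.113.10.35010: R 0:0(0) ack 6 win 0
04:33:00.000000 IP 203.0.113.10.35011 > 94.23.242.44.443: S 9:9(0) win 5840 <mss 1460,sackOK>
"""


def classify_capture(text):
    """Return OrderedDict (src, sport, dst, dport) -> {"outcome", "by"},
    one entry per client SYN, in capture order."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            d = m.groupdict()
            is_ack = ACK_RE.search(d["rest"]) is not None
            fwd = (d["src"], d["sport"], d["dst"], d["dport"])
            rev = (d["dst"], d["dport"], d["src"], d["sport"])
            if "S" in d["flags"] and not is_ack:
                # A bare SYN opens an attempt; retransmits keep the first entry.
                flows.setdefault(fwd, {"outcome": "silent", "by": None})
            elif rev in flows and flows[rev]["outcome"] == "silent":
                if "S" in d["flags"]:                       # SYN/ACK
                    flows[rev].update(outcome="open", by=d["src"])
                elif "R" in d["flags"]:                     # reset
                    flows[rev].update(outcome="rst", by=d["src"])
            continue
        m = ICMP_RE.match(line)
        if m:
            d = m.groupdict()
            # Pin the error on the client's most recent unanswered SYN; the
            # ICMP source address is the box that did the filtering.
            for key, st in reversed(flows.items()):
                if key[0] == d["dst"] and st["outcome"] == "silent":
                    kind = "icmp-prohibited" if "prohibited" in d["msg"] else "icmp-unreachable"
                    st.update(outcome=kind, by=d["src"])
                    break
    return flows


def report(text):
    """One human-readable line per connection attempt."""
    lines = []
    for (src, sport, dst, dport), st in classify_capture(text).items():
        what, hint = OUTCOMES[st["outcome"]]
        sender = f" [sent by {st['by']}]" if st["by"] else ""
        lines.append(f"{src}:{sport} -> {dst}:{dport}: {what}{sender}; {hint}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Two caveats when reading the result. A TCP RST on its own does not prove a firewall REJECT: a closed port with no listener and no filtering answers the same way, so confirm with the listening sockets and the rule set on the target. And an ICMP admin-prohibited reply for a connection that Shorewall DNATs to a guest points at the guest's own packet filter, since Shorewall answers rejected TCP with an RST; some distributions ship a default iptables rule set that ends in a REJECT with icmp-host-prohibited, which is worth checking on the DMZ system first.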