Hi,
I have a client behind shorewall which has 2 IPs:
192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
I have added DNAT rules into shorewall:

DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5

1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side.

I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008, and it can connect OK.
And I also want 192.168.8.37 to be able to reach my partner IP 5.4.3.2:55000, and this one FAILS.
If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 at the firewall it is OK.

I have manually added
route add 9.8.7.6 gw 192.168.8.1
route add 5.4.3.2 gw 192.168.8.1
Both added to the client routing table. What's wrong with my configuration?
Many thanks for help.

sangprabv
sangprabv@gmail.com

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experienced hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
If you want to let your local machines access the internet by telnet then DNAT is the wrong choice. DNAT is for access from the internet to local machines.

You should try something like (rules file)

ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000

If you have policy

ACCEPT loc net

the rule will be useless.

If your first client can but your second can't access, I guess you already have some rules or policies allowing this.

In this case I suggest double-checking your masq file, whether you only masq 192.168.8.35 or the whole network, e.g. 192.168.8.0/24?

Cheers
Mike

-----Original Message-----
From: sangprabv [mailto:sangprabv@gmail.com]
Sent: Friday, 5 February 2010 09:28
To: Shorewall Users
Subject: [Shorewall-users] DNAT Problem
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Thanks for the reply, I have this setting in /etc/shorewall/masq:

eth0 eth1

eth0 is the public IP, while eth1 is the private network.

I have tried your solution but it doesn't work either.

sangprabv
sangprabv@gmail.com

On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH wrote:
This looks ok.

I suggest you make a quick try with

(policy file)

loc net ACCEPT

If you still cannot access the internet by telnet, something with your routing is wrong or you have conflicts in your policy or rules file. To check this I think a shorewall dump is needed. But if this were true you should maybe see something in your messages. A tcpdump output could help as well.

Routing seems to be ok if you still have

But if this is the kernel route command I miss the netmask parameter. I don't know anything about your distribution but to add routes there should always be a netmask parameter. Try to trace the internet IP.

> route add 9.8.7.6 gw 192.168.8.1
> route add 5.4.3.2 gw 192.168.8.1

Cheers
Mike

-----Original Message-----
From: sangprabv [mailto:sangprabv@gmail.com]
Sent: Friday, 5 February 2010 17:23
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem
I use Ubuntu and I don't think the mask is mandatory, because if it were mandatory then why does telnet to 9.8.7.6 always succeed and not to 5.4.3.2? It makes me crazy :(

sangprabv
sangprabv@gmail.com

On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH wrote:
Maybe nothing runs on the requested port on the other side?
I think without a dump it would be hard to manage your problem on the list.

-----Original Message-----
From: sangprabv [mailto:sangprabv@gmail.com]
Sent: Friday, 5 February 2010 18:42
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem
I think I found the reason why the connection always fails. I tried tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know why this happens?

sangprabv
sangprabv@gmail.com

On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH wrote:
Please be a bit more precise.

You telnet 5.4.3.2 from local client and you see a telnet to 9.8.7.6 in tcpdump instead of 5.4.3.2? You did it on eth1, right?

If this is true this sounds like you have some wrong DNAT entry similar to

DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2

This rule would make that all requests sent from loc:192.168.8.37 which request a connection to tcp 55000 on ip 5.4.3.2 are sent to 9.8.7.6

-----Original Message-----
From: sangprabv [mailto:sangprabv@gmail.com]
Sent: Friday, 5 February 2010 19:14
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem

I think I found the reason why connection is always failed. I tried to tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know why this happens?

sangprabv
sangprabv@gmail.com

On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH wrote:

> Maybe nothing runs on the requested port on the other side?
> I think without a dump it would be hard to manage your problem by the list.
9.8.7.6 is my partner A IP
5.4.3.2 is my partner B IP

192.168.8.35 is my local server P IP behind firewall
192.168.8.37 is my local server P virtual IP behind firewall

192.168.8.1 is my firewall eth1 IP

1.2.3.1 is my firewall eth0 IP
1.2.3.4 is my firewall eth0:4 virtual IP
1.2.3.5 is my firewall eth0:5 virtual IP

I want connection to 9.8.7.6 port 11008 from server P IP 192.168.8.35 use 1.2.3.4 so I have rules:
ACCEPT loc:192.168.8.35 net:9.8.7.6 tcp 11008 - 1.2.3.4
And nat:
1.2.3.4 eth0 192.168.8.35

I want connection to 5.4.3.2 port 55000 from server P virtual IP 192.168.8.37 use 1.2.3.5 so I have rules:
ACCEPT loc:192.168.8.37 net:.5.4.3.2 tcp 55000 - 1.2.3.5
And nat:
1.2.3.5 eth0 192.168.8.37

I have masq value:
eth0 eth1

On server P I have added route
route add 9.8.7.6. gw 192.168.8.1
route add 5.4.3.2 gw 192.168.8.1

Connection to partner A 9.8.7.6:11008 is OK, I checked TCPDUMP it shows the connection to 9.8.7.6 uses 1.2.3.4
Connection to partner B 5.4.3.2:55000 is FAILED, I checked TCPDUMP it shows the connection to 5.4.3.2 uses 1.2.3.4 instead of 1.2.3.5

sangprabv
sangprabv@gmail.com

On Feb 6, 2010, at 1:50 AM, Michael Weickel - iQom Business Services GmbH wrote:

> Please be a bit more precise.
>
> You telnet 5.4.3.2 from local client and you see a telnet to 9.8.7.6 in tcpdump instead of 5.4.3.2? You did it on eth1, right?
>
> If this is true this sounds like you have some wrong DNAT entry similar to
>
> DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2
>
> This rule would make that all requests sent from loc:192.168.8.37 which request a connection to tcp 55000 on ip 5.4.3.2 are sent to 9.8.7.6
What is this? net:.5.4.3.2
I guess you copy pasted it? The leading "." should be removed
Else config looks fine but I think you don't need those nat rules for the things you plan to do. Your entries in masq, rules and interfaces will manage to do what you want

-----Original Message-----
From: sangprabv [mailto:sangprabv@gmail.com]
Sent: Saturday, 6 February 2010 02:11
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem

9.8.7.6 is my partner A IP
5.4.3.2 is my partner B IP

192.168.8.35 is my local server P IP behind firewall
192.168.8.37 is my local server P virtual IP behind firewall

192.168.8.1 is my firewall eth1 IP

1.2.3.1 is my firewall eth0 IP
1.2.3.4 is my firewall eth0:4 virtual IP
1.2.3.5 is my firewall eth0:5 virtual IP

I want connection to 9.8.7.6 port 11008 from server P IP 192.168.8.35 use 1.2.3.4 so I have rules:
ACCEPT loc:192.168.8.35 net:9.8.7.6 tcp 11008 - 1.2.3.4
And nat:
1.2.3.4 eth0 192.168.8.35

I want connection to 5.4.3.2 port 55000 from server P virtual IP 192.168.8.37 use 1.2.3.5 so I have rules:
ACCEPT loc:192.168.8.37 net:.5.4.3.2 tcp 55000 - 1.2.3.5
And nat:
1.2.3.5 eth0 192.168.8.37

I have masq value:
eth0 eth1

On server P I have added route
route add 9.8.7.6. gw 192.168.8.1
route add 5.4.3.2 gw 192.168.8.1

Connection to partner A 9.8.7.6:11008 is OK, I checked TCPDUMP it shows the connection to 9.8.7.6 uses 1.2.3.4
Connection to partner B 5.4.3.2:55000 is FAILED, I checked TCPDUMP it shows the connection to 5.4.3.2 uses 1.2.3.4 instead of 1.2.3.5

sangprabv
sangprabv@gmail.com
net:.5.4.3.2 is just an illustration, it's not the real IP and it's just a typo.
If I disable the nat entry in the nat file, 192.168.8.35 cannot telnet to 9.8.7.6:11008.

sangprabv
sangprabv@gmail.com

On Feb 6, 2010, at 3:18 PM, Michael Weickel - iQom Business Services GmbH wrote:

> What is this? net:.5.4.3.2
> I guess you copy-pasted it? The leading "." should be removed.
> Otherwise the config looks fine, but I think you don't need those nat rules for the
> things you plan to do. Your entries in masq, rules and interfaces will
> manage to do what you want.
>
> -----Original Message-----
> From: sangprabv [mailto:sangprabv@gmail.com]
> Sent: Saturday, 6 February 2010 02:11
> To: Shorewall Users
> Subject: Re: [Shorewall-users] DNAT Problem
>
> 9.8.7.6 is my partner A IP
> 5.4.3.2 is my partner B IP
>
> 192.168.8.35 is my local server P IP behind the firewall
> 192.168.8.37 is my local server P virtual IP behind the firewall
>
> 192.168.8.1 is my firewall eth1 IP
>
> 1.2.3.1 is my firewall eth0 IP
> 1.2.3.4 is my firewall eth0:4 virtual IP
> 1.2.3.5 is my firewall eth0:5 virtual IP
>
> I want the connection to 9.8.7.6 port 11008 from server P IP 192.168.8.35 to use
> 1.2.3.4, so I have rules:
> ACCEPT loc:192.168.8.35 net:9.8.7.6 tcp 11008 - 1.2.3.4
> And nat:
> 1.2.3.4 eth0 192.168.8.35
>
> I want the connection to 5.4.3.2 port 55000 from server P virtual IP
> 192.168.8.37 to use 1.2.3.5, so I have rules:
> ACCEPT loc:192.168.8.37 net:.5.4.3.2 tcp 55000 - 1.2.3.5
> And nat:
> 1.2.3.5 eth0 192.168.8.37
>
> I have masq value:
> eth0 eth1
>
> On server P I have added routes
> route add 9.8.7.6 gw 192.168.8.1
> route add 5.4.3.2 gw 192.168.8.1
>
> Connection to partner A 9.8.7.6:11008 is OK; I checked TCPDUMP and it shows the
> connection to 9.8.7.6 uses 1.2.3.4.
> Connection to partner B 5.4.3.2:55000 FAILS; I checked TCPDUMP and it shows
> the connection to 5.4.3.2 uses 1.2.3.4 instead of 1.2.3.5.
>
> sangprabv
> sangprabv@gmail.com
>
> On Feb 6, 2010, at 1:50 AM, Michael Weickel - iQom Business Services GmbH wrote:
>
>> Please be a bit more precise.
>>
>> You telnet 5.4.3.2 from the local client and you see a telnet to 9.8.7.6 in
>> tcpdump instead of 5.4.3.2? You did it on eth1, right?
>>
>> If this is true, this sounds like you have some wrong DNAT entry similar to
>>
>> DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2
>>
>> This rule would make all requests sent from loc:192.168.8.37 which
>> request a connection to tcp 55000 on IP 5.4.3.2 be sent to 9.8.7.6.
>>
>> -----Original Message-----
>> From: sangprabv [mailto:sangprabv@gmail.com]
>> Sent: Friday, 5 February 2010 19:14
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] DNAT Problem
>>
>> I think I found the reason why the connection always fails. I tried to
>> tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know why
>> this happens?
>>
>> sangprabv
>> sangprabv@gmail.com
>>
>> On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH wrote:
>>
>>> Maybe nothing runs on the requested port on the other side?
>>> I think without a dump it would be hard to manage your problem on the list.
>>>
>>> -----Original Message-----
>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>> Sent: Friday, 5 February 2010 18:42
>>> To: Shorewall Users
>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>
>>> I use Ubuntu and I don't think the mask is mandatory, because if it were
>>> mandatory, then why does telnet to 9.8.7.6 always succeed and not to 5.4.3.2?
>>> It makes me crazy :(
>>>
>>> sangprabv
>>> sangprabv@gmail.com
>>>
>>> On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>
>>>> This looks ok.
>>>>
>>>> I suggest you make a quick try with
>>>>
>>>> (policy file)
>>>>
>>>> loc net ACCEPT
>>>>
>>>> If you still cannot access the internet by telnet, something with your
>>>> routing is wrong or you have conflicts in your policy or rules file.
>>>> To check this I think a shorewall dump is needed. But if this were
>>>> true you should maybe see something in your messages. A tcpdump output could
>>>> help as well.
>>>>
>>>> Routing seems to be ok if you still have
>>>>
>>>> But if this is the kernel route command, I miss the netmask parameter. I don't
>>>> know anything about your distribution, but to add routes there should
>>>> always be a netmask parameter. Try to trace the internet IP
>>>>
>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>
>>>> Cheers
>>>> Mike
>>>>
>>>> -----Original Message-----
>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>> Sent: Friday, 5 February 2010 17:23
>>>> To: Shorewall Users
>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>
>>>> Thanks for the reply, I have this setting in
>>>> /etc/shorewall/masq:
>>>> eth0 eth1
>>>>
>>>> eth0 is the public IP, while eth1 is the private network.
>>>>
>>>> I have tried your solution but it doesn't work either.
>>>>
>>>> sangprabv
>>>> sangprabv@gmail.com
>>>>
>>>> On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>
>>>>> If you want to let your local machines access the internet by telnet, then
>>>>> DNAT is the wrong choice. DNAT is for access from the internet to local
>>>>> machines.
>>>>>
>>>>> You should try something like (rules file)
>>>>>
>>>>> ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000
>>>>>
>>>>> If you have policy
>>>>>
>>>>> ACCEPT loc net
>>>>>
>>>>> the rule will be useless.
>>>>>
>>>>> If your first client can but your second can't access, I guess you already
>>>>> have some rules or policies allowing this.
>>>>>
>>>>> In this case I suggest you double-check your masq file, whether you only masq
>>>>> 192.168.8.35 or the whole network, e.g. 192.168.8.0/24?
>>>>>
>>>>> Cheers
>>>>> Mike
>>>>>
>>>>> -----Original Message-----
>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>> Sent: Friday, 5 February 2010 09:28
>>>>> To: Shorewall Users
>>>>> Subject: [Shorewall-users] DNAT Problem
>>>>>
>>>>> Hi,
>>>>> I have a client behind shorewall which has 2 IPs:
>>>>> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
>>>>> I have added DNAT rules into shorewall:
>>>>> DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
>>>>> DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5
>>>>>
>>>>> 1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side.
>>>>>
>>>>> I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008, and it can
>>>>> connect OK.
>>>>> And I also want 192.168.8.37 to be able to reach my partner IP 5.4.3.2:55000, and this
>>>>> one FAILS.
>>>>> If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 at the firewall it is OK.
>>>>>
>>>>> I have manually added
>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>> Both added to the client routing table. What's wrong with my configuration?
>>>>> Many thanks for your help.
>>>>>
>>>>> sangprabv
>>>>> sangprabv@gmail.com
Again, you don't need the nat to make your target work.

Throw away your config as outlined and do it like this.

/etc/shorewall/masq (order of lines is quite important)

eth0 192.168.8.35 1.2.3.4 tcp 11008
eth0 192.168.8.37 1.2.3.5 tcp 55000
eth0 eth1

or

eth0:9.8.7.6 192.168.8.35 1.2.3.4 tcp 11008
eth0:5.4.3.2 192.168.8.37 1.2.3.5 tcp 55000
eth0 eth1

Both masq variants will work; it depends on what you want to have. The first example will
always map telnet to 1.2.3.4 or 1.2.3.5 if you telnet to the given ports,
whereas the second example will only do so if you telnet to 9.8.7.6 or 5.4.3.2.

/etc/shorewall/rules

ACCEPT loc:192.168.8.35 net:9.8.7.6
ACCEPT loc:192.168.8.37 net:5.4.3.2

Your client routing should be kept.

> route add 9.8.7.6 gw 192.168.8.1
> route add 5.4.3.2 gw 192.168.8.1

You don't need your outlined nat entry, you don't need your outlined rules
entry. Take mine.

-----Original Message-----
From: sangprabv [mailto:sangprabv@gmail.com]
Sent: Saturday, 6 February 2010 10:49
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem

net:.5.4.3.2 is just an illustration, it's not the real IP and it's just a typo.
If I disable the nat entry in the nat file, 192.168.8.35 cannot telnet to 9.8.7.6:11008.

sangprabv
sangprabv@gmail.com
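Added illustration, not part of the thread and not Shorewall's own code: the masq suggestion above works only because Shorewall writes the masq lines into the nat POSTROUTING chain in file order, and the first line that matches a packet decides the source address it leaves with. The script below models that evaluation for the column layout used above (INTERFACE[:DEST] SOURCE ADDRESS PROTO PORT) and runs the two connections from the thread against Michael's destination-qualified variant and against the same three lines with the catch-all "eth0 eth1" placed first. The topology is taken from the thread (eth1 fronts 192.168.8.0/24, eth0's primary address is 1.2.3.1). Two simplifications are assumptions of this model: a SOURCE column naming an interface is resolved to the network behind it by a hard-coded lookup, where Shorewall reads it from the routing table, and a line without ADDRESS is treated as MASQUERADE to the interface's primary address.

```python
# Added example: first-match evaluation of a Shorewall masq file.
# Not Shorewall code; a model of the column layout and ordering used in the
# thread, with the thread's addresses as constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed topology from the thread: eth1 fronts 192.168.8.0/24,
# eth0's primary (MASQUERADE) address is 1.2.3.1.  (Assumed lookup tables;
# real Shorewall derives the eth1 networks from the routing table.)
NETS_BEHIND_IFACE: Dict[str, List[IPv4Net]] = {"eth1": [IPv4Net("192.168.8.0/24")]}
PRIMARY_ADDR: Dict[str, str] = {"eth0": "1.2.3.1"}


@dataclass(frozen=True)
class MasqLine:
    out_iface: str               # INTERFACE column without any ":dest" qualifier
    dest: Optional[IPv4Net]      # ":dest" qualifier (eth0:5.4.3.2); None = any
    source: IPv4Net              # SOURCE column resolved to a network
    address: Optional[str]       # ADDRESS column: SNAT target; None = MASQUERADE
    proto: Optional[str]         # PROTO column
    port: Optional[int]          # PORT(S) column; single port only in this model


def parse_masq(text: str) -> List[MasqLine]:
    """Parse 'INTERFACE[:DEST] SOURCE [ADDRESS [PROTO [PORT]]]' lines, keeping file order."""
    lines: List[MasqLine] = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        cols = body.split()
        cols += ["-"] * (5 - len(cols))            # pad missing optional columns
        iface, _, dest = cols[0].partition(":")
        dest_net = IPv4Net(dest, strict=False) if dest else None
        address = None if cols[2] == "-" else cols[2]
        proto = None if cols[3] == "-" else cols[3].lower()
        port = None if cols[4] == "-" else int(cols[4])
        # A SOURCE naming an interface means "everything routed behind it".
        sources = NETS_BEHIND_IFACE.get(cols[1]) or [IPv4Net(cols[1], strict=False)]
        for src in sources:
            lines.append(MasqLine(iface, dest_net, src, address, proto, port))
    return lines


def egress_source(masq: List[MasqLine], out_iface: str, src: str, dst: str,
                  proto: str, dport: int) -> str:
    """Return the source address a connection leaves with: the first matching line wins."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in masq:
        if line.out_iface != out_iface or src_ip not in line.source:
            continue
        if line.dest is not None and dst_ip not in line.dest:
            continue
        if line.proto is not None and line.proto != proto:
            continue
        if line.port is not None and line.port != dport:
            continue
        return line.address or PRIMARY_ADDR[out_iface]   # SNAT vs MASQUERADE
    return src   # no masq line matched: the private address leaves unchanged


# Michael's destination-qualified variant, specific lines before the catch-all.
MASQ_SPECIFIC_FIRST = """\
eth0:9.8.7.6  192.168.8.35  1.2.3.4  tcp  11008
eth0:5.4.3.2  192.168.8.37  1.2.3.5  tcp  55000
eth0          eth1
"""

# The same three lines with the catch-all first: the specific lines never match.
MASQ_CATCHALL_FIRST = """\
eth0          eth1
eth0:9.8.7.6  192.168.8.35  1.2.3.4  tcp  11008
eth0:5.4.3.2  192.168.8.37  1.2.3.5  tcp  55000
"""


def demo() -> Dict[str, str]:
    """The two flows from the thread plus one that should fall through to the catch-all."""
    good, bad = parse_masq(MASQ_SPECIFIC_FIRST), parse_masq(MASQ_CATCHALL_FIRST)
    flows = {
        "A: .35 -> 9.8.7.6:11008": ("192.168.8.35", "9.8.7.6", 11008),
        "B: .37 -> 5.4.3.2:55000": ("192.168.8.37", "5.4.3.2", 55000),
        "C: .35 -> 5.4.3.2:55000": ("192.168.8.35", "5.4.3.2", 55000),
    }
    out: Dict[str, str] = {}
    for name, (s, d, p) in flows.items():
        out[name] = "%s / %s" % (egress_source(good, "eth0", s, d, "tcp", p),
                                 egress_source(bad, "eth0", s, d, "tcp", p))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "-> specific-first / catch-all-first:", result)
```

With the catch-all first, every flow leaves eth0 as 1.2.3.1 and the two specific lines are dead rules, which is what the ordering remark above is about. The model also assumes the packet reaches the firewall with source 192.168.8.37; no masq line can pick 1.2.3.5 otherwise. An application on server P that does not bind to the alias address (the way the telnet -b test on the firewall did) will normally send from the primary address 192.168.8.35, so the source address seen by tcpdump on eth1 is the first thing to check when a per-host masq line never fires.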
I have tried your suggestion but now if I do tcpdump, the connection from 192.168.8.37 to 5.4.3.2:55000 is read from 192.168.8.1 (the firewall IP)

sangprabv
sangprabv@gmail.com

On Feb 6, 2010, at 5:03 PM, Michael Weickel - iQom Business Services GmbH wrote:

> Again, you don't need the nat to make your target work.
>
> Throw away your config as outlined and do it like this.
>
> /etc/shorewall/masq (order of lines is quite important)
>
> eth0 192.168.8.35 1.2.3.4 tcp 11008
> eth0 192.168.8.37 1.2.3.5 tcp 55000
> eth0 eth1
>
> or
>
> eth0:9.8.7.6 192.168.8.35 1.2.3.4 tcp 11008
> eth0:5.4.3.2 192.168.8.37 1.2.3.5 tcp 55000
> eth0 eth1
>
> Both masq will work, it depends what you want to have. First example will always map telnet to 1.2.3.4 or 1.2.3.5 if you telnet to the given ports, where second example will only do so if you telnet to 9.8.7.6 or 5.4.3.2
>
> /etc/shorewall/rules
>
> ACCEPT loc:192.168.8.35 net:9.8.7.6
> ACCEPT loc:192.168.8.37 net:5.4.3.2
>
> Your client routing should be kept.
>
>> route add 9.8.7.6. gw 192.168.8.1
>> route add 5.4.3.2 gw 192.168.8.1
>
> You don't need your outlined nat entry, you don't need your outlined rules entry. Take mine.
>
> -----Original Message-----
> From: sangprabv [mailto:sangprabv@gmail.com]
> Sent: Saturday, 6 February 2010 10:49
> To: Shorewall Users
> Subject: Re: [Shorewall-users] DNAT Problem
>
> net:.5.4.3.2 is just an illustration, it's not the real IP and it's just a typo.
> If I disable the nat entry in nat file 192.168.8.35 can not telnet to 9.8.7.6:11008
>
> sangprabv
> sangprabv@gmail.com
>
> On Feb 6, 2010, at 3:18 PM, Michael Weickel - iQom Business Services GmbH wrote:
>
>> What is this? net:.5.4.3.2
>> I guess you copy pasted it? The leading "." should be removed
>> Else config looks fine but I think you don't need those nat rules for the things you plan to do. Your entries in masq, rules and interfaces will manage to do what you want
>>
>> -----Original Message-----
>> From: sangprabv [mailto:sangprabv@gmail.com]
>> Sent: Saturday, 6 February 2010 02:11
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] DNAT Problem
>>
>> 9.8.7.6 is my partner A IP
>> 5.4.3.2 is my partner B IP
>>
>> 192.168.8.35 is my local server P IP behind firewall
>> 192.168.8.37 is my local server P virtual IP behind firewall
>>
>> 192.168.8.1 is my firewall eth1 IP
>>
>> 1.2.3.1 is my firewall eth0 IP
>> 1.2.3.4 is my firewall eth0:4 virtual IP
>> 1.2.3.5 is my firewall eth0:5 virtual IP
>>
>> I want connection to 9.8.7.6 port 11008 from server P IP 192.168.8.35 to use 1.2.3.4 so I have rules:
>> ACCEPT loc:192.168.8.35 net:9.8.7.6 tcp 11008 - 1.2.3.4
>> And nat:
>> 1.2.3.4 eth0 192.168.8.35
>>
>> I want connection to 5.4.3.2 port 55000 from server P virtual IP 192.168.8.37 to use 1.2.3.5 so I have rules:
>> ACCEPT loc:192.168.8.37 net:.5.4.3.2 tcp 55000 - 1.2.3.5
>> And nat:
>> 1.2.3.5 eth0 192.168.8.37
>>
>> I have masq value:
>> eth0 eth1
>>
>> On server P I have added route
>> route add 9.8.7.6. gw 192.168.8.1
>> route add 5.4.3.2 gw 192.168.8.1
>>
>> Connection to partner A 9.8.7.6:11008 is OK, I checked TCPDUMP and it shows the connection to 9.8.7.6 uses 1.2.3.4
>> Connection to partner B 5.4.3.2:55000 FAILED, I checked TCPDUMP and it shows the connection to 5.4.3.2 uses 1.2.3.4 instead of 1.2.3.5
>>
>> sangprabv
>> sangprabv@gmail.com
>>
>> On Feb 6, 2010, at 1:50 AM, Michael Weickel - iQom Business Services GmbH wrote:
>>
>>> Please be a bit more precise.
>>>
>>> You telnet 5.4.3.2 from local client and you see a telnet to 9.8.7.6 in tcpdump instead of 5.4.3.2? You did it on eth1, right?
>>>
>>> If this is true this sounds like you have some wrong DNAT entry similar to
>>>
>>> DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2
>>>
>>> This rule would make all requests sent from loc:192.168.8.37 which request a connection to tcp 55000 on ip 5.4.3.2 be sent to 9.8.7.6
>>>
>>> -----Original Message-----
>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>> Sent: Friday, 5 February 2010 19:14
>>> To: Shorewall Users
>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>
>>> I think I found the reason why the connection always failed. I tried tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know why this happens?
>>>
>>> sangprabv
>>> sangprabv@gmail.com
>>>
>>> On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH wrote:
>>>
>>>> Maybe nothing runs on the requested port on the other side?
>>>> I think without a dump it would be hard to manage your problem by the list.
>>>>
>>>> -----Original Message-----
>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>> Sent: Friday, 5 February 2010 18:42
>>>> To: Shorewall Users
>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>
>>>> I use Ubuntu and I don't think mask is mandatory because if it is mandatory then why does telnet to 9.8.7.6 always succeed and not to 5.4.3.2. It makes me crazy :(
>>>>
>>>> sangprabv
>>>> sangprabv@gmail.com
>>>>
>>>> On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>
>>>>> This looks ok.
>>>>>
>>>>> I suggest you make a quick try with
>>>>>
>>>>> (policy file)
>>>>>
>>>>> loc net ACCEPT
>>>>>
>>>>> If you still cannot access the internet by telnet something with your routing is wrong or you have conflicts in your policy or rules file. To check this I think a shorewall dump is needed. But if this would be true you should maybe see something in your messages. A tcpdump output could help as well.
>>>>>
>>>>> Routing seems to be ok if you still have
>>>>>
>>>>> But if this is the kernel route command I miss the netmask parameter. I don't know anything about your distribution but to add routes there should always be a netmask parameter. Try to trace the internet ip
>>>>>
>>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>>
>>>>> Cheers
>>>>> Mike
>>>>>
>>>>> -----Original Message-----
>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>> Sent: Friday, 5 February 2010 17:23
>>>>> To: Shorewall Users
>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>
>>>>> Thanks for the reply, I have this setting in /etc/shorewall/masq:
>>>>> eth0 eth1
>>>>>
>>>>> eth0 is the public IP, while eth1 is the private network
>>>>>
>>>>> I have tried your solution but it doesn't work either.
>>>>>
>>>>> sangprabv
>>>>> sangprabv@gmail.com
>>>>>
>>>>> On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>>
>>>>>> If you want to let your local machines access the internet by telnet then DNAT is the wrong choice. DNAT is for access from internet to local machines.
>>>>>>
>>>>>> You should try something like (rules file)
>>>>>>
>>>>>> ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000
>>>>>>
>>>>>> If you have policy
>>>>>>
>>>>>> ACCEPT loc net
>>>>>>
>>>>>> The rule will be useless.
>>>>>>
>>>>>> If your first client can but your second can't access, I guess you already have some rules or policies allowing this.
>>>>>>
>>>>>> In this case I suggest to double-check your masq file whether you only masq 192.168.8.35 or the whole network e.g. 192.168.8.0/24?
>>>>>>
>>>>>> Cheers
>>>>>> Mike
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>>> Sent: Friday, 5 February 2010 09:28
>>>>>> To: Shorewall Users
>>>>>> Subject: [Shorewall-users] DNAT Problem
>>>>>>
>>>>>> Hi,
>>>>>> I have a client behind shorewall which has 2 IP:
>>>>>> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
>>>>>> I have added DNAT rules into shorewall:
>>>>>> DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
>>>>>> DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5
>>>>>>
>>>>>> 1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side
>>>>>>
>>>>>> I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008 and it can connect OK.
>>>>>> And I want also 192.168.8.37 to be able to reach my partner IP 5.4.3.2:55000 and this one FAILS.
>>>>>> If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 at the firewall it is OK.
>>>>>>
>>>>>> I have manually added
>>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>>> Both added to the client routing table. What's wrong with my configuration?
>>>>>> Many thanks for help.
>>>>>>
>>>>>> sangprabv
>>>>>> sangprabv@gmail.com
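Michael's point that the order of masq lines matters, and his distinction between an interface-only match (eth0 ...) and a destination match (eth0:9.8.7.6 ...), can be checked against a small model. The following is an added example written for this page, not code from the thread or from Shorewall. It models the first-match evaluation Shorewall's generated POSTROUTING SNAT/MASQUERADE rules perform, using the three masq variants discussed (specific lines first, destination-specific lines, and the catch-all "eth0 eth1" placed first). Assumptions: 1.2.3.1 (the eth0 address given in the thread) is what the catch-all line masquerades to, the column layout is the simplified INTERFACE[:DEST] SOURCE ADDRESS PROTO PORT form used in the thread, and a telnet from server P without -b is modelled as leaving with its primary address 192.168.8.35.

```python
"""Model of first-match evaluation for Shorewall /etc/shorewall/masq lines.

Added example, not code from the thread or from Shorewall. Each masq line
becomes one POSTROUTING rule in file order; the first rule that matches a
packet decides its outgoing source address. The matching logic below is a
simplified model written for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption from the thread: 1.2.3.1 is the firewall's primary eth0 address,
# which is what a line without an ADDRESS column (plain MASQUERADE) uses.
PRIMARY_ADDRESS = {"eth0": "1.2.3.1"}


@dataclass(frozen=True)
class MasqEntry:
    interface: str          # outgoing interface, e.g. "eth0"
    dest: Optional[str]     # optional destination filter from "eth0:9.8.7.6"
    source: str             # incoming interface name, or an IP / CIDR
    address: Optional[str]  # SNAT address; None means MASQUERADE
    proto: Optional[str]    # protocol filter, e.g. "tcp"
    port: Optional[int]     # destination port filter


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_masq(text: str) -> List[MasqEntry]:
    """Parse masq lines in the thread's layout; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        iface, _, dest = f[0].partition(":")
        address = f[2] if len(f) > 2 and f[2] != "-" else None
        proto = f[3] if len(f) > 3 and f[3] != "-" else None
        port = int(f[4]) if len(f) > 4 and f[4] != "-" else None
        entries.append(MasqEntry(iface, dest or None, f[1], address, proto, port))
    return entries


def _in_net(addr: str, spec: str) -> bool:
    """True if addr falls inside spec (an IP or CIDR); False for interface names."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False


def snat_address(entries: List[MasqEntry], pkt: Packet) -> Optional[str]:
    """Return the source address pkt leaves with, or None if no line matches."""
    for e in entries:
        if e.interface != pkt.out_iface:
            continue
        if e.dest and not _in_net(pkt.dst, e.dest):
            continue
        if e.source != pkt.in_iface and not _in_net(pkt.src, e.source):
            continue
        if e.proto and e.proto != pkt.proto:
            continue
        if e.port is not None and e.port != pkt.dport:
            continue
        return e.address or PRIMARY_ADDRESS[pkt.out_iface]  # first match wins
    return None


# The two masq variants suggested in the thread, plus the catch-all placed first.
SPECIFIC_FIRST = """
eth0 192.168.8.35 1.2.3.4 tcp 11008
eth0 192.168.8.37 1.2.3.5 tcp 55000
eth0 eth1
"""
DEST_SPECIFIC = """
eth0:9.8.7.6 192.168.8.35 1.2.3.4 tcp 11008
eth0:5.4.3.2 192.168.8.37 1.2.3.5 tcp 55000
eth0 eth1
"""
CATCH_ALL_FIRST = """
eth0 eth1
eth0 192.168.8.35 1.2.3.4 tcp 11008
eth0 192.168.8.37 1.2.3.5 tcp 55000
"""


def outbound(src: str, dst: str, dport: int) -> Packet:
    """A TCP packet from server P (arriving on eth1) leaving through eth0."""
    return Packet("eth1", "eth0", src, dst, "tcp", dport)


if __name__ == "__main__":
    cases = [
        ("specific first, telnet -b .37", SPECIFIC_FIRST, outbound("192.168.8.37", "5.4.3.2", 55000)),
        ("specific first, telnet without -b", SPECIFIC_FIRST, outbound("192.168.8.35", "5.4.3.2", 55000)),
        ("catch-all first, telnet -b .37", CATCH_ALL_FIRST, outbound("192.168.8.37", "5.4.3.2", 55000)),
        ("dest-specific, .37 to another host", DEST_SPECIFIC, outbound("192.168.8.37", "9.8.7.6", 55000)),
    ]
    for name, cfg, pkt in cases:
        print(f"{name}: leaves as {snat_address(parse_masq(cfg), pkt)}")
```

Running it shows the two failure modes the thread circles around: with the catch-all line first, every connection leaves as 1.2.3.1 regardless of the specific lines below it, and a telnet that is not bound to 192.168.8.37 never reaches the 1.2.3.5 line because its source is 192.168.8.35. The destination-specific variant only rewrites to 1.2.3.5 when the target is 5.4.3.2, which is the difference Michael describes between his two suggestions.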
Did you do

telnet -b 192.168.8.37 5.4.3.2 55000

or

telnet 5.4.3.2 55000 (which of course won't do what you want!)

from your local client P?

-----Original Message-----
From: sangprabv [mailto:sangprabv@gmail.com]
Sent: Saturday, 6 February 2010 11:50
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem

I have tried your suggestion but now if I do tcpdump, the connection from 192.168.8.37 to 5.4.3.2:55000 is read from 192.168.8.1 (the firewall IP)

sangprabv
sangprabv@gmail.com

On Feb 6, 2010, at 5:03 PM, Michael Weickel - iQom Business Services GmbH wrote:

> [...]
Yes sure I did it, I think there is something else causing this problem. I will look over it and let you updated. Many thanks MW :)

sangprabv
sangprabv@gmail.com

On Feb 6, 2010, at 6:11 PM, Michael Weickel - iQom Business Services GmbH wrote:

> Did you do
>
> telnet -b 192.168.8.37 5.4.3.2 55000
>
> or
>
> telnet 5.4.3.2 55000 (what of course won't do what you want!)
>
> from your local client P?
>
> -----Original Message-----
> From: sangprabv [mailto:sangprabv@gmail.com]
> Sent: Saturday, 6 February 2010 11:50
> To: Shorewall Users
> Subject: Re: [Shorewall-users] DNAT Problem
>
> I have tried your suggestion but now if I do tcpdump, the connection from
> 192.168.8.37 to 5.4.3.2:55000 is read from 192.168.8.1 (the firewall IP)
>
> sangprabv
> sangprabv@gmail.com
>
> On Feb 6, 2010, at 5:03 PM, Michael Weickel - iQom Business Services GmbH wrote:
>
>> Again, you don't need the nat to make your target work.
>>
>> Throw away your config as outlined and do it like this.
>>
>> /etc/shorewall/masq (order of lines is quite important)
>>
>> eth0          192.168.8.35    1.2.3.4    tcp    11008
>> eth0          192.168.8.37    1.2.3.5    tcp    55000
>> eth0          eth1
>>
>> or
>>
>> eth0:9.8.7.6  192.168.8.35    1.2.3.4    tcp    11008
>> eth0:5.4.3.2  192.168.8.37    1.2.3.5    tcp    55000
>> eth0          eth1
>>
>> Both masq will work, it depends what you want to have. First example will
>> always map telnet to 1.2.3.4 or 1.2.3.5 if you telnet to the given ports
>> where second example will only do if you telnet to 9.8.7.6 or 5.4.3.2
>>
>> /etc/shorewall/rules
>>
>> ACCEPT    loc:192.168.8.35    net:9.8.7.6
>> ACCEPT    loc:192.168.8.37    net:5.4.3.2
>>
>> Your client routing should be kept.
>>
>>> route add 9.8.7.6 gw 192.168.8.1
>>> route add 5.4.3.2 gw 192.168.8.1
>>
>> You don't need your outlined nat entry, you don't need your outlined rules
>> entry. Take mine.
>>
>> -----Original Message-----
>> From: sangprabv [mailto:sangprabv@gmail.com]
>> Sent: Saturday, 6 February 2010 10:49
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] DNAT Problem
>>
>> net:.5.4.3.2 just an illustration, it's not the real IP and it's just a
>> typo.
>> If I disable the nat entry in nat file 192.168.8.35 can not telnet to
>> 9.8.7.6:11008
>>
>> sangprabv
>> sangprabv@gmail.com
>>
>> On Feb 6, 2010, at 3:18 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>
>>> What is this? net:.5.4.3.2
>>> I guess you copy pasted it? The leading "." should be removed
>>> Else config looks fine but I think you don't need that nat rules for the
>>> things you plan to do. Your entries in masq, rules and interfaces will
>>> manage to do what you want
>>>
>>> -----Original Message-----
>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>> Sent: Saturday, 6 February 2010 02:11
>>> To: Shorewall Users
>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>
>>> 9.8.7.6 is my partner A IP
>>> 5.4.3.2 is my partner B IP
>>>
>>> 192.168.8.35 is my local server P IP behind firewall
>>> 192.168.8.37 is my local server P virtual IP behind firewall
>>>
>>> 192.168.8.1 is my firewall eth1 IP
>>>
>>> 1.2.3.1 is my firewall eth0 IP
>>> 1.2.3.4 is my firewall eth0:4 virtual IP
>>> 1.2.3.5 is my firewall eth0:5 virtual IP
>>>
>>> I want connection to 9.8.7.6 port 11008 from server P IP 192.168.8.35 use
>>> 1.2.3.4 so I have rules:
>>> ACCEPT    loc:192.168.8.35    net:9.8.7.6    tcp    11008    -    1.2.3.4
>>> And nat:
>>> 1.2.3.4    eth0    192.168.8.35
>>>
>>> I want connection to 5.4.3.2 port 55000 from server P virtual IP
>>> 192.168.8.37 use 1.2.3.5 so I have rules:
>>> ACCEPT    loc:192.168.8.37    net:.5.4.3.2    tcp    55000    -    1.2.3.5
>>> And nat:
>>> 1.2.3.5    eth0    192.168.8.37
>>>
>>> I have masq value:
>>> eth0    eth1
>>>
>>> On server P I have added route
>>> route add 9.8.7.6 gw 192.168.8.1
>>> route add 5.4.3.2 gw 192.168.8.1
>>>
>>> Connection to partner A 9.8.7.6:11008 is OK, I checked TCPDUMP it shows the
>>> connection to 9.8.7.6 uses 1.2.3.4
>>> Connection to partner B 5.4.3.2:55000 is FAILED, I checked TCPDUMP it shows
>>> the connection to 5.4.3.2 uses 1.2.3.4 instead of 1.2.3.5
>>>
>>> sangprabv
>>> sangprabv@gmail.com
>>>
>>> On Feb 6, 2010, at 1:50 AM, Michael Weickel - iQom Business Services GmbH wrote:
>>>
>>>> Please be a bit more precise.
>>>>
>>>> You telnet 5.4.3.2 from local client and you see a telnet to 9.8.7.6 in
>>>> tcpdump instead of 5.4.3.2? You did it on eth1, right?
>>>>
>>>> If this is true this sounds like you have some wrong DNAT entry similar to
>>>>
>>>> DNAT    loc:192.168.8.37    net:9.8.7.6    tcp    55000    -    5.4.3.2
>>>>
>>>> This rule would mean that all requests sent from loc:192.168.8.37 which
>>>> request a connection to tcp 55000 on ip 5.4.3.2 are sent to 9.8.7.6
>>>>
>>>> -----Original Message-----
>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>> Sent: Friday, 5 February 2010 19:14
>>>> To: Shorewall Users
>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>
>>>> I think I found the reason why connection is always failed. I tried to
>>>> tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know why
>>>> this happen?
>>>>
>>>> sangprabv
>>>> sangprabv@gmail.com
>>>>
>>>> On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>
>>>>> Maybe nothing runs on the requested port on the other side?
>>>>> I think without a dump it would be hard to manage your problem by the list.
>>>>>
>>>>> -----Original Message-----
>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>> Sent: Friday, 5 February 2010 18:42
>>>>> To: Shorewall Users
>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>
>>>>> I use Ubuntu and I don't think mask is mandatory because if it is mandatory
>>>>> then why telnet to 9.8.7.6 always success and not with 5.4.3.2. It makes me
>>>>> crazy :(
>>>>>
>>>>> sangprabv
>>>>> sangprabv@gmail.com
>>>>>
>>>>> On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>>
>>>>>> This looks ok.
>>>>>>
>>>>>> I suggest you make a quick try with
>>>>>>
>>>>>> (policy file)
>>>>>>
>>>>>> loc    net    ACCEPT
>>>>>>
>>>>>> If you still cannot access to the internet by telnet something with your
>>>>>> routing is wrong or you have conflicts in your policy or rules file.
>>>>>> To check this I think a shorewall dump is needed. But if this would be true
>>>>>> you should maybe see something in your messages. A tcpdump output could help
>>>>>> as well.
>>>>>>
>>>>>> Routing seems to be ok if you still have
>>>>>>
>>>>>> But if this is kernel route command I miss the netmask parameter. I don't
>>>>>> know anything about your distribution but to add routes there should be
>>>>>> always a netmask parameter. Try to trace the internet ip
>>>>>>
>>>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>>>
>>>>>> Cheers
>>>>>> Mike
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>>> Sent: Friday, 5 February 2010 17:23
>>>>>> To: Shorewall Users
>>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>>
>>>>>> Thanks for the reply, I have this setting in
>>>>>> /etc/shorewall/masq:
>>>>>> eth0    eth1
>>>>>>
>>>>>> eth0 is the public IP, while eth1 is the private network
>>>>>>
>>>>>> I have tried your solution but it doesn't work as well.
>>>>>>
>>>>>> sangprabv
>>>>>> sangprabv@gmail.com
>>>>>>
>>>>>> On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>>>
>>>>>>> If you want to let your local machines access the internet by telnet then
>>>>>>> DNAT is the wrong choice. DNAT is for access from internet to local
>>>>>>> machines.
>>>>>>>
>>>>>>> You should try something like (rules file)
>>>>>>>
>>>>>>> ACCEPT    loc:192.168.8.37    net:5.4.3.2    tcp    55000
>>>>>>>
>>>>>>> If you have policy
>>>>>>>
>>>>>>> ACCEPT    loc    net
>>>>>>>
>>>>>>> The rule will be useless.
>>>>>>>
>>>>>>> If your first client can but your second can't access, I guess you already
>>>>>>> have some rules or policies allowing this.
>>>>>>>
>>>>>>> In this case I suggest to double-check your masq file whether you only masq
>>>>>>> 192.168.8.35 or the whole network e.g. 192.168.8.0/24?
>>>>>>>
>>>>>>> Cheers
>>>>>>> Mike
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>>>> Sent: Friday, 5 February 2010 09:28
>>>>>>> To: Shorewall Users
>>>>>>> Subject: [Shorewall-users] DNAT Problem
>>>>>>>
>>>>>>> Hi,
>>>>>>> I have a client behind shorewall which has 2 IP:
>>>>>>> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
>>>>>>> I have added DNAT rules into shorewall:
>>>>>>> DNAT    net    loc:192.168.8.35    tcp    11008    -    1.2.3.4
>>>>>>> DNAT    net    loc:192.168.8.37    tcp    55000    -    1.2.3.5
>>>>>>>
>>>>>>> 1.2.3.4 and 1.2.3.5 is virtual IP on firewall side
>>>>>>>
>>>>>>> I want 192.168.8.35 able to telnet to my partner IP 9.8.7.6:11008 and it
>>>>>>> can connect OK.
>>>>>>> And I want also 192.168.8.37 able to my partner IP 5.4.3.2:55000 and this
>>>>>>> one FAIL.
>>>>>>> If i try telnet my.partner.ip.add:55000 -b 1.2.3.5 at firewall it is OK.
>>>>>>>
>>>>>>> I have manually added
>>>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>>>> Both added to the client routing table. What's wrong with my
>>>>>>> configuration?
>>>>>>> Many thanks for help.
>>>>>>>
>>>>>>> sangprabv
>>>>>>> sangprabv@gmail.com
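The masq ordering Mike describes in the message quoted above (first matching line wins, so the catch-all "eth0 eth1" must come last, and the port-only variant maps by port regardless of destination) as an added example that is not part of the thread and not Shorewall's own code: a small Python first-match simulator run over his two masq variants and a wrongly ordered one. The eth0 address 1.2.3.1 and the LAN/partner addresses come from sangprabv's messages; the Packet record, the helper names (parse_masq, snat_address, egress) and the treatment of an interface name in SOURCE as "arrived on that interface" are simplifying assumptions of this example.

```python
"""Added example, not Shorewall code: first-match simulator for the
/etc/shorewall/masq lines discussed in the thread.

Models the columns INTERFACE[:DEST] SOURCE ADDRESS PROTO PORT and the
iptables POSTROUTING semantics they compile to: the first matching line
decides the source address a packet leaves with. Exclusions, address
ranges, the nat file and Shorewall's route-based expansion of interface
sources are not modelled (simplifying assumptions).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class MasqLine:
    interface: str           # outgoing interface, e.g. eth0
    dest: Optional[str]      # optional destination restriction (eth0:5.4.3.2)
    source: str              # interface name or host/network behind the firewall
    address: Optional[str]   # fixed SNAT address, or None for MASQUERADE
    proto: Optional[str]
    port: Optional[int]

@dataclass(frozen=True)
class Packet:                # hypothetical packet record used by the simulator
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str
    dport: int

def _col(cols, i):
    """Column i, or None when it is absent or the '-' placeholder."""
    return cols[i] if len(cols) > i and cols[i] != "-" else None

def parse_masq(text: str):
    """Parse masq-file text into MasqLine records, keeping file order."""
    lines = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        cols = body.split()
        iface, _, dest = cols[0].partition(":")
        port = _col(cols, 4)
        lines.append(MasqLine(iface, dest or None, cols[1], _col(cols, 2),
                              _col(cols, 3), int(port) if port else None))
    return lines

def _source_matches(line: MasqLine, pkt: Packet) -> bool:
    # Assumption: an interface name in SOURCE means "arrived on that
    # interface"; anything else is a host or network address.
    if line.source[0].isalpha():
        return pkt.in_iface == line.source
    return ip_address(pkt.src) in ip_network(line.source, strict=False)

def matches(line: MasqLine, pkt: Packet) -> bool:
    """True when every column of the masq line applies to the packet."""
    if line.interface != pkt.out_iface or not _source_matches(line, pkt):
        return False
    if line.dest and ip_address(pkt.dst) not in ip_network(line.dest, strict=False):
        return False
    if line.proto and line.proto != pkt.proto:
        return False
    return line.port is None or line.port == pkt.dport

def snat_address(lines, pkt: Packet, iface_addr: dict) -> Optional[str]:
    """Source address the packet leaves with; None if no line SNATs it."""
    for line in lines:
        if matches(line, pkt):
            return line.address or iface_addr[pkt.out_iface]
    return None

# From the thread: eth0 carries 1.2.3.1 (plus the 1.2.3.4/1.2.3.5 aliases),
# eth1 is the LAN side. The three configs are constructed for this example.
IFACE_ADDR = {"eth0": "1.2.3.1"}

BY_PORT = """
eth0  192.168.8.35  1.2.3.4  tcp  11008
eth0  192.168.8.37  1.2.3.5  tcp  55000
eth0  eth1
"""
BY_DEST = """
eth0:9.8.7.6  192.168.8.35  1.2.3.4  tcp  11008
eth0:5.4.3.2  192.168.8.37  1.2.3.5  tcp  55000
eth0  eth1
"""
# Same lines with the catch-all first: the specific lines are never reached.
WRONG_ORDER = """
eth0  eth1
eth0  192.168.8.35  1.2.3.4  tcp  11008
eth0  192.168.8.37  1.2.3.5  tcp  55000
"""

def egress(cfg: str, src: str, dst: str, dport: int) -> Optional[str]:
    """Address a TCP connection from LAN host src to dst:dport leaves with."""
    pkt = Packet("eth1", "eth0", src, dst, "tcp", dport)
    return snat_address(parse_masq(cfg), pkt, IFACE_ADDR)

if __name__ == "__main__":
    for name, cfg in (("by port", BY_PORT), ("by dest", BY_DEST), ("wrong order", WRONG_ORDER)):
        print(f"{name}: .37->5.4.3.2:55000 leaves as",
              egress(cfg, "192.168.8.37", "5.4.3.2", 55000),
              "| .35->5.4.3.2:11008 leaves as",
              egress(cfg, "192.168.8.35", "5.4.3.2", 11008))
```

With the port-only variant a connection from 192.168.8.35 to 5.4.3.2:11008 still leaves as 1.2.3.4, with the destination-qualified variant it falls through to the catch-all and leaves as 1.2.3.1, and with the catch-all listed first every connection leaves as 1.2.3.1.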
I think if you send a dump, shorewall developers can help you with this. My last idea would be to put the config lines at the top of each file to ensure that you don't have conflicts in your file hierarchy. Since we don't know too much about your routing, it could be located there as well.

Cheers
Mike

-----Original Message-----
From: sangprabv [mailto:sangprabv@gmail.com]
Sent: Saturday, 6 February 2010 12:57
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem

Yes sure I did it, I think there is something else causing this problem. I will look over it and let you updated. Many thanks MW :)

sangprabv
sangprabv@gmail.com
Just got to the root of the problem. Somebody played with IPTABLES manually on the client side. I just flushed it and it can connect now. Hopefully it's OK now. Many thanks for your replies MW.

sangprabv
sangprabv@gmail.com

On Feb 6, 2010, at 7:01 PM, Michael Weickel - iQom Business Services GmbH wrote:

>
> I think if you send a dump, shorewall developers can help you with this.
>
> My last idea would be to put the config lines at the top of each file to
> ensure that you don't have conflicts in your file hierarchy.
>
> Since we don't know too much about your routing, it could be located there
> as well.
>
>
> Cheers
> Mike
>
> -----Original Message-----
> From: sangprabv [mailto:sangprabv@gmail.com]
> Sent: Saturday, 6 February 2010 12:57
> To: Shorewall Users
> Subject: Re: [Shorewall-users] DNAT Problem
>
> Yes sure I did it, I think there is something else causing this problem. I
> will look over it and keep you updated. Many thanks MW :)
>
>
> sangprabv
> sangprabv@gmail.com
>
>
> On Feb 6, 2010, at 6:11 PM, Michael Weickel - iQom Business Services GmbH
> wrote:
>
>>
>> Did you do
>>
>> telnet -b 192.168.8.37 5.4.3.2 55000
>>
>> or
>>
>> telnet 5.4.3.2 55000 (what of course won't do what you want!)
>>
>> from your local client P?
>>
>>
>> -----Original Message-----
>> From: sangprabv [mailto:sangprabv@gmail.com]
>> Sent: Saturday, 6 February 2010 11:50
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] DNAT Problem
>>
>> I have tried your suggestion but now if I do tcpdump, the connection from
>> 192.168.8.37 to 5.4.3.2:55000 is read from 192.168.8.1 (the firewall IP)
>>
>>
>> sangprabv
>> sangprabv@gmail.com
>>
>>
>> On Feb 6, 2010, at 5:03 PM, Michael Weickel - iQom Business Services GmbH
>> wrote:
>>
>>>
>>> Again, you don't need the nat to make your target work.
>>>
>>> Throw away your config as outlined and do it like this.
>>>
>>> /etc/shorewall/masq (order of lines is quite important)
>>>
>>> eth0 192.168.8.35 1.2.3.4 tcp 11008
>>> eth0 192.168.8.37 1.2.3.5 tcp 55000
>>> eth0 eth1
>>>
>>> or
>>>
>>> eth0:9.8.7.6 192.168.8.35 1.2.3.4 tcp 11008
>>> eth0:5.4.3.2 192.168.8.37 1.2.3.5 tcp 55000
>>> eth0 eth1
>>>
>>> Both masq will work, it depends what you want to have. The first example will
>>> always map telnet to 1.2.3.4 or 1.2.3.5 if you telnet to the given ports,
>>> where the second example will only do so if you telnet to 9.8.7.6 or 5.4.3.2
>>>
>>> /etc/shorewall/rules
>>>
>>> ACCEPT loc:192.168.8.35 net:9.8.7.6
>>> ACCEPT loc:192.168.8.37 net:5.4.3.2
>>>
>>> Your client routing should be kept.
>>>
>>>> route add 9.8.7.6 gw 192.168.8.1
>>>> route add 5.4.3.2 gw 192.168.8.1
>>>
>>> You don't need your outlined nat entry, you don't need your outlined rules
>>> entry. Take mine.
>>>
>>>
>>> -----Original Message-----
>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>> Sent: Saturday, 6 February 2010 10:49
>>> To: Shorewall Users
>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>
>>> net:.5.4.3.2 is just an illustration, it's not the real IP and it's just a
>>> typo.
>>> If I disable the nat entry in the nat file 192.168.8.35 cannot telnet to
>>> 9.8.7.6:11008
>>>
>>>
>>> sangprabv
>>> sangprabv@gmail.com
>>>
>>>
>>> On Feb 6, 2010, at 3:18 PM, Michael Weickel - iQom Business Services GmbH
>>> wrote:
>>>
>>>>
>>>> What is this? net:.5.4.3.2
>>>> I guess you copy pasted it? The leading "." should be removed
>>>> Else config looks fine but I think you don't need those nat rules for the
>>>> things you plan to do. Your entries in masq, rules and interfaces will
>>>> manage to do what you want
>>>>
>>>> -----Original Message-----
>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>> Sent: Saturday, 6 February 2010 02:11
>>>> To: Shorewall Users
>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>
>>>> 9.8.7.6 is my partner A IP
>>>> 5.4.3.2 is my partner B IP
>>>>
>>>> 192.168.8.35 is my local server P IP behind firewall
>>>> 192.168.8.37 is my local server P virtual IP behind firewall
>>>>
>>>> 192.168.8.1 is my firewall eth1 IP
>>>>
>>>> 1.2.3.1 is my firewall eth0 IP
>>>> 1.2.3.4 is my firewall eth0:4 virtual IP
>>>> 1.2.3.5 is my firewall eth0:5 virtual IP
>>>>
>>>>
>>>> I want connections to 9.8.7.6 port 11008 from server P IP 192.168.8.35 to use
>>>> 1.2.3.4 so I have rules:
>>>> ACCEPT loc:192.168.8.35 net:9.8.7.6 tcp 11008 - 1.2.3.4
>>>> And nat:
>>>> 1.2.3.4 eth0 192.168.8.35
>>>>
>>>> I want connections to 5.4.3.2 port 55000 from server P virtual IP
>>>> 192.168.8.37 to use 1.2.3.5 so I have rules:
>>>> ACCEPT loc:192.168.8.37 net:.5.4.3.2 tcp 55000 - 1.2.3.5
>>>> And nat:
>>>> 1.2.3.5 eth0 192.168.8.37
>>>>
>>>> I have masq value:
>>>> eth0 eth1
>>>>
>>>> On server P I have added routes
>>>> route add 9.8.7.6 gw 192.168.8.1
>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>
>>>> Connection to partner A 9.8.7.6:11008 is OK, I checked TCPDUMP and it shows the
>>>> connection to 9.8.7.6 uses 1.2.3.4
>>>> Connection to partner B 5.4.3.2:55000 FAILS, I checked TCPDUMP and it shows
>>>> the connection to 5.4.3.2 uses 1.2.3.4 instead of 1.2.3.5
>>>>
>>>>
>>>> sangprabv
>>>> sangprabv@gmail.com
>>>>
>>>>
>>>> On Feb 6, 2010, at 1:50 AM, Michael Weickel - iQom Business Services GmbH
>>>> wrote:
>>>>
>>>>>
>>>>> Please be a bit more precise.
>>>>>
>>>>> You telnet 5.4.3.2 from the local client and you see a telnet to 9.8.7.6 in
>>>>> tcpdump instead of 5.4.3.2? You did it on eth1, right?
>>>>>
>>>>> If this is true this sounds like you have some wrong DNAT entry similar to
>>>>>
>>>>> DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2
>>>>>
>>>>> This rule would make that all requests sent from loc:192.168.8.37 which
>>>>> request a connection to tcp 55000 on ip 5.4.3.2 are sent to 9.8.7.6
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>> Sent: Friday, 5 February 2010 19:14
>>>>> To: Shorewall Users
>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>
>>>>> I think I found the reason why the connection always fails. I tried
>>>>> tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know
>>>>> why this happens?
>>>>>
>>>>>
>>>>> sangprabv
>>>>> sangprabv@gmail.com
>>>>>
>>>>>
>>>>> On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> Maybe nothing runs on the requested port on the other side?
>>>>>> I think without a dump it would be hard to manage your problem by the
>>>>>> list.
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>>> Sent: Friday, 5 February 2010 18:42
>>>>>> To: Shorewall Users
>>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>>
>>>>>> I use Ubuntu and I don't think mask is mandatory because if it is
>>>>>> mandatory then why does telnet to 9.8.7.6 always succeed and not to 5.4.3.2. It
>>>>>> makes me crazy :(
>>>>>>
>>>>>>
>>>>>> sangprabv
>>>>>> sangprabv@gmail.com
>>>>>>
>>>>>>
>>>>>> On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> This looks ok.
>>>>>>>
>>>>>>> I suggest you make a quick try with
>>>>>>>
>>>>>>> (policy file)
>>>>>>>
>>>>>>> loc net ACCEPT
>>>>>>>
>>>>>>> If you still cannot access the internet by telnet something with your
>>>>>>> routing is wrong or you have conflicts in your policy or rules file.
>>>>>>> To check this I think a shorewall dump is needed. But if this were true
>>>>>>> you should maybe see something in your messages. A tcpdump output could
>>>>>>> help as well.
>>>>>>>
>>>>>>> Routing seems to be ok if you still have
>>>>>>>
>>>>>>> But if this is the kernel route command I miss the netmask parameter. I don't
>>>>>>> know anything about your distribution but to add routes there should
>>>>>>> always be a netmask parameter. Try to trace the internet ip
>>>>>>>
>>>>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>>>>
>>>>>>>
>>>>>>> Cheers
>>>>>>> Mike
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>>>> Sent: Friday, 5 February 2010 17:23
>>>>>>> To: Shorewall Users
>>>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>>>
>>>>>>> Thanks for the reply, I have this setting in
>>>>>>> /etc/shorewall/masq:
>>>>>>> eth0 eth1
>>>>>>>
>>>>>>> eth0 is the public IP, while eth1 is the private network
>>>>>>>
>>>>>>> I have tried your solution but it doesn't work either.
>>>>>>>
>>>>>>>
>>>>>>> sangprabv
>>>>>>> sangprabv@gmail.com
>>>>>>>
>>>>>>>
>>>>>>> On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> If you want to let your local machines access the internet by telnet
>>>>>>>> then DNAT is the wrong choice. DNAT is for access from the internet to local
>>>>>>>> machines.
>>>>>>>>
>>>>>>>> You should try something like (rules file)
>>>>>>>>
>>>>>>>> ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000
>>>>>>>>
>>>>>>>> If you have policy
>>>>>>>>
>>>>>>>> ACCEPT loc net
>>>>>>>>
>>>>>>>> The rule will be useless.
>>>>>>>>
>>>>>>>> If your first client can but your second can't access, I guess you
>>>>>>>> already have some rules or policies allowing this.
>>>>>>>>
>>>>>>>> In this case I suggest to double-check your masq file whether you only
>>>>>>>> masq 192.168.8.35 or the whole network e.g. 192.168.8.0/24?
>>>>>>>>
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>> Mike
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: sangprabv [mailto:sangprabv@gmail.com]
>>>>>>>> Sent: Friday, 5 February 2010 09:28
>>>>>>>> To: Shorewall Users
>>>>>>>> Subject: [Shorewall-users] DNAT Problem
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I have a client behind shorewall which has 2 IPs:
>>>>>>>> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
>>>>>>>> I have added DNAT rules into shorewall:
>>>>>>>> DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
>>>>>>>> DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5
>>>>>>>>
>>>>>>>> 1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side
>>>>>>>>
>>>>>>>> I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008 and it can
>>>>>>>> connect OK.
>>>>>>>> And I also want 192.168.8.37 to be able to reach my partner IP 5.4.3.2:55000 and this
>>>>>>>> one FAILS.
>>>>>>>> If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 at the firewall it is OK.
>>>>>>>>
>>>>>>>> I have manually added
>>>>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>>>>> Both added to the client routing table. What's wrong with my configuration?
>>>>>>>> Many thanks for help.
>>>>>>>>
>>>>>>>> sangprabv
>>>>>>>> sangprabv@gmail.com
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
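As an added example (not Shorewall's code and not from anyone in the thread), the following Python model shows the first-match behaviour behind Mike's remark that the order of lines in /etc/shorewall/masq matters, and the difference between his two variants: the addresses, interfaces and ports are the thread's, the three masq texts and the packets are constructed, and the parser is deliberately simplified (one port per line, no address lists, no exclusions).

```python
"""Added example, not Shorewall's own code: a minimal model of how lines in
/etc/shorewall/masq are applied. Each becomes one SNAT/MASQUERADE rule in nat
POSTROUTING, in file order; the first matching line decides the source address
an outgoing packet leaves with. Hosts/ports are the thread's; texts constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class MasqRule:
    iface: str                   # INTERFACE column, optionally "eth0:dest"
    source: str                  # SOURCE column: inner interface or IP/CIDR
    address: Optional[str]       # ADDRESS column; None means MASQUERADE
    proto: Optional[str] = None  # PROTO column
    port: Optional[int] = None   # PORT(S) column (single port in this model)


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (eth1 = loc zone)
    src: str
    dst: str
    proto: str
    dport: int
    out_iface: str  # interface routing chose (eth0 = net zone)


def parse_masq(text: str) -> List[MasqRule]:
    """Parse masq columns INTERFACE SOURCE ADDRESS PROTO PORT(S)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split() + ["-"] * 5        # pad missing columns with "-"
        iface, source, address, proto, port = cols[:5]
        rules.append(MasqRule(iface, source,
                              None if address == "-" else address,
                              None if proto == "-" else proto,
                              None if port == "-" else int(port)))
    return rules


def _iface_matches(rule_iface: str, pkt: Packet) -> bool:
    # "eth0:5.4.3.2" limits the line to packets routed to that destination
    name, _, dest = rule_iface.partition(":")
    if name != pkt.out_iface:
        return False
    return not dest or ip_address(pkt.dst) in ip_network(dest, strict=False)


def _source_matches(rule_source: str, pkt: Packet) -> bool:
    try:
        net = ip_network(rule_source, strict=False)
    except ValueError:                 # not an address: an interface name
        return rule_source == pkt.in_iface
    return ip_address(pkt.src) in net


def egress_source(rules: List[MasqRule], pkt: Packet, iface_ips: dict) -> str:
    """Source address the packet leaves with; the first matching line wins."""
    for r in rules:
        if not _iface_matches(r.iface, pkt):
            continue
        if not _source_matches(r.source, pkt):
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.port is not None and r.port != pkt.dport:
            continue
        return r.address or iface_ips[pkt.out_iface]  # MASQUERADE: iface IP
    return pkt.src  # no line matched: leaves with its private address


FIREWALL_IPS = {"eth0": "1.2.3.1"}  # the firewall's eth0 address in the thread

# Mike's first variant: pick the address by source host and port only.
MASQ_BY_PORT = """\
eth0 192.168.8.35 1.2.3.4 tcp 11008
eth0 192.168.8.37 1.2.3.5 tcp 55000
eth0 eth1
"""

# Mike's second variant: additionally require the partner's address.
MASQ_BY_DEST = """\
eth0:9.8.7.6 192.168.8.35 1.2.3.4 tcp 11008
eth0:5.4.3.2 192.168.8.37 1.2.3.5 tcp 55000
eth0 eth1
"""

# Constructed wrong order: the catch-all line first swallows every packet.
MASQ_WRONG_ORDER = """\
eth0 eth1
eth0 192.168.8.35 1.2.3.4 tcp 11008
eth0 192.168.8.37 1.2.3.5 tcp 55000
"""


def to_partner(src: str, dst: str, dport: int) -> Packet:
    # constructed packet: from server P on eth1, routed out of eth0
    return Packet("eth1", src, dst, "tcp", dport, "eth0")


if __name__ == "__main__":
    for name, text in (("by port", MASQ_BY_PORT), ("by dest", MASQ_BY_DEST),
                       ("wrong order", MASQ_WRONG_ORDER)):
        for pkt in (to_partner("192.168.8.37", "5.4.3.2", 55000),
                    to_partner("192.168.8.37", "9.8.7.6", 55000)):
            print(f"{name:11} {pkt.src} -> {pkt.dst}:{pkt.dport} leaves as",
                  egress_source(parse_masq(text), pkt, FIREWALL_IPS))
```

Running it shows the difference Mike describes: under the port-only variant a connection from 192.168.8.37 to port 55000 on any host leaves as 1.2.3.5, under the destination-qualified variant only a connection to 5.4.3.2 does, and with the catch-all line first everything leaves as the eth0 address.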