Shorewall users - Mar 2010 - DNAT Problem

Hi everyone!

I''m having time out problems when using a DNAT rule.

Rule:
DNAT:info       cmtc    loc:192.168.0.158       tcp     8011

Log:
Mar 17 17:50:17 gw kernel: [1583997.524924] 
Shorewall:cmtc_dnat:DNAT:IN=eth3 OUT= SRC=10.1.0.2 DST=10.0.0.2 LEN=60 
TOS=0x10 PREC=0x00 TTL=62 ID=4279 DF PROTO=TCP SPT=32791 DPT=8011 
WINDOW=5840 RES=0x00 SYN URGP=0

Telnet:
root@emudar:~# telnet 10.0.0.2 8011
Trying 10.0.0.2...
telnet: connect to address 10.0.0.2: Connection timed out

Inside my local network, the service running on 192.168.0.158 works 
fine. However, I can''t connect from any other zone I have(DMZ, NET and 
CMTC). Using wireshark on this local server, I figured out that any 
connection arriving from anywhere but LOC, don''t ACK.

I tried the interface routeback option and looking into Shorewall FAQ I 
found a masq issue that could fix the problem. I added the following 
line inside masq file:

eth3:10.1.0.2           0.0.0.0/0       10.0.0.2        tcp     8011

Even using this solutions I couldn''t make this work.

Can you help me?

João K.


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Hi,

Change the rule to this..:

DNAT:info       cmtc    loc:192.168.0.158:23       tcp     8011

Or change the telnet service on the target machine to listen on port 8011 rather
than port 23

... and another thing to be careful of is that there must be a rout back to the
source of the connection from the target of the DNAT rule.

Regards,
T
_______________________________________
From: João Alberto Kuchnier [joao.kuchnier@dataprom.com]
Sent: Thursday, 18 March 2010 7:04 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] DNAT Problem

Hi everyone!

I''m having time out problems when using a DNAT rule.

Rule:
DNAT:info       cmtc    loc:192.168.0.158       tcp     8011

Log:
Mar 17 17:50:17 gw kernel: [1583997.524924]
Shorewall:cmtc_dnat:DNAT:IN=eth3 OUT= SRC=10.1.0.2 DST=10.0.0.2 LEN=60
TOS=0x10 PREC=0x00 TTL=62 ID=4279 DF PROTO=TCP SPT=32791 DPT=8011
WINDOW=5840 RES=0x00 SYN URGP=0

Telnet:
root@emudar:~# telnet 10.0.0.2 8011
Trying 10.0.0.2...
telnet: connect to address 10.0.0.2: Connection timed out

Inside my local network, the service running on 192.168.0.158 works
fine. However, I can''t connect from any other zone I have(DMZ, NET and
CMTC). Using wireshark on this local server, I figured out that any
connection arriving from anywhere but LOC, don''t ACK.

I tried the interface routeback option and looking into Shorewall FAQ I
found a masq issue that could fix the problem. I added the following
line inside masq file:

eth3:10.1.0.2           0.0.0.0/0       10.0.0.2        tcp     8011

Even using this solutions I couldn''t make this work.

Can you help me?

João K.


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
NOTE: URL removed for security purposes - contact terry.gilsenan@interoil.com
for support.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Terry Gilsenan wrote:
> Hi,
> 
> Change the rule to this..:
> 
> DNAT:info       cmtc    loc:192.168.0.158:23       tcp     8011
> 
> Or change the telnet service on the target machine to listen on port 8011
rather than port 23
> 
> ... and another thing to be careful of is that there must be a rout back to
the source of the connection from the target of the DNAT rule.
Also, FAQs 1a and 1b provide additional DNAT debugging tips.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev