Hello

Sorry for my poor English. I will explain my problem: I cannot connect from an external IP to a web server that is in the DMZ. Both the firewall and the web server receive the request, but the connection does not get established. The connection appears on the client as "RCV_SYNC". These are my configuration files.

> cat interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routeback,blacklist,tcpflags,nosmurfs,routefilter,logmartians
net     eth1        detect      dhcp,routeback,blacklist,tcpflags,nosmurfs,routefilter,logmartians
loc     eth2        detect      dhcp,routeback,blacklist,tcpflags,nosmurfs,routefilter,logmartians
dmz     eth3        detect      dhcp,routeback,blacklist,tcpflags,nosmurfs,routefilter,logmartians

> cat zones
#ZONE   TYPE        OPTIONS     IN OPTIONS     OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

> cat providers
#NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY        OPTIONS         COPY
ADSL2   2        0x2    main        eth1        8x.xx.1x7.1    track,balance   eth2,eth3
ADSL1   1        0x1    main        eth0        8y.yy.2y1.2    track,balance   eth2,eth3

> cat mask
#INTERFACE   SOURCE           ADDRESS          PROTO   PORT(S)   IPSEC   MARK
eth0         8y.yy.2y1.yy6    8x.xx.1x7.xx2
eth0         eth2             8y.yy.2y1.yy6
eth0         eth3             8y.yy.2y1.yy6
eth1         8x.xx.1x7.xx2    8y.yy.2y1.yy6
eth1         eth2             8x.xx.1x7.xx2
eth1         eth3             8x.xx.1x7.xx2

> cat rules
DROP:info      net:192.168.0.0/24   all
DROP:info      net:192.168.4.0/22   all
DNS(ACCEPT)    $FW                  net:eth0
DNS(ACCEPT)    dmz                  net:eth0
HTTP(ACCEPT)   dmz                  net:eth0
HTTPS(ACCEPT)  dmz                  net:eth0
ACCEPT         net:eth0             dmz
DNAT           net:eth0             dmz:192.168.0.252   tcp   80
Ping(DROP)     net:eth1             $FW
Ping(DROP)     net:eth0             $FW
Ping(ACCEPT)   loc                  $FW
Ping(ACCEPT)   loc                  dmz
Ping(ACCEPT)   dmz                  loc
Ping(ACCEPT)   dmz                  net:eth0
Ping(ACCEPT)   dmz                  $FW
ACCEPT         $FW                  loc                 icmp
ACCEPT         $FW                  dmz                 icmp
SSH(ACCEPT)    dmz                  $FW

> cat tcrules
#MARK   SOURCE           DEST   PROTO   DEST_PORT(S)
1:P     192.168.0.0/24   -
2:P     192.168.4.0/22   -
1       $FW

--
Regards.
---------------------------------------------------------------------------------------------------------------
Jose María Iranzo Marín -------- joirma@gmail.com
---------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------
Storage Efficiency Calculator
This modeling tool is based on patent-pending intellectual property that
has been used successfully in hundreds of IBM storage optimization engagements,
worldwide. Store less, Store more with what you own, Move data to
the right place. Try It Now!
http://www.accelacomm.com/jaw/sfnl/114/51427378/
On Mon, 2011-07-25 at 14:57 +0200, Jose Maria Iranzo wrote:
> I can not connect from an external web server ip that is in the DMZ.
> Both the firewall and the web server receives but does not end the
> connection to be established. The connection appears on the client as
> "RCV_SYNC."

Sounds like the default gateway on the server is set incorrectly.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Yes, it is 192.168.0.250

2011/7/25 Tom Eastep <teastep@shorewall.net>
> On Mon, 2011-07-25 at 14:57 +0200, Jose Maria Iranzo wrote:
> > I can not connect from an external web server ip that is in the DMZ.
> > Both the firewall and the web server receives but does not end the
> > connection to be established. The connection appears on the client as
> > "RCV_SYNC."
>
> Sounds like the default gateway on the server is set incorrectly.
>
> -Tom
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
I attach to this mail my shorewall dump.

2011/7/25 Jose Maria Iranzo <joirma@gmail.com>
> Yes, it is 192.168.0.250
On Mon, 2011-07-25 at 16:21 +0200, Jose Maria Iranzo wrote:
> I attach to this mail my shorewall dump.

I see nothing wrong in your configuration. A couple of things:

a) Please allow ping from fw->net so your log isn't full of rejected ping requests. There have been 9 logged net->fw connection requests since Shorewall was restarted, but given the flood of REJECTed pings, we can't see what they were.

b) There have been no attempts to connect to your web server since Shorewall was last restarted:

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            8x.xx.1x7.xx2        tcp dpt:80 to:192.168.0.252
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            8y.yy.2y1.yy6        tcp dpt:80 to:192.168.0.252

c) If, as you said in your previous email, requests are reaching the server (192.168.0.252), then your Shorewall configuration is correct! In that case, you should perform the troubleshooting steps outlined in FAQs 1a and 1b. And if you run tcpdump on the firewall's DMZ interface (eth3), do you see the server's SYN,ACK response?

-Tom
More info: where can I see, in the packet counts, how it is that I can connect to port 80 but the connection is not established?

shorewall show nat

Shorewall 4.4.6 NAT Table at Smooth-Sec - Mon Jul 25 16:52:07 CEST 2011

Counters reset Mon Jul 25 16:43:25 CEST 2011

Chain PREROUTING (policy ACCEPT 97 packets, 5481 bytes)
 pkts bytes target     prot opt in     out     source               destination
  105  5865 dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 39 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination
   73  3546 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 31 packets, 1860 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   30  1846 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 net_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
   73  3546 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:80.33.201.196

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.4.0/22       0.0.0.0/0            to:80.37.147.212

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            8x.xx.1x7.xx2        tcp dpt:80 to:192.168.0.252
    8   384 DNAT       tcp  --  eth0   *       0.0.0.0/0            8y.yy.2y1.yy6        tcp dpt:80 to:192.168.0.252

2011/7/25 Jose Maria Iranzo <joirma@gmail.com>
> I attach to this mail my shorewall dump.
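Added example, not part of this thread and not Shorewall's own code: a small Python script that does mechanically what the previous reply asks for. It reads the packet counters of a `shorewall show nat` listing (the dnat and net_dnat chains from the message above, masked addresses kept as posted) to find DNAT rules that nothing has matched since the counters were reset, and it classifies a tcpdump capture of the DMZ interface by whether the server's SYN,ACK came back through that interface. The tcpdump lines are constructed, the 203.0.113.x clients are documentation addresses, and all function names are the example's own.

```python
"""Read NAT counters and a DMZ-side tcpdump capture to locate where a
DNAT'd connection stalls (added example; names and samples are assumed)."""
import re
from collections import namedtuple

NatRule = namedtuple("NatRule", "chain pkts target proto iface_in dest extra")

# Sample taken from the thread's `shorewall show nat` output (dnat and
# net_dnat chains only), with the poster's masked public addresses as-is.
SAMPLE_NAT = """\
Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   30  1846 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 net_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain net_dnat (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            8x.xx.1x7.xx2   tcp dpt:80 to:192.168.0.252
    8   384 DNAT       tcp  --  eth0   *       0.0.0.0/0            8y.yy.2y1.yy6   tcp dpt:80 to:192.168.0.252
"""

COUNT_RE = re.compile(r"^(\d+)([KMG]?)$")
SCALE = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def _count(token):
    """iptables -v abbreviates large counters as 12K / 3M unless -x is given."""
    m = COUNT_RE.match(token)
    return None if m is None else int(m.group(1)) * SCALE[m.group(2)]


def parse_nat_table(text):
    """One NatRule per counted rule line, tagged with the chain it sits in."""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split(None, 9)
        if len(parts) < 9 or _count(parts[0]) is None:
            continue  # banner, column header or blank line
        pkts, _bytes, target, proto, _opt, iface_in, _out, _src, dest = parts[:9]
        extra = parts[9] if len(parts) > 9 else ""
        rules.append(NatRule(chain, _count(pkts), target, proto, iface_in, dest, extra))
    return rules


def idle_dnat_rules(rules):
    """DNAT rules whose counter is still zero: no request has reached them."""
    return [r for r in rules if r.target == "DNAT" and r.pkts == 0]


# Constructed sample of `tcpdump -ni eth3 port 80` on the DMZ side.
# 203.0.113.10 completes the handshake; 203.0.113.20's SYN is forwarded
# to the server but no SYN,ACK ever shows up on this interface.
SAMPLE_TCPDUMP = """\
16:52:01.100 IP 203.0.113.10.51234 > 192.168.0.252.80: Flags [S], seq 1000, win 65535, length 0
16:52:01.101 IP 192.168.0.252.80 > 203.0.113.10.51234: Flags [S.], seq 2000, ack 1001, win 29200, length 0
16:52:01.102 IP 203.0.113.10.51234 > 192.168.0.252.80: Flags [.], ack 2001, win 65535, length 0
16:52:05.300 IP 203.0.113.20.40000 > 192.168.0.252.80: Flags [S], seq 3000, win 65535, length 0
16:52:06.300 IP 203.0.113.20.40000 > 192.168.0.252.80: Flags [S], seq 3000, win 65535, length 0
""".splitlines()

TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")


def handshake_status(lines, server_ip, port=80):
    """Per client socket: 'answered' (SYN and SYN,ACK both seen here),
    'syn-only' (server's reply never came back through this interface)
    or 'synack-only' (reply seen but the request took another path)."""
    seen = {}
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip and int(dport) == port and flags == "S":
            seen.setdefault((src, int(sport)), set()).add("SYN")
        elif src == server_ip and int(sport) == port and flags == "S.":
            seen.setdefault((dst, int(dport)), set()).add("SYN-ACK")
    status = {}
    for peer, flags in seen.items():
        if flags == {"SYN", "SYN-ACK"}:
            status[peer] = "answered"
        elif flags == {"SYN"}:
            status[peer] = "syn-only"
        else:
            status[peer] = "synack-only"
    return status


if __name__ == "__main__":
    rules = parse_nat_table(SAMPLE_NAT)
    for r in rules:
        print(f"{r.chain:9} in={r.iface_in:5} dst={r.dest:14} {r.pkts:>5} pkts  {r.extra}")
    for r in idle_dnat_rules(rules):
        print(f"no hits yet on DNAT for {r.dest} via {r.iface_in}")
    for (ip, port), state in handshake_status(SAMPLE_TCPDUMP, "192.168.0.252").items():
        print(f"{ip}:{port} -> {state}")
```

A 'syn-only' client is the case the reply above asks about: the SYN was forwarded to 192.168.0.252, so the DNAT and the rules are doing their part, and the missing SYN,ACK on eth3 points at the server's own routing (its default gateway) or at the reply leaving by another path.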
On Mon, 2011-07-25 at 16:59 +0200, Jose Maria Iranzo wrote:
> More info, where can be see, in the count pakts, how to i can connect
> to the 80 port but not is establised the conection.

You need to follow the instructions in FAQs 1a and 1b to determine why the connection isn't working!!! And follow my advice about using tcpdump.

-Tom
Thank you very much. I was going crazy. The problem seems solved. The problem seems to be in ADSL1; the DNAT on ADSL2 works perfectly.

2011/7/25 Tom Eastep <teastep@shorewall.net>
> You need to follow the instructions in FAQs 1a and 1b to determine why
> the connection isn't working!!! And follow my advice about using
> tcpdump.
>
> -Tom

--
Regards.