Hi,

I am having trouble getting a DNAT to work like so:

in rules:
DNAT net:+cust_eth2 colo:PPP.PPP.P.PPP:22 tcp 2222 - XXX.XXX.XX.XX

snipped config files:

zones:
net ipv4
cust:net ipv4

interfaces:
net eth2 detect

hosts:
cust eth2:+cust_eth2

# ipset -L
Name: cust_eth2
Type: iphash
References: 9
Header: hashsize: 1024 probes: 8 resize: 50
Members:
XXX.XXX.87.173

When I connect from the ip .87.173 as listed in the ipset, it doesn't work, as per this log message:
Shorewall:cust2fw:REJECT:IN=eth2 OUT= MAC=0000000000 SRC=XXX.XX.87.173 DST=XXX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=5116 DF PROTO=TCP SPT=52521 DPT=2222 WINDOW=8192 RES=0x00 SYN URGP=0

I also tried in hosts:
cust eth2:dynamic

Weird thing is, if I remove the ipset restriction on the DNAT, it still blocks me, until I remove my ip from the ipset.

Any pointers? Have I missed something obvious? I know the logmsg says cust2fw, but I assume that's because the DNAT is failing to add an accompanying ACCEPT rule for the ipset. No idea why though.

thanks in advance!
Dave

------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
On Mon, 2011-08-29 at 21:04 +1000, Dave Kempe wrote:
> Hi,
>
> I am having trouble getting a DNAT to work like so:
>
> in rules:
> DNAT net:+cust_eth2 colo:PPP.PPP.P.PPP:22 tcp 2222 - XXX.XXX.XX.XX
>
> snipped config files:
>
> zones:
> net ipv4
> cust:net ipv4
>
> interfaces:
> net eth2 detect
>
> hosts:
> cust eth2:+cust_eth2
>
> # ipset -L
> Name: cust_eth2
> Type: iphash
> References: 9
> Header: hashsize: 1024 probes: 8 resize: 50
> Members:
> XXX.XXX.87.173
>
> When I connect from the ip .87.173 as listed in the ipset, it
> doesn't work as per this log message:
> Shorewall:cust2fw:REJECT:IN=eth2 OUT= MAC=0000000000
> SRC=XXX.XX.87.173 DST=XXX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=120
> ID=5116 DF PROTO=TCP SPT=52521 DPT=2222 WINDOW=8192 RES=0x00 SYN
> URGP=0
>
> I also tried in hosts:
> cust eth2:dynamic

Because the

> Weird thing is, if I remove the ipset restriction on the DNAT, it
> still blocks me, until I remove my ip from the ipset.

I don't understand what that means.

> Any pointers? Have I missed something obvious? I know the logmsg says
> cust2fw, but I assume that's because the DNAT is failing to add an
> accompanying ACCEPT rule for the ipset. No idea why though.

We won't know until we see the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Mon, 2011-08-29 at 21:04 +1000, Dave Kempe wrote:
> Any pointers? Have I missed something obvious? I know the logmsg says
> cust2fw, but I assume that's because the DNAT is failing to add an
> accompanying ACCEPT rule for the ipset.

The DNAT is not occurring, so the connection is being sent down the cust2fw chain. Note that the destination address is still XXX.XXX.XXX.XX and the dest port is 2222.

-Tom
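Tom's reading of the log line (the chain name says which zone pair handled the packet, and an unchanged DST/DPT shows the DNAT never fired) can be scripted. The following is an added example, not code from the thread or from Shorewall: it parses a Shorewall LOG line and reports whether the destination was rewritten. The sample line is constructed from the one Dave posted, with RFC 5737 documentation addresses in place of the obscured ones; the forward target 10.0.0.5:22 is an assumption standing in for colo:PPP.PPP.P.PPP:22.

```python
import re

# Constructed sample, modelled on the LOG line quoted in the thread; the obscured
# addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_LOG = (
    "Shorewall:cust2fw:REJECT:IN=eth2 OUT= MAC=0000000000 SRC=203.0.113.173 "
    "DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=5116 DF PROTO=TCP "
    "SPT=52521 DPT=2222 WINDOW=8192 RES=0x00 SYN URGP=0"
)

# Shorewall prefixes the kernel's KEY=VALUE fields with "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[A-Z]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Zone-pair chains are named <src>2<dst>; the first "2" is taken as the separator,
# so zone names that themselves contain a "2" are not handled (assumption).
PAIR_RE = re.compile(r"^([a-z][a-z0-9_]*?)2([a-z][a-z0-9_]*)$")


def parse_shorewall_log(line):
    """Return chain, disposition, zone pair and packet fields of one LOG line."""
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    pair = PAIR_RE.match(m.group("chain"))
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "src_zone": pair.group(1) if pair else None,
        "dst_zone": pair.group(2) if pair else None,
        "fields": dict(KV_RE.findall(line[m.end():])),
    }


def dnat_applied(rec, target_ip, target_port):
    """True if DST/DPT already carry the DNAT target when the filter table logged it."""
    f = rec["fields"]
    return f.get("DST") == target_ip and f.get("DPT") == str(target_port)


def diagnose(line, target_ip, target_port):
    """Read the line the way the thread does: which zone pair handled the packet, and
    whether the destination is still the original (DNAT did not occur)."""
    rec = parse_shorewall_log(line)
    f = rec["fields"]
    if dnat_applied(rec, target_ip, target_port):
        return "DNAT applied; %s:%s then matched %s in chain %s" % (target_ip, target_port, rec["action"], rec["chain"])
    return ("DNAT not applied: DST=%s DPT=%s unchanged; source was classified into zone "
            "%s, so the DNAT rule must name that zone as SOURCE" % (f.get("DST"), f.get("DPT"), rec["src_zone"]))
```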
thanks Tom,

apologies for the obscured output. I am not at liberty to put the full dump on the mailing list, as much as I would like to, and I know it annoys you. I will see how I go about gathering more info and get back to the list.

my ipset only contains sources, and I want to only allow the port forward from those sources.

shorewall show dynamic cust gives no output, but ipset -L does as per above. Is that a clue?
On Mon, 2011-08-29 at 21:04 +1000, Dave Kempe wrote:
> Hi,
>
> I am having trouble getting a DNAT to work like so:
>
> in rules:
> DNAT net:+cust_eth2 colo:PPP.PPP.P.PPP:22 tcp 2222 - XXX.XXX.XX.XX

Shouldn't that be:

DNAT cust:+cust_eth2 ...

> snipped config files:
>
> zones:
> net ipv4
> cust:net ipv4
>
> interfaces:
> net eth2 detect
>
> hosts:
> cust eth2:+cust_eth2

-Tom
On 30 August 2011 00:34, Tom Eastep <teastep@shorewall.net> wrote:
> Shouldn't that be:
>
> DNAT cust:+cust_eth2 ...

Bingo. thanks! champion as always.

Dave