Shorewall users - Apr 2012 - Shorewall 4.4.26.1-1 on Ubuntu precise - NAT LOCALE not working

Hi All,   

I had same setup on Lucid and everything works fine, now I moved to precise and
have same config files and one feature stopped working


X.X.196.79 eth1 10.7.0.16 Yes Yes

But the machine (10.7.0.16) can not see it self via public X.X.196.79 it just
disappears on the Router (which is Dom0)

I am using 3.2.0-20-generic  + XEN 4.1  

I cam see the right DNAT record in iptables

Chain eth1_in (1 references)
target     prot opt source               destination          
DNAT       all  --  0.0.0.0/0            X.X.196.97      to:10.7.0.16


Any idea? As this is bad problem for me atm and can not just move to different
kernel :(

THanks



petr červenka
website development

macdaddy pty ltd
main 1300 767 777  
tel 08 64200468
fax 02 9130 5767
mob 0430 007 831
email petr@ʎppɐpɔɐɯ.com (mailto:petr@xn--ppp-dsbbx4q7i.com)
3/ 88 brighton bvd, bondi beach nsw 2026
 www.macdaddy.com.au (http://www.macdaddy.com.au/)

The contents of this e-mail are confidential. If you are not the intended
recipient, you must not disclose, copy or use the contents in any way.If
this is the case please contact the sender immediately. Any views  
expressed in this e-mail are not to be taken as the views of the company.

P  Please consider the environment before you print this email.



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/11/2012 09:30 PM, Petr Cervenka wrote:
> Hi All, 
> 
> I had same setup on Lucid and everything works fine, now I moved to
> precise and have same config files and one feature stopped working 
> 
> 
> X.X.196.79eth110.7.0.16YesYes
> 
> But the machine (10.7.0.16) can not see it self via public X.X.196.79 it
> just disappears on the Router (which is Dom0) 
> 
> I am using 3.2.0-20-generic  + XEN 4.1 
> 
> I cam see the right DNAT record in iptables
> 
> Chain eth1_in (1 references)
> target     prot opt source               destination         
> DNAT       all  --  0.0.0.0/0            X.X.196.97      to:10.7.0.16
> 
> Any idea? As this is bad problem for me atm and can not just move to
> different kernel :(
Same version of Shorewall in both cases?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

Hi  

Well almost  on working one i have lucid:
shorewall                       4.4.6-1  

Current 
shorewall                            4.4.26.1-1 


But kernel is different too. I am not sure if i am missing some options? 
ta
> On 04/11/2012 09:30 PM, Petr Cervenka wrote:
> > Hi All, 
> > 
> > I had same setup on Lucid and everything works fine, now I moved to
> > precise and have same config files and one feature stopped working 
> > 
> > 
> > X.X.196.79eth110.7.0.16YesYes
> > 
> > But the machine (10.7.0.16) can not see it self via public X.X.196.79
it
> > just disappears on the Router (which is Dom0) 
> > 
> > I am using 3.2.0-20-generic + XEN 4.1 
> > 
> > I cam see the right DNAT record in iptables
> > 
> > Chain eth1_in (1 references)
> > target prot opt source destination 
> > DNAT all -- 0.0.0.0/0 X.X.196.97 to:10.7.0.16
> > 
> > Any idea? As this is bad problem for me atm and can not just move to
> > different kernel :(
> > 
> 
> 
> Same version of Shorewall in both cases?
> 
> -Tom
> -- 
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 
>
------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
(mailto:Shorewall-users@lists.sourceforge.net)
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
> 



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/12/2012 06:30 AM, Petr Cervenka wrote:
> Hi 
> 
> Well almost  on working one i have lucid:
> shorewall                       4.4.6-1  
> 
> Current 
> shorewall                            4.4.26.1-1
Those two releases were a year apart (and please don''t top-post).
> 
> 
> But kernel is different too. I am not sure if i am missing some options? 
> ta
> 
>> On 04/11/2012 09:30 PM, Petr Cervenka wrote:
>>> Hi All,
>>>
>>> I had same setup on Lucid and everything works fine, now I moved to
>>> precise and have same config files and one feature stopped working
>>>
>>>
>>> X.X.196.79eth110.7.0.16YesYes
>>>
>>> But the machine (10.7.0.16) can not see it self via public
X.X.196.79 it
>>> just disappears on the Router (which is Dom0)
>>>
>>> I am using 3.2.0-20-generic + XEN 4.1
>>>
>>> I cam see the right DNAT record in iptables
>>>
>>> Chain eth1_in (1 references)
>>> target prot opt source destination
>>> DNAT all -- 0.0.0.0/0 X.X.196.97 to:10.7.0.16
>>>
>>> Any idea? As this is bad problem for me atm and can not just move
to
>>> different kernel :(
>>
>> Same version of Shorewall in both cases?
Do you have ''routeback'' specified on eth1 in
/etc/shorewall/interfaces?
 If so, then please send me the output of ''shorewall dump''
collected as
described at http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Thursday, 12 April 2012 at 9:40 PM, Tom Eastep wrote:
> On 04/12/2012 06:30 AM, Petr Cervenka wrote:
> > Hi 
> > 
> > Well almost on working one i have lucid:
> > shorewall 4.4.6-1 
> > 
> > Current 
> > shorewall 4.4.26.1-1
> > 
> 
> 
> Those two releases were a year apart (and please don''t top-post).
> 
Sorry i did not know this term before. 
> 
> > 
> > 
> > But kernel is different too. I am not sure if i am missing some
options?
> > ta
> > 
> > > On 04/11/2012 09:30 PM, Petr Cervenka wrote:
> > > > Hi All,
> > > > 
> > > > I had same setup on Lucid and everything works fine, now I
moved to
> > > > precise and have same config files and one feature stopped
working
> > > > 
> > > > 
> > > > X.X.196.79eth110.7.0.16YesYes
> > > > 
> > > > But the machine (10.7.0.16) can not see it self via public
X.X.196.79 it
> > > > just disappears on the Router (which is Dom0)
> > > > 
> > > > I am using 3.2.0-20-generic + XEN 4.1
> > > > 
> > > > I cam see the right DNAT record in iptables
> > > > 
> > > > Chain eth1_in (1 references)
> > > > target prot opt source destination
> > > > DNAT all -- 0.0.0.0/0 X.X.196.97 to:10.7.0.16
> > > > 
> > > > Any idea? As this is bad problem for me atm and can not just
move to
> > > > different kernel :(
> > > > 
> > > 
> > > 
> > > Same version of Shorewall in both cases?
> 
> Do you have ''routeback'' specified on eth1 in
/etc/shorewall/interfaces?
I have it like this 

#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 detect
net eth1 detect        routeback 
vms dummy0 detect bridge,routeback,nosmurfs 

But i never had to have route back on eth1, but even when i add it nothing.
 
> If so, then please send me the output of ''shorewall dump''
collected as
> described at http://www.shorewall.net/support.htm#Guidelines.
> 
> 
Here is my trace  , i won''t post it here , but here is link :
http://dl.dropbox.com/u/361686/trace
> 
> Thanks,
Thanks 
> -Tom
> -- 
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 
>
------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
(mailto:Shorewall-users@lists.sourceforge.net)
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
> 



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/12/2012 06:53 AM, Petr Cervenka wrote:
> Here is my trace  , i won''t post it here , but here is link
> : http://dl.dropbox.com/u/361686/trace
I need to see the output of ''shorewall dump'' rather than a
trace; a
trace is only useful when Shorewall fails to start.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/12/2012 07:09 AM, Tom Eastep wrote:
> On 04/12/2012 06:53 AM, Petr Cervenka wrote:
> 
>> Here is my trace  , i won''t post it here , but here is link
> 
>> : http://dl.dropbox.com/u/361686/trace
> 
> I need to see the output of ''shorewall dump'' rather than
a trace; a
> trace is only useful when Shorewall fails to start.
You can send it to me personally if you are uncomfortable with posting
it on the net.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2