Hello,

I have shorewall version 4.5.4.2 installed.

I have multiple ISPs configured and the following zones:

fw      firewall
net     ipv4
loc     ipv4
tux:net ipv4

In the interfaces file I have:

loc eth0 - routeback
net eth1 - dhcp,routeback
net eth3 - dhcp,routeback

eth1 and eth3 are the interfaces connected to the internet.

The hosts file has:

tux eth1:8.8.8.8
tux eth3:8.8.8.8

Why do I have the IPs 8.8.8.8 in the dnat chain? Because of that, DNAT rules from the internet to my local servers don't get applied and I get "connection refused".

Chain dnat (1 references)
 pkts bytes target    prot opt in    out   source      destination
    0     0 RETURN    all  --  eth1  *     8.8.8.8.8   0.0.0.0/0
    0     0 RETURN    all  --  eth3  *     8.8.8.8.8   0.0.0.0/0
  986 66082 net_dnat  all  --  eth1  *     0.0.0.0/0   0.0.0.0/0
   60  2411 net_dnat  all  --  eth3  *     0.0.0.0/0   0.0.0.0/0

Does anyone know what the reason is, or what I can do to correct that?

Thanks,
Nuno Fernandes

P.S. - Changed the real IP to 8.8.8.8

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 09/25/2012 09:38 AM, Nuno Fernandes wrote:
> Hello,
>
> I have shorewall version 4.5.4.2 installed.
>
> I have multiple ISPs configured and the following zones:
>
> fw      firewall
> net     ipv4
> loc     ipv4
> tux:net ipv4
>
> In the interfaces file I have:
>
> loc eth0 - routeback
> net eth1 - dhcp,routeback
> net eth3 - dhcp,routeback
>
> eth1 and eth3 are the interfaces connected to the internet.
>
> The hosts file has:
>
> tux eth1:8.8.8.8
> tux eth3:8.8.8.8
>
> Why do I have the IPs 8.8.8.8 in the dnat chain? Because of that, DNAT rules
> from the internet to my local servers don't get applied and I get
> "connection refused".
>
> Chain dnat (1 references)
>  pkts bytes target    prot opt in    out   source      destination
>     0     0 RETURN    all  --  eth1  *     8.8.8.8.8   0.0.0.0/0
>     0     0 RETURN    all  --  eth3  *     8.8.8.8.8   0.0.0.0/0
>   986 66082 net_dnat  all  --  eth1  *     0.0.0.0/0   0.0.0.0/0
>    60  2411 net_dnat  all  --  eth3  *     0.0.0.0/0   0.0.0.0/0
>
> Does anyone know what the reason is, or what I can do to correct that?

What is your setting for IMPLICIT_CONTINUE?

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Tuesday 25 September 2012 10:05:56 Tom Eastep wrote:
> On 09/25/2012 09:38 AM, Nuno Fernandes wrote:
> > Hello,
> >
> > I have shorewall version 4.5.4.2 installed.
> >
> > I have multiple ISPs configured and the following zones:
> >
> > fw      firewall
> > net     ipv4
> > loc     ipv4
> > tux:net ipv4
> >
> > In the interfaces file I have:
> >
> > loc eth0 - routeback
> > net eth1 - dhcp,routeback
> > net eth3 - dhcp,routeback
> >
> > eth1 and eth3 are the interfaces connected to the internet.
> >
> > The hosts file has:
> >
> > tux eth1:8.8.8.8
> > tux eth3:8.8.8.8
> >
> > Why do I have the IPs 8.8.8.8 in the dnat chain? Because of that, DNAT rules
> > from the internet to my local servers don't get applied and I get
> > "connection refused".
> >
> > Chain dnat (1 references)
> >  pkts bytes target    prot opt in    out   source      destination
> >     0     0 RETURN    all  --  eth1  *     8.8.8.8.8   0.0.0.0/0
> >     0     0 RETURN    all  --  eth3  *     8.8.8.8.8   0.0.0.0/0
> >   986 66082 net_dnat  all  --  eth1  *     0.0.0.0/0   0.0.0.0/0
> >    60  2411 net_dnat  all  --  eth3  *     0.0.0.0/0   0.0.0.0/0
> >
> > Does anyone know what the reason is, or what I can do to correct that?
>
> What is your setting for IMPLICIT_CONTINUE?
>
> -Tom

Hello,

# grep IMPLICIT_CONTINUE /etc/shorewall/shorewall.conf
IMPLICIT_CONTINUE=No

I'll read more info on that at home...

Best regards,
Nuno Fernandes
> Hello,
>
> # grep IMPLICIT_CONTINUE /etc/shorewall/shorewall.conf
> IMPLICIT_CONTINUE=No
>
> I'll read more info on that at home...
>
> Best regards,
> Nuno Fernandes

Hello,

I've changed IMPLICIT_CONTINUE to Yes and the dnat table remains the same. Any ideas?

Thanks,
Nuno Fernandes
On 09/26/2012 01:26 AM, Nuno Fernandes wrote:
> Hello,
>
> # grep IMPLICIT_CONTINUE /etc/shorewall/shorewall.conf
> IMPLICIT_CONTINUE=No
>
> I'll read more info on that at home...
>
> Best regards,
> Nuno Fernandes
>
>
> Hello,
>
> I've changed IMPLICIT_CONTINUE to Yes and the dnat table remains the
> same. Any ideas?

Hmmm -- I'm not able to reproduce your problem with 4.5.6.2. I have

zones:

fw       firewall
net      ipv4
loc      ipv4
chld:net ipv4

interfaces:

net eth0 ...
net eth2 ...
loc eth1 ...

hosts:

chld eth0:1.2.3.4
chld eth2:1.2.3.4

rules:

DNAT net loc:10.0.0.1 tcp 444

This is generating (with OPTIMIZE=0):

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth0_masq - [0:0]
:net_dnat - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A PREROUTING -i eth2 -j net_dnat
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 10.0.0.0/8 -j MASQUERADE
-A eth0_masq -s 169.254.0.0/16 -j MASQUERADE
-A eth0_masq -s 172.16.0.0/12 -j MASQUERADE
-A eth0_masq -s 192.168.0.0/16 -j MASQUERADE
-A net_dnat -p 6 --dport 444 -j DNAT --to-destination 10.0.0.1
COMMIT

If you will send me privately a tarball of /etc/shorewall (with capabilities file), I'll try to determine what's going on.

-Tom
On 09/26/2012 08:54 AM, Nuno Fernandes wrote:
> Hello,
>
> Attached I'm sending the tgz of /etc/shorewall as well as a shorewall dump of
> the server. Since my last email I've added 2 new interface cards
> (eth4 and eth5) to new providers.
>
> When I'm on the internet and try:
>
> $ telnet EXTERNAL_IP 443
> Trying EXTERNAL_IP...
> Connected to EXTERNAL_IP.
> Escape character is '^]'.
>
> I get the connection, but when I'm trying to connect from the tux
> hosts:
>
> $ telnet EXTERNAL_IP 443
> Trying EXTERNAL_IP...
> telnet: connect to address EXTERNAL_IP: Connection refused
>
> Hope you can help,

The problem is that you have this in /etc/shorewall/policy:

tux loc ACCEPT

IMPLICIT_CONTINUE won't override that policy. So you either need to remove that policy or change it to

tux loc CONTINUE

If you take the latter approach (which I recommend), then you can set IMPLICIT_CONTINUE=No, since it is no longer necessary.

-Tom

------------------------------------------------------------------------------
How fast is your code?
3 out of 4 devs don't know how their code performs in production.
Find out how slow your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219672;13503038;z?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
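The thread's symptom and Tom's diagnosis can both be checked mechanically. The script below is an added example, not code from the thread or from the Shorewall project. Its first half parses the `dnat` chain listing from the original post (as `iptables -t nat -L dnat -v -n` prints it) and walks it the way netfilter does, so you can see that a packet arriving on eth1 from the 8.8.8.8 host hits the `RETURN` rule and never reaches `net_dnat`, while any other internet source does. Its second half reads a zones file and a policy file and flags every policy line whose SOURCE is a nested zone (written `child:parent` in zones) and whose action is anything other than CONTINUE, which is exactly the `tux loc ACCEPT` line that kept the parent zone's DNAT rules from applying. The sample chain, zones and policy text are constructed from the thread (8.8.8.8 stands in for the real public IP, as in the original post); the rule that a non-CONTINUE policy on a child zone hides the parent zone's rules is the behaviour Tom describes.

```python
"""Check why hosts in a nested Shorewall zone bypass the parent zone's DNAT rules."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the `dnat` chain from the original post, in
# `iptables -t nat -L dnat -v -n` format (8.8.8.8 replaces the real address).
SAMPLE_DNAT_CHAIN = """\
Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  eth1   *       8.8.8.8              0.0.0.0/0
    0     0 RETURN     all  --  eth3   *       8.8.8.8              0.0.0.0/0
  986 66082 net_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   60  2411 net_dnat   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample zones and policy files, reduced to the lines that matter.
SAMPLE_ZONES = """\
fw      firewall
net     ipv4
loc     ipv4
tux:net ipv4
"""
SAMPLE_POLICY_BROKEN = """\
tux loc ACCEPT
loc net ACCEPT
net all DROP
all all REJECT
"""
SAMPLE_POLICY_FIXED = SAMPLE_POLICY_BROKEN.replace("tux loc ACCEPT", "tux loc CONTINUE")


@dataclass
class Rule:
    target: str
    in_iface: str
    source: ipaddress.IPv4Network


def parse_dnat_chain(listing):
    """Turn an `iptables -L <chain> -v -n` listing into an ordered list of Rules."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        # Skip the "Chain ..." banner and the column header; data lines start with a counter.
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        _pkts, _bytes, target, _prot, _opt, in_if, _out_if, src, _dst = fields[:9]
        rules.append(Rule(target, in_if, ipaddress.ip_network(src, strict=False)))
    return rules


def first_target(rules, in_iface, src_ip):
    """Return the target of the first rule a packet (in_iface, src_ip) matches, or None."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.in_iface in ("*", in_iface) and addr in rule.source:
            return rule.target
    return None  # no rule matched: the chain's implicit RETURN to PREROUTING


def child_zones(zones_text):
    """Map each nested zone to its parent for zones entries written as child:parent."""
    parents = {}
    for line in zones_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and ":" in fields[0]:
            child, parent = fields[0].split(":", 1)
            parents[child] = parent
    return parents


def policies_hiding_parent_rules(zones_text, policy_text):
    """List (source, dest, action, parent) for policy lines that stop a child zone's
    traffic from falling through to the parent zone's rules (action != CONTINUE)."""
    parents = child_zones(zones_text)
    findings = []
    for line in policy_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        src, dst, action = fields[:3]
        if src in parents and action.upper() != "CONTINUE":
            findings.append((src, dst, action, parents[src]))
    return findings


if __name__ == "__main__":
    chain = parse_dnat_chain(SAMPLE_DNAT_CHAIN)
    for iface, ip in (("eth1", "8.8.8.8"), ("eth1", "203.0.113.7")):
        print(f"{iface} from {ip}: first target = {first_target(chain, iface, ip)}")
    for src, dst, action, parent in policies_hiding_parent_rules(SAMPLE_ZONES, SAMPLE_POLICY_BROKEN):
        print(f"policy '{src} {dst} {action}' hides {parent} zone rules from {src}; use CONTINUE")
    print("fixed policy findings:", policies_hiding_parent_rules(SAMPLE_ZONES, SAMPLE_POLICY_FIXED))
```

Run against a live box, replace the constructed strings with the output of `iptables -t nat -L dnat -v -n` and the contents of `/etc/shorewall/zones` and `/etc/shorewall/policy`; the linter only looks at the first three columns of each policy line, so comments and the optional LOG LEVEL column are ignored.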
On 09/27/2012 01:51 AM, Nuno Fernandes wrote:
> Hello,
>
> Tarball sent :)

And I responded immediately on the mailing list with the solution.

-Tom

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
On Thursday 27 September 2012 07:13:54 Tom Eastep wrote:
> On 09/27/2012 01:51 AM, Nuno Fernandes wrote:
> > Hello,
> >
> > Tarball sent :)
>
> And I responded immediately on the mailing list with the solution.
>
> -Tom

Missed that email :) Sorry about that.

Thank you, your solution worked perfectly.

Best regards,
Nuno Fernandes