Hello all,

Running version 4.4.6

A resume of what I would like to achieve:
ip xxx.xxx.xxx.xxx (fixed) -> eth0 -> apache on localhost tcp 9000
ip yyy.yyy.yyy.yyy (fixed) -> eth0 -> eth1 -> apache on 192.168.1.100 tcp 9000

Basically ip xxx.xxx.xxx.xxx goes to the Apache on localhost (ok):
ACCEPT net:xxx.xxx.xxx.xxx $FW tcp 9000

I would like traffic from IP yyy.yyy.yyy.yyy to be routed to another server.

I have tried DNAT but it doesn't forward to the second server:
DNAT net:yyy.yyy.yyy.yyy loc:192.168.1.100:9000 tcp 9000

Thanks in advance for your time if you can assist a bit.

Nicolas

On 03/19/2013 05:40 AM, me@electronico.nc wrote:
> Hello all,
>
> Running version 4.4.6

That was released over 3 years ago. You should consider an upgrade.

>
> A resume of what I would like to achieve:
> ip xxx.xxx.xxx.xxx (fixed) -> eth0 -> apache on localhost tcp 9000
> ip yyy.yyy.yyy.yyy (fixed) -> eth0 -> eth1 -> apache on 192.168.1.100
> tcp 9000
>
> Basically ip xxx.xxx.xxx.xxx goes to the Apache on localhost (ok):
> ACCEPT net:xxx.xxx.xxx.xxx $FW tcp 9000
>
> I would like traffic from IP yyy.yyy.yyy.yyy to be routed to another server.
>
> I have tried DNAT but it doesn't forward to the second server:
> DNAT net:yyy.yyy.yyy.yyy loc:192.168.1.100:9000 tcp 9000
>

That rule looks correct, so something else is going on in your
configuration. With that rule in place, please capture the output of
'shorewall dump' and forward it as a compressed attachment. You may send
it to me privately, if you like.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 03/19/2013 07:07 AM, Tom Eastep wrote:
>
> That rule looks correct, so something else is going on in your
> configuration. With that rule in place, please capture the output of
> 'shorewall dump' and forward it as a compressed attachment. You may send
> it to me privately, if you like.
>

Although, before you do that, you might try going through the DNAT
troubleshooting steps outlined in FAQs 1a and 1b.

-Tom

Thanks Tom for your fast answer!

On 20/03/2013 01:07, Tom Eastep wrote:
> On 03/19/2013 05:40 AM, me@electronico.nc wrote:
>> Hello all,
>>
>> Running version 4.4.6
> That was released over 3 years ago. You should consider an upgrade.

It will become 4.4.26 as soon as the server will be OK.

>
>> A resume of what I would like to achieve:
>> ip xxx.xxx.xxx.xxx (fixed) -> eth0 -> apache on localhost tcp 9000
>> ip yyy.yyy.yyy.yyy (fixed) -> eth0 -> eth1 -> apache on 192.168.1.100
>> tcp 9000
>>
>> Basically ip xxx.xxx.xxx.xxx goes to the Apache on localhost (ok):
>> ACCEPT net:xxx.xxx.xxx.xxx $FW tcp 9000
>>
>> I would like traffic from IP yyy.yyy.yyy.yyy to be routed to another server.
>>
>> I have tried DNAT but it doesn't forward to the second server:
>> DNAT net:yyy.yyy.yyy.yyy loc:192.168.1.100:9000 tcp 9000
>>
> That rule looks correct, so something else is going on in your
> configuration. With that rule in place, please capture the output of
> 'shorewall dump' and forward it as a compressed attachment. You may send
> it to me privately, if you like.
>
> Thanks,
> -Tom
>

I feel ashamed: it turned out I hadn't written net.ipv4.ip_forward = 1
permanently and rebooted the server.
The rule is OK now, thanks again!

Nicolas

On 03/20/2013 09:37 AM, me@electronico.nc wrote:
> ...
> I feel ashamed: it turned out I hadn't written net.ipv4.ip_forward = 1
> permanently and rebooted the server.
> The rule is OK now, thanks again!

The preferred way to do this with shorewall is IP_FORWARDING=On in
/etc/shorewall/shorewall.conf - then you can leave it off in sysctl.conf
and you won't have forwarding on until there is a firewall there to
protect it.

Paul
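
Added example, not part of the original thread or of Shorewall itself: a small shell check for the situation discussed above, reporting whether IPv4 forwarding is enabled by shorewall.conf (the arrangement Paul recommends), by sysctl.conf at boot, only at runtime, or not at all. The function names and verdict words are hypothetical, and only the three files passed in are inspected.

```shell
#!/bin/sh
# Added example: report where IPv4 forwarding gets enabled on a Shorewall gateway.
# File paths are parameters so the check can also run against copies of the files.
# Assumption: drop-in files such as /etc/sysctl.d/*.conf are not examined.

# Print the last uncommented value assigned to key $2 in file $1.
# Accepts both "KEY=VALUE" (shorewall.conf) and "key = value" (sysctl.conf).
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d '"'
}

# forwarding_audit SHOREWALL_CONF SYSCTL_CONF PROC_FILE
# Prints one verdict word:
#   early         sysctl.conf turns forwarding on at boot, before the firewall is up
#   ok            shorewall.conf turns it on, so it starts together with the rules
#   runtime-only  forwarding is on now but nothing persists it (lost on reboot)
#   disabled      nothing enables forwarding, so DNAT to another host cannot work
forwarding_audit() {
    sw=$(conf_value "$1" IP_FORWARDING | tr '[:upper:]' '[:lower:]')
    sc=$(conf_value "$2" 'net\.ipv4\.ip_forward')
    live=$(cat "$3" 2>/dev/null || echo 0)
    if [ "$sc" = "1" ]; then
        echo early
    elif [ "$sw" = "on" ]; then
        echo ok
    elif [ "$live" = "1" ]; then
        echo runtime-only
    else
        echo disabled
    fi
}

# Check the live system only when asked to: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    forwarding_audit /etc/shorewall/shorewall.conf /etc/sysctl.conf \
        /proc/sys/net/ipv4/ip_forward
fi
```

A result of `runtime-only` matches the state described in the thread before the fix: the DNAT rule works until the next reboot and then stops forwarding.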