similar to: masq - pings and connections get dropped after PREROUTING?

I have a debian woody machine acting as a firewall for a small network. I am trying to do a simple DNAT to port 80 on the protected webserver and masquerade all traffic from the protect subnet outbound. After having read the FAQ and various posts regarding problems with DNAT I''m afraid I''m no closer to a solution. Based on the output from "shorewall show nat" I

My experimentation with a Perl-based compiler for Shorewall is beginning to bear fruit. Here is a timing from the main firewall at shorewall.net using the Perl-based compiler. That compiler generates a script that uses iptables-restore to configure Netfilter. root@lists:~/shorewall# shorewall restart . Compiling... Shorewall configuration compiled to /var/lib/shorewall/.restart Restarting

Ok, shaping on Linux is new to me.. so bear with me if i am just stupid. curtain:/etc/shorewall# grep TC shorewall.conf | grep -v ^# TCP_FLAGS_LOG_LEVEL=info TC_ENABLED=Yes CLEAR_TC=Yes TCP_FLAGS_DISPOSITION=DROP curtain:/etc/shorewall# So it should be enabled, right? ---- tcrules ---- 1 eth0 0.0.0.0/0 all 2 eth1 0.0.0.0/0 all 2 eth2 0.0.0.0/0

Firewall users, My apologies as I''m not on this list, so please respond directly as well as to the list. I did try to search the archives and didn''t find any hits, although the search did not like searching for terms with underscores in them (both clear_firewall and ip_forward). I was trying to understand why, when running shorewall stop, even though it echoes IP

Hi, I have three linux machines, and I want to let one of them forward packets betwen the other two. The forwarding node has two ethernet cards, connecting the two two machines respectively. However, when I ping between the two end points, the forwarding node can receive the ping requests at its eth0, but it never forwards them to its eth1. So is the reverse direction. The forwarding node is

Hello all, I''m somewhat new to networking, and I''m having trouble masquerading connections that are coming over a bridge. The bridge only has a single port for now, but I''m going to add more ports later. I''m basing my configuration on the two-interface quick start guide. I''m using Shorewall 3.0.4 on Ubuntu Dapper. My network looks like this: * The

I have followed the instructions at http://shorewall.net/FAQ.htm#faq2 along with some coaching on IRC from _Omache to get a machine (with IP address 66.93.22.233) to forward all port 25 traffic to another host in my network (with IP 66.93.22.254). This has not worked. I have tested by trying `telnet 66.93.22.233 25`, expecting to see the SMTP banner on 66.93.22.254. Of course, I don''t

Dear all: Im using shorewall 2.0.3a (debian) w/ ULOG. shorewall starts ok, and the firewall is running, but nothing is printed on the logs. I try, for example, to do a connection to a port that is opened on the server but closed by the FW and I get a connection refused. If I stop the firewall, this port is accesible from the outside. I think I''ve followed all the steps on

Is there a way to add a rule to the nat table (CentOS 5.7) that would alter the port number of tcp packets destined for the server itself? I have ip_forwarding enabled, but the packets don't seem to hit the prerouting chain. I have the following redirect rule in the prerouting table. I also tried DNAT, but if the packets don't hit PREROUTING, it won't work either. iptables -t nat

Can someone tell me what concept I''m missing here. The setup is simple. I have two default routes after ifup operations. I use "ip route del" to remove one, but then decide to add it back. The attempt is refused. Why? # ip route ls 66.95.83.208/28 dev eth1 proto kernel scope link src 66.95.83.210 65.84.205.96/27 dev eth2 proto kernel scope link src 65.84.205.104

Hello, My hoster updated its kernel packages... It contained some old problems that should have been fixed. My servers have now a wonderful 2.6.21.5 kernel + grsec running. Both are running Debian 4.0 (stable release). mx:/etc/shorewall# iptables --version iptables v1.3.6 mx:/etc/shorewall# uname -a Linux mx.network-hosting.com 2.6.21.5-grsec-xxxx-grs-ipv4-32 #1 SMP Fri Jul 27 17:18:23 CEST

Hi List, I have a new install of CentOS 6.2 and shorewall 4.5.1-2. I usually have no issues with shorewall until now. When I execute < #shorewall start > I get the following error. root@poweredge > /etc/shorewall# shorewall start Compiling... Can''t locate Shorewall/Compiler.pm in @INC (@INC contains: /usr/share/shorewall /usr/local/lib/perl5 /usr/local/share/perl5

Hi all, I''m trying to set up a computer with 2 routes to the internet, much as described at http://lartc.org/howto/lartc.rpdb.multiple-links.html .One of my interfaces (eth5, 192.168.2.2) is only used for traffic originating inside the network. The other (eth1, 192.168.1.2) is only used for a VPN, where all (udp) traffic originates from outside our network. I have created a second

Hi all, This is your standard "I can''t *see* the internet" problem, except I think I''ve exhausted all the standard solutions. The only thing different is that my house experienced a power outage and now (after the FW rebooted) local machines can''t "see" out. I''ve got a 2-interface setup, using Shorewall 2.0.15 (installed via Debian).

Hi all, I Try use shorewall rules with time element but its never works, the rules look like this HTTPS(REJECT) loc net:69.63.181.11,69.63.181.12,69.63.184.142,69.63.187.17,69.63.187.19 localtz&timestart=20:00&timestop=20:10&weekdays=Mon,Tue,Wed,Thu,Fri This rules for block https access to facebook site at working hours & day My system is Debian lenny, shorewall 4.4.4.2 kernel

Hi, Sorry, not an experienced shorewall user, this is my first basic setup. This starts to drive me crazy. I wanted to use DNAT to forward port 33890 to an internal machine (windows) port 3389. To reach my workstation when I''m not home. In my rules : DNAT:debug net loc:192.168.0.11:3389 tcp 33890 - pub.lic.ip.add #SECTION BLACKLIST #well known port scans DROP net

Beta 1 is now available for testing. One of the problems I''ve had with the Shorewall products is trying to keep them all in sync. There have been two copies of each shell library and four CLI programs. To simplify maintenance, I have collapsed each of the library pairs into a single library and have reduced the number of CLI programs from four to two (one for the

Beta 1 is now available for testing. One of the problems I''ve had with the Shorewall products is trying to keep them all in sync. There have been two copies of each shell library and four CLI programs. To simplify maintenance, I have collapsed each of the library pairs into a single library and have reduced the number of CLI programs from four to two (one for the

Can anyone tell me whether I have a routing problem, or an openVPN problem, or something else? I''ve stared at this for so long I think I must be looking in the wrong place! I have 3 machines: Machine A has single ethernet card, eth0, 192.168.5.5 Machine B has eth0, 192.168.5.? on the local net, eth1, 81.2.x.y to the internet, and

Hello Shorewall list, I''m a happy Shorewall user since a few years now and everything works fine for me except one thing that I try to implement since a week, the multi-isp. I''ve downloaded the 2.4.0 Stable release yesterday and tried the RC2 since a week. My config is a Debian running a kernel 2.4.27 home made with the CONNMARK.diff patch applied I''m using 2 ISP,