Re: [Shorewall-users] DNAT Not Working

2017-11-19 Thread Colony.three via Shorewall-users
I've set ACCEPT rules for net to $FW and net to dmz (not sure which applies) 
for http and https.

Going through the FAQ here:  http://shorewall.net/FAQ.htm#faq1a
- I'm testing from a remote OpenStack VM (Internap) using:
# curl -v http://50.35.109.212
* About to connect() to 50.35.109.212 port 80 (#0)
*   Trying 50.35.109.212...
* Connection timed out
* Failed connect to 50.35.109.212:80; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 50.35.109.212:80; Connection timed out

- The gateway on the dmz server is set to 10.15.15.2, which is the dmz inside 
interface on the router.  And it can access The Internets fine using SNAT.
- I've previously confirmed that 80 can reach through my ISP.
- Running CentOS7.4.

http://shorewall.net/FAQ.htm#faq1b
(On router)
# shorewall reset
Shorewall Counters Reset
# shorewall show nat
pkts bytes target prot opt in out source      destination
   2   128 DNAT   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   multipo
... note: instantly there is a count of 2 when I haven't done anything.
(On router)
# shorewall reset
# shorewall show nat
   2   128 DNAT   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0
multiport dports 80,443 to:10.1.1.30
(On remote)
# curl -v http://50.35.109.212
(On router)
# shorewall show nat
   2   128 DNAT   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0
multiport dports 80,443 to:10.1.1.30
... note count remains 2.

- I'd previously set my SSHd server on the router to listen on 80, 443, 587, 
etc, and I could always SSH in to the router from the remote machine.  So those 
ports aren't blocked, unless it's a protocol-sensitive block.
-  I can not understand this second possibility:  "you are trying to connect to 
a secondary IP address on your firewall and your rule is only redirecting the 
primary IP address (You need to specify the secondary IP address in the “ORIG. 
DEST.” column in your DNAT rule); or"
- (On router - 50.35.109.212)
# tcpdump |grep 72.251.232.105
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
(On remote machine - 72.251.232.105)
# curl -v http://50.35.109.212
(On router: zip, even after curl times out.)

- And the last possibility (On router):
# ifconfig
eth0: flags=4163  mtu 1500
inet 50.35.109.212  netmask 255.255.240.0  broadcast 50.35.111.255

I can't see what is wrong.
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] DNAT Not Working

2017-11-19 Thread Les Niles
Do you have firewall rules to allow that traffic through?  Pretty much every 
time I can’t get something like this to work it turns out to be because it’s 
blocked by the firewall.

  -Les



> On 19 Nov 2017, at 13:01, Colony.three via Shorewall-users wrote:
> 
> Hello, I can not get DNAT to work to save my life.
> 
> All machines are CentOS7 KVM virtual machines, one the internet-connected 
> router, and the other in the DMZ.
> 
> I've gone through the docs and there seem to be two methods of 
> port-forwarding, and neither works in the router:
> DNAT   net dmz:10.1.1.30 tcp http,https
> ... and
> Web(DNAT) net   dmz:10.1.1.30
> Web(ACCEPT) local dmz:10.1.1.30
> (Of course 10.1.1.30 is the dmz web server)
> 
> 
> 
> I checked both using a remote OpenStack VM.  And I'd previously used that OS 
> VM to check that port 80, 443, etc could get through my ISP to the 
> router/firewall, and they can.  But port-forwarding simply does not work in 
> the router.  I even tried the port 5000 mapped to 80 trick and no dice.
> 
> I turned off SELinux, and set aside my sysctl.conf security file, and no 
> better.  I can reach the webserver in the dmz from the local LAN, so the 
> problem must be in port forwarding.  There are no error messages in dmesg.
> 
> I've forwarded the dump to Tom.





Re: [Shorewall-users] DNAT Not Working

2017-11-19 Thread Colony.three via Shorewall-users
> Do you have firewall rules to allow that traffic through?  Pretty much every
> time I can’t get something like this to work it turns out to be because it’s
> blocked by the firewall.
>
>   -Les

Sure.  That's the purpose of the NAT command isn't it?

Anyway, there are no error messages in dmesg whatsoever related to the source 
IP.  It should log them if it's blocking something, right?  Policy is set to:
local   all     REJECT  info(uid,tcp_options)
net     all     DROP    info(uid,tcp_options)
dmz     all     DROP    info(uid,tcp_options)
all     all     REJECT  info(uid,tcp_options)

If not, this is the reason I said earlier that half the time Shorewall blocks 
but doesn't log messages.
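Added example, not code from the thread or from Shorewall itself: a small Python triage script that turns the checks walked through in this thread into one routine. It diffs the DNAT rule's packet counter between two `shorewall show nat` snapshots (the FAQ 1b step in the first message), scans kernel log lines for DROP/REJECT entries from the `info` policies shown above that name the test client, and combines both with whether the tcpdump on the external interface saw anything. All `shorewall show nat` output and log lines below are constructed samples using the thread's addresses; the log prefix `Shorewall:<chain>:<disposition>:` is assumed to be the default LOGFORMAT, and the chain names and the `diagnose` wording are this example's own.

```python
"""Triage helper for a Shorewall DNAT rule that never fires.

Added example (not from the thread). Inputs are constructed sample text:
the output of `shorewall show nat` before and after a test connection,
and kernel log lines as produced by Shorewall's `info` policies.
"""
import re

# Constructed sample: `shorewall show nat` before and after `curl` from the client.
NAT_BEFORE = """\
pkts bytes target prot opt in out source      destination
   2   128 DNAT   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   multiport dports 80,443 to:10.1.1.30
"""
NAT_AFTER_NO_TRAFFIC = NAT_BEFORE  # counter stays at 2, as in the thread
NAT_AFTER_HIT = """\
pkts bytes target prot opt in out source      destination
   3   188 DNAT   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   multiport dports 80,443 to:10.1.1.30
"""

# Constructed sample kernel log lines; prefix format assumed to be the default
# "Shorewall:<chain>:<disposition>:" LOGFORMAT, chain names invented for the example.
KLOG_SAMPLE = [
    "kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=50.35.109.212 PROTO=TCP SPT=51000 DPT=23",
    "kernel: Shorewall:net-dmz:DROP:IN=eth0 OUT=eth1 SRC=72.251.232.105 DST=10.1.1.30 PROTO=TCP SPT=40000 DPT=80",
]

# One iptables-style counter line for a DNAT rule with a multiport dports match.
NAT_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+DNAT\s+(\S+)\s.*?dports\s+([\d,]+)\s+to:(\S+)")
# Fields of a Shorewall LOG entry that matter for matching a test client.
LOG_LINE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):.*?SRC=(?P<src>\S+).*?DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)"
)


def dnat_counters(show_nat_output):
    """Map (dports, to-address) -> packet count for every DNAT line in the output."""
    counters = {}
    for line in show_nat_output.splitlines():
        m = NAT_LINE.match(line)
        if m:
            pkts, _bytes, _proto, dports, target = m.groups()
            counters[(dports, target)] = int(pkts)
    return counters


def dnat_hits(before, after):
    """Per-rule packet delta between the two snapshots (0 means the rule never matched)."""
    b, a = dnat_counters(before), dnat_counters(after)
    return {rule: a.get(rule, 0) - b.get(rule, 0) for rule in a}


def blocked_entries(log_lines, src_ip):
    """Shorewall DROP/REJECT log entries whose SRC is the test client."""
    found = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("src") == src_ip and m.group("disp") in ("DROP", "REJECT"):
            found.append((m.group("chain"), m.group("disp"), m.group("dst"), int(m.group("dpt"))))
    return found


def diagnose(before, after, log_lines, src_ip, capture_saw_packets):
    """Name the layer at which the test connection was lost."""
    hits = dnat_hits(before, after)
    if not capture_saw_packets and not any(hits.values()):
        return ("no packets from the client reached the external interface; "
                "look upstream of the firewall (ISP, cloud security group, public IP)")
    blocked = blocked_entries(log_lines, src_ip)
    if blocked:
        chain, disp, dst, dpt = blocked[0]
        return f"packet reached the firewall but was {disp} in chain {chain} (dst {dst}:{dpt})"
    if any(hits.values()):
        return ("DNAT rule matched; if the client still times out, check the dmz host's "
                "default gateway and the dmz-to-net reply path")
    return ("packets arrived but neither the DNAT rule nor a logged policy matched; "
            "check the rule's ORIGINAL DEST and interface columns")


if __name__ == "__main__":
    # Reproduce the thread's observation: counter stuck at 2 and an empty capture.
    print(diagnose(NAT_BEFORE, NAT_AFTER_NO_TRAFFIC, [], "72.251.232.105", False))
```

On a real router the two snapshots come from running `shorewall reset` followed by `shorewall show nat` before and after the remote `curl`, and the log lines from `dmesg` or `journalctl -k`; the `capture_saw_packets` flag is simply whether the `tcpdump` on the external interface printed any line for the client's address.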


[Shorewall-users] DNAT Not Working

2017-11-19 Thread Colony.three via Shorewall-users
Hello, I can not get DNAT to work to save my life.

All machines are CentOS7 KVM virtual machines, one the internet-connected 
router, and the other in the DMZ.

I've gone through the docs and there seem to be two methods of port-forwarding, 
and neither works in the router:
DNAT   net dmz:10.1.1.30 tcp http,https
... and
Web(DNAT) net   dmz:10.1.1.30
Web(ACCEPT) local dmz:10.1.1.30
(Of course 10.1.1.30 is the dmz web server)

I checked both using a remote OpenStack VM.  And I'd previously used that OS VM 
to check that port 80, 443, etc could get through my ISP to the 
router/firewall, and they can.  But port-forwarding simply does not work in the 
router.  I even tried the port 5000 mapped to 80 trick and no dice.

I turned off SELinux, and set aside my sysctl.conf security file, and no 
better.  I can reach the webserver in the dmz from the local LAN, so the 
problem must be in port forwarding.  There are no error messages in dmesg.

I've forwarded the dump to Tom.