Re: [Shorewall-users] DNAT Not Working
I've set ACCEPT rules for net to $FW and net to dmz (not sure which applies) for http and https. Going through the FAQ here: http://shorewall.net/FAQ.htm#faq1a

- I'm testing from a remote OpenStack VM (Internap) using:

  # curl -v http://50.35.109.212
  * About to connect() to 50.35.109.212 port 80 (#0)
  *   Trying 50.35.109.212...
  * Connection timed out
  * Failed connect to 50.35.109.212:80; Connection timed out
  * Closing connection 0
  curl: (7) Failed connect to 50.35.109.212:80; Connection timed out

- The gateway on the dmz server is set to 10.15.15.2, which is the dmz inside interface on the router. And it can access The Internets fine using SNAT.
- I've previously confirmed that 80 can reach through my ISP.
- Running CentOS 7.4.

http://shorewall.net/FAQ.htm#faq1b

(On router)
  # shorewall reset
  Shorewall Counters Reset
  # shorewall show nat
   pkts bytes target     prot opt in     out     source               destination
      2   128 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multipo
  ... note: instantly there is a count of 2 when I haven't done anything.

(On router)
  # shorewall reset
  # shorewall show nat
      2   128 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 to:10.1.1.30

(On remote)
  # curl -v http://50.35.109.212

(On router)
  # shorewall show nat
      2   128 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 to:10.1.1.30
  ... note count remains 2.

- I'd previously set my SSHd server on the router to listen on 80, 443, 587, etc., and I could always SSH in to the router from the remote machine. So those ports aren't blocked, unless it's a protocol-sensitive block.

- I can not understand this second possibility: "you are trying to connect to a secondary IP address on your firewall and your rule is only redirecting the primary IP address (You need to specify the secondary IP address in the "ORIG. DEST." column in your DNAT rule); or"

- (On router - 50.35.109.212)
  # tcpdump |grep 72.251.232.105
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

  (On remote machine - 72.251.232.105)
  # curl -v http://50.35.109.212

  (On router) zip, even after curl times out.

- And the last possibility (On router):
  # ifconfig
  eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
          inet 50.35.109.212  netmask 255.255.240.0  broadcast 50.35.111.255

I can't see what is wrong.

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
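The FAQ 1b procedure the poster is following (reset counters, show the nat table, attempt the connection, show it again) reduces to one question: did the DNAT rule's packet counter move? The following is an added example, not code from the thread or from Shorewall; it parses two constructed snapshots in the shape of `shorewall show nat` (i.e. `iptables -t nat -L -n -v`) and reports which of the FAQ's three situations applies. The snapshot text and the "hit" case are constructed; the rule line mirrors the one quoted above.

```python
"""Compare two `shorewall show nat` snapshots to see whether a DNAT rule matched a test connection.

Note: the nat table only sees the first packet of each connection, so one curl attempt
moves the DNAT counter by exactly one packet (the SYN), not by the whole exchange.
"""
import re
from typing import Dict, Tuple

# Constructed sample output mirroring the layout of `iptables -t nat -L -n -v`.
# Addresses follow the thread; the SNAT line and byte counts are invented for the example.
SNAPSHOT_BEFORE = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   128 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 to:10.1.1.30

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1088 SNAT       all  --  *      eth0    10.1.1.0/24          0.0.0.0/0            to:50.35.109.212
"""

# Case reported in the thread: the counter has not moved after the remote curl.
SNAPSHOT_AFTER_NO_HIT = SNAPSHOT_BEFORE

# Constructed alternative: the DNAT rule did see the test connection (one SYN, 60 bytes).
SNAPSHOT_AFTER_HIT = SNAPSHOT_BEFORE.replace("    2   128 DNAT", "    3   188 DNAT")

# One rule line: pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
# Destination-port spec as iptables prints it: "dpt:80", "dports 80,443" or "dports 8000:8100".
PORT_RE = re.compile(r"dports? ([\d,:]+)|dpt:(\d+)")


def _to_int(value: str) -> int:
    """iptables -v abbreviates large byte counts with K/M/G (multiples of 1000)."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if value[-1] in mult:
        return int(value[:-1]) * mult[value[-1]]
    return int(value)


def parse_counters(listing: str) -> Dict[str, Tuple[int, int]]:
    """Map 'CHAIN: target prot dst extra' -> (packets, bytes) for every rule line."""
    rules: Dict[str, Tuple[int, int]] = {}
    chain = ""
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # header, blank or policy line
        key = f"{chain}: {m['target']} {m['prot']} {m['dst']} {m['extra'].strip()}".strip()
        rules[key] = (int(m["pkts"]), _to_int(m["bytes"]))
    return rules


def counter_deltas(before: str, after: str) -> Dict[str, Tuple[int, int]]:
    """Per-rule (packet delta, byte delta) for rules present in both snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: (a[k][0] - b[k][0], a[k][1] - b[k][1]) for k in a if k in b}


def _rule_ports(rule_key: str) -> set:
    m = PORT_RE.search(rule_key)
    if not m:
        return set()
    ports = set()
    for part in (m.group(1) or m.group(2)).split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def dnat_verdict(before: str, after: str, port: int) -> str:
    """FAQ 1b decision: 'no-rule', 'no-packets' (nothing reached PREROUTING) or 'dnat-hit'."""
    seen, hits = False, 0
    for key, (pkts, _) in counter_deltas(before, after).items():
        if "DNAT" in key and port in _rule_ports(key):
            seen = True
            hits += pkts
    if not seen:
        return "no-rule"
    return "dnat-hit" if hits > 0 else "no-packets"


EXPLANATION = {
    "no-rule": "no DNAT rule for that port: check the rules file (and the ORIG. DEST. column "
               "if the public address is a secondary IP on the firewall)",
    "no-packets": "DNAT counter did not move: the SYN never reached nat PREROUTING; confirm "
                  "arrival with tcpdump on the external interface before suspecting the rules",
    "dnat-hit": "DNAT matched a new connection: translation works, so check the net->dmz ACCEPT "
                "rule and that the DMZ host's default route returns replies via the firewall",
}

if __name__ == "__main__":
    for label, after in (("thread", SNAPSHOT_AFTER_NO_HIT), ("constructed hit", SNAPSHOT_AFTER_HIT)):
        v = dnat_verdict(SNAPSHOT_BEFORE, after, 80)
        print(f"{label}: {v} -> {EXPLANATION[v]}")
```

Feed it the two listings you captured before and after the test curl; the "no-packets" result is exactly the poster's situation, and it points at tcpdump on the outside interface rather than at the rules file.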
Re: [Shorewall-users] DNAT Not Working
Do you have firewall rules to allow that traffic through? Pretty much every time I can't get something like this to work it turns out to be because it's blocked by the firewall.

-Les

> On 19 Nov 2017, at 13:01, Colony.three via Shorewall-users wrote:
>
> Hello, I can not get DNAT to work to save my life.
>
> All machines are CentOS7 KVM virtual machines, one the internet-connected
> router, and the other in the DMZ.
>
> I've gone through the docs and there seem to be two methods of
> port-forwarding, and neither works in the router:
>   DNAT net dmz:10.1.1.30 tcp http,https
> ... and
>   Web(DNAT) net dmz:10.1.1.30
>   Web(ACCEPT) local dmz:10.1.1.30
> (Of course 10.1.1.30 is the dmz web server)
>
> I checked both using a remote Openstack VM. And I'd previously used that OS
> VM to check that port 80, 443, etc could get through my ISP to the
> router/firewall, and they can. But port-forwarding simply does not work in
> the router. I even tried the port 5000 mapped to 80 trick and no dice.
>
> I turned off SELinux, and set aside my sysctl.conf security file, and no
> better. I can reach the webserver in the dmz from the local LAN, so the
> problem must be in port forwarding. There are no error messages in dmesg.
>
> I've forwarded the dump to Tom.
Re: [Shorewall-users] DNAT Not Working
> Do you have firewall rules to allow that traffic through? Pretty much every
> time I can't get something like this to work it turns out to be because it's
> blocked by the firewall.
> -Les

Sure. That's the purpose of the NAT command isn't it?

Anyway, there are no error messages in dmesg whatsoever related to the source IP. It should log them if it's blocking something, right? policy is set to:

  local   all   REJECT   info(uid,tcp_options)
  net     all   DROP     info(uid,tcp_options)
  dmz     all   DROP     info(uid,tcp_options)
  all     all   REJECT   info(uid,tcp_options)

If not, this is the reason I said earlier that half the time Shorewall blocks but doesn't log messages.
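The policy above logs every DROP and REJECT at `info`, so a blocked connection from the remote VM should appear in the kernel log. One reason a search by the public address finds nothing is that DNAT happens in PREROUTING, so a later filter-stage log entry for the forwarded connection carries the rewritten destination (10.1.1.30 here, with OUT set to the DMZ interface), not 50.35.109.212. The following is an added example, not code from the thread or from Shorewall: it parses netfilter LOG lines carrying a Shorewall-style `Shorewall:<chain>:<disposition>:` prefix and pulls out every entry for a given source address. The log lines are constructed for the example; chain names and field values are invented and only the two thread addresses are real.

```python
"""Find logged Shorewall drops/rejects for one source IP, reporting the post-DNAT destination."""
import re
from typing import Dict, List, Optional

# Constructed sample kernel log lines (netfilter LOG format, Shorewall-style prefix).
# Values are invented; the second line shows what a logged block of the forwarded
# connection would look like after DNAT rewrote the destination to the DMZ host.
SAMPLE_LOG = """\
Nov 19 13:02:11 router kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=50.35.109.212 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=40123 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 19 13:02:12 router kernel: Shorewall:net-dmz:DROP:IN=eth0 OUT=eth1 SRC=72.251.232.105 DST=10.1.1.30 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51514 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 19 13:02:40 router kernel: Shorewall:net-fw:REJECT:IN=eth0 OUT= SRC=203.0.113.9 DST=50.35.109.212 LEN=60 PROTO=UDP SPT=53 DPT=33434 LEN=40
Nov 19 13:03:01 router systemd[1]: Started Session 42 of user root.
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Return the interesting fields of one LOG line, or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {}
    for tok in m["fields"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # first LEN is the IP header's; keep it
        else:
            fields[tok] = True       # bare flags such as SYN, DF
    return {
        "chain": m["chain"],
        "disposition": m["disp"],
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def find_blocks(log: str, src_ip: str) -> List[Dict[str, object]]:
    """All logged entries whose SRC is the address we are testing from."""
    entries = (parse_log_line(line) for line in log.splitlines())
    return [e for e in entries if e and e["src"] == src_ip]


def summarize(entries: List[Dict[str, object]]) -> List[str]:
    """One human-readable line per entry; DST is the address after any DNAT."""
    return [f"{e['chain']} {e['disposition']} {e['proto']} {e['in']}->{e['out'] or 'local'} "
            f"dst {e['dst']}:{e['dpt']}" for e in entries]


if __name__ == "__main__":
    hits = find_blocks(SAMPLE_LOG, "72.251.232.105")
    for line in summarize(hits):
        print(line)
    if not hits:
        print("nothing logged for that source: the packet is either accepted, "
              "never arrived, or hit a rule whose disposition has no log level")
```

The DST field in the result is the post-translation address, which is why a search of the log for the public IP can come up empty even when the firewall did log the block.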
[Shorewall-users] DNAT Not Working
Hello, I can not get DNAT to work to save my life.

All machines are CentOS7 KVM virtual machines, one the internet-connected router, and the other in the DMZ.

I've gone through the docs and there seem to be two methods of port-forwarding, and neither works in the router:

  DNAT net dmz:10.1.1.30 tcp http,https

... and

  Web(DNAT) net dmz:10.1.1.30
  Web(ACCEPT) local dmz:10.1.1.30

(Of course 10.1.1.30 is the dmz web server)

I checked both using a remote Openstack VM. And I'd previously used that OS VM to check that port 80, 443, etc could get through my ISP to the router/firewall, and they can. But port-forwarding simply does not work in the router. I even tried the port 5000 mapped to 80 trick and no dice.

I turned off SELinux, and set aside my sysctl.conf security file, and no better. I can reach the webserver in the dmz from the local LAN, so the problem must be in port forwarding. There are no error messages in dmesg.

I've forwarded the dump to Tom.