Re: [Shorewall-users] DNAT Not Working

2017-11-20 Thread Tom Eastep
On 11/20/2017 11:30 AM, Colony.three via Shorewall-users wrote:
>>> If necessary, can I somehow enter it here as a system variable?
>>
>>
>> You can use 
>>
>> -Tom
> 
> Holy cow, this saves all kinds of scripted checks and saves!
> 
> Thanks for all your help Tom.
> 

You're most welcome.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] DNAT Not Working

2017-11-20 Thread Colony.three via Shorewall-users
>> If necessary, can I somehow enter it here as a system variable?

>> You can use 
>>
>> -Tom

Holy cow, this saves all kinds of scripted checks and saves!

Thanks for all your help Tom.


Re: [Shorewall-users] DNAT Not Working

2017-11-20 Thread Tom Eastep
On 11/20/2017 10:40 AM, Colony.three via Shorewall-users wrote:

> 
> By the mighty Hammer Of Thor, it works.  I don't understand why my
> remote curl or nc attempts didn't work.
> 
> When using:  Web(DNAT)    loc   dmz   -     - -   50.35.109.212
> ... is that last 50.35.109.212 necessary? (It may change periodically) 

Yes -- without it, all connections from the LAN to port 80 will go to
your DMZ server :-)

> If necessary, can I somehow enter it here as a system variable?

You can use 

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] DNAT Not Working

2017-11-20 Thread Colony.three via Shorewall-users
> On 11/20/2017 09:27 AM, Colony.three via Shorewall-users wrote:
>
>>> Are you sure this isn't working. I can connect to the firewall's
>>> external IP on port 80 and I get the Quantum Equities web site.
>>>
>>> -Tom
>>>
>>
>> Hm, that's odd.  My remote OpenStack instance is CentOS Minimal so no
>> GUI.  I have to use curl to test, and it times out.  nc also times out.
>> This is from a VM at Internap, which I ssh in to from my LAN.  No dmesg
>> errors anywhere.  The shorewall counter increments to 2 immediately on
>> clear, but never increments on curl nor nc from Internap.
>>
>> Well -- I can browse quantum-equities.com from my local LAN just fine.
>> And from inside my LAN I can't pull up quantum-equities.com. (LAN
>> laptop==>routerSNAT==>internet/50.35.109.212
>> http://50.35.109.212==>routerNATxxx)
>> You mention several times in the docs that accessing it from inside
>> doesn't work, but I don't understand the dynamics.  I should be able to
>> pull up this domain name from inside the LAN through the router's
>> external interface, as a regular website shouldn't I?
>>
>> From inside the LAN connected to the Shorewall system, you must also use
>> DNAT if you want to access DMZ servers via the firewall external IP:
>>
>> DNAT loc dmz tcp 80 - 50.35.109.212
>>
>> or
>>
>> Web(DNAT) loc dmz - - - 50.35.109.212
>>
>> The latter also DNATs port 443 which apparently isn't being used on the
>> Quantum website.
>>
>> -Tom

By the mighty Hammer Of Thor, it works.  I don't understand why my remote curl 
or nc attempts didn't work.

When using:  Web(DNAT)   loc   dmz   -   -   -   50.35.109.212
... is that last 50.35.109.212 necessary? (It may change periodically)  If 
necessary, can I somehow enter it here as a system variable?

I haven't been able to get SSL running as certbot (LetsEncrypt) couldn't verify 
my domain.  But now it should be able to.


Re: [Shorewall-users] DNAT Not Working

2017-11-20 Thread Tom Eastep
On 11/20/2017 09:27 AM, Colony.three via Shorewall-users wrote:
> 
>> Are you sure this isn't working. I can connect to the firewall's
>> external IP on port 80 and I get the Quantum Equities web site.
>>
>> -Tom
>>
>>
>>
> 
> Hm, that's odd.  My remote OpenStack instance is CentOS Minimal so no
> GUI.  I have to use curl to test, and it times out.  nc also times out. 
> This is from a VM at Internap, which I ssh in to from my LAN.  No dmesg
> errors anywhere.  The shorewall counter increments to 2 immediately on
> clear, but never increments on curl nor nc from Internap.

Well -- I can browse quantum-equities.com from my local LAN just fine.
> 
> And from inside my LAN I can't pull up quantum-equities.com. (LAN
> laptop==>routerSNAT==>internet/50.35.109.212
> ==>routerNATxxx)
> 
> You mention several times in the docs that accessing it from inside
> doesn't work, but I don't understand the dynamics.  I should be able to
> pull up this domain name from inside the LAN through the router's
> external interface, as a regular website shouldn't I?

From inside the LAN connected to the Shorewall system, you must also use
DNAT if you want to access DMZ servers via the firewall external IP:

DNAT        loc   dmz   tcp   80   -   50.35.109.212

or

Web(DNAT)   loc   dmz   -     -    -   50.35.109.212

The latter also DNATs port 443 which apparently isn't being used on the
Quantum website.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___
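Tom's point about the last column (without ORIGINAL DEST, every LAN connection to port 80 is forwarded to the DMZ server) can be checked against a small model of the rule matching. This is an added example, not Shorewall's code: parse_rule follows the column order used in this thread, the DMZ server dmz:10.1.1.30 is the one from the first post, and 203.0.113.10 is a constructed unrelated site.

```python
"""Model of Shorewall DNAT rule matching, with and without the ORIGINAL DEST
column.  Added example (not Shorewall's own code): it reproduces only the
first-match semantics discussed above, not the iptables chains Shorewall builds."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# The Web macro covers tcp 80 and 443, which is why Web(DNAT) also forwards 443.
MACROS = {"Web": ("tcp", frozenset({80, 443}))}
SERVICES = {"http": 80, "https": 443}   # names used in the original post's rule


@dataclass(frozen=True)
class Rule:
    src_zone: str
    server: str                      # DEST column: zone[:address] to forward to
    proto: str                       # "tcp", "udp" or "-" (any)
    dports: FrozenSet[int]           # empty = any port
    origdest: Optional[str]          # ORIGINAL DEST column; None = any address


def port_set(spec: str) -> FrozenSet[int]:
    if spec == "-":
        return frozenset()
    return frozenset(int(p) if p.isdigit() else SERVICES[p] for p in spec.split(","))


def parse_rule(line: str) -> Rule:
    """Parse one rule in the column order used in the thread:
    ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST (trailing columns optional)."""
    cols = line.split()
    cols += ["-"] * (7 - len(cols))
    action, src, dest, proto, dport, _sport, origdest = cols[:7]
    if "(" in action:                       # macro form, e.g. Web(DNAT)
        proto, ports = MACROS[action.split("(")[0]]
    else:
        ports = port_set(dport)
    return Rule(src, dest, proto, ports, None if origdest == "-" else origdest)


def dnat_target(rules, src_zone, dst_ip, proto, dport):
    """Address a new connection is forwarded to, or None if no rule matches
    (the packet then keeps its original destination)."""
    for r in rules:
        if r.src_zone != src_zone:
            continue
        if r.proto != "-" and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.origdest is not None and r.origdest != dst_ip:
            continue
        return r.server
    return None


FW_EXTERNAL = "50.35.109.212"      # firewall's public address (from the thread)
WEB_SERVER = "dmz:10.1.1.30"       # DMZ web server (from the original post)
OTHER_SITE = "203.0.113.10"        # constructed: an unrelated public web site

# Tom's rule with ORIGINAL DEST, and the same rule with the column left out.
HAIRPIN_SAFE = parse_rule(f"Web(DNAT) loc {WEB_SERVER} - - - {FW_EXTERNAL}")
HAIRPIN_OPEN = parse_rule(f"Web(DNAT) loc {WEB_SERVER}")
# The original net->dmz rule from the first post.
NET_RULE = parse_rule(f"DNAT net {WEB_SERVER} tcp http,https")


def lan_to_firewall(rules):
    """LAN client browsing the firewall's own public address on port 80."""
    return dnat_target(rules, "loc", FW_EXTERNAL, "tcp", 80)


def lan_to_internet(rules):
    """LAN client browsing some unrelated site on port 443."""
    return dnat_target(rules, "loc", OTHER_SITE, "tcp", 443)


if __name__ == "__main__":
    print("net -> firewall:443, net rule :", dnat_target([NET_RULE], "net", FW_EXTERNAL, "tcp", 443))
    print("LAN hairpin, net rule only    :", lan_to_firewall([NET_RULE]))      # None: why it failed
    print("LAN hairpin, with ORIG DEST   :", lan_to_firewall([HAIRPIN_SAFE]))
    print("LAN -> other site, ORIG DEST  :", lan_to_internet([HAIRPIN_SAFE]))  # untouched
    print("LAN -> other site, no column  :", lan_to_internet([HAIRPIN_OPEN]))  # hijacked
```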





Re: [Shorewall-users] DNAT Not Working

2017-11-20 Thread Colony.three via Shorewall-users
> Are you sure this isn't working. I can connect to the firewall's
> external IP on port 80 and I get the Quantum Equities web site.
>
> -Tom
>

Hm, that's odd.  My remote OpenStack instance is CentOS Minimal so no GUI.  I 
have to use curl to test, and it times out.  nc also times out.  This is from a 
VM at Internap, which I ssh in to from my LAN.  No dmesg errors anywhere.  The 
shorewall counter increments to 2 immediately on clear, but never increments on 
curl nor nc from Internap.

And from inside my LAN I can't pull up quantum-equities.com. (LAN 
laptop==>routerSNAT==>internet/50.35.109.212==>routerNATxxx)

You mention several times in the docs that accessing it from inside doesn't 
work, but I don't understand the dynamics.  I should be able to pull up this 
domain name from inside the LAN through the router's external interface, as a 
regular website shouldn't I?

If I can't, this implies that email won't work either.


Re: [Shorewall-users] DNAT Not Working

2017-11-20 Thread Tom Eastep
On 11/19/2017 01:01 PM, Colony.three via Shorewall-users wrote:
> Hello, I can not get DNAT to work to save my life.
> 
> All machines are CentOS7 KVM virtual machines, one the
> internet-connected router, and the other in the DMZ.
> 
> I've gone through the docs and there seem to be two methods of
> port-forwarding, and neither works in the router:
> DNAT   net dmz:10.1.1.30 tcp http,https
> ... and
> Web(DNAT) net   dmz:10.1.1.30
> Web(ACCEPT) local dmz:10.1.1.30
> (Of course 10.1.1.30 is the dmz web server)
> 
> 
> 
> I checked both using a remote Openstack VM.  And I'd previously used
> that OS VM to check that port 80, 443, etc could get through my ISP to
> the router/firewall, and they can.  But port-forwarding simply does not
> work in the router.  I even tried the port 5000 mapped to 80 trick and
> no dice.
> 
> I turned off SELinux, and set aside my sysctl.conf security file, and no
> better.  I can reach the webserver in the dmz from the local LAN, so the
> problem must be in port forwarding.  There are no error messages in dmesg.
> 
> I've forwarded the dump to Tom.
> 

Are you sure this isn't working. I can connect to the firewall's
external IP on port 80 and I get the Quantum Equities web site.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] DNAT Not Working

2017-11-19 Thread Colony.three via Shorewall-users
I've set ACCEPT rules for net to $FW and net to dmz (not sure which applies) 
for http and https.

Going through the FAQ here:  http://shorewall.net/FAQ.htm#faq1a
- I'm testing from a remote OpenStack VM (Internap) using:
# curl -v http://50.35.109.212
* About to connect() to 50.35.109.212 port 80 (#0)
*   Trying 50.35.109.212...
* Connection timed out
* Failed connect to 50.35.109.212:80; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 50.35.109.212:80; Connection timed out

- The gateway on the dmz server is set to 10.15.15.2, which is the dmz inside 
interface on the router.  And it can access The Internets fine using SNAT.
- I've previously confirmed that 80 can reach through my ISP.
- Running CentOS7.4.

http://shorewall.net/FAQ.htm#faq1b
(On router)
# shorewall reset
Shorewall Counters Reset
# shorewall show nat
pkts bytes target prot opt in  out source    destination
   2   128 DNAT   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0
multipo
... note: instantly there is a count of 2 when I haven't done anything.
(On router)
# shorewall reset
# shorewall show nat
   2   128 DNAT   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 to:10.1.1.30
(On remote)
# curl -v http://50.35.109.212
(On router)
# shorewall show nat
   2   128 DNAT   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 to:10.1.1.30
... note count remains 2.

- I'd previously set my SSHd server on the router to listen on 80, 443, 587, 
etc, and I could always SSH in to the router from the remote machine.  So those 
ports aren't blocked, unless it's a protocol-sensitive block.
-  I can not understand this second possibility:  "you are trying to connect to 
a secondary IP address on your firewall and your rule is only redirecting the 
primary IP address (You need to specify the secondary IP address in the “ORIG. 
DEST.” column in your DNAT rule); or"
- (On router - 50.35.109.212)
# tcpdump |grep 72.251.232.105
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
(On remote machine - 72.251.232.105)
# curl -v http://50.35.109.212
(On router: zip, even after curl times out.)

- And the last possibility (On router):
# ifconfig
eth0: flags=4163  mtu 1500
inet 50.35.109.212  netmask 255.255.240.0  broadcast 50.35.111.255

I can't see what is wrong.
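The FAQ 1b counter check done above by hand can be scripted. This is an added example, not part of Shorewall: it parses two `shorewall show nat` snapshots (constructed from the output pasted above; the `Chain net_dnat` header line is assumed) and reports whether the DNAT rule for the tested port saw any packets between them.

```python
"""Compare two 'shorewall show nat' snapshots as in the FAQ 1b procedure:
reset counters, snapshot, run the remote curl, snapshot again, and check whether
the DNAT rule for the tested port saw any packets.  Added example, not part of
Shorewall; the snapshots are constructed from the output pasted in the post."""
import re

# Constructed from the post: the 'Chain' header is assumed, the counter line and
# its wrapped 'multiport' continuation are as pasted.
BEFORE = """\
Chain net_dnat (1 references)
pkts bytes target prot opt in  out source    destination
   2   128 DNAT   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 to:10.1.1.30
"""
# Constructed: what the second snapshot looks like when the test request
# actually reaches the DNAT rule (three more packets).
AFTER_HIT = """\
Chain net_dnat (1 references)
pkts bytes target prot opt in  out source    destination
   5   308 DNAT   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 to:10.1.1.30
"""

RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+--\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")


def parse_nat_counters(text):
    """Return {(target, proto, src, dst, match-options): pkts}; a line that does
    not start with counters (the wrapped 'multiport ...' part) is appended to
    the options of the rule above it."""
    rows = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, _bytes, target, proto, _in, _out, src, dst, extra = m.groups()
            rows.append([int(pkts), target, proto, src, dst, extra.strip()])
        elif rows and line.strip() and not line.startswith(("Chain", "pkts")):
            rows[-1][5] = (rows[-1][5] + " " + line.strip()).strip()
    return {(t, p, s, d, e): pkts for pkts, t, p, s, d, e in rows}


def dnat_rules_for_port(counters, port):
    """Keys of DNAT rules whose dports include the tested port."""
    keys = []
    for key in counters:
        target, extra = key[0], key[4]
        m = re.search(r"dports? (\S+)", extra)
        ports = {int(p) for p in m.group(1).split(",")} if m else set()
        if target == "DNAT" and port in ports:
            keys.append(key)
    return keys


def check_dnat_hit(before, after, port):
    """('hit', delta) if the DNAT rule's packet counter rose between the
    snapshots; ('no-hit', 0) if it did not, i.e. the request never reached the
    firewall's nat table and the next step is tcpdump on the external
    interface, as in the post; ('no-rule', 0) if no DNAT rule covers the port."""
    b, a = parse_nat_counters(before), parse_nat_counters(after)
    for key in dnat_rules_for_port(b, port):
        if key in a:
            delta = a[key] - b[key]
            return ("hit" if delta > 0 else "no-hit"), delta
    return "no-rule", 0


if __name__ == "__main__":
    print(check_dnat_hit(BEFORE, BEFORE, 80))       # ('no-hit', 0): the thread's case
    print(check_dnat_hit(BEFORE, AFTER_HIT, 443))   # ('hit', 3)
    print(check_dnat_hit(BEFORE, AFTER_HIT, 22))    # ('no-rule', 0)
```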


Re: [Shorewall-users] DNAT Not Working

2017-11-19 Thread Les Niles
Do you have firewall rules to allow that traffic through?  Pretty much every 
time I can’t get something like this to work it turns out to be because it’s 
blocked by the firewall.

  -Les





Re: [Shorewall-users] DNAT Not Working

2017-11-19 Thread Colony.three via Shorewall-users
> Do you have firewall rules to allow that traffic through?  Pretty much every
> time I can’t get something like this to work it turns out to be because it’s
> blocked by the firewall.

>   -Les

Sure.  That's the purpose of the NAT command isn't it?

Anyway, there are no error messages in dmesg whatsoever related to the source 
IP.  It should log them if it's blocking something, right?  policy is set to:
local   all   REJECT   info(uid,tcp_options)
net     all   DROP     info(uid,tcp_options)
dmz     all   DROP     info(uid,tcp_options)
all     all   REJECT   info(uid,tcp_options)

If not, this is the reason I said earlier that half the time Shorewall blocks 
but doesn't log messages.


[Shorewall-users] DNAT Not Working

2017-11-19 Thread Colony.three via Shorewall-users
Hello, I can not get DNAT to work to save my life.

All machines are CentOS7 KVM virtual machines, one the internet-connected 
router, and the other in the DMZ.

I've gone through the docs and there seem to be two methods of port-forwarding, 
and neither works in the router:
DNAT   net dmz:10.1.1.30 tcp http,https
... and
Web(DNAT) net   dmz:10.1.1.30
Web(ACCEPT) local dmz:10.1.1.30
(Of course 10.1.1.30 is the dmz web server)

I checked both using a remote Openstack VM.  And I'd previously used that OS VM 
to check that port 80, 443, etc could get through my ISP to the 
router/firewall, and they can.  But port-forwarding simply does not work in the 
router.  I even tried the port 5000 mapped to 80 trick and no dice.

I turned off SELinux, and set aside my sysctl.conf security file, and no 
better.  I can reach the webserver in the dmz from the local LAN, so the 
problem must be in port forwarding.  There are no error messages in dmesg.

I've forwarded the dump to Tom.


[Shorewall-users] DNAT not working

2013-03-19 Thread Donald S. Doyle
Hello,

I have a DNAT rule to a Linux server and that is working great!  I have
another DNAT rule to a Server 2008 system and I am not getting through.  Now
what the heck am I doing wrong?

Have a great day,

Donald S. Doyle



Re: [Shorewall-users] DNAT not working

2013-03-19 Thread Tom Eastep
On 03/19/2013 11:21 AM, Donald S. Doyle wrote:
> Hello,
>
> I have a DNAT rule to a Linux server and that is working great!  I have
> another DNAT rule to a Server 2008 system and I am not getting through.
> Now what the heck am I doing wrong?

Have you followed the DNAT troubleshooting procedure described in FAQs
1a and 1b?

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] DNAT not working

2013-03-19 Thread Donald S. Doyle
Hi Tom,

I followed them after you pointed me in that direction.  I did not make any
changes, but now it works!

Thanks for your help.

Have a great day,

Donald S. Doyle


Re: [Shorewall-users] DNAT not working

2010-03-07 Thread Tom Eastep
dennis wrote:
> Hi I am having a problem with a DNAT rule where the packets being REJECT'd:
>
> DNAT:info   net   priv:192.168.6.15   udp   5060
>
> With the following appearing in the log:
>
> Mar  6 11:59:30 ipcop kernel: Shorewall:net2fw:REJECT:IN=eth3 OUT=
> MAC=00:09:6b:6e:48:e8:00:1d:20:fa:46:90:08:00 SRC=71.216.136.25
> DST=67.138.129.66 LEN=629 TOS=0x10 PREC=0xA0 TTL=50 ID=28000 PROTO=UDP
> SPT=5060 DPT=5060 LEN=609
> Mar  6 11:59:34 ipcop kernel: Shorewall:net2fw:REJECT:IN=eth3 OUT=
> MAC=00:09:6b:6e:48:e8:00:1d:20:fa:46:90:08:00 SRC=71.216.136.25
> DST=67.138.129.66 LEN=629 TOS=0x10 PREC=0xA0 TTL=50 ID=28001 PROTO=UDP
> SPT=5060 DPT=5060 LEN=609
>
> I am confused why this is not working. Do I have a typo somewhere or is
> there a configuration problem?  My other DNATs are working just fine.
> Can someone please help explain to me what the problem might be.

Most likely, you have networking starting before Shorewall during boot
(this is normal). That leaves an opportunity for SIP packets to arrive
between those start events (after networking is enabled but before the
appropriate DNAT rule is in place). Given that the remote host always
uses source port 5060, once a packet is received the connection tracking
entry is in place.

I recommend that you:

a) Install the conntrack utility.
b) Add this to your /etc/shorewall/started script:

[ $COMMAND = start ] && conntrack -F

Once you have installed the utility, simply running 'conntrack -F' as
root should correct the problem.

Warning: That command flushes the connection tracking table so it may
cause some existing connections to be disrupted.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \
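A way to spot the symptom Tom describes in a log, as an added example (not Shorewall's code or the conntrack tool's): it parses the Shorewall kernel log records quoted above, matches them against the DNAT rule from the post, and flags packets that hit net2fw although a DNAT rule should have sent them on to net2priv. The cleanup_command helper is my narrower alternative to the full flush and assumes conntrack-tools' -p/-s/--dport flag spelling.

```python
"""Spot the symptom Tom diagnoses above: traffic a DNAT rule should forward to
another zone is instead logged as rejected in the net2fw chain, which is what a
stale conntrack entry (created before the DNAT rule existed) produces.
Added example, not Shorewall's code."""
import re

# Constructed sample: the two records from dennis's post re-joined onto single
# lines, plus one unrelated telnet probe (198.51.100.7) that is correctly rejected.
SAMPLE_LOG = """\
Mar  6 11:59:30 ipcop kernel: Shorewall:net2fw:REJECT:IN=eth3 OUT= MAC=00:09:6b:6e:48:e8:00:1d:20:fa:46:90:08:00 SRC=71.216.136.25 DST=67.138.129.66 LEN=629 TOS=0x10 PREC=0xA0 TTL=50 ID=28000 PROTO=UDP SPT=5060 DPT=5060 LEN=609
Mar  6 11:59:34 ipcop kernel: Shorewall:net2fw:REJECT:IN=eth3 OUT= MAC=00:09:6b:6e:48:e8:00:1d:20:fa:46:90:08:00 SRC=71.216.136.25 DST=67.138.129.66 LEN=629 TOS=0x10 PREC=0xA0 TTL=50 ID=28001 PROTO=UDP SPT=5060 DPT=5060 LEN=609
Mar  6 12:00:01 ipcop kernel: Shorewall:net2fw:REJECT:IN=eth3 OUT= SRC=198.51.100.7 DST=67.138.129.66 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=23
"""
# The DNAT rule from the post (ACTION SOURCE DEST PROTO DPORT).
RULES = ["DNAT:info   net   priv:192.168.6.15   udp   5060"]

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)")


def parse_log_line(line):
    """Return the chain, disposition and KEY=VALUE fields of one Shorewall log
    record, or None for lines that are not Shorewall records."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        rec.setdefault(key, value)      # LEN appears twice; keep the IP-header one
    return rec


def parse_dnat_rules(lines):
    """Map (source zone, proto, dport) -> destination zone for each DNAT rule."""
    dnat = {}
    for line in lines:
        cols = line.split()
        if len(cols) < 5 or cols[0].split(":")[0] != "DNAT":
            continue
        src_zone, dest_zone = cols[1], cols[2].split(":")[0]
        for port in cols[4].split(","):
            dnat[(src_zone, cols[3].lower(), int(port))] = dest_zone
    return dnat


def find_bypassed_dnat(log_text, rules):
    """Rejected/dropped packets whose (zone, proto, port) has a DNAT rule but
    which were logged in the <zone>2fw chain, i.e. they were never rewritten.
    Chain names are split on the first '2', so zone names must not contain one."""
    dnat = parse_dnat_rules(rules)
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec or rec["disposition"] not in ("REJECT", "DROP"):
            continue
        src_zone, _, dst_zone = rec["chain"].partition("2")   # "net2fw" -> net, fw
        key = (src_zone, rec.get("PROTO", "").lower(), int(rec.get("DPT", 0)))
        if dst_zone == "fw" and key in dnat:
            findings.append({"src": rec["SRC"], "proto": key[1], "dport": key[2],
                             "seen_in": rec["chain"],
                             "expected_chain": f"{src_zone}2{dnat[key]}"})
    return findings


def cleanup_command(finding):
    """Narrower alternative to 'conntrack -F' (assumed conntrack-tools flag
    spelling): delete only the stale entries for this source and port."""
    return (f"conntrack -D -p {finding['proto']} -s {finding['src']} "
            f"--dport {finding['dport']}")


if __name__ == "__main__":
    for f in find_bypassed_dnat(SAMPLE_LOG, RULES):
        print(f"{f['src']} {f['proto']}/{f['dport']} hit {f['seen_in']} "
              f"instead of {f['expected_chain']}; try: {cleanup_command(f)}")
```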





Re: [Shorewall-users] DNAT not working

2010-03-07 Thread dennis
Thanks for the help.  I tried the command conntrack -F from the
command line and it had no effect until I restarted shorewall too. I
guess that was the part I was missing.  So in general is this a race
condition in iptables that will happen randomly from time to time?  I
am just trying to understand what is the root cause of this problem and
if kernel or iptable upgrades will help solve the problem.

Thanks again.



Re: [Shorewall-users] DNAT not working

2010-03-07 Thread Tom Eastep
dennis wrote:
> So in general is this a race
> condition in iptables that will happen randomly from time to time?  I
> am just trying to understand what is the root cause of this problem and
> if kernel or iptable upgrades will help solve the problem.

I can't possibly answer that question -- you haven't even told us what
version of Shorewall you are running and if you are using
Shorewall-shell or Shorewall-perl.

Hint: /sbin/shorewall version -a

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \





Re: [Shorewall-users] DNAT Not Working; Attempts Not Logged

2006-12-11 Thread Fábio Rabelo
What distribution ?
Did you set  ip forward = on  in the kernel ??

Fábio Rabelo

[EMAIL PROTECTED] wrote:
> System: Tinysofa 2 (Odin)
> Shorewall ver. 3.2.5
> interfaces:
> net   eth0   192.168.111.2   mask 255.255.255.252   gw 192.168.111.1
> loc   eth1   192.168.0.11    mask 255.255.255.0
>
> trying to forward HTTP connections from 192.168.111.1 (net) on eth0
> (net) to local address 192.168.0.9 (a web server) - attempts not even
> logged (using debug setting for logging all new connections), while SSH
> connections are logged (successful or not).
>
> rule from /etc/shorewall/rules:
>
> DNAT   net   loc:192.168.0.9   tcp   http
>
> (tried 'DNAT   net   loc:192.168.0.9   tcp   80' - doesn't work
> either).




Re: [Shorewall-users] DNAT Not Working; Attempts Not Logged

2006-12-11 Thread g.yordanov
Distro = tinysofa 2 (kernel 2.6.9)

ip forward = on

Joro



Re: [Shorewall-users] DNAT Not Working; Attempts Not Logged

2006-12-11 Thread Kiss Gábor
[EMAIL PROTECTED] wrote:
> rule from /etc/shorewall/rules:
>
> DNAT   net   loc:192.168.0.9   tcp   http
>
try this:

DNAT   net   loc:192.168.0.9:80   tcp   80

Gabor Kiss





Re: [Shorewall-users] DNAT Not Working; Attempts Not Logged

2006-12-11 Thread Tom Eastep
[EMAIL PROTECTED] wrote:
> System: Tinysofa 2 (Odin)
> Shorewall ver. 3.2.5
> interfaces:
> net   eth0   192.168.111.2   mask 255.255.255.252   gw 192.168.111.1
> loc   eth1   192.168.0.11    mask 255.255.255.0
>
> trying to forward HTTP connections from 192.168.111.1 (net) on eth0
> (net) to local address 192.168.0.9 (a web server) - attempts not even
> logged (using debug setting for logging all new connections), while SSH
> connections are logged (successful or not).
>
> rule from /etc/shorewall/rules:
>
> DNAT   net   loc:192.168.0.9   tcp   http
>
> (tried 'DNAT   net   loc:192.168.0.9   tcp   80' - doesn't work
> either).
>
> Please help.

Your first rule is correct (and is equivalent to your second rule).

Please follow the DNAT troubleshooting steps outlined in Shorewall FAQs
1a and 1b.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


