Jon wrote:
> With Shorewall running, no loc <->loc traffic works despite there being
> a loc loc ACCEPT policy in effect.
> 
> When I attempt to ping, telnet, ssh, etc from 10.0.50.10 with Shorewall
> on, I get a connection refused error. With Shorewall cleared, the
> connection succeeds. The routing table looks the same,

How many times must I explain to you that Shorewall doesn't change your
routing table?

> but with
> shorewall on an attempt to ping 10.0.50.50 from 10.0.50.10 results in a
> 'destination host unreachable' error.

First of all, 10.0.50.10 is the IP address of eth1 on your firewall. So when
you ping 10.0.50.50 from 10.0.50.10, the initial connection is from the
firewall ($FW = 'fw') to 'loc', not loc->loc.

Your fw->loc rules are:

    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,138,139,445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 53,135,137,138,139,445,1900,40000
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.60.255         multiport dports 135,137,138,139,445
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

which looks like you are accepting SMB, DNS, UPnP and UDP 40000 (whatever
that is). You also are accepting 'ping', which makes me very curious why you
would get 'destination host unreachable' -- are there log messages generated
when you try this 'ping'?

At any rate, all this is unlikely to have any relevance to your primary DNAT
problem.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
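As an added illustration (not part of the thread or of Shorewall itself), the following Python sketch parses chain output in the `iptables -nvL` layout quoted above and shows why a ping sourced from the firewall's own eth1 address (10.0.50.10) is classified as fw->loc rather than loc->loc. The chain name `fw2loc`, the loc network 10.0.50.0/24 and the sample output are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the `iptables -nvL` rules quoted in the mail;
# the chain name fw2loc is assumed (Shorewall's usual zone-pair naming).
FW2LOC_OUTPUT = """\
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 137,138,139,445
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 53,135,137,138,139,445,1900,40000
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.60.255         multiport dports 135,137,138,139,445
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Columns: pkts bytes target prot opt in out source destination [extras]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chain(output):
    """Turn each rule line of `iptables -nvL <chain>` into a dict; skip anything else."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, _bytes, target, proto, _in, _out, src, dst, extra = m.groups()
            rules.append({"pkts": int(pkts), "target": target, "proto": proto,
                          "src": src, "dst": dst, "extra": extra.strip()})
    return rules

def accepted_ports(rules):
    """Map protocol -> set of destination ports opened by ACCEPT rules using multiport."""
    opened = {}
    for r in rules:
        m = re.search(r"multiport dports (\S+)", r["extra"])
        if r["target"] == "ACCEPT" and m:
            opened.setdefault(r["proto"], set()).update(int(p) for p in m.group(1).split(","))
    return opened

# From the mail: eth1 on the firewall is 10.0.50.10. The loc network is an assumed /24.
FW_ADDRS = {ipaddress.ip_address("10.0.50.10")}
ZONES = {"loc": ipaddress.ip_network("10.0.50.0/24")}

def zone_of(ip_str):
    """Packets sourced from a firewall address belong to $FW even if it sits inside loc."""
    ip = ipaddress.ip_address(ip_str)
    if ip in FW_ADDRS:
        return "fw"
    return next((name for name, net in ZONES.items() if ip in net), "unknown")

def chain_name(src_ip, dst_ip):
    """Zone-pair chain a new connection traverses, e.g. fw2loc rather than loc2loc."""
    return f"{zone_of(src_ip)}2{zone_of(dst_ip)}"
```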


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
