mess-mate wrote:
> Tom Eastep <[EMAIL PROTECTED]> wrote:
> | mess-mate wrote:
> ...snip...
> | Ok -- it looks like you have configured DNAT so that hosts in your local
> | network (connected to eth1) will have TCP connections to 86.192.32.248:80
> | redirected to 192.168.20.1 (which is in your DMZ connected to eth2). But in
> | the day and a half since you last [re]started Shorewall, not even one TCP
> | connection to 86.192.32.248:80 has arrived on eth1!
>
> Uhh.. you mean eth2? (dmz on eth2)

But 'loc' is eth1! Are you trying to browse from the DMZ? You have only set up DNAT from the 'loc' zone (eth1).

> | How are you trying to test this? You can't test in from the router itself --
> | you must test from a system behind the router that has its default gateway
> | configured with IP address 192.168.10.254.
> |
> | And start by trying to browse http://86.192.32.248/ rather than by DNS name.
>
> Trying both http://86.192.32.248 and http://www.mywebsite.fr from a
> desktop behind the firewall/router give me 'Connection to
> 86.192.32.248 Failed'
>
> | > Shorewall-3.2.6 Dump at router - Mon Mar 26 11:00:29 CEST 2007
> | >
> | > Counters reset Sat Mar 24 17:15:49 CET 2007
> | > Chain loc2dmz (1 references)
> | > pkts bytes target prot opt in out source destination
> | > 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> | > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> | > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
> | > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248
> |
> | When you try to browse http://86.192.32.248/, you should see the 'pkts' and
> | 'bytes' counts above incrementing.
>
> Didn't change.

Then are you seeing a reject message in your log?

> | > 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
> | >
> | > NAT Table
> | >
> | > Chain PREROUTING (policy ACCEPT 117K packets, 33M bytes)
> | > pkts bytes target prot opt in out source destination
> | > 1922 280K net_dnat 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
> | > 115K 32M loc_dnat 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
> | >
> | > Chain loc_dnat (1 references)
> | > pkts bytes target prot opt in out source destination
> | > 0 0 DNAT tcp -- * * 0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1
> |
> | When you try to browse http://86.192.32.248/, you should see the 'pkts' and
> | 'bytes' counts above incrementing.
>
> Yes, it does.

Ok -- so to make sure that I understand -- the rule in 'loc_dnat' increments but the one in loc2dmz does not? That doesn't make much sense unless something is broken in your system. 192.168.20.1 is in the DMZ.

> Someone accessed my website at 18.01.

That was probably me ;-)

> So it works from outside, not from inside except a
> http://192.168.20.1/
>
> mess-mate

Please:

a) shorewall reset (this clears the counters).
b) start a browser (don't use one that is already running) and try to connect to http://86.192.32.248.
c) shorewall dump > dump.txt

Forward the 'dump.txt' file.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
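The reset/browse/dump procedure Tom asks for above is a before-and-after comparison of rule counters. The POSIX shell script below is an added example, not part of the thread and not Shorewall's own code: it takes two `shorewall dump` snapshots (one right after `shorewall reset`, one after the browser test), pulls the packet counters of the `loc_dnat` DNAT rule and the `loc2dmz` ACCEPT rule the thread is looking at, and reports which half of the path saw the test traffic. The two dumps embedded here are constructed samples modelled on the output mess-mate posted; the chain names and rule patterns are taken from that output, and the K/M/G expansion assumes iptables' 1000-based counter abbreviations.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): compare rule
# counters between two 'shorewall dump' snapshots, one taken right after
# 'shorewall reset' and one taken after the browser test.
#
# The two dumps below are CONSTRUCTED samples modelled on the output in
# the thread; on a real router replace them with the captured files, e.g.
#   BEFORE=$(cat before.txt); AFTER=$(cat after.txt)

BEFORE=$(cat <<'EOF'
Chain loc2dmz (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 ACCEPT 0    --  *   *   0.0.0.0/0 0.0.0.0/0     state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  *   *   0.0.0.0/0 192.168.20.1  tcp dpt:80 ctorigdst 86.192.32.248

NAT Table

Chain PREROUTING (policy ACCEPT 117K packets, 33M bytes)
 pkts bytes target   prot opt in   out source    destination
 1922  280K net_dnat 0    --  ppp0 *   0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
 115K   32M loc_dnat 0    --  eth1 *   0.0.0.0/0 0.0.0.0/0 policy match dir in pol none

Chain loc_dnat (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 DNAT   tcp  --  *   *   0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1
EOF
)

AFTER=$(cat <<'EOF'
Chain loc2dmz (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 ACCEPT 0    --  *   *   0.0.0.0/0 0.0.0.0/0     state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  *   *   0.0.0.0/0 192.168.20.1  tcp dpt:80 ctorigdst 86.192.32.248

NAT Table

Chain PREROUTING (policy ACCEPT 118K packets, 33M bytes)
 pkts bytes target   prot opt in   out source    destination
 1930  281K net_dnat 0    --  ppp0 *   0.0.0.0/0 0.0.0.0/0 policy match dir in pol none
 116K   32M loc_dnat 0    --  eth1 *   0.0.0.0/0 0.0.0.0/0 policy match dir in pol none

Chain loc_dnat (1 references)
 pkts bytes target prot opt in  out source    destination
    3   180 DNAT   tcp  --  *   *   0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1
EOF
)

# pkts CHAIN REGEX DUMP
# Print the packet count of the first rule in CHAIN whose line matches REGEX.
# iptables abbreviates large counters with K/M/G (multiples of 1000); expand them.
pkts() {
    printf '%s\n' "$3" | awk -v chain="$1" -v pat="$2" '
        function num(s,  n, u) {
            n = s + 0; u = substr(s, length(s), 1)
            if (u == "K") n *= 1000; else if (u == "M") n *= 1000000; else if (u == "G") n *= 1000000000
            return n
        }
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $0 ~ pat { print num($1); exit }
    '
}

# delta CHAIN REGEX -> packets the matching rule saw between the two snapshots
delta() {
    b=$(pkts "$1" "$2" "$BEFORE")
    a=$(pkts "$1" "$2" "$AFTER")
    echo $(( ${a:-0} - ${b:-0} ))
}

# diagnose -> one word saying which half of the DNAT path saw the test traffic:
#   both          the nat PREROUTING rewrite and the loc2dmz ACCEPT both matched
#   nat-only      packets were DNATed but never matched the loc2dmz ACCEPT
#   forward-only  the ACCEPT matched without the DNAT rule firing
#   none          the test traffic never hit either rule
diagnose() {
    nat=$(delta loc_dnat 'DNAT .*86.192.32.248 .*to:192.168.20.1')
    fwd=$(delta loc2dmz 'ACCEPT .*192.168.20.1 .*dpt:80')
    if   [ "$nat" -gt 0 ] && [ "$fwd" -gt 0 ]; then echo both
    elif [ "$nat" -gt 0 ]; then echo nat-only
    elif [ "$fwd" -gt 0 ]; then echo forward-only
    else echo none
    fi
}

echo "loc_dnat DNAT rule:          +$(delta loc_dnat 'DNAT ') packets"
echo "loc2dmz ACCEPT rule:         +$(delta loc2dmz 'ctorigdst') packets"
echo "PREROUTING -> loc_dnat jump: +$(delta PREROUTING 'loc_dnat') packets"
echo "result: $(diagnose)"
```

On the constructed samples the result is `nat-only`, which is the situation mess-mate describes: the DNAT counter moves, the `loc2dmz` ACCEPT counter does not. The script only classifies the symptom; confirming it on the real router is what the fresh reset, fresh browser and forwarded dump are for.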
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users