Here are some more observations.

Tom Eastep wrote:
> Adam Niedzwiedzki wrote:

< old configuration worked>

>> So I setup a new machine, new shorewall 3.4.5 version and can't get a simple
>> DNAT to work.
>> I don't get denies in shorewall.log and shorewall show nat shows the
>> counters on that rule incrementing, I did read the FAQ about gateway on
>> machine etc, but it all worked perfectly on the old setup. The only thing
>> that has changed is the new shorewall box.

"I can't get a simple DNAT to work"

What does that mean?

- "shorewall start" fails? (probably not since we have 'dump' output)
- "shorewall start" causes the firewall to burst into flames? (maybe, if you were fast in collecting the dump).
- TCP connection attempts from "somewhere" to the firewall's external interface port 80 fail in some way? That's my guess but we don't know if DNS lookups fail, timeouts occur, connections are refused, server 500 errors are returned, images of Bill Gates fill your browser's window, ...

From the "dump" output that you sent, the Shorewall configuration is correct. Connection requests from the net to TCP port 80 are being DNATed and forwarded to 10.0.10.40 in the 'loc' zone. The fact that there are no conntrack entries for these connections suggests that the connections are being refused by the server but that's only a guess.

One more observation. Any system that has been connected to the internet for 10 minutes or more should have been probed by someone. So the fact that your shorewall.log is empty suggests to me that you have a logging configuration problem and your assertion that "I don't get denies in shorewall.log" is probably not relevant.

But, again, it looks like connection requests on TCP port 80 are being forwarded correctly.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
