Howdy Tom,

Thank you so much for your response, always love the tongue-in-cheek ones, and of course my firewall is still intact, no flames ;). All is working now (and I can admit all I did was reboot everything: server, DSL, firewall) and once it was all back up everything worked.

I feel kinda embarrassed I didn't do that first :s. Hmm, as for the logging, any suggestions? I'm using ULOG in my policy file; where else could I look to see about logging?

Cheers
Ad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Eastep
Sent: Friday, 20 July 2007 12:43 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT (port forward not working, I know I've missed something simple)

Here are some more observations.

Tom Eastep wrote:
> Adam Niedzwiedzki wrote:
< old configuration worked>
>> So I setup a new machine, new shorewall 3.4.5 version and can't get a
>> simple DNAT to work.
>> I don't get denies in shorewall.log and shorewall show nat shows the
>> counters on that rule incrementing, I did the read the FAQ about
>> gateway on machine etc, but it all worked perfectly on the old setup.
>> The only thing that has changed is the new shorewall box.

"I can't get a simple DNAT to work"

What does that mean?

- "shorewall start" fails? (probably not since we have 'dump' output)
- "shorewall start" causes the firewall to burst into flames? (maybe, if you were fast in collecting the dump).
- TCP connection attempts from "somewhere" to the firewall's external interface port 80 fail in some way? That's my guess but we don't know if DNS lookups fail, timeouts occur, connections are refused, server 500 errors are returned, images of Bill Gates fill your browser's window, ...

From the "dump" output that you sent, the Shorewall configuration is correct. Connection requests from the net to TCP port 80 are being DNATed and forwarded to 10.0.10.40 in the 'loc' zone. The fact that there are no conntrack entries for these connections suggests that the connections are being refused by the server, but that's only a guess.

One more observation. Any system that has been connected to the internet for 10 minutes or more should have been probed by someone. So the fact that your shorewall.log is empty suggests to me that you have a logging configuration problem, and your assertion that "I don't get denies in shorewall.log" is probably not relevant. But, again, it looks like connection requests on TCP port 80 are being forwarded correctly.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
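The check Tom does by eye above (DNAT counters incrementing but no conntrack entry answered by the target host) can be scripted against the same two data sources. This is an added example, not code from the thread or from Shorewall; the nat listing and conntrack lines are constructed samples in the iptables and /proc/net/ip_conntrack formats, and the 10.0.10.40:80 target mirrors the case discussed.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -vnL PREROUTING` (not the poster's dump).
NAT_LISTING='Chain PREROUTING (policy ACCEPT 1234 packets, 90000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.10.40:80'

# Constructed sample of /proc/net/ip_conntrack. Deliberately contains no entry
# whose reply side comes from 10.0.10.40 port 80: the symptom Tom pointed at.
CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.10.5 dst=10.0.10.40 sport=40000 dport=22 packets=50 bytes=4000 src=10.0.10.40 dst=10.0.10.5 sport=22 dport=40000 packets=40 bytes=3000 [ASSURED] use=1
udp      17 20 src=10.0.10.5 dst=10.0.10.1 sport=5353 dport=53 packets=1 bytes=60 src=10.0.10.1 dst=10.0.10.5 sport=53 dport=5353 packets=1 bytes=120 use=1'

# Sum the packet counters of every DNAT rule rewriting to host:port ($1).
dnat_packets() {
    printf '%s\n' "$NAT_LISTING" |
        awk -v target="to:$1" '$3 == "DNAT" && $NF == target { sum += $1 } END { print sum + 0 }'
}

# Count conntrack entries whose reply tuple (second src=/sport= pair) comes
# from host $1 port $2, i.e. connections the DNAT target actually answered.
conntrack_replies() {
    printf '%s\n' "$CONNTRACK" |
        awk -v host="$1" -v port="$2" '{
            n = 0; m = 0; rs = ""; rp = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/)   { n++; if (n == 2) rs = substr($i, 5) }
                if ($i ~ /^sport=/) { m++; if (m == 2) rp = substr($i, 7) }
            }
            if (rs == host && rp == port) c++
        } END { print c + 0 }'
}

# Classify a port forward to host:port ($1) the way the thread reasons about it.
diagnose() {
    host=${1%:*}; port=${1#*:}
    p=$(dnat_packets "$1"); c=$(conntrack_replies "$host" "$port")
    if [ "$p" -eq 0 ]; then
        echo "no-match"              # rule never hit: traffic not reaching the firewall, or rule order
    elif [ "$c" -eq 0 ]; then
        echo "forwarded-unanswered"  # DNAT works; server side never replied (refused, down, or bad gateway)
    else
        echo "ok"
    fi
}

diagnose 10.0.10.40:80   # prints: forwarded-unanswered
```

On a live box, replace the two constructed variables with `iptables -t nat -vnL PREROUTING` and `cat /proc/net/ip_conntrack` (or the equivalent sections of `shorewall dump`).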
