Hi Folks,

I'm new to the list, so please be kind.

Running shorewall 4.0.12.

I have a problem regarding DNATing syslog messages to an internal host. My
firewall is inside a corporate network, protecting a department network, and
I want to allow some hosts in the company to send their syslog messages to
one of our syslog servers that is protected by this firewall. My problem is
that this is working for some hosts but not all. For instance:

 - I want hosts in network 10.250.251.0/24 (outside the firewall) to be able
   to log their syslog messages to the protected host 10.200.200.130 (syslog
   server) that is placed in a DMZ.
 - The firewall IP address is 10.79.79.1.

What is happening is that it works for some hosts, e.g., 10.250.251.137, but
not for others, e.g., 10.250.251.136, where I got the following DROP (see
rules below):

Jul 21 18:26:42 fireball kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:02:a5:60:c8:0c:00:15:fa:d7:89:20:08:00 SRC=10.250.251.136 DST=10.79.79.1 LEN=200 TOS=0x00 PREC=0x00 TTL=254 ID=5422 PROTO=UDP SPT=514 DPT=514 LEN=180

I have the following relevant config (some entries removed for clarity):

/etc/shorewall/zones:

fw      firewall
lan     ipv4            # downstream 2nd-level firewall
net     ipv4            # corporate network
dmz0    ipv4            # dmz0 - frontend service DMZ


/etc/shorewall/interfaces:

lan     eth0    detect
net     eth1    detect          tcpflags,routefilter,nosmurfs,logmartians
dmz0    eth3    detect

/etc/shorewall/policy:

fw      all     DROP    info
net     all     DROP    info
dmz0    all     DROP    info
lan     all     DROP    info
all     all     REJECT  info

/etc/shorewall/masq:

eth1    eth0
eth1    eth3

/etc/shorewall/rules (relevant entries only):

Syslog/DNAT     net:10.250.251.133    dmz0:10.200.200.130
Syslog/DNAT     net:10.250.251.134    dmz0:10.200.200.130
Syslog/DNAT     net:10.250.251.135    dmz0:10.200.200.130
Syslog/DNAT     net:10.250.251.136    dmz0:10.200.200.130
Syslog/DNAT     net:10.250.251.137    dmz0:10.200.200.130
Syslog/DNAT     net:10.250.251.181    dmz0:10.200.200.130
Syslog/DNAT     net:10.250.251.180    dmz0:10.200.200.130
My nat counters show that:

# shorewall show nat

[...]

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       10.250.251.133       0.0.0.0/0           udp dpt:514 to:10.200.200.130
    0     0 DNAT       udp  --  *      *       10.250.251.134       0.0.0.0/0           udp dpt:514 to:10.200.200.130
    0     0 DNAT       udp  --  *      *       10.250.251.135       0.0.0.0/0           udp dpt:514 to:10.200.200.130
    0     0 DNAT       udp  --  *      *       10.250.251.136       0.0.0.0/0           udp dpt:514 to:10.200.200.130
    3   445 DNAT       udp  --  *      *       10.250.251.137       0.0.0.0/0           udp dpt:514 to:10.200.200.130
    0     0 DNAT       udp  --  *      *       10.250.251.181       0.0.0.0/0           udp dpt:514 to:10.200.200.130
    0     0 DNAT       udp  --  *      *       10.250.251.180       0.0.0.0/0           udp dpt:514 to:10.200.200.130

Any ideas?

Thanks,
Tunga
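As an added diagnostic (editor's example, not code from the original post or from Shorewall), the script below correlates net2fw DROP log lines for UDP/514 with the per-source packet counters of the net_dnat chain, so a source whose DNAT rule exists but has never matched stands out from a source that has no rule at all. The log lines and chain listing are constructed from the post; the 10.250.251.200 source and the TCP/22 line are made-up decoys to show the other branches.

```shell
#!/bin/sh
# Correlate Shorewall "net2fw:DROP" kernel log lines for UDP/514 with the
# hit counters of the net_dnat chain (as printed by `shorewall show nat`).

# Constructed sample kernel log, modelled on the post (one entry per line).
KLOG='Jul 21 18:26:42 fireball kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:02:a5:60:c8:0c:00:15:fa:d7:89:20:08:00 SRC=10.250.251.136 DST=10.79.79.1 LEN=200 TOS=0x00 PREC=0x00 TTL=254 ID=5422 PROTO=UDP SPT=514 DPT=514 LEN=180
Jul 21 18:27:03 fireball kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:02:a5:60:c8:0c:00:15:fa:d7:89:20:08:00 SRC=10.250.251.200 DST=10.79.79.1 LEN=200 TOS=0x00 PREC=0x00 TTL=254 ID=5423 PROTO=UDP SPT=514 DPT=514 LEN=180
Jul 21 18:27:10 fireball kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:02:a5:60:c8:0c:00:15:fa:d7:89:20:08:00 SRC=10.250.251.136 DST=10.79.79.1 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=5424 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Constructed net_dnat excerpt, unwrapped as iptables -t nat -nvL prints it.
NATCHAIN='Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       10.250.251.136       0.0.0.0/0           udp dpt:514 to:10.200.200.130
    3   445 DNAT       udp  --  *      *       10.250.251.137       0.0.0.0/0           udp dpt:514 to:10.200.200.130
    0     0 DNAT       udp  --  *      *       10.250.251.180       0.0.0.0/0           udp dpt:514 to:10.200.200.130'

# classify_drops LOG CHAIN
# For every source that appears in a net2fw DROP of UDP/514, print "SRC STATUS":
#   no_rule     net_dnat has no DNAT rule for that source
#   rule_0hits  a DNAT rule exists but its packet counter is 0: the packet
#               never traversed the nat table, which is what happens when
#               conntrack already holds an entry for the flow (NAT is decided
#               on a flow's first packet only)
#   rule_hit    the DNAT rule has matched before, so the drop has another cause
classify_drops() {
    { printf '%s\n' "$2"; echo '--LOG--'; printf '%s\n' "$1"; } | awk '
        /^--LOG--$/ { inlog = 1; next }
        # chain listing: $1 = pkts, $3 = target, $4 = proto, $8 = source
        !inlog && $3 == "DNAT" && $4 == "udp" { pkts[$8] = $1; next }
        inlog && /net2fw:DROP:/ && /PROTO=UDP/ && / DPT=514( |$)/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (seen[src]++) next              # report each source once
            if (!(src in pkts))      st = "no_rule"
            else if (pkts[src] == 0) st = "rule_0hits"
            else                     st = "rule_hit"
            print src, st
        }'
}

classify_drops "$KLOG" "$NATCHAIN"
```

On a live firewall the same function can be fed `dmesg` (or the syslog file) and the output of `shorewall show nat` in place of the constructed strings.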
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users