-------- Original Message --------
Subject: Re: [Shorewall-users] rules file is not working
Date: Thu, 06 Nov 2008 12:44:21 -0800
From: Tom Eastep <[EMAIL PROTECTED]>
To: viuwier <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

viuwier wrote:
> Hello Tom
>
>> The firewall has sent the SYN packet to 192.168.0.22 who has not
>> responded. You must be changing things faster than I can read your posts
>> since you will notice that the port was being forwarded to .22 in the dump
>> you sent while now you claim to be forwarding the connections to .42.
>
> Sorry for changing, thanks for your help!
>
> Now my rules file:
> #Maciek rules:
> DNAT net loc:192.168.0.42:3389 tcp 3389 -
> DNAT net loc:192.168.0.42:3389 udp 3389 -
>
> ACCEPT loc:192.168.0.42 net tcp 3389 -
> ACCEPT loc:192.168.0.42 net udp 3389 -
>
> Now there is nothing in nat file.
>
> And I've tried to connect to 83.14.53.12 (it is my gateway to local
> network with computer 192.168.0.42), connection not working:
>
> [EMAIL PROTECTED]:/etc/shorewall# shorewall show nat
> Shorewall 4.2.0 NAT Table at bramka - Thu Nov 6 21:13:40 CET 2008
>
> Counters reset Thu Nov 6 21:12:47 CET 2008
>
> Chain PREROUTING (policy ACCEPT 464 packets, 36501 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    85  6586 net_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 2 packets, 105 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   343 19963 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain eth1_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   343 19963 MASQUERADE all  --  *      *       192.168.0.0/24       0.0.0.0/0
>
> Chain net_dnat (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.0.42:3389
>     0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3389 to:192.168.0.42:3389
>
> My new dump file is attached. Earlier it was always working :(

From the dump, the connection is being forwarded but the local host
isn't responding. NOT ALL CONNECTION PROBLEMS ARE FIREWALL PROBLEMS.

I suggest that you put a packet sniffer on the local interface (eth0)
and be sure that the SYN packet is going out. Then if you don't see a
SYN/ACK coming back (or if it comes back with the wrong layer 2
destination address), then you will know what the problem is. And if
the SYN goes out but you don't see any response, then run a packet
sniffer on the server (192.168.0.42) and see if the SYN is getting to
that system.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                              -Herbert Spencer
http://shorewall.net \________________________________________________
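
Added example, not part of the original message and not Shorewall code: the capture check suggested above, applied to lines of `tcpdump -n -e -i eth0 tcp port 3389` output. The MAC addresses, the client address 203.0.113.7 and the sample lines are constructed, and the verdict names are hypothetical labels.

```python
import re

# One line of `tcpdump -n -e -i eth0 tcp port 3389` output: time, src MAC > dst MAC,
# ethertype/length, src IP.port > dst IP.port, TCP flags.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def classify(lines, fw_mac, server_ip="192.168.0.42", port=3389):
    """Say which branch of the diagnosis a capture taken on eth0 falls into."""
    syn_out = False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        to_server = m["dst"] == server_ip and int(m["dport"]) == port
        from_server = m["src"] == server_ip and int(m["sport"]) == port
        if to_server and m["flags"] == "S":
            syn_out = True  # the firewall did send the forwarded SYN out of eth0
        elif from_server and m["flags"] == "S." and syn_out:
            # A SYN/ACK came back: is the frame addressed to the firewall's MAC?
            if m["dmac"] == fw_mac.lower():
                return "synack-returned"
            return "synack-wrong-l2-dst"
    # No SYN/ACK seen: either the SYN never left, or the server must be sniffed next.
    return "syn-out-no-synack" if syn_out else "no-syn-on-eth0"

# Constructed sample data (not taken from the poster's dump).
FW_MAC = "02:00:00:00:00:01"  # assumed MAC of the firewall's eth0
SYN = ("21:14:02.100001 02:00:00:00:00:01 > 02:00:00:00:00:42, ethertype IPv4 (0x0800), "
       "length 66: 203.0.113.7.51515 > 192.168.0.42.3389: Flags [S], seq 1, win 8192, length 0")

def synack(dst_mac):
    """Build a constructed SYN/ACK line from the server, addressed to dst_mac."""
    return ("21:14:02.100400 02:00:00:00:00:42 > %s, ethertype IPv4 (0x0800), length 66: "
            "192.168.0.42.3389 > 203.0.113.7.51515: Flags [S.], seq 9, ack 2, win 8192, "
            "length 0" % dst_mac)

if __name__ == "__main__":
    print(classify([SYN], FW_MAC))
    print(classify([SYN, synack(FW_MAC)], FW_MAC))
    print(classify([SYN, synack("02:00:00:00:00:fe")], FW_MAC))
```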
