On Sat, Dec 06, 2008 at 06:40:50AM -0800, Phillipus Gunawan wrote:
> I attached rar file
> right after i restart shorewall, try to connect to my external ip:
> 777.777.777.777:80
> and bang.... still showing my web page... :(
> 
> thanks for the reply

A few things:

 1. Please don't mangle the output of 'shorewall dump'.  IP addresses
    ARE NOT SECRET!  All you do is make it more difficult to diagnose
    the problem and help you.
 2. Please consider upgrading to Shorewall-perl (not specifically
    related to this problem, but a good idea nonetheless).
 3. Please use a standard archive format (hint: RAR is not a standard
    archive format).  Customarily, for a single file, it is posted as a
    .txt.gz, or .txt.bz, or even a .zip file.
 4. Please fix your mail client, as it is completely destroying
    threading.

The only connections associated with your 777.777.777.777:80
connection look like this:

tcp      6 431792 ESTABLISHED src=10.1.1.12 dst=203.26.28.162 sport=2701
dport=80 packets=8 bytes=3677 src=203.26.28.162 dst=777.777.777.777
sport=80 dport=2701 packets=8 bytes=4649 [ASSURED] mark=0 use=1

So, it looks like you are accessing from within your loc zone.  If the
rule is rejecting traffic from the net zone, that will not work.  You
need to attempt the connection from a machine completely outside your
network (i.e., from a source address that is in your net zone).

That said, your IP configuration also looks broken:

3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:16:70 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/8 brd 10.255.255.255 scope global eth1
10: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 777.777.777.777 peer 10.20.20.125/32 scope global ppp0

10.20.20.125 dev ppp0  proto kernel  scope link  src 777.777.777.777
10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.1.1.1
default dev ppp0  scope link

The address of ppp0 is within the range assigned to eth1.

Also, this section of the dump is blank:

Log (/var/log/messages)


So, unless you completely turned off logging in /etc/shorewall/policy
(default if you follow the documentation is to log DROP and REJECT at
info level), then nothing is being blocked by your system.  From the
looks of the other parts of the dump, you have disabled logging for DROP
and REJECT, which is making it difficult to get a complete picture.

I recommend:

 - turn on info logging in your policy (perhaps even for *all*
   connections, at least for troubleshooting, then return to just info
   logging for REJECT and DROP connections)
 - Fix your eth1's configuration (you almost certainly can get by with
   something smaller than an address from 10/8, perhaps a 192.168.x/24
   address, or at least pick a smaller range from 10/8.
 - Please follow the additional guidelines from above.

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
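The two diagnostic steps in the reply above (reading the conntrack entry to see which zone the test connection really came from, and spotting that the ppp0 side overlaps the 10/8 range on eth1) can be checked mechanically. The following is an added example, not code from the original thread or from the Shorewall project: it parses a conntrack line in the format `shorewall dump` prints, maps the originating address to a zone, and checks interface address ranges for overlap. The sample line is constructed from the one quoted in the reply, with the mangled external address replaced by the documentation address 198.51.100.7; the interface table, the zone definition and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: the conntrack line from the dump, with the mangled
# external address replaced by a documentation address (198.51.100.7).
SAMPLE_CONNTRACK = (
    "tcp      6 431792 ESTABLISHED src=10.1.1.12 dst=203.26.28.162 sport=2701 "
    "dport=80 packets=8 bytes=3677 src=203.26.28.162 dst=198.51.100.7 "
    "sport=80 dport=2701 packets=8 bytes=4649 [ASSURED] mark=0 use=1"
)

# Constructed interface table mirroring the dump: eth1 carries a /8, ppp0's
# peer address sits inside that same /8. Interface names and keys are assumed.
INTERFACES = {
    "eth1": {"addr": "10.1.1.1/8"},
    "ppp0": {"addr": "198.51.100.7/32", "peer": "10.20.20.125/32"},
}

# Assumed zone layout: loc is the RFC 1918 range behind eth1, everything
# else is treated as net.
ZONES = {"loc": [ipaddress.ip_network("10.0.0.0/8")]}


def parse_conntrack(line):
    """Split a conntrack dump line into protocol, state and the two
    direction tuples. The first src/dst/sport/dport group is the original
    direction, the second group is the reply direction."""
    tokens = line.split()
    proto = tokens[0]
    state = next(
        (t for t in tokens if "=" not in t and t.isupper() and not t.startswith("[")),
        None,
    )
    original, reply = {}, {}
    for tok in tokens:
        if "=" not in tok:
            continue
        key, val = tok.split("=", 1)
        # A repeated key belongs to the reply direction.
        target = original if key not in original else reply
        target[key] = val
    return {"proto": proto, "state": state, "original": original, "reply": reply}


def zone_of(addr):
    """Return the zone name for an address: loc if inside a loc network,
    otherwise net."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "net"


def originating_zone(conn):
    """Zone of the host that opened the connection (original-direction src)."""
    return zone_of(conn["original"]["src"])


def is_masqueraded(conn):
    """True when the reply is addressed to a different host than the one that
    opened the connection, i.e. the firewall rewrote the source (SNAT/MASQ)."""
    return conn["original"]["src"] != conn["reply"]["dst"]


def overlapping_interfaces(interfaces):
    """Return (iface, other, network) triples where an address or peer of
    `iface` falls inside a network configured on `other`."""
    nets = {
        name: ipaddress.ip_interface(cfg["addr"]).network
        for name, cfg in interfaces.items()
    }
    findings = []
    for name, cfg in interfaces.items():
        candidates = [cfg["addr"]] + ([cfg["peer"]] if "peer" in cfg else [])
        for other, net in nets.items():
            if other == name:
                continue
            for cand in candidates:
                if ipaddress.ip_interface(cand).ip in net:
                    findings.append((name, other, str(net)))
    return findings


if __name__ == "__main__":
    conn = parse_conntrack(SAMPLE_CONNTRACK)
    print("originating zone:", originating_zone(conn))
    print("masqueraded:", is_masqueraded(conn))
    print("overlaps:", overlapping_interfaces(INTERFACES))
```

On the sample line the originating zone is `loc`, which is exactly why a rule for the `net` zone never fires; the reply tuple being addressed to the external address rather than to 10.1.1.12 also shows the connection was masqueraded on the way out. The overlap check reports that ppp0's peer lies inside eth1's 10.0.0.0/8, the configuration problem the reply points at, and flagging it before the rule set is examined avoids chasing a routing symptom as a firewall bug.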

