Using shorewall-4.4.2-2 on two CentOS 5.4 x86_64 firewall boxes, using kernel 2.6.18-164.el5 and LVS-DR by way of keepalived-1.1.19.
/etc/shorewall/interfaces:

    pub    eth0    -    tcpflags,nosmurfs,maclist,routeback
    net    eth2    -    tcpflags,routefilter,nosmurfs,logmartians,blacklist,arp_filter

where "pub" is internal network 192.168.0.0/22, and eth2 is the outside world. I have several services defined in keepalived, including an SMTP service (192.168.0.20) that points to three internal servers. From ipvsadm:

    TCP  192.168.0.20:25 wrr
      -> 192.168.0.11:25    Route   50     0          0
      -> 192.168.0.13:25    Route   100    0          0
      -> 192.168.0.12:25    Route   100    0          0

where the three internal servers do not respond to ARP requests for 192.168.0.20. From /sbin/ipvsadm:

    3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:14:22:27:99:6a brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.5/22 brd 192.168.3.255 scope global eth0
        ...
        inet 192.168.0.20/22 brd 192.168.3.255 scope global secondary eth0

Everything is working fine from the point of view of clients in the pub zone. I have two problems, and I have been unable to make either of these work:

(1) I need to be able to make connections from the firewall itself to the 192.168.0.20:25 service.
(2) I need to be able to DNAT incoming clients from the internet to the 192.168.0.20:25 service.

Until I can get (1) to work, there's little point in tackling (2).
On the firewall, I do a "telnet 192.168.0.20 25" and get a connection refused, with this in the syslog:

    Oct 29 16:54:14 fw1 kernel: Shorewall:nat:OUTPUT:IN= OUT=lo SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0
    Oct 29 16:54:14 fw1 kernel: Shorewall:filter:OUTPUT:IN= OUT=lo SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0
    Oct 29 16:54:14 fw1 kernel: Shorewall:mangle:POSTROUTING:IN= OUT=lo SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0
    Oct 29 16:54:14 fw1 kernel: Shorewall:nat:POSTROUTING:IN= OUT=lo SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0
    Oct 29 16:54:14 fw1 kernel: Shorewall:mangle:PREROUTING:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0
    Oct 29 16:54:14 fw1 kernel: Shorewall:mangle:INPUT:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0
    Oct 29 16:54:14 fw1 kernel: Shorewall:filter:INPUT:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0

Rules:

    ACCEPT    $FW    pub    tcp    smtp
    ACCEPT    pub    $FW    tcp    smtp

Someone hit me with a clue stick and tell me what rules I am missing.

Steve
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
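An added example, not from Steve's post or from the Shorewall project: a small parser for log lines in the Shorewall:table:chain format shown above that groups every hop of one packet by its IP ID and ports and reports whether the packet ever left the firewall. The sample lines are constructed from the format in the post (fields trimmed for width), and the choice of flow-key fields is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the Shorewall log format shown in the post; the ID= field
# ties together every netfilter hop one packet made while crossing the box.
SAMPLE_LOG = """\
Oct 29 16:54:14 fw1 kernel: Shorewall:nat:OUTPUT:IN= OUT=lo SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 SYN URGP=0
Oct 29 16:54:14 fw1 kernel: Shorewall:filter:OUTPUT:IN= OUT=lo SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 SYN URGP=0
Oct 29 16:54:14 fw1 kernel: Shorewall:mangle:PREROUTING:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 SYN URGP=0
Oct 29 16:54:14 fw1 kernel: Shorewall:filter:INPUT:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.0.20 DST=192.168.0.20 LEN=60 TTL=64 ID=41216 DF PROTO=TCP SPT=53768 DPT=25 SYN URGP=0
"""

LOG_RE = re.compile(r"Shorewall:(?P<table>\w+):(?P<chain>\w+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value pairs; flags like DF/SYN have no '='


def parse_line(line):
    """Return {'table', 'chain', 'IN', 'OUT', 'SRC', ...} for one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"table": m.group("table"), "chain": m.group("chain")}
    rec.update(KV_RE.findall(m.group("rest")))  # empty values (IN= , OUT=) stay ""
    return rec


def trace_flows(log_text):
    """Group hops by (SRC, DST, IP-ID, SPT, DPT) in log order: one hop list per packet."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (rec["SRC"], rec["DST"], rec.get("ID"), rec.get("SPT"), rec.get("DPT"))
            flows[key].append(rec)
    return flows


def diagnose(hops):
    """Summarise the chain path and say whether the packet ever left the firewall."""
    path = " -> ".join(f"{h['table']}:{h['chain']}" for h in hops)
    chains = {h["chain"] for h in hops}
    only_loopback = all(h.get("IN", "") in ("", "lo") and h.get("OUT", "") in ("", "lo") for h in hops)
    if "FORWARD" in chains:
        verdict = "forwarded through the box"
    elif only_loopback and "OUTPUT" in chains and "INPUT" in chains:
        verdict = "locally generated, looped back over lo into the local INPUT chain; it never reached the LAN"
    else:
        verdict = "incomplete trace"
    return path, verdict


if __name__ == "__main__":
    for key, hops in trace_flows(SAMPLE_LOG).items():
        path, verdict = diagnose(hops)
        print(f"{key[0]}:{key[3]} -> {key[1]}:{key[4]} id={key[2]}: {path}\n  {verdict}")
```

Feed it the full syslog excerpt and a hop list that never shows a non-loopback OUT= interface tells you the connection was handled entirely inside the director rather than dispatched to a real server.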