Hi Tom,

Thank you for looking into this. This is what tcpdump outputs when I
launch an HTTP request:

04:20:08.292735 IP es01.tela-web.com.35200 > ks309069.kimsufi.com.www: S 3758580123:3758580123(0) win 5840 <mss 1460,sackOK,timestamp 40378785 0,nop,wscale 5>
04:20:08.293384 IP ks309069.kimsufi.com > es01.tela-web.com: ICMP host ks309069.kimsufi.com unreachable - admin prohibited, length 68

And this when I ssh:

04:31:26.138508 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: . ack 958 win 281 <nop,nop,timestamp 41056616 122428939>
04:31:26.141516 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: P 838:982(144) ack 958 win 281 <nop,nop,timestamp 41056619 122428939>
04:31:26.146252 IP ks309069.kimsufi.com.ssh > es01.tela-web.com.35007: P 958:1678(720) ack 982 win 70 <nop,nop,timestamp 122429100 41056619>

Thank you,
Eric.


On 12/21/2009 12:43 AM, Tom Eastep wrote:
> On Sun, 20 Dec 2009 23:40:54 +0530
> ericdes <[email protected]> wrote:
>
>> Hello,
>>
>> I'm facing this strange situation when I apply these rules:
>>
>> ACCEPT   net     fw              tcp 22,80 -
>> DNAT     net     dmz:10.0.0.4    tcp 22,80 -  94.23.242.44
>> ACCEPT   net     fw              tcp 1022  -  -               6/min:5
>>
>> My setup is a demilitarized zone where I put some KVM guests.
>>
>> I can ssh from the world to 94.23.242.44 (or from the host to
>> 10.0.0.4), but I'm getting these responses when trying to connect to
>> port 80:
>>
>> telnet 94.23.242.44 80
>> Trying 94.23.242.44...
>> telnet: connect to address 94.23.242.44: No route to host
>>
>> telnet 10.0.0.4 80
>> Trying 10.0.0.4...
>> telnet: Unable to connect to remote host: No route to host
>>
>> I also tried some other ports like ftp but I can only make ssh work.
>
> Try running tcpdump on the DMZ interface (bridge) while you try to
> connect. What do you see?
>
> -Tom


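A small triage helper, added here and not part of the thread: it parses tcpdump's old text format as shown in the trace above and reports every SYN that was answered by an ICMP "admin prohibited" rather than a SYN/ACK, which distinguishes an explicit REJECT by some packet filter on the path from a silent DROP or a routing problem. The SYN/ACK line for the ssh case in the sample is constructed; the port-80 lines are the ones from the mail.

```python
import re

# Constructed sample, modelled on the trace in the mail above: the port-80 SYN and
# the ICMP reply to it, plus an ssh SYN that gets a normal SYN/ACK (the SYN/ACK line is made up).
SAMPLE_TRACE = """\
04:20:08.292735 IP es01.tela-web.com.35200 > ks309069.kimsufi.com.www: S 3758580123:3758580123(0) win 5840 <mss 1460,sackOK,timestamp 40378785 0,nop,wscale 5>
04:20:08.293384 IP ks309069.kimsufi.com > es01.tela-web.com: ICMP host ks309069.kimsufi.com unreachable - admin prohibited, length 68
04:31:20.000000 IP es01.tela-web.com.35007 > ks309069.kimsufi.com.ssh: S 100:100(0) win 5840 <mss 1460,sackOK,nop,wscale 5>
04:31:20.000500 IP ks309069.kimsufi.com.ssh > es01.tela-web.com.35007: S 200:200(0) ack 101 win 5792 <mss 1460,sackOK,nop,wscale 6>
"""

# Old-style (tcpdump 3.x) text output: "<time> IP <src> > <dst>: <rest>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ICMP_RE = re.compile(r"^ICMP host (?P<host>\S+) unreachable - admin prohibited")


def split_endpoint(endpoint):
    """'host.port' -> (host, port); tcpdump substitutes service names such as 'www'."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def find_rejected_syns(trace):
    """Return (dst_host, dst_port, icmp_sender) for each SYN answered with an
    ICMP 'admin prohibited' instead of a SYN/ACK.  A silent DROP would leave
    the SYN unanswered; 'admin prohibited' means a packet filter on the path
    explicitly rejected the attempt, so the filter, not routing, is the cause."""
    pending = []   # (dst_host, dst_port) of SYNs still waiting for a reply
    rejected = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
        if rest.startswith("S ") and " ack " not in rest:     # initial SYN
            pending.append(split_endpoint(dst))
        elif rest.startswith("S ") and " ack " in rest:       # SYN/ACK: handshake proceeds
            if split_endpoint(src) in pending:
                pending.remove(split_endpoint(src))
        else:
            icmp = ICMP_RE.match(rest)
            if icmp:
                target = icmp.group("host")
                for ep in pending:            # match the oldest SYN to that host
                    if ep[0] == target:
                        pending.remove(ep)
                        rejected.append((ep[0], ep[1], src))
                        break
    return rejected


if __name__ == "__main__":
    for host, port, sender in find_rejected_syns(SAMPLE_TRACE):
        print(f"SYN to {host}:{port} rejected by ICMP admin-prohibited from {sender}")
```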
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users