Hi, hello, I'm new to iptables and firewalls. I began to use Shorewall because its logic makes it easy for beginners, and I learn a lot about iptables through the Shorewall logs. OK, here is my problem: I have a Debian Lenny with Proxmox and one physical interface, eth0. I also have two public IPs: 94.23.2xx.2xx and one on eth0:0, 94.23.1xx.xx. What I want is that all traffic passes through eth0, because my ISP only accepts the MAC address of eth0. So I split both IPs, and with this config I have 94.23.2xx.2xx for all machines on vmbr0, except 10.10.10.200 has 94.23.1xx.xx. Now I can do port forwarding from both public IPs. But for a reason that I don't understand, I'm not able to DNAT a machine anymore from my primary public IP 94.23.2xx.2xx to any machine on my DMZ. I can however make an ACCEPT rule to my firewall (Proxmox host). I thought that if there was no rule, the default policy applies. So here it is: I have a rule that DNATs from net to dmz:10.10.10.230:8433 but still can't connect. I get this in my log:
    Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:30:48:be:33:a0:00:24:c3:84:04:00:08:00 SRC=115.67.30.81 DST=94.23.2xx.2xx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=23540 DF PROTO=TCP SPT=65059 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0

Why, and how can I resolve this? I don't think I should make a policy to ACCEPT instead of DROP from net to fw. And is this the right solution to split my two public IPs? I have a feeling this is not how I should do it. I hope my writing is more or less comprehensible.

Sincerely, and happy new year,
Selvam Matthys

*My situation:*

    eth0  = 94.23.2xx.2xx
    eth0:0 = 94.23.1xx.xx
    vmbr0 = 10.10.10.254
    vmbr1 = 192.168.1.0/24 (no IP, it's just a switch)

*My zones:*

    fw     firewall
    net    ipv4
    dmz    ipv4
    local  ipv4

*My interfaces:*

    net    eth0    detect    blacklist,nosmurfs
    dmz    venet0  detect    routeback
    dmz    vmbr0   detect    routeback,bridge
    local  vmbr1   detect    routeback

*My policy:*

    # From Firewall Policy
    fw      fw      ACCEPT
    fw      net     ACCEPT
    fw      dmz     ACCEPT
    fw      local   ACCEPT
    # From DMZ Policy
    dmz     dmz     ACCEPT
    dmz     net     ACCEPT
    dmz     fw      DROP    info    1/sec:2
    # From Net Policy
    net     fw      DROP    info    1/sec:2
    net     dmz     DROP    info    8/sec:30
    # From local Policy
    local   local   ACCEPT
    # THE FOLLOWING POLICY MUST BE LAST
    #
    all     all     REJECT  info

*My rules:*

    ##################################################################
    # Permit access to SSH & ping
    SSH/ACCEPT      net     fw      -       -       -       -       6/min:5
    Ping/ACCEPT     all     all
    # Permit access to Proxmox Manager and Console
    ACCEPT          net     fw      tcp     443,943,5900:5999,10000
    ##################################################################
    ###################################################################
    ## OpenVz rules
    #DNAT           net     dmz:10.10.10.201:22     tcp     22201
    #
    ###################################################################
    ## Qemu KVM rules
    #
    #
    DNAT            net     dmz:10.10.10.230        tcp     8022
    DNAT            net     dmz:10.10.10.230:8443   tcp     8433
    ###################################################################
    ## virtual interface eth0:0
    #
    DNAT            net     dmz:10.10.10.200        all     -       -       94.23.1xx.xxx
    ###################################################################
    # LAST LINE -- DO NOT REMOVE
    #SECTION ESTABLISHED
    #SECTION RELATED
    #SECTION NEW

*My masquerading:*

    eth0    10.10.10.0/24

*My static NAT:*

    94.23.1xx.xxx   eth0    10.10.10.200    no      no
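As an added illustration (not part of the original post and not a Shorewall tool): a small Python script that walks the logged packet through the explicit net-sourced rules and the net policies exactly as they appear above and reports which entry decides it. It assumes first-match rule evaluation, reads the zone pair out of the chain name (net2fw), leaves out the SSH/ACCEPT and Ping/ACCEPT macro rules, and uses a constructed copy of the log line from the post.

```python
import re

# Constructed copy of the dropped-packet log line from the post (public IP masked as in the post).
LOG_LINE = ("Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:30:48:be:33:a0:00:24:c3:84:04:00:08:00 "
            "SRC=115.67.30.81 DST=94.23.2xx.2xx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=23540 DF "
            "PROTO=TCP SPT=65059 DPT=8443 WINDOW=8192 RES=0x00 SYN URGP=0")

# Explicit net-sourced rules from the post's rules file, in file order:
# (action, source zone, dest, proto, dest ports). Macro rules (SSH/ACCEPT, Ping/ACCEPT) omitted.
RULES = [
    ("ACCEPT", "net", "fw", "tcp", "443,943,5900:5999,10000"),
    ("DNAT", "net", "dmz:10.10.10.230", "tcp", "8022"),
    ("DNAT", "net", "dmz:10.10.10.230:8443", "tcp", "8433"),
]
# Zone policies from the post, keyed by (source zone, dest zone).
POLICIES = {("net", "fw"): "DROP", ("net", "dmz"): "DROP"}

def parse_log(line):
    # Chain name "net2fw" encodes the zone pair; the rest is KEY=VALUE packet fields.
    m = re.match(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<rest>.*)", line)
    kv = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    src_zone, dst_zone = m.group("chain").split("2", 1)
    return {"src_zone": src_zone, "dst_zone": dst_zone, "disposition": m.group("disp"),
            "proto": kv["PROTO"].lower(), "dport": int(kv["DPT"])}

def port_matches(spec, port):
    # Shorewall port lists look like "443,943,5900:5999"; a range uses ':'.
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_matching_rule(rules, src_zone, proto, port):
    # Rules are evaluated top to bottom; the first match wins.
    for rule in rules:
        _, src, _, rproto, ports = rule
        if src == src_zone and rproto == proto and port_matches(ports, port):
            return rule
    return None

def explain(line):
    # Report which rule, or failing that which zone policy, decided the logged packet.
    pkt = parse_log(line)
    rule = first_matching_rule(RULES, pkt["src_zone"], pkt["proto"], pkt["dport"])
    if rule:
        return f"{pkt['dport']}/{pkt['proto']} hit rule {rule}"
    policy = POLICIES[(pkt["src_zone"], pkt["dst_zone"])]
    return (f"{pkt['dport']}/{pkt['proto']} matched no rule; "
            f"{pkt['src_zone']}->{pkt['dst_zone']} policy {policy} applies")
```

Running `explain(LOG_LINE)` shows whether the packet's destination port reaches any of the listed rules or falls through to the net->fw policy.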
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
