If x.x.214.101 is part of your provider aggregated space I do not believe that 
it's a provider issue. You can easily check this by tracing from a foreign host 
to your IP and seeing if your provider routes it to your Shorewall. 

Further, I am a bit confused that you now have two local subnets, 192.168.0.x and 
172.16.1.x. Are both subnets on the Shorewall's phy dmz interface?

 

  _____  

From: Wilson Kwok [mailto:leiw...@yahoo.com.hk] 
Sent: Wednesday, 3 February 2010 12:01
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet

 


Do you think it is an ISP problem?

--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <m...@iqom.de> wrote:


From: Michael Weickel - iQom Business Services GmbH <m...@iqom.de>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 6:45 PM

This really sounds like routing issues. Maybe subnet mask or something like that. I 
think it's time to follow Tom's offer to give a Shorewall dump as described in 
the troubleshooting phase on www.shorewall.net <http://www.shorewall.net/>

 

  _____  

From: Wilson Kwok [mailto:leiw...@yahoo.com.hk] 
Sent: Wednesday, 3 February 2010 11:17
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet

 


If I change the NAT x.x.214.101 to another local LAN IP 172.16.1.249 client 
computer, this computer can't access the internet .....

 

Thanks 

 

 



--- On Wednesday, 3 February 2010, Michael Weickel - iQom Business Services GmbH <m...@iqom.de> wrote:


From: Michael Weickel - iQom Business Services GmbH <m...@iqom.de>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "'Shorewall Users'" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 3:37 PM

Does x.x.214.101 represent your new 'original destination' in the rules file?

 

If yes, this sounds like a hierarchy problem in your rules file where another 
rule may be applied before the one you want.

 

For example.

 

DNAT   net       dmz:192.168.0.7           tcp       80        -           x.x.214.101

DNAT   net       dmz:192.168.0.6           tcp       80        -           x.x.214.101

 

This would mean that an http request to your original destination will always 
apply the NAT to 192.168.0.7 because it's nearer to the top of the file. 

 

Go to /etc/shorewall and do a 'cat rules | grep 214.100'. If you see more than 
one tcp 80 rule, this could be your problem. If you do the same with 214.101 and 
see only one tcp 80 rule, you have your answer. 
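
The duplicate-rule check suggested above, generalized from one grep per address to every DNAT rule in the file. This is an added example, not part of the original message and not Shorewall's own tooling; it assumes the rules-file column order ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST, and the sample rules are constructed from the two quoted in the message.

```sh
#!/bin/sh
# Added example (not from the thread): list DNAT rules that share source zone,
# protocol, ports and original destination with an earlier DNAT rule.
# Assumed column order: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST

find_shadowed_dnat() {
    # $1 = path to a Shorewall rules file
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        $1 !~ /^DNAT/        { next }            # DNAT, DNAT-, DNAT:info ...
        {
            sport    = (NF >= 6) ? $6 : "-"      # omitted trailing columns
            origdest = (NF >= 7) ? $7 : "-"      # are treated like "-"
            key = $2 " " $4 " " $5 " " sport " " origdest
            if (key in first) {
                printf "line %d: %s shadowed by line %d (%s) [%s]\n",
                       NR, $3, first[key], dest[key], key
            } else {
                first[key] = NR
                dest[key]  = $3
            }
        }
    ' "$1"
}

demo_rules() {
    # Constructed sample, modelled on the two rules quoted in the message
    cat <<'EOF'
# ACTION SOURCE DEST            PROTO DPORT SPORT ORIGDEST
DNAT     net    dmz:192.168.0.7 tcp   80    -     x.x.214.101
DNAT     net    dmz:192.168.0.6 tcp   80    -     x.x.214.101
DNAT     net    dmz:192.168.0.6 tcp   443   -     x.x.214.101
EOF
}

tmp=$(mktemp)
demo_rules > "$tmp"
find_shadowed_dnat "$tmp"
rm -f "$tmp"
```

The comparison is textual, so rules that overlap only partially (a port range against a single port, or net against net:address) are not reported.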

 

 

 

  _____  

From: Wilson Kwok [mailto:leiw...@yahoo.com.hk] 
Sent: Wednesday, 3 February 2010 07:54
To: Shorewall Users
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet

 


I just changed NAT IP to another NAT IP:

original: x.x.214.100    192.168.0.6

changed: x.x.214.101  192.168.0.6

Internet can access the web by x.x.214.101

What's this problem?

Thanks!

--- On Wednesday, 3 February 2010, Tom Eastep <teas...@shorewall.net> wrote:


From: Tom Eastep <teas...@shorewall.net>
Subject: Re: [Shorewall-users] WG: Suddenly DMZ can't access to internet
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Date: Wednesday, 3 February 2010, 12:57 AM

Michael Weickel - iQom Business Services GmbH wrote:
> net       dmz:192.168.0.1                       tcp       80
> 
>  
> 
> I forgot to mention that this should be put to rules file, sorry.

And you probably wanted

DNAT    net    dmz:192.168.0.1    tcp    80

But randomly changing the rules without understanding what the real
problem is seems unwise. Wilson doesn't even know if the problem has
anything to do with Shorewall.

I repeat my offer to look at the output of 'shorewall dump' but I must
do it in the next 30 minutes because the rest of my day is full with
meetings.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-----The following attachment is included-----

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com


-----The following attachment is included-----

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

 
