I use Ubuntu and I don't think the mask is mandatory, because if it were mandatory then why does telnet to 9.8.7.6 always succeed and not to 5.4.3.2? It makes me crazy :(

sangprabv
[email protected]

On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH wrote:

> This looks ok.
>
> I suggest you make a quick try with
>
> (policy file)
>
> loc net ACCEPT
>
> If you still cannot access the internet by telnet, something with your
> routing is wrong or you have conflicts in your policy or rules file.
> To check this I think a shorewall dump is needed. But if this were true
> you should maybe see something in your messages. A tcpdump output could help
> as well.
>
> Routing seems to be ok if you still have
>
> But if this is the kernel route command I miss the netmask parameter. I don't
> know anything about your distribution, but to add routes there should
> always be a netmask parameter. Try to trace the internet IP
>
>> route add 9.8.7.6 gw 192.168.8.1
>> route add 5.4.3.2 gw 192.168.8.1
>
> Cheers
> Mike
>
> -----Original Message-----
> From: sangprabv [mailto:[email protected]]
> Sent: Friday, 5 February 2010 17:23
> To: Shorewall Users
> Subject: Re: [Shorewall-users] DNAT Problem
>
> Thanks for the reply, I have this setting in
> /etc/shorewall/masq:
> eth0 eth1
>
> eth0 is the public IP, while eth1 is the private network
>
> I have tried your solution but it doesn't work as well.
>
> sangprabv
> [email protected]
>
> On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH
> wrote:
>
>> If you want to let your local machines access the internet by telnet then
>> DNAT is the wrong choice. DNAT is for access from the internet to local
>> machines.
>>
>> You should try something like (rules file)
>>
>> ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000
>>
>> If you have policy
>>
>> ACCEPT loc net
>>
>> the rule will be useless.
>>
>> If your first client can but your second can't access, I guess you already
>> have some rules or policies allowing this.
>>
>> In this case I suggest you double-check your masq file, whether you only masq
>> 192.168.8.35 or the whole network, e.g. 192.168.8.0/24?
>>
>> Cheers
>> Mike
>>
>> -----Original Message-----
>> From: sangprabv [mailto:[email protected]]
>> Sent: Friday, 5 February 2010 09:28
>> To: Shorewall Users
>> Subject: [Shorewall-users] DNAT Problem
>>
>> Hi,
>> I have a client behind shorewall which has 2 IPs:
>> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
>> I have added DNAT rules into shorewall:
>> DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
>> DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5
>>
>> 1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side
>>
>> I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008, and it
>> can connect OK.
>> And I also want 192.168.8.37 to be able to reach my partner IP 5.4.3.2:55000, and this
>> one FAILS.
>> If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 at the firewall it is OK.
>>
>> I have manually added
>> route add 9.8.7.6 gw 192.168.8.1
>> route add 5.4.3.2 gw 192.168.8.1
>> Both added to the client routing table. What's wrong with my configuration?
>> Many thanks for help.
>>
>> sangprabv
>> [email protected]
>>
>> ------------------------------------------------------------------------------
>> The Planet: dedicated and managed hosting, cloud storage, colocation
>> Stay online with enterprise data centers and the best network in the business
>> Choose flexible plans and management services without long-term contracts
>> Personal 24x7 support from experienced hosting pros just a phone call away.
>> http://p.sf.net/sfu/theplanet-com
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
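The distinction Mike draws above (DNAT only acts on connections that arrive from the net zone, while the masq file decides which source address an outbound connection leaves with) can be checked with a small model of the two files. The following is an added example written for this thread; it is not Shorewall's code, and it only borrows Shorewall's documented column order (masq: INTERFACE SOURCE ADDRESS; rules: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST). The firewall's primary public address (1.2.3.3), the LAN topology, the candidate masq line `eth0 192.168.8.37 1.2.3.5`, and the matching logic are all assumptions; the DNAT rules and the `eth0 eth1` masq line are quoted from the thread.

```python
"""Toy evaluator for how Shorewall-style masq and rules files treat a flow.

Added example, not Shorewall's own code. Every address not quoted from the
thread (in particular 1.2.3.3 as the firewall's primary address) is made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: eth0 faces the net, eth1 the LAN, as in the thread.
IFACE_PRIMARY = {"eth0": "1.2.3.3"}                     # placeholder address
IFACE_NET = {"eth1": ipaddress.ip_network("192.168.8.0/24")}


@dataclass
class MasqEntry:
    iface: str              # egress interface the entry applies to
    source: str             # interface name, or an address/subnet
    address: Optional[str]  # explicit SNAT address; None = interface primary


def parse_masq(text: str) -> list:
    """Parse masq lines; comments and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if not cols:
            continue
        address = cols[2] if len(cols) > 2 and cols[2] != "-" else None
        entries.append(MasqEntry(cols[0], cols[1], address))
    return entries


def parse_dnat_rules(text: str) -> list:
    """Parse DNAT lines from a rules file into dicts."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] != "DNAT":
            continue
        _, src_zone, dest, proto, dport, _sport, origdest = cols[:7]
        dest_zone, _, inside = dest.partition(":")
        rules.append({"src_zone": src_zone, "dest_zone": dest_zone,
                      "inside": inside, "proto": proto, "dport": dport,
                      "origdest": origdest})
    return rules


def zone_of(ip: str) -> str:
    """loc for addresses on the LAN interface, net for everything else."""
    addr = ipaddress.ip_address(ip)
    return "loc" if any(addr in n for n in IFACE_NET.values()) else "net"


def _source_matches(entry: MasqEntry, src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    if entry.source in IFACE_NET:            # SOURCE given as an interface
        return addr in IFACE_NET[entry.source]
    return addr in ipaddress.ip_network(entry.source, strict=False)


def outbound_source(masq: list, src_ip: str, egress: str = "eth0") -> str:
    """Source address the remote end sees for a LAN host leaving via egress.

    First matching entry wins, so a per-host entry has to precede the
    catch-all 'eth0 eth1' line to take effect."""
    for entry in masq:
        if entry.iface == egress and _source_matches(entry, src_ip):
            return entry.address or IFACE_PRIMARY[egress]
    return src_ip  # nothing matched: packet leaves untranslated


def dnat_applies(rules: list, src_ip: str, dst_ip: str, dport: str) -> Optional[str]:
    """Inside address a DNAT rule forwards this flow to, or None.

    A DNAT rule matches on the zone the packet comes FROM (net here) and on
    ORIGDEST, so a connection initiated by the LAN host never matches it."""
    zone = zone_of(src_ip)
    for r in rules:
        if r["src_zone"] == zone and r["origdest"] == dst_ip and r["dport"] == dport:
            return r["inside"]
    return None


# Quoted from the thread.
THREAD_MASQ = "eth0 eth1\n"
THREAD_RULES = """\
DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5
"""
# Assumed alternative: SNAT the virtual host to 1.2.3.5 ahead of the catch-all.
FIXED_MASQ = """\
eth0 192.168.8.37 1.2.3.5
eth0 eth1
"""

if __name__ == "__main__":
    rules = parse_dnat_rules(THREAD_RULES)
    print("outbound 192.168.8.37 -> 5.4.3.2:55000")
    print("  DNAT rule hit:", dnat_applies(rules, "192.168.8.37", "5.4.3.2", "55000"))
    print("  source seen by partner, thread masq:", outbound_source(parse_masq(THREAD_MASQ), "192.168.8.37"))
    print("  source seen by partner, fixed masq: ", outbound_source(parse_masq(FIXED_MASQ), "192.168.8.37"))
    print("inbound 9.8.7.6 -> 1.2.3.5:55000 forwarded to:", dnat_applies(rules, "9.8.7.6", "1.2.3.5", "55000"))
```

With the thread's `eth0 eth1` line both LAN hosts leave with the firewall's primary address, and neither DNAT rule is consulted for a connection the LAN host opens; with the per-host masq entry placed before the catch-all, 192.168.8.37 leaves as 1.2.3.5, which is the address that worked when tested with `telnet -b 1.2.3.5` on the firewall itself. Whether the partner requires that source address is not stated in the thread; a `tcpdump` on eth0, as Mike suggests, would show which source the connection actually goes out with.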
