Please be a bit more precise. You telnet to 5.4.3.2 from the local client and you see a telnet to 9.8.7.6 in tcpdump instead of 5.4.3.2? You did it on eth1, right?

If this is true, this sounds like you have some wrong DNAT entry similar to

DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2

This rule would make all requests sent from loc:192.168.8.37 which request a connection to tcp 55000 on IP 5.4.3.2 be sent to 9.8.7.6.

-----Original Message-----
From: sangprabv [mailto:[email protected]]
Sent: Friday, 5 February 2010 19:14
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem

I think I found the reason why the connection always fails. I tried to tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know why this happens?

sangprabv
[email protected]

On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH wrote:

>
> Maybe nothing runs on the requested port on the other side?
> I think without a dump it would be hard to manage your problem by the list.
>
>
> -----Original Message-----
> From: sangprabv [mailto:[email protected]]
> Sent: Friday, 5 February 2010 18:42
> To: Shorewall Users
> Subject: Re: [Shorewall-users] DNAT Problem
>
> I use Ubuntu and I don't think mask is mandatory, because if it is mandatory
> then why does telnet to 9.8.7.6 always succeed and not with 5.4.3.2? It makes me
> crazy :(
>
>
>
> sangprabv
> [email protected]
>
>
> On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH
> wrote:
>
>>
>> This looks ok.
>>
>> I suggest you make a quick try with
>>
>> (policy file)
>>
>> loc net ACCEPT
>>
>> If you still cannot access the internet by telnet, something with your
>> routing is wrong or you have conflicts in your policy or rules file.
>> To check this I think a shorewall dump is needed. But if this were true
>> you should maybe see something in your messages. A tcpdump output could help
>> as well.
>>
>> Routing seems to be ok if you still have
>>
>> But if this is the kernel route command I miss the netmask parameter. I don't
>> know anything about your distribution but to add routes there should
>> always be a netmask parameter. Try to trace the internet IP
>>
>>> route add 9.8.7.6 gw 192.168.8.1
>>> route add 5.4.3.2 gw 192.168.8.1
>>
>>
>>
>> Cheers
>> Mike
>>
>>
>>
>> -----Original Message-----
>> From: sangprabv [mailto:[email protected]]
>> Sent: Friday, 5 February 2010 17:23
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] DNAT Problem
>>
>> Thanks for the reply, I have this setting in
>> /etc/shorewall/masq:
>> eth0 eth1
>>
>> eth0 is the public IP, while eth1 is the private network
>>
>> I have tried your solution but it doesn't work either.
>>
>>
>>
>>
>> sangprabv
>> [email protected]
>>
>>
>> On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH
>> wrote:
>>
>>>
>>> If you want to let your local machines access the internet by telnet then
>>> DNAT is the wrong choice. DNAT is for access from the internet to local
>>> machines.
>>>
>>> You should try something like (rules file)
>>>
>>> ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000
>>>
>>> If you have policy
>>>
>>> ACCEPT loc net
>>>
>>> The rule will be useless.
>>>
>>> If your first client can but your second can't access, I guess you already
>>> have some rules or policies allowing this.
>>>
>>> In this case I suggest to double-check your masq file whether you only masq
>>> 192.168.8.35 or the whole network e.g. 192.168.8.0/24?
>>>
>>>
>>> Cheers
>>> Mike
>>>
>>> -----Original Message-----
>>> From: sangprabv [mailto:[email protected]]
>>> Sent: Friday, 5 February 2010 09:28
>>> To: Shorewall Users
>>> Subject: [Shorewall-users] DNAT Problem
>>>
>>> Hi,
>>> I have a client behind shorewall which has 2 IPs:
>>> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
>>> I have added DNAT rules into shorewall:
>>> DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
>>> DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5
>>>
>>> 1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side
>>>
>>> I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008 and it can
>>> connect OK.
>>> And I also want 192.168.8.37 to be able to telnet to my partner IP 5.4.3.2:55000 and this
>>> one FAILS.
>>> If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 at the firewall it is OK.
>>>
>>> I have manually added
>>> route add 9.8.7.6 gw 192.168.8.1
>>> route add 5.4.3.2 gw 192.168.8.1
>>> Both added to the client routing table. What's wrong with my configuration?
>>> Many thanks for help.
>>>
>>>
>>>
>>> sangprabv
>>> [email protected]
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> The Planet: dedicated and managed hosting, cloud storage, colocation
>>> Stay online with enterprise data centers and the best network in the
>>> business
>>> Choose flexible plans and management services without long-term contracts
>>> Personal 24x7 support from experience hosting pros just a phone call away.
>>> http://p.sf.net/sfu/theplanet-com
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
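To make the difference between the poster's DNAT lines and the rule suspected in the reply above concrete, here is an added example (not Shorewall's own code and not posted by anyone in the thread): a simplified Python model of the rules-file DNAT columns, fed with the thread's own rules and a constructed outbound telnet packet. The column layout follows Shorewall's rules file; the match logic is an approximation that ignores interfaces and the zone of the rewritten destination.

```python
from dataclasses import dataclass, replace

# Shorewall rules-file columns used in this thread (simplified model):
#   DNAT  SOURCE  DEST(zone:new-address)  PROTO  DPORT  SPORT  ORIGINAL-DEST
@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int

def _split_zone(spec):
    """'loc:192.168.8.37' -> ('loc', '192.168.8.37'); 'net' -> ('net', None)."""
    zone, _, addr = spec.partition(":")
    return zone, (addr or None)

def parse_dnat(line):
    """Parse one DNAT line into its match fields; '-' or a missing column means 'any'."""
    cols = line.split() + ["-"] * 7
    if cols[0] != "DNAT":
        raise ValueError("not a DNAT rule: " + line)
    src_zone, src_ip = _split_zone(cols[1])
    _, new_dst = _split_zone(cols[2])      # DEST zone is where the NEW address lives
    return dict(src_zone=src_zone, src_ip=src_ip, new_dst=new_dst,
                proto=None if cols[3] == "-" else cols[3],
                dport=None if cols[4] == "-" else int(cols[4]),
                orig_dest=None if cols[6] == "-" else cols[6])

def apply_dnat(rules, pkt):
    """Return the packet after the first matching DNAT rule rewrites its destination."""
    for r in rules:
        wanted = [(r["src_zone"], pkt.src_zone), (r["src_ip"], pkt.src_ip),
                  (r["proto"], pkt.proto), (r["dport"], pkt.dport),
                  (r["orig_dest"], pkt.dst_ip)]
        # every non-wildcard field must match; SOURCE zone is the zone the
        # packet ENTERS from, so 'DNAT net ...' never sees loc -> net traffic
        if all(want is None or want == have for want, have in wanted):
            return replace(pkt, dst_ip=r["new_dst"])
    return pkt                              # untouched: routing and masq apply as usual

# The two rules from the original post and the suspected wrong rule from the reply.
POSTER_RULES = [parse_dnat(l) for l in (
    "DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4",
    "DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5")]
SUSPECTED_RULE = [parse_dnat("DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2")]
# Constructed packets: the client's outbound telnet and an inbound hit on the virtual IP.
OUTBOUND_TELNET = Packet("loc", "192.168.8.37", "5.4.3.2", "tcp", 55000)
INBOUND_HIT = Packet("net", "9.8.7.6", "1.2.3.4", "tcp", 11008)
```

With the poster's two rules the outbound telnet stays addressed to 5.4.3.2 (those rules only match traffic entering from net), while the suspected rule rewrites it to 9.8.7.6, which is the symptom the tcpdump in the thread showed.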
