9.8.7.6 is my partner A IP
5.4.3.2 is my partner B IP
192.168.8.35 is my local server P IP behind the firewall
192.168.8.37 is my local server P virtual IP behind the firewall
192.168.8.1 is my firewall eth1 IP
1.2.3.1 is my firewall eth0 IP
1.2.3.4 is my firewall eth0:4 virtual IP
1.2.3.5 is my firewall eth0:5 virtual IP

I want the connection to 9.8.7.6 port 11008 from server P IP 192.168.8.35 to use 1.2.3.4, so I have the rules:

ACCEPT loc:192.168.8.35 net:9.8.7.6 tcp 11008 - 1.2.3.4

And nat:

1.2.3.4 eth0 192.168.8.35

I want the connection to 5.4.3.2 port 55000 from server P virtual IP 192.168.8.37 to use 1.2.3.5, so I have the rules:

ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000 - 1.2.3.5

And nat:

1.2.3.5 eth0 192.168.8.37

I have masq value:

eth0 eth1

On server P I have added routes:

route add 9.8.7.6 gw 192.168.8.1
route add 5.4.3.2 gw 192.168.8.1

Connection to partner A 9.8.7.6:11008 is OK; I checked with TCPDUMP and it shows the connection to 9.8.7.6 uses 1.2.3.4.
Connection to partner B 5.4.3.2:55000 has FAILED; I checked with TCPDUMP and it shows the connection to 5.4.3.2 uses 1.2.3.4 instead of 1.2.3.5.

sangprabv
[email protected]


On Feb 6, 2010, at 1:50 AM, Michael Weickel - iQom Business Services GmbH wrote:

>
> Please be a bit more precise.
>
> You telnet 5.4.3.2 from the local client and you see a telnet to 9.8.7.6 in
> tcpdump instead of 5.4.3.2? You did it on eth1, right?
>
> If this is true this sounds like you have some wrong DNAT entry similar to
>
> DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2
>
> This rule would make all requests sent from loc:192.168.8.37 which
> request a connection to tcp 55000 on ip 5.4.3.2 be sent to 9.8.7.6
>
>
> -----Original Message-----
> From: sangprabv [mailto:[email protected]]
> Sent: Friday, 5 February 2010 19:14
> To: Shorewall Users
> Subject: Re: [Shorewall-users] DNAT Problem
>
> I think I found the reason why the connection always fails. I tried
> tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know why
> this happens?
>
>
> sangprabv
> [email protected]
>
>
> On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH
> wrote:
>
>>
>> Maybe nothing runs on the requested port on the other side?
>> I think without a dump it would be hard to manage your problem by the list.
>>
>>
>> -----Original Message-----
>> From: sangprabv [mailto:[email protected]]
>> Sent: Friday, 5 February 2010 18:42
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] DNAT Problem
>>
>> I use Ubuntu and I don't think mask is mandatory, because if it is mandatory
>> then why does telnet to 9.8.7.6 always succeed and not to 5.4.3.2? It makes
>> me crazy :(
>>
>>
>> sangprabv
>> [email protected]
>>
>>
>> On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH
>> wrote:
>>
>>>
>>> This looks ok.
>>>
>>> I suggest you make a quick try with
>>>
>>> (policy file)
>>>
>>> loc net ACCEPT
>>>
>>> If you still cannot access the internet by telnet, something with your
>>> routing is wrong or you have conflicts in your policy or rules file.
>>> To check this I think a shorewall dump is needed. But if this were true
>>> you should maybe see something in your messages. A tcpdump output could
>>> help as well.
>>>
>>> Routing seems to be ok if you still have
>>>
>>> But if this is the kernel route command I miss the netmask parameter. I don't
>>> know anything about your distribution, but to add routes there should
>>> always be a netmask parameter. Try to trace the internet ip
>>>
>>>> route add 9.8.7.6 gw 192.168.8.1
>>>> route add 5.4.3.2 gw 192.168.8.1
>>>
>>>
>>> Cheers
>>> Mike
>>>
>>>
>>> -----Original Message-----
>>> From: sangprabv [mailto:[email protected]]
>>> Sent: Friday, 5 February 2010 17:23
>>> To: Shorewall Users
>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>
>>> Thanks for the reply, I have this setting in
>>> /etc/shorewall/masq:
>>> eth0 eth1
>>>
>>> eth0 is the public IP, while eth1 is the private network
>>>
>>> I have tried your solution but it doesn't work either.
>>>
>>>
>>> sangprabv
>>> [email protected]
>>>
>>>
>>> On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH
>>> wrote:
>>>
>>>>
>>>> If you want to let your local machines access the internet by telnet, then
>>>> DNAT is the wrong choice. DNAT is for access from the internet to local
>>>> machines.
>>>>
>>>> You should try something like (rules file)
>>>>
>>>> ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000
>>>>
>>>> If you have policy
>>>>
>>>> ACCEPT loc net
>>>>
>>>> the rule will be useless.
>>>>
>>>> If your first client can but your second can't access, I guess you already
>>>> have some rules or policies allowing this.
>>>>
>>>> In this case I suggest you double-check your masq file: do you only masq
>>>> 192.168.8.35 or the whole network, e.g. 192.168.8.0/24?
>>>>
>>>>
>>>> Cheers
>>>> Mike
>>>>
>>>> -----Original Message-----
>>>> From: sangprabv [mailto:[email protected]]
>>>> Sent: Friday, 5 February 2010 09:28
>>>> To: Shorewall Users
>>>> Subject: [Shorewall-users] DNAT Problem
>>>>
>>>> Hi,
>>>> I have a client behind shorewall which has 2 IPs:
>>>> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
>>>> I have added DNAT rules into shorewall:
>>>> DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
>>>> DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5
>>>>
>>>> 1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side
>>>>
>>>> I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008,
>>>> and it can connect OK.
>>>> And I also want 192.168.8.37 to be able to reach my partner IP
>>>> 5.4.3.2:55000, and this one FAILS.
>>>> If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 at the firewall it is OK.
>>>>
>>>> I have manually added
>>>> route add 9.8.7.6 gw 192.168.8.1
>>>> route add 5.4.3.2 gw 192.168.8.1
>>>> Both added to the client routing table. What's wrong with my
>>>> configuration?
>>>> Many thanks for help.
>>>>
>>>>
>>>> sangprabv
>>>> [email protected]


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experienced hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
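The thread never states why the connection to 5.4.3.2 leaves the firewall as 1.2.3.4, and the one check Mike asks for (a tcpdump on the firewall's eth1, before NAT) is what separates the two candidate causes: either the firewall translates 192.168.8.37 wrongly, or the packet never carried 192.168.8.37 in the first place. The model below is an added example, not code from the thread or from Shorewall. It reproduces the thread's addresses, nat rows and masq row, and makes two assumptions that the thread does not confirm: that the client (server P) picks the egress interface's primary address as source when the route carries no src hint and the socket is not bound, which is how the Linux kernel treats a secondary/alias address such as 192.168.8.37, and that a one-to-one row in /etc/shorewall/nat for the exact inner address takes precedence over the catch-all masq row. `Route.src` models the `src` hint of `ip route add ... src ADDRESS`; the legacy `route add X gw Y` used in the thread has no such parameter, so the `src_hint=True` case is a hypothetical configuration, not something proposed on the list.

```python
"""Model of the outbound path in the thread: client source-address selection,
then the firewall's one-to-one NAT (/etc/shorewall/nat) or masquerading
(/etc/shorewall/masq). Constructed example; the addresses are the thread's."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Route:
    dst: str                    # destination prefix, e.g. "5.4.3.2/32"
    gw: str                     # next hop
    dev: str                    # egress interface
    src: Optional[str] = None   # 'ip route ... src X' hint; legacy 'route add' has none


@dataclass
class Host:
    # interface -> addresses; the kernel lists the primary address first and
    # secondary/alias addresses (192.168.8.37 here) after it.
    addrs: dict
    routes: list = field(default_factory=list)

    def pick_source(self, dst: str) -> str:
        """Longest-prefix route lookup, then source selection (assumed Linux
        behaviour: the route's src hint if set, else the egress primary)."""
        d = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if d in ipaddress.ip_network(r.dst)]
        best = max(candidates, key=lambda r: ipaddress.ip_network(r.dst).prefixlen)
        return best.src or self.addrs[best.dev][0]


@dataclass
class Firewall:
    ext_if: str
    ext_primary: str            # masquerading rewrites to the egress primary
    inside: dict                # interface -> attached network, resolves masq SOURCE
    nat: list                   # (EXTERNAL, INTERFACE, INTERNAL) rows of the nat file
    masq: list                  # (INTERFACE, SOURCE) rows of the masq file

    def snat(self, inner_src: str) -> str:
        """Public source chosen for a packet leaving ext_if. Assumption: an
        exact one-to-one nat row wins over the masq row."""
        for external, iface, internal in self.nat:
            if iface == self.ext_if and internal == inner_src:
                return external
        for iface, source in self.masq:
            net = ipaddress.ip_network(self.inside.get(source, source))
            if iface == self.ext_if and ipaddress.ip_address(inner_src) in net:
                return self.ext_primary
        return inner_src        # no translation applies; packet leaves unchanged


def outbound(client: Host, fw: Firewall, dst: str):
    """(source seen by tcpdump on the firewall's eth1, source seen by the partner)."""
    inner = client.pick_source(dst)
    return inner, fw.snat(inner)


def build_firewall() -> Firewall:
    """The thread's firewall: eth0 public, eth1 private, two nat rows, one masq row."""
    return Firewall(ext_if="eth0", ext_primary="1.2.3.1",
                    inside={"eth1": "192.168.8.0/24"},
                    nat=[("1.2.3.4", "eth0", "192.168.8.35"),
                         ("1.2.3.5", "eth0", "192.168.8.37")],
                    masq=[("eth0", "eth1")])


def build_client(src_hint: bool) -> Host:
    """Server P. src_hint=False matches the thread's 'route add X gw 192.168.8.1';
    src_hint=True is the hypothetical variant with 'src 192.168.8.37' on the
    5.4.3.2 route (not something the thread proposes)."""
    return Host(addrs={"eth0": ["192.168.8.35", "192.168.8.37"]},
                routes=[Route("0.0.0.0/0", "192.168.8.1", "eth0"),
                        Route("9.8.7.6/32", "192.168.8.1", "eth0"),
                        Route("5.4.3.2/32", "192.168.8.1", "eth0",
                              src="192.168.8.37" if src_hint else None)])


if __name__ == "__main__":
    fw = build_firewall()
    for hint in (False, True):
        c = build_client(hint)
        print("src hint" if hint else "no src hint",
              "A:", outbound(c, fw, "9.8.7.6"), "B:", outbound(c, fw, "5.4.3.2"))
```

Under the no-hint assumption the model reproduces both observations from the thread: traffic to 9.8.7.6 arrives on eth1 as 192.168.8.35 and leaves as 1.2.3.4, and traffic to 5.4.3.2 also arrives as 192.168.8.35, so the nat row for 192.168.8.35 applies and the partner sees 1.2.3.4. A tcpdump on eth1 that shows 192.168.8.35 rather than 192.168.8.37 as the inner source would point at the client's address selection rather than at the Shorewall configuration; one that shows 192.168.8.37 would point back at the nat/masq rules.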
