Just got to the root of the problem. Somebody played with IPTABLES manually on the client side. I just flushed it and it can connect now. Hopefully it's OK now. Many thanks for your replies MW.
sangprabv
[email protected]

On Feb 6, 2010, at 7:01 PM, Michael Weickel - iQom Business Services GmbH wrote:

> I think if you send a dump, shorewall developers can help you with this.
>
> My last idea would be to put the config lines at the top of each file to ensure that you don't have conflicts in your file hierarchy.
>
> Since we don't know too much about your routing, it could be located there as well.
>
> Cheers
> Mike
>
> -----Original Message-----
> From: sangprabv [mailto:[email protected]]
> Sent: Saturday, 6 February 2010 12:57
> To: Shorewall Users
> Subject: Re: [Shorewall-users] DNAT Problem
>
> Yes sure I did it, I think there is something else causing this problem. I will look over it and keep you updated. Many thanks MW :)
>
> sangprabv
> [email protected]
>
> On Feb 6, 2010, at 6:11 PM, Michael Weickel - iQom Business Services GmbH wrote:
>
>> Did you do
>>
>> telnet -b 192.168.8.37 5.4.3.2 55000
>>
>> or
>>
>> telnet 5.4.3.2 55000 (which of course won't do what you want!)
>>
>> from your local client P?
>>
>> -----Original Message-----
>> From: sangprabv [mailto:[email protected]]
>> Sent: Saturday, 6 February 2010 11:50
>> To: Shorewall Users
>> Subject: Re: [Shorewall-users] DNAT Problem
>>
>> I have tried your suggestion but now if I do tcpdump, the connection from 192.168.8.37 to 5.4.3.2:55000 is read from 192.168.8.1 (the firewall IP)
>>
>> sangprabv
>> [email protected]
>>
>> On Feb 6, 2010, at 5:03 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>
>>> Again, you don't need the nat to make your target work.
>>>
>>> Throw away your config as outlined and do it like this.
>>>
>>> /etc/shorewall/masq (order of lines is quite important)
>>>
>>> eth0 192.168.8.35 1.2.3.4 tcp 11008
>>> eth0 192.168.8.37 1.2.3.5 tcp 55000
>>> eth0 eth1
>>>
>>> or
>>>
>>> eth0:9.8.7.6 192.168.8.35 1.2.3.4 tcp 11008
>>> eth0:5.4.3.2 192.168.8.37 1.2.3.5 tcp 55000
>>> eth0 eth1
>>>
>>> Both masq will work, it depends what you want to have. The first example will always map telnet to 1.2.3.4 or 1.2.3.5 if you telnet to the given ports, where the second example will only do so if you telnet to 9.8.7.6 or 5.4.3.2
>>>
>>> /etc/shorewall/rules
>>>
>>> ACCEPT loc:192.168.8.35 net:9.8.7.6
>>> ACCEPT loc:192.168.8.37 net:5.4.3.2
>>>
>>> Your client routing should be kept.
>>>
>>>> route add 9.8.7.6. gw 192.168.8.1
>>>> route add 5.4.3.2 gw 192.168.8.1
>>>
>>> You don't need your outlined nat entry, you don't need your outlined rules entry. Take mine.
>>>
>>> -----Original Message-----
>>> From: sangprabv [mailto:[email protected]]
>>> Sent: Saturday, 6 February 2010 10:49
>>> To: Shorewall Users
>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>
>>> net:.5.4.3.2 is just an illustration, it's not the real IP and it's just a typo.
>>> If I disable the nat entry in the nat file, 192.168.8.35 can not telnet to 9.8.7.6:11008
>>>
>>> sangprabv
>>> [email protected]
>>>
>>> On Feb 6, 2010, at 3:18 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>
>>>> What is this? net:.5.4.3.2
>>>> I guess you copy-pasted it? The leading "." should be removed
>>>> Else config looks fine but I think you don't need those nat rules for the things you plan to do. Your entries in masq, rules and interfaces will manage to do what you want
>>>>
>>>> -----Original Message-----
>>>> From: sangprabv [mailto:[email protected]]
>>>> Sent: Saturday, 6 February 2010 02:11
>>>> To: Shorewall Users
>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>
>>>> 9.8.7.6 is my partner A IP
>>>> 5.4.3.2 is my partner B IP
>>>>
>>>> 192.168.8.35 is my local server P IP behind firewall
>>>> 192.168.8.37 is my local server P virtual IP behind firewall
>>>>
>>>> 192.168.8.1 is my firewall eth1 IP
>>>>
>>>> 1.2.3.1 is my firewall eth0 IP
>>>> 1.2.3.4 is my firewall eth0:4 virtual IP
>>>> 1.2.3.5 is my firewall eth0:5 virtual IP
>>>>
>>>> I want the connection to 9.8.7.6 port 11008 from server P IP 192.168.8.35 to use 1.2.3.4 so I have rules:
>>>> ACCEPT loc:192.168.8.35 net:9.8.7.6 tcp 11008 - 1.2.3.4
>>>> And nat:
>>>> 1.2.3.4 eth0 192.168.8.35
>>>>
>>>> I want the connection to 5.4.3.2 port 55000 from server P virtual IP 192.168.8.37 to use 1.2.3.5 so I have rules:
>>>> ACCEPT loc:192.168.8.37 net:.5.4.3.2 tcp 55000 - 1.2.3.5
>>>> And nat:
>>>> 1.2.3.5 eth0 192.168.8.37
>>>>
>>>> I have masq value:
>>>> eth0 eth1
>>>>
>>>> On server P I have added routes
>>>> route add 9.8.7.6. gw 192.168.8.1
>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>
>>>> Connection to partner A 9.8.7.6:11008 is OK, I checked TCPDUMP and it shows the connection to 9.8.7.6 uses 1.2.3.4
>>>> Connection to partner B 5.4.3.2:55000 FAILS, I checked TCPDUMP and it shows the connection to 5.4.3.2 uses 1.2.3.4 instead of 1.2.3.5
>>>>
>>>> sangprabv
>>>> [email protected]
>>>>
>>>> On Feb 6, 2010, at 1:50 AM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>
>>>>> Please be a bit more precise.
>>>>>
>>>>> You telnet 5.4.3.2 from the local client and you see a telnet to 9.8.7.6 in tcpdump instead of 5.4.3.2? You did it on eth1, right?
>>>>>
>>>>> If this is true this sounds like you have some wrong DNAT entry similar to
>>>>>
>>>>> DNAT loc:192.168.8.37 net:9.8.7.6 tcp 55000 - 5.4.3.2
>>>>>
>>>>> This rule would make all requests sent from loc:192.168.8.37 which request a connection to tcp 55000 on ip 5.4.3.2 be sent to 9.8.7.6
>>>>>
>>>>> -----Original Message-----
>>>>> From: sangprabv [mailto:[email protected]]
>>>>> Sent: Friday, 5 February 2010 19:14
>>>>> To: Shorewall Users
>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>
>>>>> I think I found the reason why the connection always fails. I tried to tcpdump and found that telnet to 5.4.3.2 is using 9.8.7.6. I don't know why this happens?
>>>>>
>>>>> sangprabv
>>>>> [email protected]
>>>>>
>>>>> On Feb 6, 2010, at 12:48 AM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>>
>>>>>> Maybe nothing runs on the requested port on the other side?
>>>>>> I think without a dump it would be hard to manage your problem by the list.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: sangprabv [mailto:[email protected]]
>>>>>> Sent: Friday, 5 February 2010 18:42
>>>>>> To: Shorewall Users
>>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>>
>>>>>> I use Ubuntu and I don't think mask is mandatory because if it is mandatory then why does telnet to 9.8.7.6 always succeed and not with 5.4.3.2. It makes me crazy :(
>>>>>>
>>>>>> sangprabv
>>>>>> [email protected]
>>>>>>
>>>>>> On Feb 5, 2010, at 11:35 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>>>
>>>>>>> This looks ok.
>>>>>>>
>>>>>>> I suggest you make a quick try with
>>>>>>>
>>>>>>> (policy file)
>>>>>>>
>>>>>>> loc net ACCEPT
>>>>>>>
>>>>>>> If you still cannot access the internet by telnet, something with your routing is wrong or you have conflicts in your policy or rules file. To check this I think a shorewall dump is needed. But if this were true you should maybe see something in your messages. A tcpdump output could help as well.
>>>>>>>
>>>>>>> Routing seems to be ok if you still have
>>>>>>>
>>>>>>> But if this is the kernel route command I miss the netmask parameter. I don't know anything about your distribution but to add routes there should always be a netmask parameter. Try to trace the internet ip
>>>>>>>
>>>>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>>>>
>>>>>>> Cheers
>>>>>>> Mike
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: sangprabv [mailto:[email protected]]
>>>>>>> Sent: Friday, 5 February 2010 17:23
>>>>>>> To: Shorewall Users
>>>>>>> Subject: Re: [Shorewall-users] DNAT Problem
>>>>>>>
>>>>>>> Thanks for the reply, I have this setting in /etc/shorewall/masq:
>>>>>>> eth0 eth1
>>>>>>>
>>>>>>> eth0 is the public IP, while eth1 is the private network
>>>>>>>
>>>>>>> I have tried your solution but it doesn't work either.
>>>>>>>
>>>>>>> sangprabv
>>>>>>> [email protected]
>>>>>>>
>>>>>>> On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH wrote:
>>>>>>>
>>>>>>>> If you want to let your local machines access the internet by telnet then DNAT is the wrong choice. DNAT is for access from the internet to local machines.
>>>>>>>>
>>>>>>>> You should try something like (rules file)
>>>>>>>>
>>>>>>>> ACCEPT loc:192.168.8.37 net:5.4.3.2 tcp 55000
>>>>>>>>
>>>>>>>> If you have policy
>>>>>>>>
>>>>>>>> ACCEPT loc net
>>>>>>>>
>>>>>>>> the rule will be useless.
>>>>>>>>
>>>>>>>> If your first client can but your second can't access, I guess you already have some rules or policies allowing this.
>>>>>>>>
>>>>>>>> In this case I suggest you double-check your masq file: do you only masq 192.168.8.35 or the whole network, e.g. 192.168.8.0/24?
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>> Mike
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: sangprabv [mailto:[email protected]]
>>>>>>>> Sent: Friday, 5 February 2010 09:28
>>>>>>>> To: Shorewall Users
>>>>>>>> Subject: [Shorewall-users] DNAT Problem
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I have a client behind shorewall which has 2 IPs:
>>>>>>>> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
>>>>>>>> I have added DNAT rules into shorewall:
>>>>>>>> DNAT net loc:192.168.8.35 tcp 11008 - 1.2.3.4
>>>>>>>> DNAT net loc:192.168.8.37 tcp 55000 - 1.2.3.5
>>>>>>>>
>>>>>>>> 1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side
>>>>>>>>
>>>>>>>> I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008 and it can connect OK.
>>>>>>>> And I also want 192.168.8.37 to be able to reach my partner IP 5.4.3.2:55000 and this one FAILS.
>>>>>>>> If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 at the firewall it is OK.
>>>>>>>>
>>>>>>>> I have manually added
>>>>>>>> route add 9.8.7.6 gw 192.168.8.1
>>>>>>>> route add 5.4.3.2 gw 192.168.8.1
>>>>>>>> Both added to the client routing table. What's wrong with my configuration?
>>>>>>>> Many thanks for help.
>>>>>>>>
>>>>>>>> sangprabv
>>>>>>>> [email protected]
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> The Planet: dedicated and managed hosting, cloud storage, colocation
>>>>>>>> Stay online with enterprise data centers and the best network in the business
>>>>>>>> Choose flexible plans and management services without long-term contracts
>>>>>>>> Personal 24x7 support from experience hosting pros just a phone call away.
>>>>>>>> http://p.sf.net/sfu/theplanet-com
>>>>>>>> _______________________________________________
>>>>>>>> Shorewall-users mailing list
>>>>>>>> [email protected]
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
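The thread turns on two points that are easy to get wrong: outbound per-host source mapping is SNAT/masq, not DNAT, and in Mike's words "order of lines is quite important", because the nat table is walked top to bottom and the first terminating target wins. The script below is an added example, not code from the thread or from Shorewall: it walks a list of POSTROUTING rules with first-match semantics and reports which source address a given flow would leave with. The rule lines are a constructed, simplified sample of what `iptables -t nat -S POSTROUTING` prints (real Shorewall output is spread over per-interface chains, which this flat walker does not follow), and the function names `snat_for`, `good_order`, `bad_order` and `dest_bound` are mine. It assumes TCP and a single outgoing interface (eth0), as in the thread.

```shell
#!/bin/sh
# Added example: first-match walk over POSTROUTING NAT rules, to show why a
# catch-all MASQUERADE placed before the per-host SNAT lines hides them.

# snat_for SRC DST DPORT   (rule lines on stdin)
# Prints the --to-source address of the first matching SNAT rule,
# "MASQUERADE" if the catch-all is reached first, or "NONE" if nothing matches.
snat_for() {
  awk -v src="$1" -v dst="$2" -v dport="$3" '
    function ip2n(a,    p) {
      split(a, p, ".")
      return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # 1 if ip lies inside cidr ("a.b.c.d" or "a.b.c.d/len"), else 0
    function incidr(ip, cidr,    q, n, bits, div) {
      n = split(cidr, q, "/")
      bits = (n == 2) ? q[2] : 32
      div = 2 ^ (32 - bits)
      return (int(ip2n(ip) / div) == int(ip2n(q[1]) / div))
    }
    $1 != "-A" { next }                      # skip -P / -N lines
    {
      s = "0.0.0.0/0"; d = "0.0.0.0/0"; port = ""; target = ""; to = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") s = $(i + 1)
        else if ($i == "-d") d = $(i + 1)
        else if ($i == "--dport") port = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
        else if ($i == "--to-source") to = $(i + 1)
      }
      if (!incidr(src, s) || !incidr(dst, d)) next
      if (port != "" && port != dport) next
      if (target == "SNAT") { found = 1; print to; exit }
      if (target == "MASQUERADE") { found = 1; print "MASQUERADE"; exit }
    }
    END { if (!found) print "NONE" }
  '
}

# Constructed sample in the order Mike recommends: host-specific SNAT lines
# first, the catch-all for the whole LAN (the "eth0 eth1" masq line) last.
RULES_GOOD='-A POSTROUTING -s 192.168.8.35/32 -o eth0 -p tcp -m tcp --dport 11008 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -s 192.168.8.37/32 -o eth0 -p tcp -m tcp --dport 55000 -j SNAT --to-source 1.2.3.5
-A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE'

# Same three rules with the catch-all first: every LAN host matches it, so the
# two SNAT lines are dead code and the flow leaves with eth0 primary address.
RULES_BAD='-A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.8.35/32 -o eth0 -p tcp -m tcp --dport 11008 -j SNAT --to-source 1.2.3.4
-A POSTROUTING -s 192.168.8.37/32 -o eth0 -p tcp -m tcp --dport 55000 -j SNAT --to-source 1.2.3.5'

# Mike's second masq variant ("eth0:5.4.3.2 192.168.8.37 1.2.3.5 tcp 55000"):
# the mapping is also bound to the destination, so the same host talking to any
# other address falls through to the catch-all.
RULES_DEST='-A POSTROUTING -s 192.168.8.37/32 -d 5.4.3.2/32 -o eth0 -p tcp -m tcp --dport 55000 -j SNAT --to-source 1.2.3.5
-A POSTROUTING -s 192.168.8.0/24 -o eth0 -j MASQUERADE'

# Which source address does server P's virtual IP get towards partner B?
good_order() { printf '%s\n' "$RULES_GOOD" | snat_for 192.168.8.37 5.4.3.2 55000; }
bad_order()  { printf '%s\n' "$RULES_BAD"  | snat_for 192.168.8.37 5.4.3.2 55000; }
# Destination-bound variant, queried for partner B and for an unrelated host.
dest_bound() { printf '%s\n' "$RULES_DEST" | snat_for 192.168.8.37 "$1" 55000; }

# To audit a live firewall, feed the real rule list instead of the sample:
#   iptables -t nat -S POSTROUTING | snat_for 192.168.8.37 5.4.3.2 55000
echo "specific-first:  $(good_order)"          # 1.2.3.5
echo "catch-all-first: $(bad_order)"           # MASQUERADE
echo "dest-bound, partner B: $(dest_bound 5.4.3.2)"   # 1.2.3.5
echo "dest-bound, other host: $(dest_bound 7.7.7.7)"  # MASQUERADE
```

The `bad_order` case is the symptom sangprabv saw in tcpdump: the per-host mapping is configured but never reached, so the flow leaves with whatever the catch-all chooses. Comparing the live rule list against the intended mapping this way also catches the thread's actual root cause, a hand-edited iptables ruleset on the client that no longer matched the documented configuration.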
