On 05/04/2010 01:32 PM, Christopher Nielsen wrote:
>
> On elkin, I can browse to ronda (links http://10.177.140.52) and see
> ronda's web output. ronda can ping 10.177.157.160, so basic connectivity
> works. Also, masquerading from dmz does not work (ronda cannot ping or
> browse the net), which might be a clue.

If the server can't access the internet, you can't reasonably expect to
access the server from the internet!

> If, on ronda, I 'ping 98.137.149.56' (that's yahoo.com), while doing
> 'tcpdump -i eth1' on elkin, I see nothing. But if I ping the
> gateway address (ping 10.177.157.160) then I do see output on tcpdump on
> elkin. Ronda works just fine if using the ISP supplied
> gateway, as you'd expect (173.203.204.1).

Sounds like the routing on ronda is hosed; the default route doesn't go
through elkin. Note that this is prominently mentioned in the DNAT
troubleshooting instructions detailed in Shorewall FAQs 1a and 1b.

>
> One thing I do see on elkin is this message when shorewall is started,
> but it's not clear if this has anything to do with our problem.
> kernel: [81069.656706] ip_tables: connlimit match: invalid size 32 != 24

It means that your iptables is incompatible with your kernel.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
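
The check described in the reply above (does ronda's default route actually go through elkin?), as an added example that is not part of the original message: it picks the default route the kernel would prefer from `ip -4 route show` output and compares its gateway with the firewall's DMZ address. The routing table text is a constructed sample, the two gateway addresses are the ones quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ip -4 route show` output on a DMZ host that
# still prefers the ISP gateway over the firewall (assumed layout).
SAMPLE_ROUTES='default via 173.203.204.1 dev eth0 metric 100
default via 10.177.157.160 dev eth1 metric 200
10.177.128.0/19 dev eth1 proto kernel scope link
173.203.204.0/24 dev eth0 proto kernel scope link'

# Print the gateway of the default route the kernel would prefer:
# lowest metric wins, and a route without a metric counts as 0.
effective_default_gw() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            gw = ""; metric = 0
            for (i = 2; i < NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            if (gw != "" && (best == "" || metric + 0 < bestm)) {
                best = gw; bestm = metric + 0
            }
        }
        END { if (best != "") print best }'
}

# $1 = routing table text, $2 = firewall address the DMZ host must use.
# Returns 0 if the preferred default route goes via $2, 1 if it goes
# elsewhere, 2 if there is no default route with a gateway at all.
check_default_route() {
    gw=$(effective_default_gw "$1")
    if [ -z "$gw" ]; then
        echo "no default route with a gateway"
        return 2
    elif [ "$gw" != "$2" ]; then
        echo "default route goes via $gw, not via firewall $2"
        return 1
    fi
    echo "default route goes via firewall $2"
}

# On a live host, pass "$(ip -4 route show)" instead of the sample.
check_default_route "$SAMPLE_ROUTES" 10.177.157.160 || true
```

With the sample table the ISP gateway wins on metric, which matches the symptom in the thread: pings to outside addresses never reach elkin's eth1, so tcpdump there shows nothing and masquerading never gets a chance to apply.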
