On 04/11/2012 08:17 AM, Alessandro Faglia wrote:
> On Wed, Apr 11, 2012 at 4:38 PM, Tom Eastep <[email protected]> wrote:
>
> > On 04/11/2012 12:57 AM, Alessandro Faglia wrote:
> >
> > > My two internet uplinks (eth4 and ppp0) belong to the same "net" zone.
> > > Everything is working fine but I have a problem with natting.
> > >
> > > The problematic rule is this:
> > > DNAT net lan1:<internal IP of my mail server> tcp 25
> >
> > Have you followed the DNAT troubleshooting procedure described in
> > Shorewall FAQs 1a and 1b?
>
> I did :-(
>
> I created a LOG rule to track 25/tcp packets and in the syslog I see
>
> Apr 11 17:06:56 <sw-box> kernel: Shorewall:net2lan1:LOG:IN=ppp0 OUT=eth1 SRC=<src-ip> DST=192.168.1.9 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=36272 PROTO=TCP SPT=47814 DPT=25 WINDOW=2048 RES=0x00 SYN URGP=0
> Apr 11 17:06:56 <sw-box> kernel: Shorewall:net2lan1:LOG:IN=ppp0 OUT=eth1 SRC=<src-ip> DST=192.168.1.9 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=51095 PROTO=TCP SPT=47815 DPT=25 WINDOW=3072 RES=0x00 SYN URGP=0
>
> Here <sw-box> is the hostname of the box where shorewall is running (local IP is 192.168.1.1) and <src-ip> is the public IP of the other box I'm running nmap to test.
>
> In the target box the gateway is pointing to the shorewall box:
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 bond0
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 bond0
>
> Maybe the bond interface on the target server is involved in the issue? But in this case it won't work even when scanning the other IP, at least I think so...
>
> I don't have a clue...
Have you looked at eth1 with tcpdump when doing this test? If you use the -e option (e.g., tcpdump -nei eth1 port 25 and host <nmap-host-ip>) you can see if the mail server is responding and with what destination MAC.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
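Tom's -e check, worked through as an added example that is not part of the thread or of Shorewall: a small Python parser over constructed `tcpdump -nei eth1 port 25` output that pairs each inbound SYN to the mail server with its SYN-ACK and reports whether that reply was addressed to the firewall's eth1 MAC. The MAC addresses, the public client IP and the FW_ETH1_MAC constant are placeholders I assumed; 192.168.1.9 and port 25 come from the thread.

```python
import re

# Constructed sample of `tcpdump -nei eth1 port 25` output (not a real capture).
# All MACs and the 203.0.113.7 client are placeholders; 192.168.1.9 is the mail server.
FW_ETH1_MAC = "00:00:5e:00:53:01"  # assumed MAC of the Shorewall box's eth1
SAMPLE = """\
17:06:56.100 00:00:5e:00:53:01 > 00:00:5e:00:53:09, ethertype IPv4 (0x0800), length 74: 203.0.113.7.47814 > 192.168.1.9.25: Flags [S], seq 1, win 2048, length 0
17:06:56.101 00:00:5e:00:53:09 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 74: 192.168.1.9.25 > 203.0.113.7.47814: Flags [S.], seq 2, ack 2, win 29200, length 0
17:06:57.200 00:00:5e:00:53:01 > 00:00:5e:00:53:09, ethertype IPv4 (0x0800), length 74: 203.0.113.7.47815 > 192.168.1.9.25: Flags [S], seq 3, win 3072, length 0
17:06:57.201 00:00:5e:00:53:09 > 00:00:5e:00:53:ff, ethertype IPv4 (0x0800), length 74: 192.168.1.9.25 > 203.0.113.7.47815: Flags [S.], seq 4, ack 4, win 29200, length 0
17:06:58.300 00:00:5e:00:53:01 > 00:00:5e:00:53:09, ethertype IPv4 (0x0800), length 74: 203.0.113.7.47816 > 192.168.1.9.25: Flags [S], seq 5, win 1024, length 0
"""

# One tcpdump -e line: timestamp, src MAC > dst MAC, ..., src IP.port > dst IP.port: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(text):
    """Yield one dict per line that matches the TCP-over-IPv4 summary format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def check_dnat_replies(text, server_ip, server_port, fw_mac):
    """Map (client ip, client port) of each inbound SYN to a verdict:
    'ok'       SYN-ACK seen and sent to the firewall's MAC (reverse NAT can happen)
    'bypass'   SYN-ACK seen but addressed to another MAC (reply skips the firewall)
    'no_reply' no SYN-ACK at all (nothing listening, or the SYN never arrived)"""
    syns = {}
    for p in parse(text):
        key = (p["sip"], p["sport"]) if p["dip"] == server_ip else (p["dip"], p["dport"])
        if p["dip"] == server_ip and p["dport"] == server_port and p["flags"] == "S":
            syns.setdefault(key, "no_reply")
        elif p["sip"] == server_ip and p["sport"] == server_port and p["flags"] == "S." and key in syns:
            syns[key] = "ok" if p["dmac"] == fw_mac else "bypass"
    return syns

if __name__ == "__main__":
    for (ip, port), verdict in check_dnat_replies(SAMPLE, "192.168.1.9", "25", FW_ETH1_MAC).items():
        print(f"{ip}:{port} -> {verdict}")
```

A 'bypass' verdict is the case the destination-MAC check is meant to expose: the server answers, but the SYN-ACK leaves towards a different gateway, so it never passes back through the Shorewall box and the DNAT reverse mapping is never applied.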
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
