Hi all. Sorry to be a bother, but I have the feeling I'm overlooking something incredibly simple.
Background: I have a KVM Linux host with a guest LAMP server. I simply want to forward all web traffic that arrives at the host to the guest.
The guest works fine; I can connect to the webpage from within my net. If I temporarily hack the DNAT rules to a source of "all", I can web from the host to the guest just fine as well.
Shorewall on the host is starting just fine. Shorewall is filtering a few things I asked it to just fine. Shorewall dump attached.
I can see port 80 requests coming into the guest via tcpdump:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:13:55.404486 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, options [mss 1360,nop,nop,TS val 629582802 ecr 0,nop,wscale 2,nop,nop,sackOK], length 0
01:13:56.530815 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, options [mss 1360,nop,nop,TS val 629582915 ecr 0,nop,wscale 2,nop,nop,sackOK], length 0
01:13:58.797613 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, options [mss 1360,nop,nop,TS val 629583141 ecr 0,nop,wscale 2,nop,nop,sackOK], length 0
01:14:03.298603 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, options [mss 1360,nop,nop,TS val 629583592 ecr 0,nop,wscale 2,nop,nop,sackOK], length 0
01:14:05.105427 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [R], seq 2539820124, win 32850, length 0
When I do web over to the host, nothing happens. No client error (other than an eventual timeout), no host DMESG output, nothing beyond the above tcpdump type output. This is also reflected via running a "tcpdump 'tcp port 80'" command on the guest which sees no activity.
Critical files:

[Masq]
eth0 br0 66.128.118.35

[Interfaces]
net eth0 detect
loc br0 detect bridge

[Rules]
DNAT net loc:10.184.155.34:80 tcp 80
DNAT net loc:10.184.155.34:443 tcp 443
ACCEPT loc fw tcp 52
ACCEPT fw net udp domain
ACCEPT fw net tcp domain
ACCEPT all all udp ntp
ACCEPT all all icmp 8

Can somebody point out what I'm missing? I suspect it's something quite obvious, but I'm just not seeing it. Please let me know if you need any more information. I thought this would be quick and easy about 6 hours ago... lol.
Thanks in advance. Kevin
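As an added example, not part of Kevin's post: a small Python script that reads tcpdump text like the output quoted above, groups it into TCP flows, flags connections whose SYN is retransmitted without ever getting a SYN/ACK, and compares a host-side capture against a guest-side one to list clients whose packets reached the host but never arrived at the guest. Both captures are constructed samples modelled on the quoted lines; the 192.0.2.10 client and the completed flow are invented.

```python
import re
from collections import defaultdict
# Constructed host-side capture modelled on the post: one flow SYNed three times
# with the same seq and then reset, plus one (invented) flow that completes.
HOST_CAPTURE = """\
01:13:55.404486 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, length 0
01:13:56.530815 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, length 0
01:13:58.797613 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, length 0
01:14:05.105427 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [R], seq 2539820124, win 32850, length 0
01:20:00.500000 IP 192.0.2.10.51000 > 66.128.118.35.http: Flags [S], seq 1, win 1000, length 0
01:20:00.500400 IP 66.128.118.35.http > 192.0.2.10.51000: Flags [S.], seq 9, ack 2, win 1000, length 0
"""
# Constructed guest-side capture ("tcpdump 'tcp port 80'" on the guest): only the
# second flow ever arrived there, already DNATed to the guest's own address.
GUEST_CAPTURE = """\
01:20:00.500100 IP 192.0.2.10.51000 > 10.184.155.34.http: Flags [S], seq 1, win 1000, length 0
01:20:00.500300 IP 10.184.155.34.http > 192.0.2.10.51000: Flags [S.], seq 9, ack 2, win 1000, length 0
"""
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
                     r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)")

def tcp_flows(text):
    """Group tcpdump lines into flows keyed (client, cport, server, sport); the pure-SYN sender is the client."""
    flows = defaultdict(lambda: {"syn": 0, "syn_seqs": set(), "synack": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, ICMP, the tcpdump banner, truncated lines
        a, b, flags = (m["src"], m["sport"]), (m["dst"], m["dport"]), m["flags"]
        # A pure SYN, or a packet of an already-known client->server flow, keeps a+b; otherwise flip.
        key = a + b if flags == "S" or (flags != "S." and a + b in flows) else b + a
        if flags == "S":
            flows[key]["syn"] += 1
            flows[key]["syn_seqs"].add(m["seq"])
        elif flags == "S.":
            flows[key]["synack"] = True
    return dict(flows)

def verdict(f):
    """State one flow in the terms a firewall troubleshooter needs."""
    if f["synack"]:
        return "handshake answered"
    if f["syn"] > 1 and len(f["syn_seqs"]) == 1:
        return "SYN retransmitted %d times, never answered" % f["syn"]
    return "SYN seen, no answer yet"

def dropped_between(host_text, guest_text):
    """Clients whose SYN reached the host but never showed up on the guest: lost in the host's DNAT/forwarding path."""
    guest_clients = {k[:2] for k in tcp_flows(guest_text)}
    return sorted(k[:2] for k, f in tcp_flows(host_text).items()
                  if not f["synack"] and k[:2] not in guest_clients)
```

Feed it `tcpdump -n` text from the host's eth0 and from the guest taken over the same window; a client listed by `dropped_between` is one the DNAT rule never delivered, which is exactly the symptom described above.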
Attachment: status.txt.gz
Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
