On 9/5/2014 3:29 AM, Paolo Nesti Poggi wrote:
> Hi
>
> We use shorewall 4.4.11.6, with a 3 NIC setup (net - dmz - localnet)
> that has been working flawlessly for years.
> Now we have changed broadband provider and with it we've got new IP
> addresses.
> I've reconfigured shorewall with the new addresses and since then we no
> longer have functioning DNAT for boxes that are forwarded from an IP
> different from the main IP address.
>
> As far as I could see, for doing the provider change we only needed to
> edit the params (params for main IP and extra IPs) and masq file (main
> IP), apart from of course /etc/network/interfaces and /etc/dhcp/dhcpd.conf
>
> Having done those changes everything works OK, even DNAT from the main
> IP to boxes on DMZ or localnet, whilst the DNAT rules for boxes
> forwarded to from other IPs in the address range are not working at all
> (ssh: connect to host 89.233.14.37 port 22: Connection timed out)
>
> I hope you can help me find a way to further troubleshoot this.
>
> I've re-read the section regarding the 3-interface setup:
> http://shorewall.net/three-interface.htm
> and the DNAT troubleshooting http://shorewall.net/FAQ.htm#faq1a and #faq1b
>
> The rules I'm troubleshooting all show 0 packets in the output of
> 'shorewall show nat', however the ISP assures me that they are not
> dropping anything (this is a 200Mb/sec symmetric connection).
>
> The output of 'shorewall show nat' for one of the hosts in question is:
>
>     0     0 DNAT  tcp  --  *  *  0.0.0.0/0  89.233.14.37  multiport dports 22,80,443,3690,8000,5001,3306 to:192.168.37.37
>     0     0 DNAT  udp  --  *  *  0.0.0.0/0  89.233.14.37  multiport dports 5001,22,3306 to:192.168.37.37
>
> where doing 'ssh 89.233.14.37' from a host outside of this network
> should connect me to my box on 192.168.37.37 in the local network.
>
> If I set up a Windows PC with static address 89.233.14.37 and connect it
> to the switch of my provider I can ping it from outside, but if I try
> and connect to my box on 192.168.37.37 I only get "Connection timed out"
>
> Do you have any idea of what might be going wrong and/or how I can move
> forward in troubleshooting this issue?
Have you confirmed with tcpdump that the TCP port 22 packets are even reaching the firewall and that they have the correct L2 destination address?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
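An added illustration of the two checks discussed in this thread (DNAT rules whose counters stay at zero, and whether inbound SYNs reach the firewall with the firewall's own MAC as the L2 destination); this is not code from the original posts or from the Shorewall project. The MAC addresses, the interface name and all sample lines are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of 'shorewall show nat' counter lines, in the layout the post shows
# (pkts bytes target prot opt in out source destination extra...).
NAT_SAMPLE='    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            89.233.14.37         multiport dports 22,80,443,3690,8000,5001,3306 to:192.168.37.37
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            89.233.14.37         multiport dports 5001,22,3306 to:192.168.37.37
  412 24720 DNAT       tcp  --  *      *       0.0.0.0/0            89.233.14.1          tcp dpt:25 to:192.168.37.25'

# Print "destination to:target" for every DNAT rule that has matched zero packets.
# Live use: zero_hit_dnat "$(shorewall show nat)"
zero_hit_dnat() {
    printf '%s\n' "$1" | awk '$3 == "DNAT" && $1 == 0 { print $9, $NF }'
}

# Assumed (placeholder) MAC of the firewall's external NIC.
FW_MAC='02:00:00:00:00:01'

# Constructed 'tcpdump -e -n' lines: the first SYN is addressed to the firewall's MAC,
# the second to some other MAC on the provider's segment, so the firewall never sees it
# as its own traffic and the DNAT counter cannot increment.
# Live capture (interface name assumed):
#   tcpdump -e -n -i eth0 'tcp[tcpflags] & tcp-syn != 0 and dst host 89.233.14.37 and dst port 22'
TCPDUMP_SAMPLE='03:29:01.000001 02:00:00:00:00:99 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 203.0.113.5.51234 > 89.233.14.37.22: Flags [S], seq 1, win 64240, length 0
03:29:02.000001 02:00:00:00:00:99 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 203.0.113.5.51235 > 89.233.14.37.22: Flags [S], seq 2, win 64240, length 0'

# Count SYNs for $2 (ip.port) in tcpdump output $3 whose L2 destination is not MAC $1.
# A non-zero result means the upstream side is delivering frames for that IP to the
# wrong MAC (stale ARP entry, or the address is owned by another device on the segment).
misaddressed_syns() {
    printf '%s\n' "$3" | awk -v mac="$1" -v dst="$2" '
        $0 ~ "> " dst ": Flags \\[S\\]" && $4 != mac "," { n++ }
        END { print n + 0 }'
}

zero_hit_dnat "$NAT_SAMPLE"
misaddressed_syns "$FW_MAC" 89.233.14.37.22 "$TCPDUMP_SAMPLE"
```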
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
