On 9/7/2014 4:24 PM, Tom Eastep wrote:
> On 9/5/2014 3:29 AM, Paolo Nesti Poggi wrote:
>> Hi
>> We use a shorewall 4.4.11.6, with a 3 NIC setup (net - dmz - localnet)
>> that has been working flawlessly for years.
>> Now we have changed broadband provider and with it we've got new IP
>> addresses.
>> I've reconfigured shorewall with the new addresses and since then we no
>> longer have functioning DNAT for boxes that are forwarded from IP
>> different from the main IP address.
>>
>> As far as I could see, for doing the provider change we only needed to
>> edit the params (params for main IP and extra IPs) and masq file (main
>> IP), apart from of course /etc/network/interfaces and /etc/dhcp/dhcpd.conf
>>
>> Having done those changes everything works OK, even DNAT from the main
>> IP to boxes on DMZ or localnet, whilst the DNAT rules for boxes
>> forwarded to from other IPs in the address range are not working at all
>> (ssh: connect to host 89.233.14.37 port 22: Connection timed out)
>>
>> I hope you can help me find a way to further troubleshoot this.
>>
>> I've re-read the section regarding the 3-interface setup:
>> http://shorewall.net/three-interface.htm
>> and the
>> DNAT troubleshooting http://shorewall.net/FAQ.htm#faq1a and #faq1b
>>
>> The routes I'm troubleshooting all show 0 packets in the output of
>> 'shorewall show nat', however the ISP assures me that they are not
>> dropping anything (this is a 200Mb/sec symmetric connection).
>>
>> The output of 'shorewall show nat' for one of the hosts in question is:
>> 0 0 DNAT tcp -- * * 0.0.0.0/0 89.233.14.37 multiport dports 22,80,443,3690,8000,5001,3306 to:192.168.37.37
>> 0 0 DNAT udp -- * * 0.0.0.0/0 89.233.14.37 multiport dports 5001,22,3306 to:192.168.37.37
>>
>> where doing 'ssh 89.233.14.37' from a host outside of this network
>> should connect me to my box on 192.168.37.37 in the local network.
>> If I set up a Windows PC with static address 89.233.14.37 and connect it
>> to the switch of my provider I can ping it from outside, but if I try
>> and connect to my box on 192.168.37.37 I only get "Connection timed out"
>>
>> Do you have any idea of what might be going wrong and/or how I can move
>> forward in troubleshooting this issue?
>>
>
> Have you confirmed with tcpdump that the TCP port 22 packets are even reaching
> the firewall and that they have the correct L2 destination address?
Nevermind -- look here:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
inet 89.233.14.34/28 brd 89.233.14.47 scope global eth0
The only IP address you have configured on eth0 is 89.233.14.34 -- So
the connections that use 89.233.14.37, 89.233.14.40 and 89.233.14.41
aren't going to work until those IP addresses are added. What is your
setting for ADD_DNAT_IPADDRS?
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
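Tom's diagnosis generalises: a DNAT rule whose ORIGDEST address is not configured on the external interface never sees a packet, because the firewall does not answer ARP for that address and the upstream switch has nowhere to deliver the frame (this is exactly why the Windows PC test worked: it owned the address). The script below is an added example, not code from the Shorewall project or from anyone in this thread. It cross-checks the ORIGDEST column of DNAT rules against an `ip -4 -o addr show dev eth0` listing and prints the missing addresses plus the `ip addr add` commands that would make the firewall own them. Both inputs are constructed samples: the `ip` listing reproduces the single address shown in Tom's reply, and the rules for 89.233.14.40 and 89.233.14.41 use placeholder internal targets that the thread does not give.

```shell
#!/bin/sh
# Added example (not from the Shorewall project or this thread): find DNAT
# ORIGDEST addresses that the external interface does not own.

IFACE=eth0

# Constructed sample of `ip -4 -o addr show dev eth0`: only the main address.
ADDR_LISTING='2: eth0    inet 89.233.14.34/28 brd 89.233.14.47 scope global eth0\       valid_lft forever preferred_lft forever'

# Constructed sample of /etc/shorewall/rules DNAT entries. Columns:
# ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST. The .40/.41 targets are
# placeholders (the thread only names the 192.168.37.37 host).
RULES='DNAT  net  loc:192.168.37.37  tcp  22,80,443,3690,8000,5001,3306  -  89.233.14.37
DNAT  net  loc:192.168.37.37  udp  5001,22,3306                    -  89.233.14.37
DNAT  net  dmz:192.168.38.40  tcp  80,443                          -  89.233.14.40
DNAT  net  dmz:192.168.38.41  tcp  25                              -  89.233.14.41
DNAT  net  dmz:192.168.38.34  tcp  80                              -  89.233.14.34'

# IPv4 addresses configured on the interface, prefix length stripped.
configured_ips() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# Prefix length of the first configured address (reused for ip addr add).
configured_prefix() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/.*\//, "", $4); print $4; exit }'
}

# Distinct ORIGDEST values of DNAT rules; "-" means "any address" and is skipped.
# Simplification: assumes one plain address per ORIGDEST column, no lists.
dnat_origdests() {
    printf '%s\n' "$1" | awk '$1 == "DNAT" && NF >= 7 && $7 != "-" { print $7 }' | sort -u
}

# ORIGDEST addresses no interface address matches. Packets for these are
# never ARP-answered by the firewall, so the DNAT rule stays at 0 packets.
missing_dnat_ips() {
    rules=$1; listing=$2
    have=$(configured_ips "$listing")
    for d in $(dnat_origdests "$rules"); do
        printf '%s\n' "$have" | grep -qx "$d" || printf '%s\n' "$d"
    done
}

# Commands that would add the missing addresses (printed only, not executed).
fix_commands() {
    pfx=$(configured_prefix "$2")
    for d in $(missing_dnat_ips "$1" "$2"); do
        printf 'ip addr add %s/%s dev %s\n' "$d" "$pfx" "$IFACE"
    done
}

echo "DNAT ORIGDEST addresses not configured on $IFACE:"
missing_dnat_ips "$RULES" "$ADDR_LISTING"
echo "Commands that would add them (or let Shorewall add them via shorewall.conf):"
fix_commands "$RULES" "$ADDR_LISTING"
```

On a real box, replace the two constructed strings with `ip -4 -o addr show dev eth0` and the DNAT lines from /etc/shorewall/rules. Adding the addresses by hand (or in /etc/network/interfaces) is the direct fix; Shorewall can also add them itself when the shorewall.conf option Tom asks about is enabled, in which case the check above should come back empty after `shorewall restart`. If it does come back empty and the counters still read 0, fall back to Tom's first suggestion and watch the wire with `tcpdump -ni eth0 host 89.233.14.37` to see whether the frames arrive and carry the firewall's MAC address.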
