On 9/9/2014 12:50 PM, Tom Eastep wrote:
> On 9/7/2014 7:45 PM, Grant Pasley wrote:
>> good day all
>>
>> i have shorewall-4.6.3.2 running on centos 2.6.32-431.23.3.el6.x86_64. i
>> have 2 ethernet interfaces, eth0 and eth1. eth0 is lan 192.168.65.0/24
>> and eth1 is only used for a pppoe adsl account with dynamic ip address
>> from isp.
>> i am trying to forward incoming remote desktop connections to a windows
>> server, the connections are hitting the firewall but not getting as far
>> as the windows server. i have the following info:
>>
>> vim /etc/shorewall/rules
>>
>> DNAT net loc:192.168.65.2 tcp 3389
>>
>> shorewall show nat:
>>
>> Chain net_dnat (1 references)
>> pkts bytes target prot opt in out source destination
>> 0 0 DNAT tcp -- * * 0.0.0.0/0
>> 0.0.0.0/0 tcp dpt:3389 to:192.168.65.2
>>
>> tail -f /var/log/messages:
>>
>> Sep 7 22:41:33 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=ppp0 OUT=
>> MAC= SRC=120.146.190.53 DST=197.87.29.171 LEN=52 TOS=0x18 PREC=0x00
>> TTL=99 ID=6044 DF PROTO=TCP SPT=56452 DPT=3389 WINDOW=8192 RES=0x00 SYN
>> URGP=0
>>
>> so as per above, connection hits firewall, is accepted, knows to forward
>> to windows server, but no traffic being passed on to windows server if
>> you look at the packets and bytes in the dnat chain.
>> can anyone enlighten me on what i am missing perhaps? i have been going
>> over and over the config for days and cannot seem to find anything?
>
> May we see the output of 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines?

Nevermind -- look at the above log message -- the source zone is 'xis',
not 'net' which is what your DNAT rule has as the source.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
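
The check Tom describes, as an added example that is not part of the original thread: read the source zone out of the Shorewall log prefix and compare it with the SOURCE column of the DNAT rule. It assumes the prefix form seen in the logged message (`Shorewall:<chain>:<disposition>:`) with a chain named `<source zone>-<dest zone>`; the function names are hypothetical.

```python
import re

# Prefix as it appears in the log line in this thread: Shorewall:<chain>:<disposition>:
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<fields>.*)$")


def parse_log(line):
    """Return zones, disposition and KEY=VALUE fields of a Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Assumption: the chain is named <source zone>-<dest zone>, as in "xis-fw".
    src_zone, _, dst_zone = m.group("chain").partition("-")
    # Flags such as DF and SYN carry no "=" and are skipped.
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return {"src_zone": src_zone, "dst_zone": dst_zone,
            "disposition": m.group("disp"), "fields": fields}


def parse_rule(rule):
    """Split an /etc/shorewall/rules entry: ACTION SOURCE DEST PROTO DPORT."""
    action, source, dest, proto, dport = rule.split()[:5]
    return {"action": action, "src_zone": source.split(":", 1)[0],
            "dest": dest, "proto": proto.lower(), "dport": dport}


def check_dnat(rule, log_line):
    """Explain whether the logged packet could have matched the DNAT rule."""
    r, p = parse_rule(rule), parse_log(log_line)
    if p is None:
        return "not a Shorewall log line"
    f = p["fields"]
    if f.get("PROTO", "").lower() != r["proto"] or f.get("DPT") != r["dport"]:
        return "packet is for a different protocol/port than the rule"
    if p["src_zone"] != r["src_zone"]:
        return (f"zone mismatch: packet on {f.get('IN')} is in zone "
                f"'{p['src_zone']}', rule SOURCE is '{r['src_zone']}'")
    return "source zone matches the rule"


# Rule and log line copied from the message above (wrapped log line rejoined).
RULE = "DNAT net loc:192.168.65.2 tcp 3389"
LOG = ("Sep 7 22:41:33 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=ppp0 OUT= "
       "MAC= SRC=120.146.190.53 DST=197.87.29.171 LEN=52 TOS=0x18 PREC=0x00 "
       "TTL=99 ID=6044 DF PROTO=TCP SPT=56452 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    print(check_dnat(RULE, LOG))
```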
