Hello Shorewallers, hello Tom, I noticed a funny thing and have difficulties understanding the behaviour.
I have in my rules file (in the NEW section):

    DNAT:$LOG net loc:192.168.2.2:9000 tcp 9000
    DNAT:$LOG net loc:192.168.2.2:9000 udp 9000
    DNAT:$LOG net loc:192.168.2.2:9001 tcp 9001
    DNAT:$LOG net loc:192.168.2.2:9001 udp 9001

to access some remote CMS video system. I noticed that the connection fails and I see

    Apr 22 12:01:07 bhaal kernel: [2742007.929822] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 22 12:01:07 bhaal kernel: [2742007.929838] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 22 12:01:07 bhaal kernel: [2742007.929861] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 22 12:01:07 bhaal kernel: [2742007.929872] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
    Apr 22 12:01:07 bhaal kernel: [2742007.929896] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0

and wonder why DROP??? When I add

    ACCEPT net fw tcp 9000
    ACCEPT net fw tcp 9001

before the DNAT lines in the rules file, it works. Why? What am I missing?
Shorewall is version 4.6.13.4, the OS is OpenSuse Linux 13.2, the kernel is 3.16.7-35 / 64bit.

    shorewall dump | grep 9000

delivers

    2   120 ACCEPT  tcp  --  *  *  0.0.0.0/0  192.168.2.2     tcp dpt:9000 ctorigdstport 9000
    0     0 ACCEPT  udp  --  *  *  0.0.0.0/0  192.168.2.2     udp dpt:9000 ctorigdstport 9000
    2   120 ~log0   tcp  --  *  *  0.0.0.0/0  89.182.135.189  [goto] tcp dpt:9000
    0     0 ~log1   udp  --  *  *  0.0.0.0/0  89.182.135.189  [goto] udp dpt:9000
    2   120 DNAT    tcp  --  *  *  0.0.0.0/0  0.0.0.0/0       to:192.168.2.2:9000
    0     0 DNAT    udp  --  *  *  0.0.0.0/0  0.0.0.0/0       to:192.168.2.2:9000

Thanks for pointers!

-- 
Florian Piekert, PMP
flo...@floppy.org
Spargelweg 5
38179 Schwülper-Walle/Germany
Telephone+Fax: +49-179-3928582
===========================================================================
Note: this message was sent by me *only* if the eMail message contains a correct PGP signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
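As an added example (not part of the post above and not Shorewall code), here is a Python script that turns Shorewall kernel log lines like the ones quoted into a per-packet hook trace and reports whether nat:PREROUTING actually rewrote the destination. The point it extracts from the posted trace is the thing worth checking before anything else: the $LOG on the DNAT rule fires before the DNAT target in its chain, so the nat:PREROUTING line still carries the pre-NAT DST; the next hook the same packet hits (same SRC, SPT, PROTO and IP ID) shows whether DST changed. In the posted lines it did not, and the packet went to mangle:INPUT/filter:INPUT and the net2fw chain, i.e. it was routed to the firewall itself rather than forwarded to 192.168.2.2. The second trace in the sample is constructed for contrast (a SYN that is DNATed and takes the FORWARD path); its OUT=eth0 interface and the net2loc chain name are assumptions.

```python
"""Reconstruct the netfilter hook traversal of each packet from Shorewall
kernel log lines and report whether DNAT rewrote the destination."""
import re
from collections import OrderedDict

# Constructed sample input. The first five lines are the trace from the post
# (wrapped TTL fields rejoined). The last five are a constructed trace of a
# second SYN that does get DNATed to 192.168.2.2 and takes the FORWARD path;
# OUT=eth0 and the net2loc chain name are assumptions, not from the post.
SAMPLE_LOG = """\
Apr 22 12:01:07 bhaal kernel: [2742007.929822] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:01:07 bhaal kernel: [2742007.929838] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:01:07 bhaal kernel: [2742007.929861] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:01:07 bhaal kernel: [2742007.929872] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:01:07 bhaal kernel: [2742007.929896] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:05:00 bhaal kernel: [2742240.000001] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63110 DF PROTO=TCP SPT=54442 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:05:00 bhaal kernel: [2742240.000002] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63110 DF PROTO=TCP SPT=54442 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:05:00 bhaal kernel: [2742240.000003] Shorewall:mangle:FORWARD:IN=ppp0 OUT=eth0 MAC= SRC=195.37.61.178 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=63110 DF PROTO=TCP SPT=54442 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:05:00 bhaal kernel: [2742240.000004] Shorewall:filter:FORWARD:IN=ppp0 OUT=eth0 MAC= SRC=195.37.61.178 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=63110 DF PROTO=TCP SPT=54442 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 12:05:00 bhaal kernel: [2742240.000005] Shorewall:net2loc:ACCEPT:IN=ppp0 OUT=eth0 MAC= SRC=195.37.61.178 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=63110 DF PROTO=TCP SPT=54442 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Shorewall's prefix is "Shorewall:<table or chain>:<chain or disposition>:"
# followed by the kernel's key=value packet summary.
LINE_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):(.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {'first', 'second', 'fields'} for one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    first, second, rest = m.groups()
    return {"first": first, "second": second, "fields": dict(KV_RE.findall(rest))}


def packet_key(fields):
    # SRC, SPT, PROTO and the IP ID survive DNAT, so they tie the hooks of one
    # packet together even after DST has been rewritten.
    return (fields.get("SRC"), fields.get("SPT"), fields.get("PROTO"), fields.get("ID"))


def analyze_trace(entries):
    """Summarise one packet's ordered hook entries."""
    dst_before = dst_after = None
    for i, e in enumerate(entries):
        if (e["first"], e["second"]) == ("nat", "PREROUTING"):
            # The LOG fires before the DNAT target, so this DST is pre-NAT;
            # the next hook the packet hits shows the post-NAT DST.
            dst_before = e["fields"].get("DST")
            if i + 1 < len(entries):
                dst_after = entries[i + 1]["fields"].get("DST")
            break
    hooks = {e["second"] for e in entries}
    path = "INPUT" if "INPUT" in hooks else "FORWARD" if "FORWARD" in hooks else None
    final = f"{entries[-1]['first']}:{entries[-1]['second']}"
    dnat_applied = None not in (dst_before, dst_after) and dst_before != dst_after
    if dnat_applied:
        verdict = f"DNAT rewrote DST {dst_before} -> {dst_after}; took {path} path, ended in {final}"
    elif path == "INPUT":
        verdict = f"DST {dst_before} unchanged after nat:PREROUTING; routed to the firewall itself, ended in {final}"
    else:
        verdict = f"no DNAT observed; path {path}, ended in {final}"
    return {"dst_before": dst_before, "dst_after": dst_after, "dnat_applied": dnat_applied,
            "path": path, "final": final, "verdict": verdict}


def analyze_log(log_text):
    """Group log lines per packet (in order) and analyse each trace."""
    traces = OrderedDict()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            traces.setdefault(packet_key(e["fields"]), []).append(e)
    return OrderedDict((k, analyze_trace(v)) for k, v in traces.items())


if __name__ == "__main__":
    for key, result in analyze_log(SAMPLE_LOG).items():
        print(f"{key[0]}:{key[1]} {key[2]} id={key[3]}: {result['verdict']}")
```

Run against a real `journalctl -k` or `/var/log/messages` extract, the script needs nothing beyond the standard library; the packet key relies on the kernel logging the IP ID, which it does for the lines above. A trace that reports "unchanged after nat:PREROUTING" together with an INPUT path tells you the DNAT rule never took effect for that packet, which is a different problem from a filter rule rejecting an already-translated packet.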