On 04/22/2016 03:14 AM, Florian Piekert wrote:
> Hello Shorewallers,
> hello Tom,
> 
> I noticed a funny thing and have difficulties understanding the behaviour.
> 
> I have in my rules file (in NEW section)
> DNAT:$LOG   net    loc:192.168.2.2:9000      tcp     9000
> DNAT:$LOG   net    loc:192.168.2.2:9000      udp     9000
> DNAT:$LOG   net    loc:192.168.2.2:9001      tcp     9001
> DNAT:$LOG   net    loc:192.168.2.2:9001      udp     9001
> 
> to access some remote CMS video system. I noticed that the connection fails
> and I see
> 
> Apr 22 12:01:07 bhaal kernel: [2742007.929822] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr 22 12:01:07 bhaal kernel: [2742007.929838] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr 22 12:01:07 bhaal kernel: [2742007.929861] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr 22 12:01:07 bhaal kernel: [2742007.929872] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr 22 12:01:07 bhaal kernel: [2742007.929896] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0
> 
> and wonder why DROP???
> 
> When I add
> 
> ACCEPT net fw tcp 9000
> ACCEPT net fw tcp 9001
> 
> before the DNAT lines to the rules file, it works.
> 
> Why? What do I miss?
> 
> Shorewall is version 4.6.13.4
> OS is OpenSuse Linux 13.2
> Kernel is 3.16.7-35 / 64bit
> 
> shorewall dump | grep 9000 delivers
>     2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2          tcp dpt:9000 ctorigdstport 9000
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.2          udp dpt:9000 ctorigdstport 9000
>     2   120 ~log0      tcp  --  *      *       0.0.0.0/0            89.182.135.189       [goto]  tcp dpt:9000
>     0     0 ~log1      udp  --  *      *       0.0.0.0/0            89.182.135.189       [goto]  udp dpt:9000
>     2   120 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.2.2:9000
>     0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.2.2:9000
> 
> Thanks for pointers?
> 

Looks to me as though 192.168.2.2 is an address on the firewall itself
and not in the 'loc' zone.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
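
A small log-path reconstruction, added here as an example; it is not code from the thread or from Shorewall. It parses the five kernel lines quoted above (re-joined onto single lines), groups them by packet and reads off which netfilter hook the packet reached after nat:PREROUTING: INPUT means the kernel routed it to the firewall itself, FORWARD means it was routed on to another host. That hook order is standard netfilter behaviour; the packet key (SRC, IP ID, PROTO, SPT), the table names treated as "netfilter tables", and the wording of the notes are my own choices for this example.

```python
"""
Reconstruct the netfilter path one packet took from Shorewall kernel log
lines and say whether it was routed to the firewall (INPUT) or forwarded.

Example code, not part of the original post or of Shorewall.
"""
import re
from collections import OrderedDict

# The five kernel lines quoted in the thread, extraction line breaks re-joined.
LOG_LINES = [
    "Apr 22 12:01:07 bhaal kernel: [2742007.929822] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr 22 12:01:07 bhaal kernel: [2742007.929838] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr 22 12:01:07 bhaal kernel: [2742007.929861] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr 22 12:01:07 bhaal kernel: [2742007.929872] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr 22 12:01:07 bhaal kernel: [2742007.929896] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=195.37.61.178 DST=89.182.135.189 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63109 DF PROTO=TCP SPT=54441 DPT=9000 WINDOW=65535 RES=0x00 SYN URGP=0",
]

# 'Shorewall:<a>:<b>:' -- either <table>:<builtin chain> or <zone2zone>:<disposition>.
PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):")
# KEY=value pairs that follow the prefix; flags like DF/SYN have no '=' and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Assumption for this example: tags whose first part is one of these are hook logs,
# anything else (e.g. net2fw) is a Shorewall rule chain with its disposition.
NETFILTER_TABLES = {"raw", "mangle", "nat", "filter"}


def parse_line(line):
    """Return ((a, b), fields) for one Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    return (m.group(1), m.group(2)), fields


def packet_key(fields):
    """Same source, IP ID, protocol and source port: the same packet seen at several hooks."""
    return (fields.get("SRC"), fields.get("ID"), fields.get("PROTO"), fields.get("SPT"))


def group_by_packet(lines):
    """Map packet key -> ordered list of (a, b) tags in the order they were logged."""
    packets = OrderedDict()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        tag, fields = parsed
        packets.setdefault(packet_key(fields), []).append(tag)
    return packets


def routing_path(tags):
    """'local' if the packet reached INPUT, 'forwarded' if it reached FORWARD."""
    hooks = [chain for table, chain in tags if table in NETFILTER_TABLES]
    if "INPUT" in hooks:
        return "local"
    if "FORWARD" in hooks:
        return "forwarded"
    return "unknown"


def diagnose(lines):
    """One result per packet: hooks seen, routing decision, final Shorewall verdict, note."""
    results = []
    for key, tags in group_by_packet(lines).items():
        routed = routing_path(tags)
        verdicts = [f"{a}:{b}" for a, b in tags if a not in NETFILTER_TABLES]
        verdict = verdicts[-1] if verdicts else None
        if routed == "local":
            note = ("routed to the firewall itself after nat:PREROUTING, so the filter "
                    "decision is taken in the net2fw chain, not net2loc; a DNAT target on "
                    "this path is an address the firewall owns and needs a net->fw rule")
        elif routed == "forwarded":
            note = ("forwarded to another host; the filter decision is taken in the "
                    "net2<zone> chain of the DNAT target's zone")
        else:
            note = "no INPUT or FORWARD hook logged for this packet"
        results.append({
            "packet": key,
            "hooks": [f"{a}:{b}" for a, b in tags],
            "routed": routed,
            "verdict": verdict,
            "note": note,
        })
    return results


if __name__ == "__main__":
    for r in diagnose(LOG_LINES):
        print(r["packet"], " -> ".join(r["hooks"]))
        print("  routed:", r["routed"], "| verdict:", r["verdict"])
        print("  note:", r["note"])
```

Run against the quoted lines it reports the single packet (SRC 195.37.61.178, ID 63109, TCP, SPT 54441) as routed "local" with verdict "net2fw:DROP", which is the mechanical version of Tom's reading: the DNAT target is on the firewall, so only a net to fw ACCEPT (the workaround the poster found) lets it through. Point it at `journalctl -k` or `/var/log/messages` output of your own box to check a DNAT that fails the same way.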


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
