________________________________
From: Tom Eastep <[email protected]>

> Looks like you are redirecting port 80 to port 62001, but no process
> is listening on that port.
How do you know there's no process listening on that port?
I ran this on the shorewall machine:
# ss -tnap | fgrep 62001
LISTEN 0 128 :::62001 :::* users:(("/usr/sbin/apach",pid=29038,fd=12),("/usr/sbin/apach",pid=29033,fd=12),("/usr/sbin/apach",pid=29032,fd=12),("/usr/sbin/apach",pid=29031,fd=12),("/usr/sbin/apach",pid=28968,fd=12),("/usr/sbin/apach",pid=27512,fd=12),("/usr/sbin/apach",pid=27461,fd=12),("/usr/sbin/apach",pid=22872,fd=12),("/usr/sbin/apach",pid=19472,fd=12),("/usr/sbin/apach",pid=19099,fd=12),("/usr/sbin/apach",pid=19094,fd=12))
ESTAB 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.246.167:47475 users:(("/usr/sbin/apach",pid=29031,fd=26))
TIME-WAIT 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.248.193:37020
ESTAB 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.246.167:57504 users:(("/usr/sbin/apach",pid=27512,fd=26))
TIME-WAIT 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.248.193:34666
It's an apache/php process and it is serving a page as I can test by directly
connecting a "loc" host with IP address 10.215.144.48 to Shorewall's IP address
10.215.144.92 ($FW).
Also, the redirection was not supposed to match in my previous example because
the destination IP of www.shorewall.net was in an ipset whitelist.
In fact, the rule is:
REDIRECT:info:OUT1 loc:$MY_NETWORKS!$OUT_VIP 62001 tcp 80 - !+OUT_WL,+OUT_MANUAL_WL,$MY_EXTRA_NETWORKS,$MY_WAN
# host www.shorewall.net
www.shorewall.net is an alias for shorewall.mastermindpro.com.
shorewall.mastermindpro.com has address 63.135.54.24
# ipset list OUT_WL | grep 63.135
63.135.48.0/20 timeout 0
Anyway, in order to simplify things even further, I added 10.215.144.48 to
$OUT_VIP in order to explicitly avoid the redirection.
I then tried to access http://www.shorewall.net from 10.215.144.48 but had the
exact same issue (BTW I can open the web page at 10.215.144.92, i.e. $FW, on
port 62001 from 10.215.144.48).
I'm attaching another dump in the hope we can shed some light on this (open
port 80 at 63.135.54.24 from 10.215.144.48 via Squid TPROXY).
Thanks,
Vieri
PS.: nothing in Squid log.
Attachment: dump.gz (application/gzip)
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
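The post above settles two questions by hand: whether anything on the firewall is listening on the REDIRECT target port (via `ss -tnap`), and whether the destination address is excluded from the redirect by the ORIGDEST ipset whitelist (via `ipset list | grep`). The following Python helper, added here as an editor's example and not code from Vieri's post or from the Shorewall project, mechanises both checks. The `ss` sample is constructed from the lines quoted above (trimmed to a few entries); the `squid` listener line and the `10.215.0.0/16` whitelist entry are invented to exercise the negative cases. The whitelist check uses real CIDR containment through the standard `ipaddress` module, which is what `grep 63.135` on the `ipset list` output only approximates (a string prefix match says nothing about whether `63.135.54.24` actually falls inside `63.135.48.0/20`).

```python
import ipaddress
import re

# Constructed sample of `ss -tnap` output. Modelled on the lines quoted in the
# post but trimmed and NOT taken from the attached dump; the squid line is
# invented so that the port filter has something to reject.
SS_OUTPUT = """\
LISTEN 0 128 :::62001 :::* users:(("/usr/sbin/apach",pid=29038,fd=12),("/usr/sbin/apach",pid=29033,fd=12))
ESTAB 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.246.167:47475 users:(("/usr/sbin/apach",pid=29031,fd=26))
TIME-WAIT 0 0 ::ffff:10.215.144.92:62001 ::ffff:10.215.248.193:37020
LISTEN 0 128 127.0.0.1:3128 *:* users:(("squid",pid=4242,fd=9))
"""

# Constructed whitelist entries in the format printed by `ipset list`. The
# first is the entry the post found for www.shorewall.net's address; the
# second is invented.
OUT_WL_ENTRIES = ["63.135.48.0/20 timeout 0", "10.215.0.0/16 timeout 0"]


def split_addr_port(endpoint):
    """Split an ss endpoint such as ':::62001' or '10.0.0.1:80' into (host, port).
    rpartition splits on the LAST colon, so IPv6 hosts stay intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def listeners_on_port(ss_text, port):
    """Return [(local_host, [distinct process names])] for every LISTEN
    socket bound to `port` in `ss -tnap` style output."""
    result = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, lport = split_addr_port(fields[3])
        if lport != str(port):
            continue
        # users:(("name",pid=N,fd=M),...) -> the set of process names
        names = sorted(set(re.findall(r'\("([^"]+)",pid=\d+', line)))
        result.append((host, names))
    return result


def covering_entry(ip, entries):
    """Return the ipset entry whose network contains `ip`, or None.
    Address-family mismatches (IPv6 address vs IPv4 entry) simply do not match."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        net = ipaddress.ip_network(entry.split()[0], strict=False)
        if addr in net:
            return entry
    return None


def diagnose_redirect(dst_ip, redirect_port, ss_text, whitelist):
    """Summarise the two checks from the thread for one destination:
    is it excluded by the ORIGDEST whitelist, and does the redirect
    target port have a listener on the firewall at all?"""
    return {
        "whitelisted_by": covering_entry(dst_ip, whitelist),
        "listener": listeners_on_port(ss_text, redirect_port),
    }


if __name__ == "__main__":
    # The case from the post: destination is whitelisted AND apache listens,
    # so neither of Tom's two suspects explains the failure.
    print(diagnose_redirect("63.135.54.24", 62001, SS_OUTPUT, OUT_WL_ENTRIES))
```

On the `ss` side the example treats a `:::62001` wildcard as a listener; the `::ffff:10.215.x.x` peers in the ESTAB lines show that IPv4 clients are indeed being accepted on that dual-stack socket, so a listener bound only to `::` is not the problem here. On the ipset side, `ipset test OUT_WL 63.135.54.24` on the firewall itself is the authoritative check; the Python version is for reading saved `ipset list` output offline.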
