Hi Tom,

I have some partial improvement that may help.


I have:

  • reset my nameserver to point each of my ‘servers’ to the IP address of the external interface of my external router/modem. 
  • on the external router/modem, I configured WAN Port Forwarding to point to several of the same /28 subnet external addresses as per my previous emails:
    • http, https          203.214.66.103
    • smtp                 203.214.66.100
    • smtps, msa, imaps    203.214.66.104
  • made no changes to my shorewall configuration.
  • made no changes to the network addresses or routing configuration of my servers.
  • made no changes to my web server, or reverse proxy server configuration.

When testing externally I can now access the website at www.foss4climate.org. However, access is considerably slower than normal.

NB: These tests were conducted soon after I made my nameserver changes. While my laptop’s nameserver could get the correct URL for the website, it had not picked up the correct URL for my mail servers. So ignore the mail related connections.

Also note that my shorewall configuration does not take account of the router/modem's external interface, or IP address. It just accounts for the modem’s internal IP Address.

Shorewall Dump for test 3 is attached.

IP Addresses in test 3:

203.214.66.97 external router/modem gateway (internal interface)

203.214.66.103 Reverse Proxy Server
172.16.4.203 Web Server
49.199.104.114 Laptop’s updated IP address


Kind regards,

Bruce

Attachment: shorewall_dump-3.tar.gz
Description: GNU Zip compressed data




On 21 Feb 2020, at 14:40, Bruce Bannerman <bruban...@gmail.com> wrote:

I double checked my DMZ config and found that I had not added the Web Server vif-www2 to the proxyarp file.

I did this using its private IP address, but it did not make any difference to the external tests that I re-ran.

It also made no difference to my internal connectivity, which remained OK.

A new shorewall dump file is attached.

IP Addresses in test:

203.214.66.103 Reverse Proxy Server
172.16.4.203 Web Server
49.199.143.136 Laptop’s updated IP address


Also note that I am not able to get an external response back from my mail config:

  • smtp                 203.214.66.100
  • smtps, msa, imaps    203.214.66.104, 203.214.66.105, 203.214.66.106

This may not have been clear in my previous emails.


Kind regards,

Bruce

<shorewall_dump-2.tar.gz>


On 21 Feb 2020, at 10:35, Bruce Bannerman <bruban...@gmail.com> wrote:

Tom,

I’m only getting a redirect message in the Reverse Proxy server’s log:

=====
www.foss4climate.org:80 49.199.143.136 - - [21/Feb/2020:10:15:14 +1100] "GET / HTTP/1.1" 302 553 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0"
www.foss4climate.org:80 34.229.157.237 - - [21/Feb/2020:10:15:57 +1100] "GET / HTTP/1.1" 302 497 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
=====

I was testing from IP: 49.199.143.136

There was no entry in the Web Server’s log, so the connection wasn’t made.


I’m redirecting http traffic to https on the Proxy Server.

The (Firefox) browser shows the message ‘Performing TLS handshake to www.foss4climate.org…’, then times out.


One other aspect that I didn’t mention earlier is that my Firewall’s ‘messages’ and ‘kern.log’ log files are getting many records such as:

=====
Feb 21 10:16:06 fw kernel: [173036.380121] IPv4: martian destination 0.0.0.0 from 49.199.143.136, dev eth0
=====

shorewall.conf has the following log file configuration:

LOGFILE=/var/log/messages


I understand that the TLS connection should be covered by the http port rules.

Kind regards,

Bruce
 


On 21 Feb 2020, at 10:01, Tom Eastep <teas...@shorewall.net> wrote:


On 2/20/20 2:22 PM, Bruce Bannerman wrote:
I did a few tests yesterday with DNAT, SNAT and the current rules.

I stopped and started the shorewall service using 'systemctl
restart shorewall’ prior to running the tests to create the dump
file.

I then did a shorewall reload.

I just replaced the ACCEPT with DNAT during the previous tests.


The relevant params and rules that I have in place are:

===== /etc/shorewall/params
#
E_FW=203.214.66.98
E_DNS=203.214.66.100
E_SMTP=203.214.66.100
E_WWW=203.214.66.103
E_SMTPS_B=203.214.66.104
E_SMTPS_G=203.214.66.105
E_SMTPS_F=203.214.66.106
#

/etc/shorewall/rules
#
# ===== net - Internet =====
#
<snip>
#
#ACTION      SOURCE   DEST             PROTO   DPORT                           SPORT   ORIGDEST
#
ACCEPT:$LOG  net      dmz:$E_DNS       udp     domain
ACCEPT:$LOG  net      dmz:$E_DNS       tcp     domain
#
ACCEPT:$LOG  net      dmz:$E_WWW       tcp     http,https
ACCEPT:$LOG  net      dmz:$E_SMTP      tcp     smtp
#
ACCEPT:$LOG  net      dmz:$E_SMTPS_B   tcp     imaps,submissions,submission
ACCEPT:$LOG  net      dmz:$E_SMTPS_G   tcp     imaps,submissions,submission
ACCEPT:$LOG  net      dmz:$E_SMTPS_F   tcp     imaps,submissions,submission
#
<snip>
#
# ===== DMZ =====
#
#ACTION      SOURCE   DEST             PROTO   DPORT                           SPORT   ORIGDEST
#
ACCEPT:$LOG  dmz      net              udp     domain                          -       -
ACCEPT:$LOG  dmz      net              tcp     domain                          -       -
#
ACCEPT:$LOG  dmz      net              tcp     http,https                      -       -
#
ACCEPT:$LOG  dmz      net              tcp     smtp                            -       -
#
ACCEPT:$LOG  dmz      net              tcp     imaps,submissions,submission    -       -
#
<snip>
=====



Okay -- well, it looks to me as though the reverse proxy is not
initiating the second connection to the web server or that it is
attempting to initiate the connection and is getting an error. Does
its log give you any clue?

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                     \________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
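As an added example (not code from this thread or from Shorewall itself), a small Python check that resolves the $E_* variables from params inside the rules file Bruce quoted above and lists which external addresses actually have inbound ACCEPT rules from net, so the per-address port-forwarding list in the latest message can be compared against what the firewall admits. The params and rules text is a constructed excerpt modelled on the quoted files, and the comment and variable handling is a deliberate simplification of Shorewall's own parser.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the /etc/shorewall/params and rules quoted in the thread.
PARAMS = """\
E_FW=203.214.66.98
E_DNS=203.214.66.100
E_SMTP=203.214.66.100
E_WWW=203.214.66.103
E_SMTPS_B=203.214.66.104
"""
RULES = """\
#ACTION        SOURCE  DEST            PROTO  DPORT                          SPORT  ORIGDEST
ACCEPT:$LOG    net     dmz:$E_DNS      udp    domain
ACCEPT:$LOG    net     dmz:$E_DNS      tcp    domain
ACCEPT:$LOG    net     dmz:$E_WWW      tcp    http,https
ACCEPT:$LOG    net     dmz:$E_SMTP     tcp    smtp
ACCEPT:$LOG    net     dmz:$E_SMTPS_B  tcp    imaps,submissions,submission
ACCEPT:$LOG    dmz     net             tcp    http,https                     -      -
"""

def parse_params(text):
    """Read NAME=value lines; '#' starts a comment (assumption: no quoting or shell expansion)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def expand(token, params):
    # Substitute $NAME references; unknown names are left as written.
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), m.group(0)), token)

def inbound_accepts(rules_text, params):
    """Map each dmz host to the (proto, port) pairs that ACCEPT rules from 'net' allow."""
    accepted = defaultdict(set)
    for line in rules_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace columns
        if len(fields) < 5:
            continue
        action, source, dest, proto, dport = fields[:5]
        if action.split(":")[0] != "ACCEPT" or source != "net":
            continue
        zone, _, host = expand(dest, params).partition(":")
        if zone == "dmz" and host:
            accepted[host].update((proto, port) for port in dport.split(","))
    return dict(accepted)

def addresses_without_inbound_rule(params, accepted):
    """External (E_*) addresses from params that no net->dmz ACCEPT rule delivers to."""
    return sorted({v for k, v in params.items() if k.startswith("E_") and v not in accepted})
```

Run the same functions over the real files and compare the output against the router's port-forwarding table: an address that is forwarded by the modem but absent from the result will be dropped by the firewall before it reaches the DMZ.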


