On Mon, 8 Apr 2002, [EMAIL PROTECTED] wrote:

> As a kinda-newbie to Linux I've started using the Bering Firewall and I'm
> having some difficulty getting port forwarding working. Outgoing connections
> work fine - I can browse the net, send and receive my pop3 mail, etc. I just
> can't get Shorewall to allow traffic inwards to a webserver and Win2k terminal
> server.
>
> I'm using 2 Ethernet cards: Eth0 is a 3Com 509, Eth1 is a Realtek PCI card
> using ne2k-pci. Eth0 has a static IP. dhcpd and dnscache are both working.
>
> /etc/shorewall/policy has been left as default
> /etc/shorewall/rules has been left as default - it's getting the values for the
> port forwarding from the variables set up in /params
>
> /etc/Shorewall/params contains mostly the default options, except:
> Loc_tcp_ports1=80,3389 (=www and Win2k Terminal Services)
> server1=192.168.1.2 (=my webserver's internal address)
>
> When Shorewall starts, the Rule outputs are:
>
> Accept fw net tcp 53
> Accept fw net udp 53
> Accept net fw tcp 22
> Reject net fw tcp 113
> Accept loc fw tcp 22,80
> Accept loc fw udp 53
> Accept net loc:192.168.1.2 tcp 80,3389 - all
> Accept fw loc icmp 8
> Accept loc fw icmp 8
>
> I can access the Weblet (and ssh if I put sshd on) internally, as I'd expect.
> If I do a port scan from grc.com, AUTH shows up as closed rather than
> stealthed, which I'd also expect. However, HTTP shows up as stealthed, which I
> don't understand.
>
Your Shorewall setup looks correct --

a) When you attempt the port scan, does Shorewall report anything about TCP
port 80 in /var/log/messages?

b) After the port scan, if you do "shorewall show nat", does the packet count
for the port 80 DNAT rule show a non-zero packet count? How about the port 80
rule in "shorewall show net2loc"?

If neither of these packet counts is non-zero, your ISP is most likely dropping
SYN TCP packets with destination port 80.

-Tom

--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
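Added example, not part of the list thread: a POSIX shell script that applies the packet-counter check from the reply above to captured "shorewall show nat" / "shorewall show net2loc" output, summing the pkts column of the rules for one destination port and giving the same verdict Tom describes. It assumes the output uses the iptables -nvL column layout (pkts bytes target prot opt in out source destination, then match text); the chain names, the public address 203.0.113.10 and every counter in the sample captures are constructed.

```shell
#!/bin/sh
# Sum the pkts column (field 1) of every rule whose target (field 3) is $2 and
# whose match text contains the exact token "dpt:$1". Token comparison, not a
# substring match, so port 80 does not also count a dpt:8080 rule.
rule_hits() {
    port=$1; target=$2
    awk -v port="$port" -v target="$target" '
        $3 == target {
            for (i = 10; i <= NF; i++) if ($i == "dpt:" port) { sum += $1; break }
        }
        END { print sum + 0 }'
}

# Interpret the two counters the way the reply does.
diagnose() {
    nat_hits=$1; fwd_hits=$2
    if [ "$nat_hits" -eq 0 ] && [ "$fwd_hits" -eq 0 ]; then
        echo "no-inbound-syn"   # DNAT rule never saw a packet: filtered upstream
    elif [ "$fwd_hits" -eq 0 ]; then
        echo "dnat-only"        # DNAT matched but the net2loc ACCEPT did not
    else
        echo "forwarded"        # both rules counted packets: forwarding works
    fi
}

# Constructed captures (assumed column layout, invented chain names/counters).
NAT_CAPTURE='Chain net_dnat (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 DNAT   tcp  --  *   *   0.0.0.0/0 203.0.113.10 tcp dpt:80 to:192.168.1.2
   12  720 DNAT   tcp  --  *   *   0.0.0.0/0 203.0.113.10 tcp dpt:3389 to:192.168.1.2'
FWD_CAPTURE='Chain net2loc (1 references)
 pkts bytes target prot opt in  out source    destination
    0     0 ACCEPT tcp  --  *   *   0.0.0.0/0 192.168.1.2 tcp dpt:80
   12  720 ACCEPT tcp  --  *   *   0.0.0.0/0 192.168.1.2 tcp dpt:3389'

# Check port 80 the way the reply suggests: DNAT counter, then net2loc counter.
nat=$(printf '%s\n' "$NAT_CAPTURE" | rule_hits 80 DNAT)
fwd=$(printf '%s\n' "$FWD_CAPTURE" | rule_hits 80 ACCEPT)
echo "port 80: nat=$nat net2loc=$fwd verdict=$(diagnose "$nat" "$fwd")"
```

On a live Bering box the captures would come from the real commands instead of the embedded strings; a port 3389 check against the same captures shows the filter isolating one rule's counters from the other.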