Christophe Zwecker wrote:
> Tom Eastep wrote:
>> Christophe Zwecker wrote:
>>> Hi,
>>>
>>> attached is my shorewall dump.
>>> when connecting from outside to my ip from 2nd isp (87.139.112.239) I
>>> see this in the log:
>>>
>>> Sep 25 15:44:02 gate kernel: Shorewall:net_dnat:DNAT:IN=eth0.5 OUT=
>>> MAC=00:0e:0c:84:16:42:00:0b:3b:0e:7d:bb:08:00 SRC=134.100.58.143
>>> DST=192.168.5.254 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=207 DF PROTO=TCP
>>> SPT=44706 DPT=1970 WINDOW=5840 RES=0x00 SYN URGP=0
>> Do you set TC_EXPERT=Yes in shorewall.conf?
>
> before I didn't (used older shorewall.conf) but now I do, doesn't change
> anything
>

So long as you have TC_EXPERT=Yes and your current set of tcrules, it will never
work because you are overwriting the 'track' mark on all traffic from your
server.

    Chain tcpre (3 references)
     pkts bytes target     prot opt in     out     source               destination
    ...
     415K   97M MARK       all  --  *      *       85.183.131.11        0.0.0.0/0
                MARK set 0x1

I can't stress enough that TC_EXPERT=Yes is for *experts* -- an expert is
someone who can look at the output of "shorewall dump" themselves and see this
type of problem.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
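
An added example, not part of Tom's message and not Shorewall code: a small check that reads the `tcpre` chain from "shorewall dump" output and reports MARK rules that nothing narrows (protocol `all`, any interface in and out, no extra match), which is the kind of rule pointed out above. The function name, the second rule and the `tcout` chain in the sample are constructed for illustration; the first rule is the one quoted in the message, with the mail line-wrap undone.

```python
import re

# Constructed sample in "iptables -L -n -v" layout, as used by "shorewall dump".
SAMPLE_DUMP = """\
Chain tcpre (3 references)
 pkts bytes target     prot opt in     out     source               destination
 415K   97M MARK       all  --  *      *       85.183.131.11        0.0.0.0/0           MARK set 0x1
   12   720 MARK       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 MARK set 0x2

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# One rule line whose target is MARK: counters, target, prot, opt, in, out, src, dst, rest.
RULE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+MARK\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$")


def broad_mark_rules(dump_text, chain="tcpre"):
    """Return MARK rules in `chain` that re-mark every packet from a source."""
    findings, in_chain = [], False
    for line in dump_text.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        m = RULE.match(line) if in_chain else None
        if not m:
            continue
        set_mark = re.search(r"MARK (?:set|xset) (0x[0-9a-fA-F]+)", m["rest"])
        if not set_mark:
            continue
        # Anything printed before "MARK set" is an extra match (port, state, ...).
        extra = m["rest"][:set_mark.start()].strip()
        if m["prot"] == "all" and m["in"] == "*" and m["out"] == "*" and not extra:
            findings.append({"source": m["src"], "dest": m["dst"],
                             "mark": set_mark.group(1), "pkts": m["pkts"]})
    return findings


if __name__ == "__main__":
    for f in broad_mark_rules(SAMPLE_DUMP):
        print("unconditional MARK %(mark)s on all traffic from %(source)s "
              "(%(pkts)s packets)" % f)
```
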
