Tom Eastep <[EMAIL PROTECTED]> wrote:
| mess-mate wrote:
| > Tom Eastep <[EMAIL PROTECTED]> wrote:
|
| > | Then are you seeing a reject message in your log?
| >
| > Several of this :
| >
| > Mar 27 10:13:46 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
| > DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=
| > 63 ID=0 DF PROTO=UDP SPT=1107 DPT=53 LEN=38
|
| These are curious. Host 192.168.10.4 seems to think that there is a DNS
| server at 192.168.1.250 which is routed out of eth0. But I assume that the
| only thing that you can communicate with via eth0 is your "modem", right?
|
| These messages apparently didn't affect the test because the last of them
| was generated well before the test started.
|
| >
| > Ok, is attached .
| > Thanks
| > mess-mate
| >
| >
| > ------------------------------------------------------------------------
| >
| > Shorewall-3.2.6 Dump at router - Tue Mar 27 10:56:22 CEST 2007
| >
| > Counters reset Tue Mar 27 10:54:37 CEST 2007
| >
| > Chain INPUT (policy DROP 0 packets, 0 bytes)
| >  pkts bytes target   prot opt in   out source    destination
| >     6   300 ACCEPT   0    --  lo   *   0.0.0.0/0 0.0.0.0/0
| >     1   131 ppp0_in  0    --  ppp0 *   0.0.0.0/0 0.0.0.0/0
| >     5   720 eth1_in  0    --  eth1 *   0.0.0.0/0 0.0.0.0/0
|
| From the time that you reset the counters until you took the dump, 5
| connection attempts addressed to the router were received.
|
|
| > Chain FORWARD (policy DROP 0 packets, 0 bytes)
| >  pkts bytes target   prot opt in   out source    destination
| >     0     0 TCPMSS   tcp  --  *    *   0.0.0.0/0 0.0.0.0/0     tcp flags:0x06/0x02 TCPMSS clamp to PMTU
| >     0     0 ppp0_fwd 0    --  ppp0 *   0.0.0.0/0 0.0.0.0/0
| >     0     0 eth1_fwd 0    --  eth1 *   0.0.0.0/0 0.0.0.0/0
|
| During that same time, no forwarded connection attempts from the 'loc' zone
| were seen.
|
|
| > NAT Table
| >
| > Chain PREROUTING (policy ACCEPT 66 packets, 20745 bytes)
| >  pkts bytes target   prot opt in   out source    destination
| >     0     0 net_dnat 0    --  ppp0 *   0.0.0.0/0 0.0.0.0/0     policy match dir in pol none
| >    66 20745 loc_dnat 0    --  eth1 *   0.0.0.0/0 0.0.0.0/0     policy match dir in pol none
|
|
| 66 new connection attempts were received on eth1.
|
| >
| > Chain net_dnat (1 references)
| >  pkts bytes target   prot opt in   out source    destination
| >     0     0 DNAT     tcp  --  *    *   0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1
|
| But none of them were TCP port 80 connections to 86.192.32.248.
|
| >
| > Mangle Table
| >
| > Chain PREROUTING (policy ACCEPT 77 packets, 21836 bytes)
| >  pkts bytes target   prot opt in   out source    destination
| >    77 21836 tcpre    0    --  *    *   0.0.0.0/0 0.0.0.0/0
|
| A total of 77 packets were received on eth1.
|
| So there are two possibilities:
|
| a) No TCP connection attempts from the local zone to 86.192.32.248:80 were
| received during the test period; or
|
| b) Such connection attempts were received but failed to match the (correct)
| DNAT rule in the net_dnat chain.
|
| I guess that the only thing left to do is to reproduce the test while
| running tcpdump:
|
| tcpdump -nei eth1 port 80
|

That command is still there and that's all. There is nothing more displayed.
Even if I go to the net from a machine on the LAN or from the DMZ. Or from a
machine on the LAN to the DMZ via 86.192.32.248.
But eth1 is connected to the LAN so there must be an output, isn't it?
mess-mate
--
When one burns one's bridges, what a very nice fire it makes.
-- Dylan Thomas

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
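The counter reading Tom walks through above can be automated. The script below is an added example, not code from this thread or from Shorewall: it parses the iptables -L -v -n chain listings that a Shorewall dump contains (the sample is the NAT PREROUTING and net_dnat chains quoted above, re-typed here as constructed input) and, for each DNAT rule, reports its own hit count beside the PREROUTING jumps that lead into its chain and the inbound interface each jump matches, which is what decides whether a packet from a given interface can ever reach that rule.

```python
import re

# Constructed sample input: the NAT PREROUTING and net_dnat chains quoted in
# the thread, in the iptables -L -v -n layout that a Shorewall dump contains.
SAMPLE_DUMP = """\
Chain PREROUTING (policy ACCEPT 66 packets, 20745 bytes)
 pkts bytes target   prot opt in   out source    destination
    0     0 net_dnat 0    --  ppp0 *   0.0.0.0/0 0.0.0.0/0     policy match dir in pol none
   66 20745 loc_dnat 0    --  eth1 *   0.0.0.0/0 0.0.0.0/0     policy match dir in pol none

Chain net_dnat (1 references)
 pkts bytes target   prot opt in   out source    destination
    0     0 DNAT     tcp  --  *    *   0.0.0.0/0 86.192.32.248 tcp dpt:80 to:192.168.20.1
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Columns: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
                     r"\s+(\S+)\s+(\S+)\s*(.*?)\s*$")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "extra")


def parse_dump(text):
    """Map chain name -> list of rule dicts, with counters converted to ints."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE_RE.match(line) if current else None  # header/blank lines never match
        if m:
            rule = dict(zip(FIELDS, m.groups()))
            rule["pkts"], rule["bytes"] = int(rule["pkts"]), int(rule["bytes"])
            chains[current].append(rule)
    return chains


def dnat_paths(chains):
    """For every DNAT rule: its hit count and the (pkts, inbound iface) of each
    PREROUTING jump into its chain, so the two counters can be compared."""
    report = {}
    for name, rules in chains.items():
        for r in rules:
            if r["target"] != "DNAT":
                continue
            jumps = [(j["pkts"], j["in"]) for j in chains.get("PREROUTING", [])
                     if j["target"] == name]
            report[f"{name} {r['dst']} {r['extra']}"] = {"hits": r["pkts"], "jumps": jumps}
    return report


def reachable_from(chains, chain, iface):
    """True if some PREROUTING jump into `chain` accepts packets arriving on `iface`."""
    return any(j["target"] == chain and j["in"] in (iface, "*")
               for j in chains.get("PREROUTING", []))
```

Run against a real dump (shorewall dump), the same comparison shows at a glance whether zero hits on a DNAT rule mean no matching packets arrived or that they entered through an interface whose jump never reaches that chain.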