On Mon, 2011-08-29 at 21:04 +1000, Dave Kempe wrote:
> Hi,
>
> I am having trouble getting a DNAT to work like so:
>
> in rules:
> DNAT net:+cust_eth2 colo:PPP.PPP.P.PPP:22 tcp 2222
> - XXX.XXX.XX.XX
>
> snipped config files:
>
> zones:
> net ipv4
> cust:net ipv4
>
> interfaces:
> net eth2 detect
>
> hosts:
> cust eth2:+cust_eth2
>
> # ipset -L
> Name: cust_eth2
> Type: iphash
> References: 9
> Header: hashsize: 1024 probes: 8 resize: 50
> Members:
> XXX.XXX.87.173
>
>
> When I connect from the ip .87.173 as listed in the ipset, it
> doesn't work as per this log message:
> Shorewall:cust2fw:REJECT:IN=eth2 OUT= MAC=0000000000
> SRC=XXX.XX.87.173 DST=XXX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=120
> ID=5116 DF PROTO=TCP SPT=52521 DPT=2222 WINDOW=8192 RES=0x00 SYN
> URGP=0
>
>
> I also tried in hosts:
> cust eth2:dynamic

Because the

>
> Weird thing is, if I remove the ipset restriction on the DNAT, it
> still blocks me, until I remove my ip from the ipset.

I don't understand what that means.

>
> Any pointers? Have I missed something obvious? I know the logmsg says
> cust2fw, but I assume that's because the DNAT is failing to add an
> accompanying ACCEPT rule for the ipset. No idea why though.

We won't know until we see the output of 'shorewall dump' collected as
described at http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users