On 08-09-2014 01:24, Tom Eastep wrote:
On 9/5/2014 3:29 AM, Paolo Nesti Poggi wrote:
Hi
We use a shorewall 4.4.11.6, with a 3 NIC setup (net - dmz - localnet)
that has been working flawlessly for years.
Now we have changed broadband provider and with it we've got new IP
addresses.
I've reconfigured shorewall with the new addresses and since then we no
longer have functioning DNAT for boxes that are forwarded from IP
different from the main IP address.
As far as I could see, for doing the provider change we only needed to
edit the params file (params for main IP and extra IPs) and the masq file (main
IP), apart from of course /etc/network/interfaces and /etc/dhcp/dhcpd.conf.
Having done those changes everything works OK, even DNAT from the main
IP to boxes on DMZ or localnet, whilst the DNAT rules for boxes
forwarded to from other IPs in the address range are not working at all
(ssh: connect to host 89.233.14.37 port 22: Connection timed out)
I hope you can help me find a way to further troubleshoot this.
I've re-read the section regarding the 3-interface setup:
http://shorewall.net/three-interface.htm
and the
DNAT troubleshooting http://shorewall.net/FAQ.htm#faq1a and #faq1b
The rules I'm troubleshooting all show 0 packets in the output of
'shorewall show nat', however the ISP assures me that they are not
dropping anything (this is a 200Mb/sec symmetric connection).
The output of 'shorewall show nat' for one of the hosts in question is:
0 0 DNAT tcp -- * * 0.0.0.0/0 89.233.14.37 multiport dports 22,80,443,3690,8000,5001,3306 to:192.168.37.37
0 0 DNAT udp -- * * 0.0.0.0/0 89.233.14.37 multiport dports 5001,22,3306 to:192.168.37.37
where doing 'ssh 89.233.14.37' from a host outside of this network
should connect me to my box on 192.168.37.37 in the local network.
If I set up a Windows PC with static address 89.233.14.37 and connect it
to the switch of my provider I can ping it from outside, but if I try
and connect to my box on 192.168.37.37 I only get "Connection timed out"
Do you have any idea of what might be going wrong and/or how I can move
forward in troubleshooting this issue?
Have you confirmed with tcpdump that the tcp port 22 packets are even reaching
the firewall and that they have the correct L2 destination address?
The only thing I have from tcpdump regarding these addresses when I try and
ssh to them are ARP messages like this:
14:29:55.386918 ARP, Request who-has 89.233.14.37 tell 89.233.14.33, length 46
About the gateway (89.233.14.33), I was reading
http://shorewall.net/shorewall_setup_guide.htm#Options and I now get
that probably the decisive difference between the old setup and the new
one (apart from the individual addresses) is that previously we had a
non-routed setup, because the addresses were in two different segments,
while we now have a whole subnet (89.233.14.32/28), therefore we need to
change /etc/network/interfaces accordingly.
If this is correct, am I right in understanding that the section:
"*Routed* - Traffic to any of your addresses will be routed through a
single gateway address. This will generally only be done if your ISP has
assigned you a complete subnet (/29 or larger). In this case, you will
assign the gateway address as the IP address of your firewall/router's
external interface."
means that '/etc/network/interfaces' should be:
address 89.233.14.33
network 89.233.14.32/28
broadcast 89.233.14.47
netmask 255.255.255.240
gateway 89.233.14.33
and not
address 89.233.14.34
network 89.233.14.32/28
broadcast 89.233.14.47
netmask 255.255.255.240
gateway 89.233.14.33
as we have now?
/Paolo
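Tom's question is whether the packets for 89.233.14.37 reach the firewall at all, and Paolo's capture shows only repeated ARP requests from the gateway and no reply. The following is an added example, not code from the thread or from the Shorewall project: a small Python diagnostic that reads two artefacts quoted above, a tcpdump ARP capture and 'shorewall show nat' output, and reports (a) addresses in the delegated subnet that were asked for on the wire but never answered, and (b) DNAT external addresses for which the firewall holds no local address. The capture lines and the list of local addresses are constructed sample data modelled on the thread (the 89.233.14.34 reply and its MAC address are made up); the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture in tcpdump's ARP output format. The .37 request
# lines copy the shape of the one quoted in the thread; the .34 request/reply
# pair is invented to show what an answered request looks like.
SAMPLE_CAPTURE = """\
14:29:55.386918 ARP, Request who-has 89.233.14.37 tell 89.233.14.33, length 46
14:29:56.387102 ARP, Request who-has 89.233.14.37 tell 89.233.14.33, length 46
14:29:57.101433 ARP, Request who-has 89.233.14.34 tell 89.233.14.33, length 46
14:29:57.101602 ARP, Reply 89.233.14.34 is-at 00:11:22:33:44:55, length 28
14:29:58.387411 ARP, Request who-has 89.233.14.37 tell 89.233.14.33, length 46
"""

# Constructed sample of 'shorewall show nat' output, copied from the thread
# (packet and byte counters first, then the iptables DNAT rule fields).
SAMPLE_NAT = """\
0 0 DNAT tcp -- * * 0.0.0.0/0 89.233.14.37 multiport dports 22,80,443 to:192.168.37.37
0 0 DNAT udp -- * * 0.0.0.0/0 89.233.14.37 multiport dports 5001,22,3306 to:192.168.37.37
"""

ARP_REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ARP_REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at (\S+)")
# pkts bytes target proto opt in out source destination
DNAT_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+DNAT\s+\w+\s+--\s+\S+\s+\S+\s+\S+\s+(\S+)")


def unanswered_arp(capture, subnet):
    """Return {ip: request_count} for addresses inside `subnet` that were
    requested at least once but never answered anywhere in the capture.
    An entry here means no host on the segment claims that address, so
    nothing at L3 (DNAT included) can ever see the traffic."""
    net = ipaddress.ip_network(subnet)
    requests = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        m = ARP_REQUEST_RE.search(line)
        if m:
            target = ipaddress.ip_address(m.group(1))
            if target in net:
                requests[str(target)] += 1
            continue
        m = ARP_REPLY_RE.search(line)
        if m:
            answered.add(m.group(1))
    return {ip: n for ip, n in requests.items() if ip not in answered}


def dnat_external_addresses(nat_output):
    """Return {external_ip: total_packets} over all DNAT rules in the
    'shorewall show nat' output; continuation lines are ignored."""
    totals = defaultdict(int)
    for line in nat_output.splitlines():
        m = DNAT_RE.match(line)
        if m:
            totals[m.group(3)] += int(m.group(1))
    return dict(totals)


def missing_local_addresses(nat_output, local_addrs):
    """Sorted list of DNAT external addresses that the firewall does not hold
    on any interface (`local_addrs` would come from 'ip -4 addr')."""
    held = set(local_addrs)
    return sorted(ip for ip in dnat_external_addresses(nat_output) if ip not in held)


if __name__ == "__main__":
    print("unanswered ARP:", unanswered_arp(SAMPLE_CAPTURE, "89.233.14.32/28"))
    print("DNAT counters:", dnat_external_addresses(SAMPLE_NAT))
    # Constructed: the firewall's external interface holds only .34, as in
    # the interfaces stanza Paolo says is in place now.
    print("DNAT addresses not held locally:",
          missing_local_addresses(SAMPLE_NAT, ["89.233.14.34"]))
```

Fed a real capture (`tcpdump -n -e -i eth0 arp`) and the real `shorewall show nat` output, the two reports should agree: an external address that the firewall does not hold and that nobody answers ARP for will also sit at zero packets in the DNAT counters, which is exactly the combination in the thread and the first thing to settle before looking at the rules themselves.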
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users