I've set ACCEPT rules for net to $FW and net to dmz (not sure which applies) 
for http and https.

Going through the FAQ here:  http://shorewall.net/FAQ.htm#faq1a
- I'm testing from a remote OpenStack VM (Internap) using:
# curl -v http://50.35.109.212
* About to connect() to 50.35.109.212 port 80 (#0)
*   Trying 50.35.109.212...
* Connection timed out
* Failed connect to 50.35.109.212:80; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 50.35.109.212:80; Connection timed out

- The gateway on the dmz server is set to 10.15.15.2, which is the dmz inside 
interface on the router.  And it can access The Internets fine using SNAT.
- I've previously confirmed that 80 can reach through my ISP.
- Running CentOS7.4.

http://shorewall.net/FAQ.htm#faq1b
(On router)
# shorewall reset
Shorewall Counters Reset
# shorewall show nat
pkts bytes target     prot opt in     out     source               destination
    2   128 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   multiport dports 80,443 to:10.1.1.30
... note: instantly there is a count of 2 when I haven't done anything.
(On router)
# shorewall reset
# shorewall show nat
   2   128 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   multiport dports 80,443 to:10.1.1.30
(On remote)
# curl -v http://50.35.109.212
(On router)
# shorewall show nat
   2   128 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   multiport dports 80,443 to:10.1.1.30
... note count remains 2.

- I'd previously set my SSHd server on the router to listen on 80, 443, 587, 
etc, and I could always SSH in to the router from the remote machine.  So those 
ports aren't blocked, unless it's a protocol-sensitive block.
- I cannot understand this second possibility: "you are trying to connect to 
a secondary IP address on your firewall and your rule is only redirecting the 
primary IP address (You need to specify the secondary IP address in the "ORIG. 
DEST." column in your DNAT rule); or"
- (On router - 50.35.109.212)
# tcpdump |grep 72.251.232.105
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
(On remote machine - 72.251.232.105)
# curl -v http://50.35.109.212
(On router: zip, even after curl times out.)

- And the last possibility (On router):
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 50.35.109.212  netmask 255.255.240.0  broadcast 50.35.111.255

I can't see what is wrong.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
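Added example (not part of the post above, and not taken from the Shorewall project): the "ORIG. DEST." possibility the poster quotes from the FAQ refers to the ORIGDEST column of /etc/shorewall/rules. Below are two DNAT rules written with the addresses from the post (50.35.109.212 for the external address, 10.1.1.30 for the DMZ web host, zone names net and dmz) for illustration only. The first has ORIGDEST empty, which is what produces the `destination 0.0.0.0/0` match shown in the `shorewall show nat` output above; the second pins the rule to one external address, which is what you would need if the firewall had several public addresses and the connection were arriving on one that the rule did not cover. A plain DNAT action (without the trailing `-`) also generates the companion ACCEPT for the translated net-to-dmz connection, so no separate ACCEPT rule is required for it; an ACCEPT from net to $FW applies only to traffic terminating on the router itself, not to forwarded connections.

```text
#ACTION   SOURCE   DEST             PROTO   DPORT    SPORT   ORIGDEST
# 1) No ORIGDEST: matches TCP 80/443 to any destination address arriving
#    from the net zone and forwards it to the DMZ host (assumed 10.1.1.30).
DNAT      net      dmz:10.1.1.30    tcp     80,443
# 2) Explicit ORIGDEST: only connections originally addressed to
#    50.35.109.212 are translated; connections to any other address on the
#    firewall are left untouched. Use this form per public address if the
#    firewall carries more than one.
DNAT      net      dmz:10.1.1.30    tcp     80,443   -       50.35.109.212
```

After editing the rules file, `shorewall check` validates it and `shorewall reload` applies it; `shorewall show nat` then lists the resulting DNAT entry with the chosen destination match, and the counter-reset-then-probe procedure from FAQ 1b shows whether the rule is being hit.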