> On 11/20/2017 09:27 AM, Colony.three via Shorewall-users wrote:
>
>>> Are you sure this isn't working? I can connect to the firewall's
>>> external IP on port 80 and I get the Quantum Equities web site.
>>>
>>> -Tom
>>
>> Hm, that's odd.  My remote OpenStack instance is CentOS Minimal so no
>> GUI.  I have to use curl to test, and it times out.  nc also times out.
>> This is from a VM at Internap, which I ssh in to from my LAN.  No dmesg
>> errors anywhere.  The shorewall counter increments to 2 immediately on
>> clear, but never increments on curl nor nc from Internap.
>>
>> Well -- I can browse quantum-equities.com from my local LAN just fine.
>> And from inside my LAN I can't pull up quantum-equities.com. (LAN
>> laptop==>routerSNAT==>internet/50.35.109.212
>> http://50.35.109.212==>routerNATxxx)
>> You mention several times in the docs that accessing it from inside
>> doesn't work, but I don't understand the dynamics.  I should be able to
>> pull up this domain name from inside the LAN through the router's
>> external interface, as a regular website, shouldn't I?
>>
>> From inside the LAN connected to the Shorewall system, you must also use
>> DNAT if you want to access DMZ servers via the firewall external IP:
>>
>> DNAT loc dmz tcp 80 - 50.35.109.212
>>
>> or
>>
>> Web(DNAT) loc dmz - - - 50.35.109.212
>>
>> The latter also DNATs port 443 which apparently isn't being used on the
>> Quantum website.
>>
>> -Tom

By the mighty Hammer Of Thor, it works.  I don't understand why my remote curl 
or nc attempts didn't work.

When using:  Web(DNAT)    loc   dmz   -     -     -       50.35.109.212
... is that last 50.35.109.212 necessary? (It may change periodically)  If 
necessary, can I somehow enter it here as a system variable?

I haven't been able to get SSL running as certbot (LetsEncrypt) couldn't verify 
my domain.  But now it should be able to.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
