On 1/12/19 2:08 PM, C. Cook wrote:
> 
> On 1/12/19 1:24 PM, C. Cook wrote:
>>
>>
>> On 1/12/19 1:10 PM, C. Cook wrote:
>>>
>>>
>>> On 1/12/19 12:45 PM, C. Cook wrote:
>>>>
>>>>
>>>> On 1/12/19 12:37 PM, Roberto C. Sánchez wrote:
>>>>> On Sat, Jan 12, 2019 at 12:33:48PM -0800, C. Cook wrote:
>>>>>>    ... and can't get up!
>>>>>>
>>>>>>    [Sat Jan 12 11:56:22 2019] FORWARD REJECT IN=eth0 OUT=eth0
>>>>>                                                ^^^^^^^^^^^^^^^^
>>>>>
>>>>> Have you specified routeback for eth0 in interfaces?
>>>>>
>>>>> Regards,
>>>>>
>>>>> -Roberto
>>>>
>>>> No, but never have in the past.  Suddenly it stopped working.
>>>>
>>>> Now I've changed the line to:
>>>>
>>>> net     eth0     tcpflags,dhcp,nosmurfs,sourceroute=0,routefilter,routeback
>>>>
>>>> ... and I'm no longer getting the forwarding or any other error in
>>>> my router or server, but I still can't pull up delphi-real-estate.com
>>>>
>>> Ok, the router's interface looking toward the DMZ has no IP!
>>>
>>> It thinks another system has its IP, but I don't have one set
>>> anywhere.  Maybe 10.1.1.1 is no-man's-land?
>>>
>> Fixed the IP and I can ping the DMZ Apache server VM from the router
>> now, but curl to it and access from the outside still doesn't work.
>>
> I've confirmed that the router is -not- passing along the ports to the
> DMZ, even though this is set:
> 
> Web(DNAT)       net             dmz:10.1.1.30   -       -       -       -       3/sec:10
> Web(DNAT)       local           dmz:10.1.1.30   -       -       -       &eth0
> 
> ... and forwarding is on in all quarters.
> 
> I don't have anything in snat.  Is there supposed to be?
> 
> 

What you are trying to do *will never work*. You are accepting web
connections on the public IP address on the Shorewall router, port
forwarding them to the web server who is trying to reply out of the WG
server. There are two problems with this idea:

a) The WG server can't reverse the effect of the DNAT in the router, so
the responses are going out with the wrong source IP.

b) Even if DNAT were not involved, you would likely be sending packets
out through one ISP with source addresses assigned to another ISP. Those
are subject to being dropped.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
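As an added illustration of point (a), not from the thread or from Shorewall itself: a small Python model of the router's DNAT connection tracking, with constructed public and client addresses, showing which source address the outside client sees depending on whether the reply leaves through the DNAT router or through the other uplink.

```python
from collections import namedtuple

# Constructed addresses; 10.1.1.30 is the DMZ web server named in the thread.
PUBLIC_IP = "203.0.113.10"        # router's public address (assumed)
DMZ_WEB = "10.1.1.30"
CLIENT = ("198.51.100.7", 40000)  # outside client (assumed)

Packet = namedtuple("Packet", "src sport dst dport")


class DnatRouter:
    """Router doing DNAT with a conntrack-style table of translated flows."""

    def __init__(self, dnat):
        self.dnat = dnat        # (dst, dport) -> (new_dst, new_dport)
        self.conntrack = {}     # reply 4-tuple -> original (dst, dport)

    def forward_in(self, pkt):
        """Inbound: rewrite the destination and record how to undo it."""
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        self.conntrack[(target[0], target[1], pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return Packet(pkt.src, pkt.sport, target[0], target[1])

    def forward_out(self, pkt):
        """Outbound: reverse the DNAT only for flows this router tracked."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return Packet(orig[0], orig[1], pkt.dst, pkt.dport)


class PlainGateway:
    """The other uplink (the WG server): it never saw the DNAT, so it has no state."""

    def forward_out(self, pkt):
        return pkt


def reply_source(egress):
    """Return (source IP the client sees, whether it matches the address it connected to)."""
    router = DnatRouter({(PUBLIC_IP, 80): (DMZ_WEB, 80)})
    syn = router.forward_in(Packet(CLIENT[0], CLIENT[1], PUBLIC_IP, 80))
    # The DMZ server answers from the translated address it actually received on.
    reply = Packet(syn.dst, syn.dport, syn.src, syn.sport)
    gateway = router if egress == "router" else PlainGateway()
    out = gateway.forward_out(reply)
    return out.src, out.src == PUBLIC_IP
```

Only the reply that passes back through the router's own conntrack gets its source rewritten to the public address; via the other uplink the client receives a packet from 10.1.1.30 and discards it.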
