On Tue, 4 Apr 2023 22:07:36 +0200
Olivier Sannier <obo...@gmail.com> wrote:

> On 02/04/2023 at 00:48, Justin Pryzby wrote:
> > On Sat, Apr 01, 2023 at 11:00:17PM +0200, Olivier Sannier wrote:  
> >> However, when I connect from the loc zone to the address of enp4s0
> >> (10.10.10.254 for that matter) on port 1883, I get a "connection
> >> error" message from telnet.
> >> Using Wireshark on the client computer, I see the SYN packet going
> >> out and a few RST, ACK replies.  
> > You should run wireshark/tcpdump on the shorewall device, and
> > specify "-i lo" to see what's happening on that interface.  
> 
> I have run it on enp4s0 and I see the RST,ACK replies
> I have run it on lo and I see nothing coming through
> 
> > It'd be useful to log the request, like REDIRECT:INFO:mqtt
> > That'll at least indicate whether the rule is being hit.  
> Indeed, that's useful and here is what I get in the system log:
> 
> server kernel: loc_dnat REDIRECT mqtt IN=enp4s0 OUT= MAC=50:3e:aa:0a:e2:0e:70:85:c2:75:2d:71:08:00 SRC=10.10.10.140 DST=10.10.10.254 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4850 DF PROTO=TCP SPT=51232 DPT=1883 WINDOW=64240 RES=0x00 SYN URGP=0

REDIRECT does not change the destination IP - you need to change your
software to listen on all IP addresses for redirect to work. DNAT is the
way if you need to change the destination IP.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
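The kernel log line quoted above is the netfilter log format Shorewall emits when a rule carries a log level (`REDIRECT:info:mqtt` gives the chain, action and tag prefix before the `IN=`/`OUT=`/`SRC=`/`DST=` fields). The following parser is an added example, not code from this thread or from Shorewall: it turns such a line into structured fields and then checks whether a listener bound to a given address set would accept the logged `DST:DPT`, which is exactly the question raised in the reply (a socket bound only to loopback does not cover `10.10.10.254`, a wildcard bind does). The sample log line is copied in shape from the thread; the listener lists are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the log line quoted in the thread, on one line.
SAMPLE_LOG = (
    "server kernel: loc_dnat REDIRECT mqtt IN=enp4s0 OUT= "
    "MAC=50:3e:aa:0a:e2:0e:70:85:c2:75:2d:71:08:00 SRC=10.10.10.140 "
    "DST=10.10.10.254 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4850 DF "
    "PROTO=TCP SPT=51232 DPT=1883 WINDOW=64240 RES=0x00 SYN URGP=0"
)

# Shorewall log prefix: "<chain> <action> [<tag>]" immediately before "IN=".
# The tag is optional, so the group must refuse to swallow "IN=".
PREFIX_RE = re.compile(
    r"kernel:\s+(?P<chain>\S+)\s+(?P<action>\S+)"
    r"(?:\s+(?P<tag>(?!IN=)\S+))?\s+(?=IN=)"
)


@dataclass
class NetfilterLogEntry:
    chain: str
    action: str
    tag: Optional[str]
    fields: Dict[str, str] = field(default_factory=dict)  # KEY=value tokens
    flags: List[str] = field(default_factory=list)        # bare tokens: DF, SYN, ...


def parse_netfilter_log(line: str) -> NetfilterLogEntry:
    """Parse one Shorewall/netfilter kernel log line into an entry."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("no netfilter log prefix found: %r" % line)
    entry = NetfilterLogEntry(m.group("chain"), m.group("action"), m.group("tag"))
    # Everything after the prefix is whitespace-separated KEY=value or a flag.
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        if sep:
            entry.fields[key] = value   # "OUT=" yields an empty string, as in the log
        else:
            entry.flags.append(token)
    return entry


def listener_covers(entry: NetfilterLogEntry,
                    listeners: List[Tuple[str, int]]) -> bool:
    """True if some bound TCP socket (addr, port) would accept the logged DST:DPT.

    A wildcard bind ("0.0.0.0" or "*") matches any destination address; any
    other bind must equal the DST field exactly. The listener list is an
    assumption supplied by the caller (e.g. taken from `ss -ltn`).
    """
    dst = entry.fields.get("DST")
    dport = int(entry.fields.get("DPT", "-1"))
    return any(port == dport and addr in ("0.0.0.0", "*", dst)
               for addr, port in listeners)


if __name__ == "__main__":
    entry = parse_netfilter_log(SAMPLE_LOG)
    print(entry.chain, entry.action, entry.tag, entry.fields["IN"],
          entry.fields["SRC"], "->", entry.fields["DST"], entry.fields["DPT"])
    # Constructed listener sets: loopback-only vs. wildcard bind on 1883.
    print("loopback-only listener reachable:",
          listener_covers(entry, [("127.0.0.1", 1883)]))
    print("wildcard listener reachable:",
          listener_covers(entry, [("0.0.0.0", 1883)]))
```

Feeding the kernel log through `parse_netfilter_log` is a quick way to confirm a rule is actually matching (the chain and tag show up) before looking at why the connection still fails; `listener_covers` then makes the bind-address question explicit rather than inferred from RST,ACK replies in a capture.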


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
