
Re: DNAT problem in Shorewall



On Friday 15 Jul 2005 13:40, askar k wrote:
> On 7/15/05, TreeBoy <debian-user@petethetree.co.uk> wrote:
> > I am now getting really confused.
> >
> > You have three machines in the subnet 192.168.0.0/24
> >
> > They are:
> >
> > IP    FQDN                  Description
> > 1     ???                   Linux Firewall/Gateway
> > 100   www.mydomain.com      Linux webserver running apache
> > ?     ???                   XP box
> >
> > You are trying to browse http on www.mydomain.com.
> >
> > You have DNS working on all machines. i.e. running "host
> > www.mydomain.com" (or ping on XP) on each computer gives the correct IP
> > address of 192.168.0.100.
>
> No, when I do "host www.mydomain.com" it gives me static ip address
> 213.xxx.xxx.xxx

Right.

I trust that this IP address is the public IP address of your firewall.

I presume that you have also configured your firewall as described here:

http://shorewall.net/two-interface.htm

If these two statements are true, then are you sure that your ISP does not 
block port 80?

Check this by looking at what is being blocked in your logs. You should be 
able to see your attempts being blocked or dropped by issuing the following 
command on the firewall:
   # tail -f /var/log/syslog

If not, then shorewall is not blocking. 

Try issuing the same command on your webserver while trying to browse to it 
and you may see it is blocking or dropping.

If none of these add any info, then issue the following command on your 
firewall:

   # iptables -L|more

This shows what your firewall is actually setup to do with any packets. Look 
for the section labelled "Chain net2loc". This is where the DNAT forwarders 
should be listed. 

The first entry in this section should be:

ACCEPT     all  --  anywhere             anywhere            state 
RELATED,ESTABLISHED

This means any connection in-bound that is associated with an already 
established outbound connection should be allowed. (This is for non-passive FTP 
amongst others.)

The last item should be:

net2all    all  --  anywhere             anywhere

This says that anything not already covered in this section gets passed on to 
the chain called "net2all" which usually says "DROP".

The ones in between are where your specific forwarding/DNAT stuff should go. 
You should see something like:

ACCEPT     tcp  --  anywhere             webserver.mynetwork.foo     tcp 
dpt:80

If that's not there, then forwarding is not happening.

We'll have to look at your config if these lines do not appear.
>
> > Finally: Please reply to the list - not to me personally. These lists
> > offer others the ability to learn and to add input.
>
> I didn't know that messages went to you - I was just clicking the reply button.
> Maybe something is wrong with your mail client settings. Please check.
> In the "TO" field I manually changed the email address this time.

In your client, you have to specify "Reply to List", not just "Reply". I know 
that exists somewhere in GMail.

Cheers,
>
> askar

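The inspection TreeBoy describes above (first rule accepting RELATED,ESTABLISHED, last rule the hand-off to net2all, an ACCEPT tcp dpt:80 to the webserver somewhere in between) can be scripted so the three checks are applied mechanically. The block below is an added example, not code from the original message or from Shorewall. It runs against a constructed sample of `iptables -L net2loc -n` output modelled on the quoted lines; 192.168.0.100 is assumed as the webserver address (the thread places it at .100 in 192.168.0.0/24), and the `-n` flag is assumed so the listing shows numeric addresses instead of reverse-resolved names such as `anywhere` or `webserver.mynetwork.foo`.

```shell
#!/bin/sh
# Added example (not from the original message): check the filter-table
# "net2loc" chain for the three rules described in the thread.
#
# Constructed sample of `iptables -L net2loc -n` output, modelled on the
# lines quoted in the message. The webserver address 192.168.0.100 is an
# assumption taken from the thread's subnet description.
SAMPLE_OK='Chain net2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.100       tcp dpt:80
net2all    all  --  0.0.0.0/0            0.0.0.0/0'

# Same chain with the forwarding rule missing: the "forwarding is not
# happening" case from the message.
SAMPLE_NOFWD='Chain net2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
net2all    all  --  0.0.0.0/0            0.0.0.0/0'

# check_net2loc WEBSERVER PORT   (chain listing on stdin)
# Prints one line per finding and returns 0 only when the first rule is the
# RELATED,ESTABLISHED accept, the last rule is the net2all hand-off, and an
# ACCEPT tcp to WEBSERVER dpt:PORT sits in between.
check_net2loc() {
    dst=$1
    port=$2
    # Drop the "Chain ..." header and the column header that
    # `iptables -L <chain> -n` prints, plus any blank lines.
    rules=$(sed -e '1,2d' -e '/^$/d')
    first=$(printf '%s\n' "$rules" | sed -n '1p')
    last=$(printf '%s\n' "$rules" | sed -n '$p')
    rc=0
    case "$first" in
        ACCEPT*RELATED,ESTABLISHED*)
            echo "ok: first rule accepts state RELATED,ESTABLISHED" ;;
        *)
            echo "MISSING: first rule should accept state RELATED,ESTABLISHED"
            rc=1 ;;
    esac
    case "$last" in
        net2all*)
            echo "ok: last rule hands everything else to net2all" ;;
        *)
            echo "MISSING: last rule should be the net2all hand-off"
            rc=1 ;;
    esac
    # The forwarding rule: ACCEPT, tcp, destination = webserver, dpt:PORT.
    if printf '%s\n' "$rules" | grep -q "^ACCEPT *tcp .*[ ]$dst .*dpt:$port\$"; then
        echo "ok: ACCEPT tcp -> $dst dpt:$port present, forward is wired into net2loc"
    else
        echo "MISSING: no ACCEPT tcp -> $dst dpt:$port, forwarding is not happening"
        rc=1
    fi
    return $rc
}

# On a real firewall feed the live chain listing in:
#   iptables -L net2loc -n | sh check_net2loc.sh live 192.168.0.100 80
if [ "${1:-}" = "live" ]; then
    check_net2loc "$2" "$3"
    exit $?
fi

# Stand-alone demonstration on the two constructed samples.
echo "== sample with the forwarding rule =="
printf '%s\n' "$SAMPLE_OK" | check_net2loc 192.168.0.100 80 || true
echo "== sample without the forwarding rule =="
printf '%s\n' "$SAMPLE_NOFWD" | check_net2loc 192.168.0.100 80 || echo "verdict: DNAT forward is not wired in"
```

Two caveats the `iptables -L` check alone does not cover. First, `iptables -L` lists only the filter table: the ACCEPT in net2loc shows that the already-translated packet is permitted through FORWARD, while the DNAT rule that rewrites the destination to 192.168.0.100 lives in the nat table and is listed with `iptables -t nat -L -n`. Second, a client on the 192.168.0.0/24 LAN that connects to the firewall's public address enters through the loc interface, so its packets never traverse net2loc at all; that path needs its own rule and is a separate problem from inbound connections arriving from the Internet.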