
Re: DNAT problem in Shorewall



Hello!

I came back home (the previous email I was sending from work) and
found that DNAT works!!! :)

I wonder why it works now. But it should also work from LAN, am I right?

And in my iptables -L | more I had everything you asked me.

Now, I'll have to check from work place if it works or not...

Thank you!!!

askar

PS. I don't see "Reply to list", I have only Reply, Reply To ALL,
Forward and Invite someone to Gmail. :-(

 
> I trust that this IP address is the public IP address of your firewall.
> 
> I presume that you have also configured your firewall as described here:
> 
> http://shorewall.net/two-interface.htm
> 
> If these two statements are true, then are you sure that your ISP does not
> block port 80?
> 
> Check this by looking at what is being blocked in your logs. You should be
> able to see your attempts being blocked or dropped by issuing the following
> command on the firewall:
>    # tail -f /var/log/syslog
> 
> If not, then shorewall is not blocking.
> 
> Try issuing the same command on your webserver while trying to browse to it
> and you may see it is blocking or dropping.
> 
> If none of these add any info, then issue the following command on your
> firewall:
> 
>    # iptables -L|more
> 
> This shows what your firewall is actually set up to do with any packets. Look
> for the section labelled "Chain net2loc". This is where the DNAT forwarders
> should be listed.
> 
> The first entry in this section should be:
> 
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> 
> This means any connection in-bound that is associated with an already
> established outbound connect should be allowed. (This is for non-passive FTP
> amongst others.)
> 
> The last item should be:
> 
> net2all    all  --  anywhere             anywhere
> 
> This says that anything not already covered in this section gets passed on to
> the chain called "net2all" which usually says "DROP".
> 
> The ones in between are where your specific forwarding/DNAT stuff should go.
> You should see something like:
> 
> ACCEPT     tcp  --  anywhere             webserver.mynetwork.foo     tcp dpt:80
> 
> If that's not there, then forwarding is not happening.
> 
> We'll have to look at your config if these lines do not appear.
> >
> > > Finally: Please reply to the list - not to me personally. These lists
> > > offer others the ability to learn and to add input.
> >
> > I didn't know that messages went to you - I was just clicking reply button.
> > Maybe something is wrong with your mail client settings. Please check.
> > To the field "TO" I manually changed email address this time.
> 
> In your client, you have to specify "Reply to List", not just "Reply". I know
> that exists somewhere in GMail.
> 
> Cheers,
> >
> > askar
> 
> 
>
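
The "Chain net2loc" check walked through in the quoted reply, as an added example that is not part of the original thread. It assumes numeric output from `iptables -L -n` (without `-n` the port may be printed as a service name); the function name `check_net2loc`, the two sample rule sets and the address 192.168.1.5 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `iptables -L -n` text on stdin and checks the
# "Chain net2loc" section the way the quoted reply walks through it.
# $1 = destination port (default 80). Returns 0 only if all checks pass.
check_net2loc() {
    awk -v port="${1:-80}" '
        /^Chain / { in_chain = ($2 == "net2loc"); if (in_chain) seen = 1; next }
        !in_chain { next }
        NF == 0 || $1 == "target" { next }      # blank line or column header
        { rules[++n] = $0; tgt[n] = $1; proto[n] = $2 }
        END {
            if (!seen) { print "FAIL: no chain net2loc"; exit 1 }
            bad = 0
            if (n < 1 || tgt[1] != "ACCEPT" || rules[1] !~ /RELATED,ESTABLISHED/) {
                print "FAIL: first rule is not ACCEPT state RELATED,ESTABLISHED"; bad = 1 }
            if (n < 1 || tgt[n] != "net2all") {
                print "FAIL: last rule does not jump to net2all"; bad = 1 }
            found = 0                           # rules between first and last
            for (i = 2; i < n; i++)
                if (tgt[i] == "ACCEPT" && proto[i] == "tcp" && rules[i] ~ ("dpt:" port "( |$)"))
                    found = 1
            if (!found) { print "FAIL: no ACCEPT tcp rule for dpt:" port; bad = 1 }
            if (!bad) print "OK: net2loc has the expected rules for tcp dpt:" port
            exit bad
        }'
}

# Constructed sample output: chain with the port-80 forwarding rule present.
sample_ok() { cat <<'EOF'
Chain net2loc (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.1.5         tcp dpt:80
net2all    all  --  0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed sample output: same chain with the forwarding rule absent.
sample_missing() { sample_ok | grep -v 'dpt:80'; }

sample_ok | check_net2loc 80        # on a firewall: iptables -L -n | check_net2loc 80
```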


