Discussion:
[Shorewall-users] Weird NAT issue
Kade W. Hampson
2017-03-28 15:16:16 UTC
Well, it turns out that Shorewall had just decided to reject the HyperV
Server's IP.
Which is pretty funny because looking through the original dump that I
posted there is no mention of the Drop/Reject?
Is this just Admin error? Or a bug.....
It's on the same switch, but I have double checked the VLANs and they
are correct
-------- Original message --------
Date: 22/3/17 3:27 am (GMT+10:00)
Subject: Re: [Shorewall-users] Weird NAT issue
If my server was bypassing its VLAN configuration it wouldn't be able
to ping any other devices on the 192.168.0/24 subnet.
So this leads me to the only device that could be causing the issue,
my firewall.
Could it be some bug to do with the MAC address of my server? I have a
cron job to update the OS every night, so possibly a rogue update?
-------- Original message --------
Date: 22/3/17 1:59 am (GMT+10:00)
Subject: Re: [Shorewall-users] Weird NAT issue
What does your eth0 connect to? Is it on the same switch but supposed
to be on a different VLAN?
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2017-03-30 17:07:07 UTC
Post by Kade W. Hampson
Well, it turns out that Shorewall had just decided to reject the
HyperV Server's IP. Which is pretty funny because looking through
the original dump that I posted there is no mention of the
Drop/Reject? Is this just Admin error? Or a bug.....
You were getting 'Martian' messages -- any packet that is declared a
martian is dropped.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
Kade W. Hampson
2017-03-31 09:44:04 UTC
Ok, this is now an ongoing issue, I am constantly having to type
"shorewall allow 192.168.0.3"

Tom Eastep
2017-03-31 14:02:45 UTC
Post by Kade W. Hampson
Ok, this is now an ongoing issue, I am constantly having to type
"shorewall allow 192.168.0.3"
Are you using BLACKLIST policies?

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
Tom Eastep
2017-03-31 22:43:08 UTC
Post by Tom Eastep
Post by Kade W. Hampson
Ok, this is now an ongoing issue, I am constantly having to type
"shorewall allow 192.168.0.3"
Are you using BLACKLIST policies?
Or, alternatively, are you using an IPS like Fail2ban? If the 'allow'
command is temporarily correcting the problem, then the server IP
address is getting dynamically blacklisted. Which doesn't surprise me
if its transmitted packets are arriving on the wrong interface.

-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________
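
Added example, not part of the original thread: the replies above tie the drops to kernel 'Martian' messages for packets arriving on the wrong interface. This Python sketch parses kernel martian log lines and reports senders seen on an interface other than the one their subnet is expected on; the sample log lines are constructed, and the `eth1` mapping for 192.168.0.0/24 is an assumption made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Kernel format: "martian source <DST> from <SRC>, on dev <IFACE>".
# Note the order: the first address is the destination, the second the sender.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+\.\d+\.\d+\.\d+) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), on dev (?P<dev>\S+)"
)

# Assumption for illustration: the interface each local network lives on.
EXPECTED_IFACE = {ipaddress.ip_network("192.168.0.0/24"): "eth1"}

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
Mar 31 09:40:01 fw kernel: IPv4: martian source 192.168.0.1 from 192.168.0.3, on dev eth0
Mar 31 09:40:01 fw kernel: ll header: 00000000: ff ff ff ff ff ff 00 15 5d 00 00 01 08 06
Mar 31 09:40:07 fw kernel: IPv4: martian source 192.168.0.1 from 192.168.0.3, on dev eth0
Mar 31 09:41:12 fw kernel: IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth1
Mar 31 09:41:30 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2
"""

def martian_senders(log_text):
    """Count martian log entries per (sender address, receiving interface)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            counts[(m["src"], m["dev"])] += 1
    return counts

def wrong_interface(counts):
    """Return (sender, seen_on, expected_on, count) for misplaced local hosts."""
    findings = []
    for (src, dev), n in sorted(counts.items()):
        addr = ipaddress.ip_address(src)
        for net, iface in EXPECTED_IFACE.items():
            if addr in net and dev != iface:
                findings.append((src, dev, iface, n))
    return findings

if __name__ == "__main__":
    for src, dev, iface, n in wrong_interface(martian_senders(SAMPLE_LOG)):
        print(f"{src}: {n} martian(s) on {dev}, expected on {iface}")
```
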