Guillermo Cediel Blanco
2016-07-22 11:32:44 UTC
Hi,
I have installed Shorewall 5.0.8 on a CentOS 7 server, and I'm having a weird issue with DNAT.
The server running shorewall has three network interfaces:
real eno16777984
dmz eno33557248
wan eno50336512 routefilter,blacklist,tcpflags,logmartians,nosmurfs
real is our internal network, wan is internet and dmz is a network where I have installed an https server that must be accessible from internet. The following are my zones:
fw firewall
wan ipv4
real ipv4
dmz ipv4
dev ipv4
I have defined the masq file as (the public ip address has been masked):
eno50336512 10.58.80.0/24,\
10.210.54.0/24 xx.xx.xx.xx
10.58.80.0/24 is the real subnet, and 10.201.54.0 is the dmz subnet. The DNAT rules created in the rules file are:
DNAT wan dmz:10.210.54.10 tcp 443 - xx.xx.xx.xx
ACCEPT all dmz:10.210.54.10 tcp 443
Well, DNAT is usually working from internet; I can access the server without problems, but I've found that from time to time the server is not accessible from internet. If I try to test the connection with the command:
telnet xx.xx.xx.xx 443
I don't get any response from the server. However, while there's no connection from internet, I can connect to the server from the 'real' network (accessing the IP address 10.210.54.10). I think this means that it's a problem related to the DNAT rules.
This situation lasts for some minutes, and then it works again. I have tried the solution stated here: http://documents.made-it.com/iptables-timeout.html in case it was a problem related to the TCP keep alive settings, but with no luck.
Any suggestions?
If you need some additional information, please ask for it.
Thanks in advance.
Guillermo
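One way to narrow down where the intermittent failure sits, as an added diagnostic that is not part of the original post and not Shorewall's own tooling: parse `conntrack -L` output for TCP flows aimed at the public address on port 443 and separate entries that were DNATed but never answered by the DMZ host from entries where the translation did not apply at all. The sample output below is constructed; xx.xx.xx.xx stands in for the masked public address from the post, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of `conntrack -L` output (not from the original post).
# Each TCP line carries two tuples: the original direction (pre-NAT, so dst is
# the public address) and the reply direction (post-NAT, so src is the DMZ host
# when DNAT applied). xx.xx.xx.xx is the masked public IP placeholder.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=xx.xx.xx.xx sport=51002 dport=443 src=10.210.54.10 dst=203.0.113.5 sport=443 dport=51002 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=198.51.100.7 dst=xx.xx.xx.xx sport=40001 dport=443 [UNREPLIED] src=10.210.54.10 dst=198.51.100.7 sport=443 dport=40001 mark=0 use=1
tcp      6 115 SYN_SENT src=198.51.100.7 dst=xx.xx.xx.xx sport=40002 dport=443 [UNREPLIED] src=xx.xx.xx.xx dst=198.51.100.7 sport=443 dport=40002 mark=0 use=1
udp      17 29 src=10.58.80.12 dst=8.8.8.8 sport=5353 dport=53 src=8.8.8.8 dst=xx.xx.xx.xx sport=53 dport=5353 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
STATE_RE = re.compile(r"^(\w+)\s+\d+\s+\d+\s+([A-Z_]+)?")


def classify_dnat_flows(conntrack_text, public_ip, dmz_ip, port):
    """Return (state_counts, problems) for TCP flows to public_ip:port.

    problems is a list of (client_ip, client_port, reason) where reason is
    'not-translated' (reply tuple still names public_ip, so the DNAT rule was
    never hit) or 'unreplied' (DNAT applied but the DMZ host sent no SYN/ACK).
    """
    counts = Counter()
    problems = []
    for line in conntrack_text.splitlines():
        m = STATE_RE.match(line)
        if not m or m.group(1) != "tcp":
            continue
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        (osrc, odst, osport, odport), (rsrc, _rdst, _rsport, _rdport) = tuples
        if odst != public_ip or int(odport) != port:
            continue
        counts[m.group(2) or "NONE"] += 1
        if rsrc != dmz_ip:
            problems.append((osrc, int(osport), "not-translated"))
        elif "[UNREPLIED]" in line:
            problems.append((osrc, int(osport), "unreplied"))
    return counts, problems


if __name__ == "__main__":
    states, bad = classify_dnat_flows(SAMPLE, "xx.xx.xx.xx", "10.210.54.10", 443)
    print(dict(states))
    for client, sport, reason in bad:
        print(f"{client}:{sport} {reason}")
```

Run it against live output (`conntrack -L | python3 script.py` adapted to read stdin) during an outage: a pile of 'unreplied' entries points at the DMZ host or the return path, while 'not-translated' entries point at the NAT rule itself.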