[Shorewall-newbies] Pings and connects work, but connection dropped immediately

Tom Eastep teastep at shorewall.net
Sat Jan 31 09:27:31 PST 2004


On Saturday 31 January 2004 09:14 am, Eugene Ventimiglia wrote:
> Some background (some names have been changed to protect the innocent):

And to mislead those of us who are trying to help you :-(

>
> eth0 (XXX.YYY.ZZZ.250) is external, connected to zone 'net'
> eth1 (192.168.100.1) is internal, connected to zone 'loc'
>
> 3 servers connected on eth1 and mapped to public addresses (251-253)
> in /etc/shorewall/net (below)

I presume that's /etc/shorewall/nat.

>
> When I try to connect into port 25 or 110 of my mail server(253), it
> connects, but immediately breaks the connection. Nothing in the logs to
> indicate that it's caused by a rule or policy (it would be logged, right?)

If it connects then 

>
> When I use nmap from outside it shows the ports open, and telnetting to 110
> (or 25) yields:
> Trying XXX.YYY.ZZZ.253...
> Connected to XXX.YYY.ZZZ.253.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> Here are all the files I modified:

This doesn't look like a Shorewall problem.

>
> ##############################################################################
> #
> # Shorewall 1.2  -- Network Address Translation Table
> # /etc/shorewall/nat
> #
> #EXTERNAL        INTERFACE   INTERNAL          ALL INTERFACES     LOCAL
> XXX.YYY.ZZZ.251    eth0        192.168.100.11    yes                yes
> XXX.YYY.ZZZ.252    eth0        192.168.100.12    yes                yes
> XXX.YYY.ZZZ.253    eth0        192.168.100.13    yes                yes
> ##############################################################################

I seriously doubt that you want "yes" in the last two columns. And why are you 
running Shorewall 1.2? That version hasn't been supported for some time now.

> #
> # Shorewall 1.2 -- Proxy ARP
> #
> # /etc/shorewall/proxyarp
> #
> #ADDRESS             INTERFACE    EXTERNAL    HAVEROUTE
> XXX.YYY.ZZZ.251        eth1        eth0        Yes
> XXX.YYY.ZZZ.252        eth1        eth0        Yes
> XXX.YYY.ZZZ.253        eth1        eth0        Yes
> ###########################################################################


Why in the world are you using both Proxy ARP *and* one-to-one NAT? If you 
have entries in /etc/shorewall/nat then you don't need these ARP entries. 
What you rather want is to define 251, 252 and 253 as IP addresses on eth0. 
More modern versions of Shorewall can do that for you.

> #
> # Shorewall 1.2 -- Policy File
> #
> # /etc/shorewall/policy
> #
> #CLIENT    SERVER     POLICY      LOG LEVEL
> $FW        net        ACCEPT
> $FW        loc        ACCEPT
> loc        net        ACCEPT
> loc        loc        ACCEPT
> loc        $FW        ACCEPT
> net        all        DROP        info
> ##############################################################################
> #
> # Shorewall version 1.2 - Rules File
> #
> # /etc/shorewall/rules
> #
> #RESULT       CLIENT(S)      SERVER(S)      PROTO   PORT(S)     CLIENT PORT(S)   ADDRESS
> ACCEPT        loc            $FW            tcp     ssh
> ACCEPT        net            $FW            tcp     ssh,auth,nameserver,domain
> ACCEPT        net            $FW            udp     domain
> ACCEPT        net            loc            tcp     smtp,pop3,1935,10001
> ACCEPT        net            loc            icmp    echo-request

Summary:

a) This doesn't look like a Shorewall problem. I suggest that you see what the 
server itself is logging.

b) Configure your one-to-one correctly.

c) No support is available for Shorewall 1.2 so I recommend installing a 
supported version.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
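Tom's diagnostic point above (a connection that completes the handshake and is then closed by the peer is the daemon's doing, not the packet filter's) as an added example that is not part of the thread: a small Python probe that tells a DROP, a REJECT and an application-level hang-up apart, with a constructed local stand-in for the mail server so it runs offline.

```python
import socket
import threading

TIMEOUT = 5.0  # seconds to wait for the connect and then for the greeting

def probe_banner(host, port, timeout=TIMEOUT):
    """Classify a TCP connect to a banner-first service such as SMTP or POP3:
    'timeout'   no SYN/ACK at all, typical of a firewall DROP
    'refused'   RST: a firewall REJECT, or nothing listening
    'closed-before-banner'   handshake done, then the peer hung up without a
                greeting: the daemon (or its wrappers/DNS checks) closed it,
                so the firewall is not where to look
    'silent'    accepted but no greeting before the timeout
    'banner:<text>'   the service greeted us normally"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return "silent"
            if not data:
                return "closed-before-banner"
            return "banner:" + data.decode("ascii", "replace").strip()
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"

def fake_daemon(behaviour):
    """Constructed stand-in for the mail server so the probe runs offline:
    'close' hangs up without a word, 'banner' sends an SMTP 220 greeting."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    for behaviour in ("close", "banner"):
        port = fake_daemon(behaviour)
        print(behaviour, "->", probe_banner("127.0.0.1", port, timeout=2))
```

Against the real server, 'closed-before-banner' is the result the telnet session in the thread shows, and it points at the mail daemon's own logs rather than at Shorewall.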
