Ok, I found the culprit:
I changed a rule from DNAT net dmz:10.10.10.102 tcp 80,443 to
DNAT net dmz:10.10.10.102 tcp 80,443 - 184.108.40.206
And now all is working! Thanks Tom for this wonderful firewall and for the
help you give.
2010/3/23 Selvam Matthys <selvam.matthys@...>
> Thank you for the solution! I will read this FAQ!
> I can connect to my machine now :-)) I'm so glad. But for some strange
> reason, i can't get on the internet from this machine when Shorewall is on.
> I can do dns lookups, and tracert and ping from that machine to the
> internet, but can't browse the internet. The worst thing is that there is
> nothing in the log to show me where the problem resides. The only thing I get
> now is this:
> Shorewall:net2dmz:DROP:IN=vmbr0 OUT=venet0 PHYSIN=eth0 SRC=18.104.22.168 DST=10.10.10.102 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=21435 DF PROTO=TCP SPT=2084 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> That's strange because there is a rule that says accept from net
> to dmz:10.10.10.102 80,443
> Now when I open the browser (on the machine with the second ip 220.127.116.11)
> I always see my webserver default webpage on 10.10.10.102.
> Selvam Matthys
> 2010/3/23 Tom Eastep <teastep@...>
>> Selvam Matthys wrote:
>> > Ok, I'm sorry for not answering the last mail, but I changed my whole
>> > So what I did now: two public ip's on my vmbro that is bridged on eth0.
>> > So my fw gets 22.214.171.124 my dmz is 10.10.10.0/24
>> > <http://10.10.10.0/24> and I have one kvm machine connected on vmbr0
>> > with ip 126.96.36.199.
>> > The thing is that when I activate my Shorewall, I can't get on the
>> > internet anymore with this kvm machine, and get this message in the log:
>> > Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=eth0 SRC=188.8.131.52 DST=184.108.40.206 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4338 PROTO=ICMP TYPE=8 CODE=0 ID=34450 SEQ=25345
>> > So when I disable Shorewall, my two public ip's work well, but when
>> > enabled, my second ip stops working. When I ping my second ip I get an
>> > answer back from my main ip 220.127.116.11 that tells me destination
>> > host unreachable.
>> > I will answer much faster this time, I'm not changing my config anymore.
>> You have neglected to set the 'routeback' option on vmbr0. See Shorewall
>> FAQ 17.
>> Tom Eastep \ When I die, I want to go like my Grandfather who
>> Shoreline, \ died peacefully in his sleep. Not screaming like
>> Washington, USA \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
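The two log lines quoted in this thread are the usual Shorewall/netfilter log format: a `Shorewall:<chain>:<disposition>:` prefix followed by `KEY=VALUE` fields. The following parser is an added example, not code from the thread or from the Shorewall project; the only input it uses is the two lines quoted above, embedded as a constructed sample. It turns each line into a dict, counts DROP/REJECT events by chain, interface pair and destination, and flags packets whose IN and OUT interface are the same, which is the hairpin-through-the-bridge pattern that Tom's 'routeback' diagnosis refers to. The helper names (`parse_line`, `summarize`, `hairpin_records`) are my own.

```python
import re
from collections import Counter

# Constructed sample: the two log lines quoted in this thread, one per line.
SAMPLE_LOG = """\
Shorewall:net2dmz:DROP:IN=vmbr0 OUT=venet0 PHYSIN=eth0 SRC=18.104.22.168 DST=10.10.10.102 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=21435 DF PROTO=TCP SPT=2084 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=eth0 SRC=188.8.131.52 DST=184.108.40.206 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4338 PROTO=ICMP TYPE=8 CODE=0 ID=34450 SEQ=25345
"""

# Shorewall's LOG prefix: "Shorewall:<chain>:<disposition>:" then netfilter's fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:\s]+):(?P<rest>.*)")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    flags = []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # ICMP lines carry ID= twice (IP header id, then ICMP id); keep the first.
            rec.setdefault(key, value)
        else:
            flags.append(tok)  # bare tokens such as DF or SYN
    rec["flags"] = flags
    return rec


def parse_log(text):
    """Parse every recognisable Shorewall line in a block of log text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count DROP/REJECT events by chain, interfaces, destination and service."""
    counts = Counter()
    for r in records:
        if r["disposition"] in ("DROP", "REJECT"):
            key = (r["chain"], r["disposition"], r.get("IN"), r.get("OUT"),
                   r.get("DST"), r.get("PROTO"), r.get("DPT"))
            counts[key] += 1
    return counts


def hairpin_records(records):
    """Packets that entered and would leave through the same interface.

    IN == OUT on a bridge interface is the symptom Tom identifies above:
    traffic between hosts on the same bridge, which Shorewall only forwards
    when the interface has the 'routeback' option set.
    """
    return [r for r in records if r.get("IN") and r.get("IN") == r.get("OUT")]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).items():
        print(n, key)
    for r in hairpin_records(recs):
        print("hairpin:", r["chain"], r["IN"], r["SRC"], "->", r["DST"])
```

Running it on a real `/var/log/messages` or `journalctl -k` extract gives the same two views: the summary shows which zone pair and destination port is being blocked, and the hairpin list isolates bridge-internal traffic from genuine net-to-dmz drops.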