Thanks for helping out!
The tcpdump command shows that the gw/server (10.10.10.20) connects to the webserver when I'm connecting via port 80:

    15:30:07.801326 IP 10.10.10.20.60822 > 10.10.10.90.80: Flags [.], ack 2, win 2058, options [nop,nop,TS val 838783045 ecr 1816721615], length 0

But when I'm connecting via port 443 then it tries to connect directly:

    15:30:24.221936 IP 10.10.10.238.60823 > 10.10.10.90.443: Flags [S], seq 3132427274, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2777840162 ecr 0,sackOK,eol], length 0

Which is kind of strange (to me) since both ports/networks share the same rules.

Commenting out the ACCEPT rules doesn't seem to make any difference.

Any ideas?

Thanks again, your input is invaluable!
(I'm no expert as you might notice.)

/Peter

On 2024-10-09 14:45, Justin Pryzby wrote:
On Wed, Oct 09, 2024 at 12:30:00PM +0200, Peter Andersson wrote:
Hi!

I'm having a problem that I can't get my head around.
We have a webserver that runs both http and https. I have no problems
connecting to it from external networks. But when I try to connect to it
locally via https I get the following kernel error:

IPv4: host 10.10.10.238/if3 ignores redirects for 10.10.10.90 to 10.10.10.90

That says that the gateway thinks that the .238 host (the
client browser) should have connected directly to the .90 host, rather
than expecting the gateway to forward the packet.  Maybe because the
client thinks its subnet is smaller (/32) than the gateway (?).

Anyway I think that means the gateway sent an ICMP redirect to the
client, but the client continued to send more packets to the gateway to
be forwarded.  That's not surprising, I don't think it's an 'error', and
may not be the cause of your problem.

You should probably add logging to be sure the rules are hit as you
expect:

DNAT:info:http [...]
DNAT:info:https [...]

I'd also suggest running tcpdump on the .90 host, to see whether the
packets are being received, and with what source address, and whether
they're being replied to.

And: are you sure these ACCEPT rules aren't being hit *instead* of the
DNAT rules to the .90 host (from net and not from loc).

#Web
ACCEPT  net                     fw      tcp     80
ACCEPT  net                     fw      tcp     443
#Web(DNAT) net                lan:10.10.10.90
DNAT       net             lan:10.10.10.90:80    tcp     80    -
DNAT       net             lan:10.10.10.90:443    tcp     443    -
DNAT       net             lan:10.10.10.55:8081    tcp     8081 -

#Allow local web
DNAT    lan        lan:10.10.10.90    tcp    80    -    1.1.1.1
DNAT    gw        lan:10.10.10.90    tcp    80    -    1.1.1.1

#Web local SSL
DNAT    lan        lan:10.10.10.90    tcp    443    -    1.1.1.1
DNAT    gw        lan:10.10.10.90    tcp    443    -    1.1.1.1

--
Turbin  –  Creative production agency

Peter Andersson
Turbin AB, Klevgränd 2, 116 46 Stockholm
Tel +46 8 545 286 47 | Mob +46 70 226 09 21 | Web turbin.se
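To make the check Justin suggested repeatable, here is an added example (not from the thread or from Shorewall) that reads tcpdump output captured on the .90 host and reports, per destination port, whether a connection arrives from the gateway (the local DNAT rule fired) or directly from a LAN client (it did not). It assumes the gateway's LAN address is 10.10.10.20 as in Peter's capture, and the sample lines embedded below are constructed from the two packets he quoted.

```shell
#!/bin/sh
# Added example, not from the thread: classify tcpdump output captured on the
# web server (10.10.10.90) by whether each packet towards it comes from the
# gateway (DNAT rule matched, traffic hairpinned through the Shorewall box)
# or straight from a LAN client (DNAT rule bypassed, client talks directly).
GATEWAY=10.10.10.20   # assumed: the Shorewall box's LAN address, as in the thread
WEBSERVER=10.10.10.90

# Constructed sample capture, modelled on the two lines quoted in the thread.
SAMPLE_CAPTURE='15:30:07.801326 IP 10.10.10.20.60822 > 10.10.10.90.80: Flags [.], ack 2, win 2058, options [nop,nop,TS val 838783045 ecr 1816721615], length 0
15:30:24.221936 IP 10.10.10.238.60823 > 10.10.10.90.443: Flags [S], seq 3132427274, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2777840162 ecr 0,sackOK,eol], length 0'

# classify_flows: reads tcpdump text on stdin and prints, for every packet
# addressed to WEBSERVER, "<dport> <source-ip> via-gateway|direct".
classify_flows() {
    awk -v gw="$GATEWAY" -v srv="$WEBSERVER" '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # tcpdump writes "a.b.c.d.port"; the 5th dot-separated field is the port
            split(src, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]
            split(dst, d, "."); dip = d[1] "." d[2] "." d[3] "." d[4]; dport = d[5]
            if (dip != srv) next
            print dport, sip, (sip == gw ? "via-gateway" : "direct")
        }'
}

# ports_not_via_gateway: lists destination ports that reach WEBSERVER directly
# from a LAN client, i.e. where the local DNAT rule did not take effect.
ports_not_via_gateway() {
    classify_flows | awk '$3 == "direct" { print $1 }' | sort -un
}

# Demo on the constructed capture; on the real host feed
#   tcpdump -nn -l -i eth0 "tcp and dst host $WEBSERVER"   (interface name assumed)
# into classify_flows instead.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_flows
printf '%s\n' "$SAMPLE_CAPTURE" | ports_not_via_gateway
```

On the sample this lists port 443 as the one reaching the server directly, matching the asymmetry Peter observed.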



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
