[Shorewall-newbies] DNAT problems

Chris H. nas at nasland.nu
Sun Feb 1 14:06:16 PST 2004

first off, here's my rules file:
# handle dns queries here on mercury:
ACCEPT net fw tcp 53
ACCEPT net fw tcp 53
ACCEPT net all tcp 53
ACCEPT net all udp 53
DNAT net loc: tcp 53
DNAT net loc: udp 53

# handle external ftp queries here locally:
ACCEPT net fw tcp 21

# keep ssh here locally for external hosts:
ACCEPT net fw tcp 22

# transparent proxy'ing for the lan:
DROP:warning net fw tcp 3128 3128
REDIRECT loc 3128 tcp 80 -

# forward vnc requests to orion:
DNAT net loc: tcp 5900

# the forwards for fshost on neptune:
DNAT net loc: tcp 81
DNAT net loc: tcp 23456
DNAT net loc: tcp 47624
DNAT net loc: tcp 2300:2400
DNAT net loc: tcp 4600:4799
DNAT net loc: tcp 8092:8094

# accept icmp pings
ACCEPT all fw icmp

secondly, here's my policy file:
loc   loc   ACCEPT
loc   net   ACCEPT
loc   fw    ACCEPT
fw    net   ACCEPT
net   all   DROP
all   all   REJECT    info

masq file simply contains "eth0 eth1".

any other files that need to be posted let me know.

shorewall version is 1.4.7c

...and nat and forwarding is enabled in shorewall.conf

having a few problems. first off, dns queries are not getting through unless i 
add all that junk AND a dnat entry. this doesnt seem correct to me but its 
the only combination i've found that allows the queries to get through (i run 
dns for my domain on .11 so it needs to be accessed by the world).

secondly i've tried that "hack" for 23456 and it doesnt work. i run a flight 
sim server (fshost) on .4 as you can see and all those ports need to be 
open...but they are all reporting closed when i nmap from an external box. 
since the hack doesnt work, i havent a clue what else to try to force these 
ports open.

all the other ports work as they should, using simple accept net fw tcp 21 and 
ftp from external hosts work as they should. the dnat net loc: tcp 
5900 works flawlessly as well.

am i missing something? why cant dns be handled as simple as accept net fw 
tcp/udp 53 and why no matter what i try cant i get 23456 open? 23456, however 
isnt the only one that needs to be open but its the one im working on right 
now. all the ones pointing to .4 need to be open.

.11 btw is the machine handling the routing. also, the .4 pointing to port 81 
is also working flawlessly. so it seems all the other .4's are "broken".

im really lost here as i've gone through the manual, and im out of ideas. 
everything looks like it should work, but doesnt. and that stupid hack for 
dns, while it does work, it irritates me and i'd rather condense it into one 
line if possible.

i've also added .1 and .4 into the proxyarp file just incase that would help, 
but it seems to have no effect.

i'd appreciate any help. thanks.

-Chris H.

More information about the Shorewall-newbies mailing list