[Shorewall-newbies] DNAT problems
nas at nasland.nu
Sun Feb 1 14:06:16 PST 2004
First off, here's my rules file:
# handle dns queries here on mercury:
ACCEPT net fw tcp 53
ACCEPT net fw tcp 53
ACCEPT net all tcp 53
ACCEPT net all udp 53
DNAT net loc:192.168.1.11 tcp 53
DNAT net loc:192.168.1.11 udp 53
# handle external ftp queries here locally:
ACCEPT net fw tcp 21
# keep ssh here locally for external hosts:
ACCEPT net fw tcp 22
# transparent proxy'ing for the lan:
DROP:warning net fw tcp 3128 3128
REDIRECT loc 3128 tcp 80 -
# forward vnc requests to orion:
DNAT net loc:192.168.1.1 tcp 5900
# the forwards for fshost on neptune:
DNAT net loc:192.168.1.4 tcp 81
DNAT net loc:192.168.1.4 tcp 23456
DNAT net loc:192.168.1.4 tcp 47624
DNAT net loc:192.168.1.4 tcp 2300:2400
DNAT net loc:192.168.1.4 tcp 4600:4799
DNAT net loc:192.168.1.4 tcp 8092:8094
# accept icmp pings
ACCEPT all fw icmp
Secondly, here's my policy file:
loc loc ACCEPT
loc net ACCEPT
loc fw ACCEPT
fw net ACCEPT
net all DROP
all all REJECT info
The masq file simply contains "eth0 eth1".
Any other files that need to be posted, let me know.
Shorewall version is 1.4.7c
...and NAT and forwarding are enabled in shorewall.conf.
Having a few problems. First off, DNS queries are not getting through unless I
add all that junk AND a DNAT entry. This doesn't seem correct to me, but it's
the only combination I've found that allows the queries to get through (I run
DNS for my domain on .11, so it needs to be accessed by the world).

Secondly, I've tried that "hack" for 23456 and it doesn't work. I run a flight
sim server (fshost) on .4, as you can see, and all those ports need to be
open... but they are all reporting closed when I nmap from an external box.
Since the hack doesn't work, I haven't a clue what else to try to force these

All the other ports work as they should, using a simple "accept net fw tcp 21",
and FTP from external hosts works as it should. The "dnat net loc:192.168.1.1 tcp
5900" works flawlessly as well.

Am I missing something? Why can't DNS be handled as simply as "accept net fw
tcp/udp 53", and why, no matter what I try, can't I get 23456 open? 23456, however,
isn't the only one that needs to be open, but it's the one I'm working on right
now. All the ones pointing to .4 need to be open.

.11, btw, is the machine handling the routing. Also, the .4 pointing to port 81
is also working flawlessly. So it seems all the other .4's are "broken".

I'm really lost here, as I've gone through the manual, and I'm out of ideas.
Everything looks like it should work, but doesn't. And that stupid hack for
DNS, while it does work, irritates me and I'd rather condense it into one
line if possible.

I've also added .1 and .4 into the proxyarp file just in case that would help,
but it seems to have no effect.

I'd appreciate any help. Thanks.
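The rules file above is small enough to read by eye, but the questions it raises (is a rule listed twice? which ports actually reach each internal host once the port ranges are expanded? does an ACCEPT to the firewall overlap a DNAT for the same port?) are exactly what a quick audit script answers before anyone starts guessing. The following is an added example, not code from the original post or from the Shorewall project. It assumes the Shorewall 1.4 column layout (ACTION SOURCE DEST PROTO DEST-PORTS [SOURCE-PORTS]), the zone names "net", "loc" and "fw" from the post, and it embeds the poster's rules as a constructed sample. The overlap check relies on the iptables fact that nat PREROUTING runs before filter INPUT/FORWARD, so a port that a DNAT rule rewrites never reaches the firewall's own INPUT chain, which makes a matching "ACCEPT net fw" line dead.

```python
"""Audit a Shorewall 1.4-style rules file for duplicate and overlapping rules.

Added example, not part of the original mailing-list post and not Shorewall's
own code. Assumes the column layout ACTION SOURCE DEST PROTO DEST-PORTS
[SOURCE-PORTS] and the zone names net/loc/fw used in the post.
"""
from collections import defaultdict

# Constructed sample: the rules from the post, comments removed.
SAMPLE_RULES = """
ACCEPT net fw tcp 53
ACCEPT net fw tcp 53
ACCEPT net all tcp 53
ACCEPT net all udp 53
DNAT net loc:192.168.1.11 tcp 53
DNAT net loc:192.168.1.11 udp 53
ACCEPT net fw tcp 21
ACCEPT net fw tcp 22
DROP:warning net fw tcp 3128 3128
REDIRECT loc 3128 tcp 80 -
DNAT net loc:192.168.1.1 tcp 5900
DNAT net loc:192.168.1.4 tcp 81
DNAT net loc:192.168.1.4 tcp 23456
DNAT net loc:192.168.1.4 tcp 47624
DNAT net loc:192.168.1.4 tcp 2300:2400
DNAT net loc:192.168.1.4 tcp 4600:4799
DNAT net loc:192.168.1.4 tcp 8092:8094
ACCEPT all fw icmp
"""


def parse_rules(text):
    """Return one dict per non-empty, non-comment rule line (1-based line numbers)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        rules.append({
            "line": lineno,
            "action": cols[0].split(":", 1)[0].upper(),  # drop ":warning" style log level
            "source": cols[1],
            "dest": cols[2] if len(cols) > 2 else "-",
            "proto": cols[3].lower() if len(cols) > 3 else "-",
            "dport": cols[4] if len(cols) > 4 else "-",
            "sport": cols[5] if len(cols) > 5 else "-",
        })
    return rules


def expand_ports(spec):
    """Expand '80', '2300:2400' or '80,443' into a set of ints; '-' means none."""
    ports = set()
    if spec == "-":
        return ports
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def find_duplicates(rules):
    """Exact repeats of an earlier rule: (first line, repeated line, rule key)."""
    seen, dups = {}, []
    for r in rules:
        key = (r["action"], r["source"], r["dest"], r["proto"], r["dport"], r["sport"])
        if key in seen:
            dups.append((seen[key], r["line"], key))
        else:
            seen[key] = r["line"]
    return dups


def forwarded_ports(rules):
    """Map internal host -> {proto: sorted list of ports} across all DNAT rules."""
    fwd = defaultdict(lambda: defaultdict(set))
    for r in rules:
        if r["action"] != "DNAT" or ":" not in r["dest"]:
            continue
        host = r["dest"].split(":", 1)[1]
        fwd[host][r["proto"]].update(expand_ports(r["dport"]))
    return {h: {p: sorted(s) for p, s in protos.items()} for h, protos in fwd.items()}


def accept_and_dnat_overlap(rules):
    """ACCEPT net->fw rules whose ports a DNAT-from-net rule also rewrites.
    nat PREROUTING runs before filter INPUT, so that traffic is forwarded to
    the internal host and the ACCEPT on the firewall itself never matches."""
    dnat = defaultdict(set)
    for r in rules:
        if r["action"] == "DNAT" and r["source"] == "net":
            dnat[r["proto"]].update(expand_ports(r["dport"]))
    overlap = []
    for r in rules:
        if r["action"] == "ACCEPT" and r["source"] == "net" and r["dest"] == "fw":
            hit = expand_ports(r["dport"]) & dnat[r["proto"]]
            if hit:
                overlap.append((r["line"], r["proto"], sorted(hit)))
    return overlap


if __name__ == "__main__":
    rs = parse_rules(SAMPLE_RULES)
    for first, dup, key in find_duplicates(rs):
        print(f"line {dup} repeats line {first}: {' '.join(key)}")
    for line, proto, ports in accept_and_dnat_overlap(rs):
        print(f"line {line}: ACCEPT net fw {proto} {ports} is pre-empted by a DNAT rule")
    for host, protos in sorted(forwarded_ports(rs).items()):
        for proto, ports in protos.items():
            print(f"{host} {proto}: {len(ports)} forwarded port(s)")
```

Run it against a real rules file by replacing SAMPLE_RULES with the file's contents; on the sample it reports the repeated "ACCEPT net fw tcp 53" line, flags both of those ACCEPT lines as pre-empted by the tcp 53 DNAT, and shows 307 tcp ports forwarded to 192.168.1.4 once the three ranges are expanded.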