[Shorewall-newbies] DNAT problems

Tom Eastep teastep at shorewall.net
Sun Feb 1 12:01:24 PST 2004

On Sun, 1 Feb 2004, Chris H. wrote:

> first off, here's my rules file:
> ----------------------------------------
> # handle dns queries here on mercury:
> ACCEPT net fw tcp 53
> ACCEPT net fw tcp 53

Two instances of the same rule?

> ACCEPT net all tcp 53
> ACCEPT net all udp 53

> DNAT net loc: tcp 53
> DNAT net loc: udp 53

The last two rules mask all of the preceding rules.

> # handle external ftp queries here locally:
> ACCEPT net fw tcp 21
> # keep ssh here locally for external hosts:
> ACCEPT net fw tcp 22
> # transparent proxy'ing for the lan:
> DROP:warning net fw tcp 3128 3128
> REDIRECT loc 3128 tcp 80 -
> # forward vnc requests to orion:
> DNAT net loc: tcp 5900
> # the forwards for fshost on neptune:
> DNAT net loc: tcp 81
> DNAT net loc: tcp 23456
> DNAT net loc: tcp 47624
> DNAT net loc: tcp 2300:2400
> DNAT net loc: tcp 4600:4799
> DNAT net loc: tcp 8092:8094

I'm surprised that this thing uses TCP -- is that right?

> having a few problems. first off, DNS queries are not getting through unless I
> add all that junk AND a DNAT entry. this doesn't seem correct to me but it's
> the only combination I've found that allows the queries to get through (I run
> DNS for my domain on .11 so it needs to be accessed by the world).

I can't explain that -- the other rules are nonsense. If you forward the
output of "shorewall status" as a text attachment, I'll try to understand
what is going on.

> secondly I've tried that "hack" for 23456 and it doesn't work. I run a flight
> sim server (fshost) on .4 as you can see and all those ports need to be
> open...but they are all reporting closed when I nmap from an external box.
> since the hack doesn't work, I haven't a clue what else to try to force these
> ports open.

Did you try the port-forwarding troubleshooting information in FAQs 1a and

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
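Added example (not part of the original thread, and not Shorewall's own code): a small simulation of the netfilter traversal order that makes Tom's remark concrete. A Shorewall DNAT rule becomes a nat-table PREROUTING entry, and PREROUTING runs before the routing decision and before any filter chain. A DNS query arriving for the firewall's own address is therefore rewritten to the loc host and forwarded through net2loc; the ACCEPT net fw rules in net2fw never see it, whatever order they appear in the rules file. The addresses (203.0.113.1 for the firewall, 192.168.1.11 for the .11 DNS server), the loc network and a net-to-all DROP policy are assumptions chosen for the example, and the rule text is a constructed subset of the posted file with the elided DNAT target filled in by that assumption.

```python
import ipaddress

# Assumed addressing (placeholders, not from the post).
FW_EXT = "203.0.113.1"                              # firewall's external address
LOC_NET = ipaddress.ip_network("192.168.1.0/24")    # loc zone
DNS_HOST = "192.168.1.11"                           # the ".11" DNS server

# Constructed rules in the /etc/shorewall/rules column layout:
# ACTION SOURCE DEST PROTO DPORT  (DPORT may be a single port or low:high)
POSTED_RULES = f"""
ACCEPT  net  fw             tcp  53
ACCEPT  net  all            tcp  53
ACCEPT  net  all            udp  53
DNAT    net  loc:{DNS_HOST} tcp  53
DNAT    net  loc:{DNS_HOST} udp  53
ACCEPT  net  fw             tcp  22
"""

def parse_rules(text):
    """Turn the five-column rule lines into dicts with a port range."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dest, proto, dport = line.split()
        zone, _, target = dest.partition(":")
        lo, _, hi = dport.partition(":")
        rules.append({"action": action, "src": src, "dest": zone,
                      "target": target or None, "proto": proto,
                      "ports": range(int(lo), int(hi or lo) + 1)})
    return rules

def zone_of(ip):
    """Zone that owns a destination address under the assumed addressing."""
    if ip == FW_EXT:
        return "fw"
    if ipaddress.ip_address(ip) in LOC_NET:
        return "loc"
    return "net"

def matches(rule, src_zone, proto, dport):
    return (rule["src"] in (src_zone, "all") and rule["proto"] == proto
            and dport in rule["ports"])

def trace(rules_text, src_zone, dst_ip, proto, dport):
    """Walk nat PREROUTING, the routing decision, then one filter chain.
    Returns (verdict, chain, final_destination, steps)."""
    rules = parse_rules(rules_text)
    steps = []
    # 1. nat PREROUTING: the first matching DNAT rule rewrites the destination.
    #    Shorewall's DNAT matches traffic addressed to the firewall itself.
    for r in rules:
        if (r["action"] == "DNAT" and zone_of(dst_ip) == "fw"
                and matches(r, src_zone, proto, dport)):
            steps.append(f"nat PREROUTING: DNAT {dst_ip}:{dport} -> {r['target']}")
            dst_ip = r["target"]
            break
    # 2. Routing decision: a local address goes to INPUT (net2fw),
    #    anything else to FORWARD (net2loc).
    dst_zone = zone_of(dst_ip)
    chain = f"{src_zone}2{dst_zone}"
    steps.append(f"routing: {dst_ip} is in zone {dst_zone}, chain {chain}")
    # 3. Filter chain: first match wins; a DNAT rule also ACCEPTs its own
    #    rewritten flow in the destination zone's chain.
    for r in rules:
        if not matches(r, src_zone, proto, dport):
            continue
        if r["action"] == "DNAT" and r["dest"] == dst_zone and dst_ip == r["target"]:
            steps.append(f"{chain}: ACCEPT (generated by the DNAT rule)")
            return "ACCEPT", chain, dst_ip, steps
        if r["action"] in ("ACCEPT", "DROP") and r["dest"] in (dst_zone, "all"):
            steps.append(f"{chain}: {r['action']} by rule "
                         f"'{r['action']} {r['src']} {r['dest']} {proto} {dport}'")
            return r["action"], chain, dst_ip, steps
    steps.append(f"{chain}: no rule matched, policy DROP")   # assumed policy
    return "DROP", chain, dst_ip, steps

def without_dns_dnat(text):
    """The same rule set with the two port-53 DNAT lines removed."""
    return "\n".join(ln for ln in text.splitlines()
                     if not (ln.startswith("DNAT") and ln.split()[-1] == "53"))

if __name__ == "__main__":
    for label, rules in (("posted rules", POSTED_RULES),
                         ("port-53 DNAT lines removed", without_dns_dnat(POSTED_RULES))):
        verdict, chain, final, steps = trace(rules, "net", FW_EXT, "udp", 53)
        print(f"--- {label}: DNS query from net to {FW_EXT} ---")
        print("\n".join(steps))
        print(f"=> {verdict} in {chain}, delivered to {final}\n")
```

With the posted rules the query is rewritten in PREROUTING and accepted in net2loc by the "ACCEPT net all udp 53" line, so it lands on the .11 server and the "ACCEPT net fw" lines are dead; with the two DNAT lines removed the same query is accepted in net2fw and answered by the firewall itself. The real check on a running box is the nat table ("shorewall show nat", or "iptables -t nat -L PREROUTING -n -v"), which is what the "shorewall status" output Tom asks for contains.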

