[Shorewall-newbies] DNAT problems

Tom Eastep teastep at shorewall.net
Thu Feb 5 14:33:28 PST 2004

On Thursday 05 February 2004 02:17 pm, Tim Meadows wrote:
> Tom,
> >And it didn't occur to you to try the "Quick Search" in the top Website
> >frame?
> I did try the "Quick Search" and everything I tried to search based on
> either says to do exactly like I have or came up with nothing.
> >The VNC port number is 5900+<display number>. So
> >
> >Display 0 = 5900
> >Display 1 = 5901
> That is fine but RealVNC by default seems to use 5500.  While using it on
> the internal network I did it with the ":5900" at the end of the "Add
> Client" - to make the connection - and it failed.  I tried 5800 and it
> failed.  I tried 5500 and it worked fine.  So I assume that to get it to
> work from outside I should try the same thing "5500"  - Which must mean
> that my display is 0 (does that mean that it is the first (or only) VNC
> "device" listening?)

I have no idea -- I've clearly never used "RealVNC" so I certainly can't 
predict what effect adding :5900 (or anything else for that matter) to 
"Add client" might have on the state of the universe.

> I did a SHOREWALL SHOW NAT on the server and it shows the following:
> =============
> Shorewall-1.3.7b NAT at WebServer - Thu Feb  5 16:12:26 CST 2004
> Counters reset Thu Feb  5 15:00:17 CST 2004
> Chain PREROUTING (policy ACCEPT 333K packets, 34M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   841 91573 net_dnat   all  --  eth0   *
> Chain POSTROUTING (policy ACCEPT 7987 packets, 1077K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> Chain OUTPUT (policy ACCEPT 8627 packets, 1118K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> Chain net_dnat (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>    20   960 DNAT       tcp  --  *      *       tcp dpt:5500 to:
> [root at WebServer shorewall]#
> =============
> Does that help at all?

It says that you are receiving requests from the net on TCP port 5500 and that 
they are being forwarded to It doesn't say:

a) If is getting them.
b) If has any clue how to reply to them (is the default gateway 
on that system configured to be the IP address of the firewall interface to 
which that system connects?).
c) If there is other traffic being sent by the client that the firewall is 
logging and discarding (have you looked at your log?).
d) If is sending traffic to the client which is being logged and 
discarded by the firewall.

I also note that the version of Shorewall that you are running is 18 months 
old -- that puts it back in the stone age of Shorewall development (although 
DNAT did work back then :-)

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
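
The four checks Tom lists (is the DNAT target receiving the packets, is its default route the firewall, is the firewall logging drops of the client's other traffic, is it logging drops of the target's replies) can be scripted against text an admin already has on hand. The script below is an added example written for this archive page; it is not Shorewall's code and not from anyone in the thread. It works on constructed sample output in the layout of `iptables -t nat -L -n -v` (which is what `shorewall show nat` prints), constructed Shorewall kernel-log lines in the `Shorewall:chain:disposition:` prefix format, and constructed `route -n` output from the VNC host. The addresses 192.0.2.1 (firewall, outside), 10.0.0.1 (firewall, inside) and 10.0.0.5 (VNC host) are chosen here, not taken from the thread.

```shell
#!/bin/sh
# Added diagnostic helper for a Shorewall DNAT problem; not part of Shorewall
# and not code from the original thread. All sample data below is constructed.

# Constructed: column layout of `iptables -t nat -L -n -v` / `shorewall show nat`.
# One rule with hits (TCP 5500) and one that never matched (TCP 5900).
NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 333K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination
  841 91573 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   20   960 DNAT       tcp  --  *      *       0.0.0.0/0            192.0.2.1            tcp dpt:5500 to:10.0.0.5
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.0.2.1            tcp dpt:5900 to:10.0.0.5:5900'

# Constructed: Shorewall kernel log lines (LOGFORMAT "Shorewall:%s:%s:").
# Line 1: the client also tried 5900 and was dropped (Tom's case c).
# Line 2: the VNC host's reply on source port 5500 was dropped (Tom's case d).
LOG_SAMPLE='Feb  5 16:10:01 WebServer kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=41222 DPT=5900
Feb  5 16:10:03 WebServer kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=5500 DPT=41223
Feb  5 16:10:05 WebServer kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=5353 DPT=5353'

# Constructed: `route -n` as run on the VNC host (Tom's case b).
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# dnat_rules: read nat table output on stdin, print one line per DNAT rule:
#   <dport> <dnat target> <packet counter> hit|no-hits
# A rule with zero hits means the firewall never saw a matching packet.
dnat_rules() {
    awk '$3 == "DNAT" {
        dpt = "?"; to = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:/) dpt = substr($i, 5)
            if ($i ~ /^to:/)  to  = substr($i, 4)
        }
        printf "%s %s %s %s\n", dpt, to, $1, ($1 > 0 ? "hit" : "no-hits")
    }'
}

# drops_for_port PORT: read kernel log lines on stdin, print every Shorewall
# DROP/REJECT whose source or destination port is PORT, as
#   <chain> <disposition> <src>:<spt> -> <dst>:<dpt>
# The chain name tells you the direction (net2all = from the client,
# loc2net = the DNAT target's replies going back out).
drops_for_port() {
    awk -v port="$1" '
    /Shorewall:[^ ]*:(DROP|REJECT):/ {
        chain = ""; disp = ""; src = ""; dst = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) { split($i, p, ":"); chain = p[2]; disp = p[3] }
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (spt == port || dpt == port)
            printf "%s %s %s:%s -> %s:%s\n", chain, disp, src, spt, dst, dpt
    }'
}

# default_gw_check FIREWALL_INTERNAL_IP: read `route -n` output on stdin and
# report whether the host's default route points at the firewall. If it does
# not, DNAT'd packets arrive but the replies leave via some other router.
default_gw_check() {
    awk -v fw="$1" '
    $1 == "0.0.0.0" && $3 == "0.0.0.0" {
        found = 1
        print ($2 == fw ? "gateway-is-firewall" : "gateway-is-" $2)
    }
    END { if (!found) print "no-default-route" }'
}

echo "== DNAT rules: dport target pkts status =="
printf '%s\n' "$NAT_SAMPLE" | dnat_rules
echo "== Shorewall drops involving port 5500 (replies from the VNC host) =="
printf '%s\n' "$LOG_SAMPLE" | drops_for_port 5500
echo "== Shorewall drops involving port 5900 (other client traffic) =="
printf '%s\n' "$LOG_SAMPLE" | drops_for_port 5900
echo "== Default gateway on the VNC host (firewall inside address assumed 10.0.0.1) =="
printf '%s\n' "$ROUTE_SAMPLE" | default_gw_check 10.0.0.1
```

On a real system the inputs are `shorewall show nat | dnat_rules` on the firewall, `grep Shorewall /var/log/messages | drops_for_port 5500` (or wherever the kernel log lands), and `route -n | default_gw_check <firewall inside IP>` run on the VNC host itself. Check (a), whether the target host actually receives the forwarded packets, is still a `tcpdump port 5500` on the target; the script covers (b), (c) and (d).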
