[Shorewall-newbies] DNAT problems

Tom Eastep teastep at shorewall.net
Tue Feb 10 13:12:11 PST 2004

On Tuesday 10 February 2004 12:55 pm, Dan Harding wrote:
> I have been working with Tim Meadows on the problems we have been having
> getting Shorewall to do what we want.
> Our configuration is different that what I have been able to find in any
> of the documentation.  Let me attempt to describe it. (Tim may have
> already described this in a previous email, but I will do it again for
> clarity)
> We have a T1 connection to an ISP supplied router.  The router sends
> traffic for mail.techteam.org to one internal machine ( and
> traffic for www.techteam.org to another internal machine (
> Our goal is to redirect certain ports sent to www.techteam.org to yet
> another internal machine.
> Currently our need is for clients to connect to us using VNC and have
> that redirected to Tim's PC.
> We have configured Shorewall so it accepts only ports we want. (i.e.
> Ftp, http, ssh, etc.)  So in that way Shorewall is working for us.  We
> have not been able to get DNAT to work at all.
> Is this something that Shorewall can do, or is that the wrong tool for
> this, given the above configuration.
> I have a development system that I have upgraded to the latest Shorewall
> (1.4.10a) but it does not have an external IP routed to it, so I'm not
> sure if it's something we can use for testing.  However, if it is, I can
> totally overwrite any shorewall configuration files and completely start
> from scratch if that would be easiest.
> Thanks for your help and patience with us.


The usual problem with DNAT in this environment is as follows:

a) Client sends connection request (SYN) to TCP port 5500 on Shorewall box.
b) Shorewall box rewrites the header to change the source address to the VNC 
c) The VNC system accepts the connection are returns a reply (SYN ACK) to the 
d) The client simply discards the (SYN ACK) because it came from the "wrong" 

This problem is avoided by applying SNAT on the connection. FAQ 2 shows how to 
do that from loc->loc; net->net is done in a similar way. I don't recall if 
the version of Shorewall being used (1.3.7 IIRC) supports that technique or 

I say, that's the "Usual" problem. Tim's problem seemed like it had to do with 
the definition of his zones or he was missing an interface option; IIRC, the 
original SYN was being rejected out of either the INPUT or FORWARD chains. 
With the version of Shorewall being 1.3.7 this probably means that the 
missing interface option (/etc/shorewall/interfaces) is 'multi' but I would 
have to drag out the 1.3.7 source code and read a while to be sure.


More information about the Shorewall-newbies mailing list