[Shorewall-newbies] net2all policy blocking "NAT 2 NAT" traffic

Tom Eastep teastep at shorewall.net
Thu Feb 19 08:30:20 PST 2004

On Thursday 19 February 2004 07:58 am, Eugene Ventimiglia wrote:
> I have the following in my zones file:
> srv     Servers         Local servers
> ofc     Office          Office workstations
> net     Net             Internet
> eth1 goes to the "srv" zone, and eth0 to "net" & "ofc" (differentiated in
> hosts)
> Policy:
> #CLIENT         SERVER          POLICY          LOG LEVEL
> $FW             all             ACCEPT
> srv             all             ACCEPT
> ofc             all             ACCEPT
> net             all             DROP            info
> I have the following in my nat file:
>   eth0      yes                     yes
>   eth0      yes                     yes
>   eth0      yes                     yes
>   eth0      yes                     yes
> I have the hostname for the computer at m-kube.com in a round robin DNS
> (using &, and both &
> configured on the same interface (It'll be two computers next week...)
> Everything works smoothly from net or ofc, but when I try to reach
> http://m-kube.com from the machine itself the log shows this:
> Feb 19 06:21:41 mkfrwsrv-nyc001 kernel: Shorewall:net2all::IN=eth1 OUT=eth1
> SRC=
> DST= LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64104 DF PROTO=TCP
> SPT=1224 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> And pings work,

They only appear to work.

> but http doesn't connect. 
> Any ideas?

Your problem is exactly the one covered in FAQ 2a.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
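As an added illustration (not part of this thread and not Shorewall's own code), here is a small Python parser for the kernel log format quoted above: it pulls out the chain name, the zone pair encoded in it, the disposition and the IN/OUT interfaces, and flags the same-interface case the post's net2all line shows. The sample lines and all addresses in them are constructed, since the archive stripped the original SRC/DST values.

```python
import re

# Constructed sample lines in the layout quoted above; the SRC/DST values in the
# archived post were stripped, so these addresses are placeholders.
SAMPLE_LOG = """\
Feb 19 06:21:41 mkfrwsrv-nyc001 kernel: Shorewall:net2all::IN=eth1 OUT=eth1 SRC=10.1.1.20 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64104 DF PROTO=TCP SPT=1224 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Feb 19 06:22:03 mkfrwsrv-nyc001 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Log prefix is "Shorewall:<chain>:<disposition>:" (disposition may be empty,
# as in the post), followed by netfilter KEY=VALUE fields; bare flag tokens
# such as DF and SYN have no '=' and are skipped.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]*):")
FIELD_RE = re.compile(r"(?<!\S)([A-Z]+)=(\S*)")

def parse_line(line):
    """Parse one kernel log line; return None for lines without a Shorewall prefix."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    chain = m.group("chain")
    # Policy/rule chains are named <source zone>2<destination zone>.
    src_zone, sep, dst_zone = chain.partition("2")
    return {
        "chain": chain,
        "disposition": m.group("disp"),
        "src_zone": src_zone if sep else None,
        "dst_zone": dst_zone if sep else None,
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "dport": fields.get("DPT"),
    }

def is_hairpin(rec):
    """Same IN and OUT interface: a host behind the firewall reached the
    server's NATed external address and is being routed straight back out
    the way it came, the pattern in the post's net2all line."""
    return bool(rec["in"]) and rec["in"] == rec["out"]

def hairpin_drops(log_text):
    """Records for Shorewall lines that show the same-interface pattern."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r is not None and is_hairpin(r)]

if __name__ == "__main__":
    for r in hairpin_drops(SAMPLE_LOG):
        print(r["chain"], r["in"], r["src"], "->", r["dst"], "dport", r["dport"])
```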
