[Shorewall-newbies] Problem with DNAT (Portforwarding)

Roger Zueger rz.privat at gmx.ch
Mon Jan 5 01:21:50 PST 2004


First: Happy New Year to all members of this list...

Second: I'm totally confused because of my little problem, and I hope
someone can help me...

I'm using Shorewall on a PC with two NICs (eth0 => internet zone [net] and
eth1 => internal zone [loc]) and all works fine, but I have a little problem
with port forwarding. I defined the following rule:

DNAT:info       net     loc:10.0.0.200  tcp     80      -

If I try to connect (from the internet [net]) to my internal www-server, the
firewall writes the following line to syslog:

Jan  5 00:42:30 net_dnat:DNAT:IN=eth0 OUT= SRC=81.62.184.216 DST=217.162.228.222 LEN=60 TOS=0x10 PREC=0x00 TTL=53 ID=47877 DF PROTO=TCP SPT=10459 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

But no connection is established. I don't know why, because if I try to
connect to my webserver from the firewall [fw] it works perfectly! I'm using
Shorewall 1.4.8 on a Debian 3.0 (woody) system with kernel 2.4.18.

With the command shorewall show nat, the following lines are displayed:

Counters reset Mon Jan  5 00:42:21 CET 2004

Chain PREROUTING (policy ACCEPT 126 packets, 19234 bytes)
 pkts bytes target     prot opt in     out     source               destination
   63 10218 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 85 packets, 3972 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  1758 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 8 packets, 732 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.0.0.0/24          0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       10.0.0.0/24          0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:25 LOG flags 0 level 6 prefix `Shorewall:net_dnat:DNAT:'
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:25 to:10.0.0.200
    1    60 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 LOG flags 0 level 6 prefix `Shorewall:net_dnat:DNAT:'
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:10.0.0.200

Any ideas?

Thanks for any little idea!

best regards

roger
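Added example, not part of the original post or of Shorewall: a small Python parser for the netfilter LOG line quoted above, so the fields the kernel wrote (interfaces, addresses, ports, TCP flags) can be read off and summarised when checking whether a DNAT rule was hit. It treats everything between the syslog timestamp and the first IN= token as the LOG prefix, so it works whether or not the hostname and the "Shorewall:" part of the prefix survive in the line.

```python
import re
from typing import Dict, List

# The log line as quoted in the post (only the leading "Shorewall:" part of
# the LOG prefix and the syslog hostname are missing from that quote).
SAMPLE_LOG = (
    "Jan  5 00:42:30 net_dnat:DNAT:IN=eth0 OUT= SRC=81.62.184.216 "
    "DST=217.162.228.222 LEN=60 TOS=0x10 PREC=0x00 TTL=53 ID=47877 DF PROTO=TCP "
    "SPT=10459 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# syslog timestamp, then the LOG prefix, then the kernel's field list (IN=...)
_LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(.*?)(IN=.*)$")
_KV = re.compile(r"^([A-Z]+)=(.*)$")


def parse_netfilter_log(line: str) -> dict:
    """Split a netfilter LOG line into timestamp, prefix, KEY=value fields
    and bare flag tokens (DF, SYN, ACK, ...)."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    ts, prefix, rest = m.groups()
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in rest.split():
        kv = _KV.match(tok)
        if kv:
            fields[kv.group(1)] = kv.group(2)   # "OUT=" yields an empty value
        else:
            flags.append(tok)                   # DF, SYN, ACK, ... have no '='
    return {"timestamp": ts, "prefix": prefix, "fields": fields, "flags": flags}


def describe_dnat_hit(rec: dict) -> str:
    """One-line summary of which rule was hit by which flow, and whether the
    packet was the opening SYN of a new connection (the case in the post) or
    a packet of an already established flow."""
    f = rec["fields"]
    new = "SYN" in rec["flags"] and "ACK" not in rec["flags"]
    return (f"{rec['prefix'].rstrip(':')} {f.get('PROTO')} "
            f"{f['SRC']}:{f.get('SPT', '-')} -> {f['DST']}:{f.get('DPT', '-')} "
            f"in={f['IN']} out={f['OUT'] or '-'} "
            f"{'new connection (SYN)' if new else 'existing flow'}")


if __name__ == "__main__":
    print(describe_dnat_hit(parse_netfilter_log(SAMPLE_LOG)))
```

An empty OUT= together with a filled IN= is what a PREROUTING (nat table) hit looks like: the packet was logged before any routing decision, which is why the rule's log says nothing about whether it was later forwarded.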
