[Shorewall-newbies] DNAT not working at all

Tom Eastep teastep at shorewall.net
Wed Jan 7 12:59:30 PST 2004


On Wednesday 07 January 2004 12:48 pm, Simon Cooper wrote:
> I'm trying to route connections to 9192 on the firewall to internal machine
> 192.168.0.9:9192 as a streaming webcam server
>
> shorewall version:
> 1.4.7c
>
> /etc/shorewall/rules:
> # Webcam
> DNAT    net             loc:192.168.0.9:9192    tcp     9192

That rule is correct.

> DNAT    loc             loc:192.168.0.9:9192    tcp     9192

That rule will never work -- please see FAQ 2.

>
> /etc/shorewall/policy:
> #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
> #                                               LEVEL
> fw              all             ACCEPT          info
> loc             net             ACCEPT
> loc             fw              ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
>
> ip addr show:
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:02:44:07:89:a0 brd ff:ff:ff:ff:ff:ff
>     inet 82.39.120.35/21 brd 255.255.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:04:31:ea:17 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.10/24 brd 192.168.0.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:0a:79:15:1b:b4 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2
>
> ip route show:
> 192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.1
> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.10
> 82.39.120.0/21 dev eth0  proto kernel  scope link  src 82.39.120.35
> 127.0.0.0/8 via 127.0.0.1 dev lo  scope link
> default via 82.39.120.1 dev eth0
>
> /sbin/shorewall status:
> http://thecoop.dyndns.org/status.txt
>
> But it doesn't connect from outside or inside, and just times out. Telnetting
> to 192.168.0.9:9192 from the firewall works fine, and the local machine can
> connect ok.

The steps for troubleshooting port forwarding problems are given in FAQs 1a 
and 1b. According to your "shorewall status" output, at least one connection 
request was received from the internet and forwarded to your server at 
192.168.0.9. Is the default gateway on 192.168.0.9 set to 192.168.0.10? 

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
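The two checks Tom's reply points at (did the firewall's DNAT rule actually match any packets, and does the internal server send its replies back through the firewall) can be scripted. The script below is an added example, not part of the thread and not Shorewall's own code. It assumes the generic `iptables -t nat -L PREROUTING -v -n -x` and `ip route show` output formats; the sample outputs embedded in it are constructed for illustration and are not taken from the poster's firewall or `status.txt`.

```shell
#!/bin/sh
# Added diagnostic for the port-forwarding problem discussed above.
# Not from the original thread or from Shorewall. It checks:
#  1. whether the nat-table DNAT rule for the server matched any packets, and
#  2. whether the internal server's default gateway is the firewall's loc
#     address, so that SYN-ACKs come back through the firewall.
# SAMPLE_* values below are CONSTRUCTED to look like real tool output.

SERVER=192.168.0.9
PORT=9192
FW_LOC_IP=192.168.0.10

# Constructed sample of "iptables -t nat -L PREROUTING -v -n -x".
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 42 packets, 2520 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9192 to:192.168.0.9:9192
       0        0 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9192 to:192.168.0.9:9192'

# Constructed samples of "ip route show" as run ON THE SERVER 192.168.0.9:
# one with a wrong default gateway, one pointing at the firewall.
SAMPLE_ROUTE_BAD='192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.9
default via 192.168.0.1 dev eth0'
SAMPLE_ROUTE_GOOD='192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.9
default via 192.168.0.10 dev eth0'

# dnat_hits NAT_OUTPUT IFACE
# Prints the packet counter of the DNAT rule that rewrites traffic arriving
# on IFACE to SERVER:PORT (0 if no such rule exists).
dnat_hits() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v dst="to:$SERVER:$PORT" '
        # column layout of iptables -v -n -x: pkts bytes target prot opt in out src dst ...
        $3 == "DNAT" && $6 == ifc {
            for (i = 7; i <= NF; i++) if ($i == dst) hits += $1
        }
        END { print hits + 0 }'
}

# default_gateway ROUTE_OUTPUT
# Prints the next hop of the default route, or "none" if there is none.
default_gateway() {
    printf '%s\n' "$1" | awk '
        $1 == "default" && $2 == "via" { print $3; found = 1 }
        END { if (!found) print "none" }'
}

# reply_path_ok ROUTE_OUTPUT
# Succeeds when the server's replies will be routed through the firewall.
reply_path_ok() {
    [ "$(default_gateway "$1")" = "$FW_LOC_IP" ]
}

# diagnose NAT_OUTPUT ROUTE_OUTPUT
# Prints a one-line verdict combining both checks.
diagnose() {
    hits=$(dnat_hits "$1" eth0)
    if [ "$hits" -eq 0 ]; then
        echo "no packets hit the DNAT rule: traffic never reached the firewall"
    elif reply_path_ok "$2"; then
        echo "DNAT matched $hits packet(s) and server routes via $FW_LOC_IP: look elsewhere"
    else
        echo "DNAT matched $hits packet(s) but server default gateway is $(default_gateway "$2"), not $FW_LOC_IP: replies bypass the firewall"
    fi
}

# Stand-alone run against the constructed samples.
diagnose "$SAMPLE_NAT" "$SAMPLE_ROUTE_BAD"
```

On a live system, feed `dnat_hits` the real `iptables -t nat -L PREROUTING -v -n -x` output from the firewall and `reply_path_ok` the `ip route show` output collected on the server; a non-zero hit count together with a gateway other than the firewall's loc address is exactly the asymmetric-routing case the reply describes.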