[Shorewall-newbies] Port changing incoming DNAT problem

nkjbox at internetgruppen.dk nkjbox at internetgruppen.dk
Thu Jan 8 22:09:10 PST 2004

Hi all,

I have a server on the dmz with IP= called pampas.

pampas accepts incoming http and notes traffic to via 
this DNAT rule:

DNAT net dmz: tcp http,notes -

Another rule should send the ssh port to the notes port of pampas. The 
idea is that this enables people behind a firewall which allows outgoing 
ssh traffic but not notes traffic to use notes on pampas anyway (!)

DNAT:info net dmz: tcp ssh notes

Finally, pampas is able to contact another notes server on the internet 
when it wants to via this rule

ACCEPT dmz: net tcp notes
in conjunction with a SNAT rule in "masq":


Everything works, except the port-redirection.

If I ssh to pampas (from net) I would expect the traffic to be redirected 
to the notes port.

It does not happen. Instead I get an ssh connection to the firewall - I 
wonder why?

The /var/log/messages says nothing - which tells me that the 
port-redirecting rule is not hit at all.

I rewrote the rule to:

DNAT:info net: dmz: tcp ssh notes

It didn't work either.

I have a rule about ssh at the top of the rules file:

ACCEPT all all ssh

Could that rule mess up the port redirection?
Or is it an example of the corrected SNAT bug of the new 1.4.9 Beta?

I use shorewall 1.4.8 release on a RedHat 9 with 2.4.20-27.9 kernel.

Best regards,
Niels Kristian Jensen
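One check a reader of this thread might want, added here and not part of Niels's post or of Shorewall itself: a small Python parser that shows which rules-file column each token of a rule lands in. It assumes the 1.4-style column order ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST and the zone:address:port form of DEST for port redirection; the address PAMPAS_IP in the sample lines is a constructed placeholder.

```python
# Added example, not from the original post or the Shorewall project.
# Splits a Shorewall 1.4-style /etc/shorewall/rules line into named
# columns so it is obvious which column a token such as "notes" landed in.
# Assumed column order: ACTION SOURCE DEST PROTO DEST-PORT(S)
# SOURCE-PORT(S) ORIGINAL-DEST, with DEST written zone[:address[:port]].
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO",
           "DEST PORT(S)", "SOURCE PORT(S)", "ORIGINAL DEST"]


def parse_rule(line):
    """Return a dict of column name -> token for one rules-file line."""
    fields = line.split()
    rule = {col: None for col in COLUMNS}
    rule.update(zip(COLUMNS, fields))
    # "DNAT:info" carries a syslog level after the colon.
    action, _, level = rule["ACTION"].partition(":")
    rule["ACTION"], rule["LOG LEVEL"] = action, level or None
    # DEST may be zone, zone:address or zone:address:port.
    parts = (rule["DEST"] or "").split(":")
    rule["DEST ZONE"] = parts[0] or None
    rule["DEST ADDRESS"] = parts[1] if len(parts) > 1 and parts[1] else None
    rule["REDIRECT PORT"] = parts[2] if len(parts) > 2 else None
    return rule


def describe(line):
    """Plain-language reading of what the rule will actually match."""
    r = parse_rule(line)
    what = ["%s from %s to zone %s" % (r["ACTION"], r["SOURCE"], r["DEST ZONE"])]
    if r["DEST PORT(S)"] not in (None, "-"):
        what.append("destination port(s) %s" % r["DEST PORT(S)"])
    if r["SOURCE PORT(S)"] not in (None, "-"):
        what.append("ONLY when the client's source port is %s" % r["SOURCE PORT(S)"])
    if r["REDIRECT PORT"]:
        what.append("rewritten to %s:%s" % (r["DEST ADDRESS"], r["REDIRECT PORT"]))
    return "; ".join(what)


# Constructed sample lines; PAMPAS_IP stands in for the real address.
SAMPLES = [
    "DNAT net dmz:PAMPAS_IP tcp http,notes -",
    "DNAT:info net dmz:PAMPAS_IP tcp ssh notes",
    "DNAT:info net dmz:PAMPAS_IP:notes tcp ssh",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "=>", describe(s))
```

The second sample line places notes in the SOURCE PORT(S) column, so the reading printed for it differs from the third, which places the port in DEST.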

