[Shorewall-newbies] Port changing incoming DNAT problem

nkjbox at internetgruppen.dk nkjbox at internetgruppen.dk
Thu Jan 8 22:09:10 PST 2004


Hi all,

I have a server on the dmz with IP=192.168.2.112 called pampas.

pampas accepts incoming http and notes traffic to 194.192.161.166 via 
this DNAT rule:

DNAT net dmz:192.168.2.112 tcp http,notes - 194.192.161.166

Another rule should send the ssh port to the notes port of pampas. The 
idea is that this enables people behind a firewall which allows outgoing 
ssh traffic but not notes traffic to use notes on pampas anyway (!)

DNAT:info net dmz:192.168.2.112 tcp ssh notes 194.192.161.166

Finally, pampas is able to contact another notes server on the internet 
when it wants to via this rule

ACCEPT dmz:192.168.2.112 net tcp notes

in conjunction with a SNAT rule in "masq":

eth0:6          192.168.2.112/32        194.192.161.166


Everything works, except the port-redirection.

If I ssh to pampas (from net) I would expect the traffic to be redirected 
to the notes port.


It does not happen. Instead I get an ssh connection to the firewall - I 
wonder why?


The /var/log/messages says nothing - which tells me that the 
port-redirecting rule is not hit at all.

I rewrote the rule to:

DNAT:info net:194.192.161.166 dmz:192.168.2.112 tcp ssh notes

It didn't work either.

I have a rule about ssh at the top of the rules file:

ACCEPT all all ssh

Could that rule mess up the port redirection?
Or is it an example of the corrected SNAT bug of the new 1.4.9 Beta 
shorewall?


I use shorewall 1.4.8 release on a RedHat 9 with 2.4.20-27.9 kernel.

Best regards,
Niels Kristian Jensen
Denmark
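An added example, not part of the list post above: a small checker that splits Shorewall 1.4-style rules lines into their columns and shows which iptables match a DNAT line actually produces. It assumes the 1.4 column order ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST, a DEST column of the form zone[:host[:port]] (a trailing :port is what changes the destination port), and a constructed subset of /etc/services.

```python
# Added example (not the poster's code): interpret Shorewall 1.4 rules lines.
# Assumed column order: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")
# Constructed subset of /etc/services covering the names used on the page.
SERVICES = {"ssh": 22, "http": 80, "notes": 1352}


def ports(spec):
    """'ssh', 'http,notes' or '1352' -> list of port numbers; '-' or absent -> []."""
    if spec in (None, "-"):
        return []
    return [int(p) if p.isdigit() else SERVICES[p] for p in spec.split(",")]


def parse_rule(line):
    """Split one rules line into named columns and decode the DNAT-relevant parts."""
    rule = dict(zip(COLUMNS, line.split()))
    # ACTION may carry a log level, e.g. DNAT:info
    action, _, loglevel = rule["action"].partition(":")
    rule["action"], rule["loglevel"] = action, loglevel or None
    zone, *rest = rule["dest"].split(":")
    rule["dest_zone"] = zone
    rule["dest_host"] = rest[0] if rest else None
    # Only a third element of DEST (zone:host:port) rewrites the port.
    # The SOURCE_PORT column is a match on the client's source port, not a translation.
    rule["to_port"] = ports(rest[1])[0] if len(rest) > 1 else None
    rule["dport"] = ports(rule.get("dport"))
    rule["sport"] = ports(rule.get("sport"))
    return rule


def describe(rule):
    """One-line summary of what the generated nat rule matches and where it sends traffic."""
    if rule["action"] != "DNAT":
        return f"{rule['action']} rule, no address translation"
    text = f"match {rule['proto']} dport {rule['dport']}"
    if rule["sport"]:
        text += f" AND client source port {rule['sport']}"
    target = rule["dest_host"] + (f":{rule['to_port']}" if rule["to_port"] else "")
    return text + f" -> DNAT to {target}"


if __name__ == "__main__":
    for line in (
        "DNAT net dmz:192.168.2.112 tcp http,notes - 194.192.161.166",
        "DNAT:info net dmz:192.168.2.112 tcp ssh notes 194.192.161.166",
        "DNAT:info net dmz:192.168.2.112:notes tcp ssh - 194.192.161.166",
    ):
        print(describe(parse_rule(line)))
```

Run as a script it prints, for each of the three lines, the port matched and the address the connection is sent to, which makes the difference between a SOURCE_PORT match and a zone:host:port destination visible.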


