[Shorewall-newbies] NAT issue

Sakthivel Subramanian sakthi at altair.com
Fri Jan 23 15:13:42 PST 2004


First of all I would like to thank Tom Eastep for this excellent firewall.

I am using Shorewall 1.4.8 on a 2.4.20-8 Linux kernel with the basic two-interface setup:
eth0 - Connected to a router which provides internet/VPN access
eth1 - Connected to the LAN

net      eth0  blacklist,dropunclean,routefilter
loc      eth1    routefilter

In the current firewall setup, I have a Windows server inside the firewall
with an IP (. I have a one-to-one NAT using the Shorewall/nat file:
 eth0:10    No                      No

Machines from our corporate network access the server using the
IP via the router VPN tunnels and the traffic is controlled by
shorewall/rules without any problem.

The problem I am facing is locally when my machine ( tries to
access the server using the server's external IP ( I keep
getting the following message from Shorewall. 
Jan 23 14:11:41 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
MAC=00:a0:cc:3f:68:f6:00:0b:db:ca:78:17:08:00 SRC= DST=
LEN=245 TOS=0x00 PREC=0x00 TTL=128 ID=6734 PROTO=UDP SPT=4502 DPT=389

Shorewall is rejecting port 389 (LDAP) access to from my
machine based on all2all policy. Notice the empty output
interface. (OUT= ) If I try pinging from my machine, I get a
response back.

My default policy is
loc    net    ACCEPT
I explicitly added the following rule but it didn't help.
ACCEPT:info     loc                     net:      tcp     389
ACCEPT:info     loc                     net:      udp     389
I tried creating a new zone with as host list and added
policy to allow all traffic to that zone and it didn't help either.
Any help would be appreciated.
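The following is an added illustration, not Shorewall's code and not part of the original post. It models the documented meaning of the nat-file columns (EXTERNAL, INTERFACE, INTERNAL, ALL INTERFACES, LOCAL: with ALL INTERFACES=No the translation is applied only to packets arriving on the named interface) together with the zone and policy lookup, and replays a LAN packet sent to the server's external address. The addresses, the routing table and the firewall's own addresses are constructed placeholders, since the post's addresses were removed; the zone names and the loc-to-net policy come from the post.

```python
"""Added illustration (not Shorewall's own code): model how a Shorewall 1.4
nat-file entry and the zone policies apply to one packet, to show why a LAN
packet addressed to the server's external IP is classified as loc->fw (empty
OUT= interface) and falls through to the all2all policy.

nat-file column meaning, per the Shorewall documentation:
  EXTERNAL  INTERFACE  INTERNAL  ALL_INTERFACES  LOCAL
  ALL_INTERFACES=No : translate only packets arriving on INTERFACE
  ALL_INTERFACES=Yes: translate packets arriving on any interface
All addresses below are constructed placeholders (assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXTERNAL = "198.51.100.10"   # server's public address, alias eth0:10 (constructed)
INTERNAL = "192.168.1.10"    # Windows server on the LAN (constructed)

ZONES = {"eth0": "net", "eth1": "loc"}                     # from the post's interfaces file
ROUTES = {"192.168.1.0/24": "eth1", "0.0.0.0/0": "eth0"}   # constructed routing table
FIREWALL_ADDRS = {"192.168.1.1", "198.51.100.1", EXTERNAL}  # eth1, eth0 and the eth0:10 alias
POLICIES = {("loc", "net"): "ACCEPT"}                      # from the post; the rest is all2all REJECT


@dataclass
class NatEntry:
    external: str
    interface: str
    internal: str
    all_interfaces: bool
    local: bool


def parse_nat(text):
    """Parse nat-file lines. 'eth0:10' yields interface 'eth0'; ':10' is the alias label."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        ext, iface, internal = cols[:3]
        yes = lambda i: len(cols) > i and cols[i].lower() == "yes"
        entries.append(NatEntry(ext, iface.split(":")[0], internal, yes(3), yes(4)))
    return entries


def out_interface(dst):
    """Longest-prefix route lookup; None means the address is the firewall's own (local delivery)."""
    if dst in FIREWALL_ADDRS:
        return None
    best = max((ip_network(n) for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def classify(nat_entries, in_iface, dst):
    """Apply PREROUTING DNAT, then the zone pair and policy lookup that Shorewall's
    generated chains perform. Returns (dst_after_nat, out_iface, chain, verdict)."""
    for e in nat_entries:
        if e.external == dst and (e.all_interfaces or in_iface == e.interface):
            dst = e.internal
            break
    out = out_interface(dst)
    src_zone = ZONES[in_iface]
    dst_zone = "fw" if out is None else ZONES[out]
    verdict = POLICIES.get((src_zone, dst_zone))
    chain = f"{src_zone}2{dst_zone}" if verdict else "all2all"
    return dst, out, chain, verdict or "REJECT"


def lan_to_external(all_interfaces):
    """Replay the post's case: a packet from eth1 to the server's external address."""
    flag = "Yes" if all_interfaces else "No"
    nat_text = f"{EXTERNAL}  eth0:10  {INTERNAL}  {flag}  No"
    return classify(parse_nat(nat_text), "eth1", EXTERNAL)


if __name__ == "__main__":
    for all_ifaces in (False, True):
        dst, out, chain, verdict = lan_to_external(all_ifaces)
        label = "Yes" if all_ifaces else "No"
        print(f"ALL INTERFACES={label:3}  dst->{dst:15}  OUT={out or '':5}  {chain}:{verdict}")
```

With ALL INTERFACES=No the packet from eth1 is never translated; its destination is the firewall's own eth0:10 alias, so it is delivered locally (OUT= is empty, as in the logged line) and evaluated as loc->fw, where no loc-to-net rule or policy can match. With Yes the destination becomes the internal address and the packet is routed back out eth1 as loc->loc, which this model also sends to all2all because the post lists no loc-to-loc policy. The model stops at classification: it does not cover the reply path, which for a client and server on the same LAN would also have to return through the firewall (an assumption beyond what the post shows).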

