[Shorewall-newbies] NAT issue
sakthi at altair.com
Fri Jan 23 15:13:42 PST 2004
First of all I would like to thank Tom Eastep for this excellent firewall.
I am using Shorewall 1.4.8 on a 2.4.20-8 linux kernel with the basic 2
eth0 - Connected to a router which provides internet/VPN access
eth1 - Connected to the LAN
net eth0 192.168.1.255 blacklist,dropunclean,routefilter
loc eth1 10.10.1.255 routefilter
In the current firewall setup, I have a Windows server inside the firewall
with an IP (10.10.1.10). I have a one-to-one NAT using the Shorewall/nat
192.168.1.10 eth0:10 10.10.1.10 No No
Machines from our corporate network access the server using the 192.168.1.10
IP via the router VPN tunnels and the traffic is controlled by
shorewall/rules without any problem.
The problem I am facing is locally when my machine (10.10.1.4) tries to
access the server using the server's external IP (192.168.1.10). I keep
getting the following message from Shorewall.
Jan 23 14:11:41 10.10.1.1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
MAC=00:a0:cc:3f:68:f6:00:0b:db:ca:78:17:08:00 SRC=10.10.1.4 DST=192.168.1.10
LEN=245 TOS=0x00 PREC=0x00 TTL=128 ID=6734 PROTO=UDP SPT=4502 DPT=389
Shorewall is rejecting port 389 (LDAP) access to 192.168.1.10 from my
machine 10.10.1.4 based on all2all policy. Notice the empty output
interface. (OUT= ) If I try pinging 192.168.1.10 from my machine, I get a
My default policy is
loc net ACCEPT
I explicitly added the following rule but it didn't help.
ACCEPT:info loc net:192.168.1.10 tcp 389
ACCEPT:info loc net:192.168.1.10 udp 389
I tried creating a new zone with 192.168.1.0/24 as the host list and added a
policy to allow all traffic to that zone, and it didn't help either.
Any help would be appreciated.
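As an added illustration (not from the poster or the Shorewall project), a small Python triage helper that parses the rejected-packet log line above and reads the zone pair off the IN=/OUT= fields; the interface-to-zone map and the firewall's own addresses are taken from the post's configuration, and the function names and the assumption that 192.168.1.10 sits on the firewall as the eth0:10 NAT alias are mine.

```python
import re

# Constructed sample: the post's rejected LDAP packet, re-joined onto one syslog line.
SAMPLE_LOG = (
    "Jan 23 14:11:41 10.10.1.1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "MAC=00:a0:cc:3f:68:f6:00:0b:db:ca:78:17:08:00 SRC=10.10.1.4 DST=192.168.1.10 "
    "LEN=245 TOS=0x00 PREC=0x00 TTL=128 ID=6734 PROTO=UDP SPT=4502 DPT=389"
)
# Interface-to-zone map and firewall-owned addresses, as given in the post:
# 192.168.1.10 is the eth0:10 alias the one-to-one NAT entry creates (assumed).
ZONE_BY_IFACE = {"eth0": "net", "eth1": "loc"}
FIREWALL_ADDRS = {"10.10.1.1", "192.168.1.10"}

_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")
_FIELD = re.compile(r"(\w+)=(\S*)")  # \S* keeps empty values such as 'OUT='

def parse_shorewall_log(line):
    """Split a Shorewall LOG line into chain, disposition and key=value fields."""
    m = _PREFIX.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(_FIELD.findall(m.group("fields")))
    return rec

def netfilter_path(rec):
    """Both IN= and OUT= set: FORWARD; IN= only: INPUT (addressed to the firewall); OUT= only: OUTPUT."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else ("OUTPUT" if has_out else "UNKNOWN")

def zone_pair(rec):
    """Map interfaces to Shorewall zones; the firewall itself is the 'fw' zone."""
    path = netfilter_path(rec)
    src = "fw" if path == "OUTPUT" else ZONE_BY_IFACE.get(rec.get("IN", ""), "?")
    dst = "fw" if path == "INPUT" else ZONE_BY_IFACE.get(rec.get("OUT", ""), "?")
    return src, dst

def diagnose(rec):
    """Explain why the packet reached a policy chain instead of a zone rule."""
    notes = []
    src, dst = zone_pair(rec)
    if dst == "fw" and rec.get("DST") in FIREWALL_ADDRS:
        notes.append(f"DST {rec['DST']} is held by the firewall, so this is {src}->{dst} "
                     f"traffic; rules written for {src}->net never see it")
    if rec["chain"] == "all2all":
        notes.append("all2all is the catch-all policy chain: no policy names this zone pair")
    return notes
```

Running `diagnose(parse_shorewall_log(SAMPLE_LOG))` reports the packet as loc->fw traffic that fell through to all2all, which is why the loc->net rules and the extra zone in the post never matched it.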