[Shorewall-users] eth1 to eth1

ian iguy@ionsphere.org
Wed, 3 Apr 2002 22:10:00 -0700


I've run into a problem with 1.2.10 and would like to request a more
experienced person's advice.

My setup:

I'm using static NAT for my boxes behind the firewall.

12.98.39.218 -> 10.10.10.10
12.98.39.219 -> 10.10.10.20

I've got two domain names that are set up here.
Domain1.com - ip 218
Domain2.com - ip 219

When I try to send mail from Domain1.com to Domain2.com the firewall
stops me with a loc2loc:REJECT log message.

So I go into the policy file and set loc loc ACCEPT.

That doesn't work, so I try making a rule:

ACCEPT loc loc tcp smtp

That doesn't work either.

I find a workaround by making a common entry like so:
run_iptables -A FORWARD -i eth1 -o eth1 -p tcp --dport 25 -j ACCEPT

Now, for obvious reasons, this isn't ideal. I'd like to work with the
Shorewall system for easier usage and maintenance, as I like the setup
and how it's done right now.

What I see as the problem/bug/feature is that loc2loc is not used
in the INPUT, OUTPUT or FORWARD chains. It should be in
the FORWARD chain, though. Am I correct, or did I miss some configuration
somewhere?

Thank you for any help you can give.

ian
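The diagnosis above (a loc2loc chain that nothing jumps to, and a hairpin eth1-to-eth1 rule added by hand) can be checked mechanically from `iptables-save` output. The script below is an added example, not code from the post or from Shorewall; its SAMPLE table is constructed to look like a Shorewall 1.2 filter table and is not a dump from the poster's firewall.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE is a constructed,
# Shorewall-1.2-style filter table (not a dump from the poster's firewall).
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:eth1_fwd - [0:0]
:loc2net - [0:0]
:loc2loc - [0:0]
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i eth1 -o eth1 -p tcp --dport 25 -j ACCEPT
-A eth1_fwd -o eth0 -j loc2net
-A loc2net -j ACCEPT
-A loc2loc -j REJECT
COMMIT'
# builtins_reaching CHAIN < iptables-save-output
# Follows "-j" jumps backwards from CHAIN and prints, sorted, the built-in
# chains that can reach it. No output means no packet can ever hit CHAIN,
# which is what the poster observed for loc2loc.
builtins_reaching() {
    awk -v target="$1" '
        $1 == "-A" { for (i = 3; i < NF; i++)
            if ($i == "-j") { parents[$(i+1)] = parents[$(i+1)] " " $2; break } }
        END {
            n = 1; stack[1] = target; seen[target] = 1
            while (n > 0) {
                c = stack[n]; n--
                m = split(parents[c], ps, " ")
                for (j = 1; j <= m; j++) {
                    p = ps[j]
                    if (p in seen) continue
                    seen[p] = 1
                    if (p ~ /^(INPUT|OUTPUT|FORWARD)$/) print p
                    else { n++; stack[n] = p }
                }
            }
        }' | sort
}
# same_iface_rules < iptables-save-output
# Prints FORWARD rules whose -i and -o name the same interface: the hairpin
# (eth1 to eth1) traffic the poster had to allow by hand.
same_iface_rules() {
    awk '$1 == "-A" && $2 == "FORWARD" {
        in_if = ""; out_if = ""
        for (i = 3; i < NF; i++) { if ($i == "-i") in_if = $(i+1); if ($i == "-o") out_if = $(i+1) }
        if (in_if != "" && in_if == out_if) print
    }'
}
printf '%s\n' "$SAMPLE" | builtins_reaching loc2net   # FORWARD
```

On a live box, replace the SAMPLE pipe with `iptables-save | builtins_reaching loc2loc`; empty output confirms the chain is defined but unreachable.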