[Shorewall-users] Port Forwarding to another network

Tom Eastep teastep@shorewall.net
Sun, 21 Apr 2002 19:03:36 -0700 (Pacific Daylight Time)


On Mon, 22 Apr 2002, Renato Tirol wrote:

> Hi Everyone,
>
> Good day!
> I really need your help.  I am trying to port forward (say port 80) to another
> network attached to our local network.
> I used the two-interfaced template. It seems that the packets just got lost
> somewhere.
>
> Below is the diagram of the network.
> +-----------+     +----+     +--------------+
> | ISP's Rtr +-----+ FW +-----+ LAN A        |
> +-----------+     +----+     |192.168.1.0/24|
>                              +------+-------+
>                                     |
>                                     |
>                              +------+------+
>                              | Router A    |
>                              | 192.168.1.1 |
>                              +------+------+
>                                     |
>                                     | T1 leased line
>                                     |
>                              +-------------+
>                              | Router B    |
>                              | 192.168.2.1 |
>                              +------+------+
>                                     |
>                                     |
>                              +------+-------+
>                              | LAN B        |
>                              |192.168.2.0/24|
>                              +------+-------+
>                                     |
>                              +-------------+
>                              |   Server    |
>                              | 192.168.2.4 |
>                              +-------------+
>
> This one is taken from the rules (real ips are substituted):
> ACCEPT          net       loc:$SERVER1  tcp     $LOC_TCP_PORTS1 - 10.1.1.2
> ACCEPT          loc       loc:$SERVER1  tcp     $LOC_TCP_PORTS1 - 10.1.1.2
> ACCEPT          net       loc:$SERVER1  udp     $LOC_UDP_PORTS1 -      all
>
>
> Also the policy:
> fw              net             ACCEPT
> fw              loc             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
>
>
> From the params:
> LOCAL_OPTIONS=routestopped,multi
> LOCAL_NET=192.168.0.0/16
> LOC_TCP_PORTS1=80
> SERVER1=192.168.2.4
>
> Here's the routing table of the firewall (valid IP is substituted by
> 10.1.1.0):
> Kernel IP routing table
>
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.1.1.0        *               255.0.0.0       U        40 0          0 eth0
> 192.168.1.0     *               255.255.255.0   U        40 0          0 eth1
> 192.168.2.0     *               255.255.255.0   U        40 0          0 eth1

The above route needs to specify the gateway 192.168.1.1!!!

> 127.0.0.0       *               255.0.0.0       U        40 0          0 lo
> default         10.1.1.1        0.0.0.0         UG       40 0          0 eth0
>
> On the server, I added a route to the LAN interface of the firewall.  I'm
> not sure if what I did was right.

You did NOT - see above.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
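The misconfiguration Tom points at (a route for 192.168.2.0/24 entered as directly connected on eth1, when that subnet actually sits behind Router A) can be caught mechanically. The script below is an added example written for this archive page, not code from the thread or from Shorewall: it parses a `route -n` style table (the one posted above, with its wrapped lines rejoined, embedded as constructed sample input), flags any gateway-less route whose destination is not on the interface's own subnet, and builds the `route add ... gw 192.168.1.1` command that replaces it. The firewall's own interface addresses are not on the page; 10.1.1.2/8 follows the posted table and 192.168.1.254/24 is an assumption. The gateway 192.168.1.1 is Router A from the diagram.

```python
import ipaddress

# Constructed sample: the firewall's routing table as posted in the thread,
# wrapped lines rejoined, in the columns that `route -n` prints.
ROUTING_TABLE = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.1.0        *               255.0.0.0       U        40 0          0 eth0
192.168.1.0     *               255.255.255.0   U        40 0          0 eth1
192.168.2.0     *               255.255.255.0   U        40 0          0 eth1
127.0.0.0       *               255.0.0.0       U        40 0          0 lo
default         10.1.1.1        0.0.0.0         UG       40 0          0 eth0
"""

# Assumed interface addresses (not given in the thread): the firewall's own
# address on each link. 10.1.1.2/8 follows the posted table; the eth1 address
# 192.168.1.254/24 is a placeholder guess.
INTERFACES = {
    "eth0": ipaddress.ip_interface("10.1.1.2/8"),
    "eth1": ipaddress.ip_interface("192.168.1.254/24"),
    "lo": ipaddress.ip_interface("127.0.0.1/8"),
}


def parse_routes(text):
    """Parse `route -n` style output into (network, gateway, iface) tuples.

    The gateway is None for routes the kernel treats as directly connected
    ('*' or 0.0.0.0 in the Gateway column)."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[-1]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw in ("*", "0.0.0.0") else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def find_unreachable_direct_routes(routes, interfaces):
    """Return (network, iface) for routes marked directly connected whose
    destination is not on that interface's own subnet. The kernel will ARP
    for such destinations on the link and the packets are silently lost,
    which is exactly the symptom reported in the thread."""
    bad = []
    for net, gateway, iface in routes:
        if gateway is not None or net.prefixlen == 0:
            continue  # has a gateway, or is the default route
        on_link = interfaces[iface].network
        if not net.subnet_of(on_link):
            bad.append((net, iface))
    return bad


def route_fix_command(net, iface, gateway, interfaces):
    """Build the `route add` command that replaces a broken on-link route
    with one via `gateway`, after checking the gateway itself is reachable
    on the interface's subnet (otherwise the new route is just as dead)."""
    gateway = ipaddress.ip_address(gateway)
    on_link = interfaces[iface].network
    if gateway not in on_link:
        raise ValueError(f"gateway {gateway} is not on {iface} subnet {on_link}")
    return (f"route add -net {net.network_address} netmask {net.netmask} "
            f"gw {gateway} dev {iface}")


if __name__ == "__main__":
    found = find_unreachable_direct_routes(parse_routes(ROUTING_TABLE), INTERFACES)
    for net, iface in found:
        print(f"route to {net} on {iface} has no gateway but is not on-link")
        print("  fix:", route_fix_command(net, iface, "192.168.1.1", INTERFACES))
```

Run against the posted table it reports only the 192.168.2.0/24 entry; the 10.1.1.0 and 127.0.0.0 routes pass because their destinations fall inside the interface's own /8. The gateway check in `route_fix_command` is there so that a typo such as pointing the route at 10.1.1.1 via eth1 is rejected rather than installed.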