[Shorewall-users] Portforwarding didn't work

Tom Eastep teastep@shorewall.net
Wed, 23 Jan 2002 13:31:32 -0800

On Wednesday 23 January 2002 10:09 am, stefan.buchwald@twt-gmbh.de wrote:
> Hi
> we still configure the shorewall and it is nearly done. but there is a
> problem.
> we try to connect from a computer in the internet to a database in our
> local net. we used the example with SAM from the documentation. and
> configured the computer as DMZ.
> Here is the configuration
> zones:
> dmz     DMZ             Demilitarized zone
> net     Net             Internet
> loc     Local           Local networks
> interfaces:
> loc     eth1            193.100.201.255
> -       eth0            62.159.230.95   noping
> hosts:
> dmz             eth0:
> net             eth0:
> policy:
> #CLIENT         SERVER          POLICY
> loc             net             ACCEPT
> loc             dmz             ACCEPT
> dmz             all             CONTINUE
> net             all             DROP            info
> all             all             REJECT          info
> rules:
> #Squid
> ACCEPT          loc       fw        tcp     8080        -       all
> ACCEPT          fw        net       tcp     www,443
> ACCEPT          fw        dmz       tcp     www,443
> ACCEPT          fw        loc:      udp     53          -       all
> #Sendmail
> ACCEPT          net       fw        tcp     smtp
> ACCEPT          fw        loc:      tcp     s
> #DB
> ACCEPT          dmz       loc:      tcp     1521,1526   -       all
> #ACCEPT         dmz       loc:      tcp     ssh         -       all
> On the firewall runs a squid and a sendmail and it works.
> But with the rules for the DB there is no way to connect to the DB.
> Without the rule for the DB there is an error in the logfile (all2all:REJECT)
> and that's ok. But with the rule activated there is nothing in the log.
> Is this a problem of the configuration of the firewall or is this a
> problem?????

Are you using NAT or Masquerading in this setup?

Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
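The thread turns on how Shorewall decides which entry handles a new connection and which decisions show up in the log (the quoted `all2all:REJECT` message is the catch-all policy firing; an ACCEPT rule without a log level is silent). The Python model below is an added example written for this archive page, not Shorewall's own code. It embeds the zone policies and the non-truncated rules quoted above as constructed input (the entries with a cut-off `loc:` host and the `tcp s` line are left out rather than guessed), assumes Shorewall's rule-before-policy evaluation order, the `ACTION:level` syntax for rule logging and the `CLIENT2SERVER` chain naming, and deliberately does not model NAT or masquerading, which is what Tom's question is about.

```python
"""Simplified model of how Shorewall picks the rule or policy for a connection.

Added example, not Shorewall code. Evaluation order modelled here:
  1. the first matching line in /etc/shorewall/rules decides;
  2. otherwise the first matching line in /etc/shorewall/policy decides,
     with CONTINUE falling through to later policy lines;
  3. only an entry that carries a log level produces a kernel log message.
NAT/DNAT, interface and host details are intentionally left out.
"""

# Constructed from the configuration quoted in the thread.
POLICY = """\
#CLIENT SERVER POLICY LOGLEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     all     CONTINUE
net     all     DROP    info
all     all     REJECT  info
"""

# Truncated rules from the thread ("loc:" with no host, "tcp s") are omitted.
RULES = """\
#ACTION SOURCE DEST PROTO PORTS
ACCEPT  loc    fw   tcp   8080
ACCEPT  fw     net  tcp   www,443
ACCEPT  fw     dmz  tcp   www,443
ACCEPT  net    fw   tcp   smtp
ACCEPT  dmz    loc  tcp   1521,1526
"""

# Minimal service-name map (assumption: enough for the names used above).
SERVICES = {"www": 80, "smtp": 25, "ssh": 22}


def parse_table(text):
    """Split a Shorewall-style whitespace table into rows, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def port_matches(spec, port):
    """True if `port` is in a comma list of ports, lo:hi ranges or service names.

    '-' and 'all' mean any port.
    """
    if spec in ("-", "all"):
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo = int(SERVICES.get(lo, lo))
        hi = int(SERVICES.get(hi, hi)) if hi else lo
        if lo <= port <= hi:
            return True
    return False


def lookup(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Return the entry that decides a new connection src -> dst proto/port.

    The result says whether a rule or a policy decided, what it does and
    which log level (if any) applies, i.e. whether a log line is expected.
    """
    for row in parse_table(rules):
        row += ["-"] * (5 - len(row))              # pad short rule lines
        action, rsrc, rdst, rproto, rports = row[:5]
        action, _, level = action.partition(":")   # e.g. ACCEPT:info
        if (rsrc == src and rdst == dst
                and rproto in (proto, "all") and port_matches(rports, port)):
            return {"via": "rule", "action": action, "log_level": level or None}
    for row in parse_table(policy):
        client, server, action = row[:3]
        level = row[3] if len(row) > 3 else None
        if client in (src, "all") and server in (dst, "all"):
            if action == "CONTINUE":
                continue                           # fall through to later policies
            return {"via": "policy", "chain": f"{client}2{server}",
                    "action": action, "log_level": level}
    raise ValueError(f"no policy covers {src} -> {dst}")


if __name__ == "__main__":
    for conn in (("dmz", "loc", "tcp", 1521),   # matches the DB rule: no log line
                 ("dmz", "loc", "tcp", 22),     # no rule: all2all REJECT, logged
                 ("net", "dmz", "tcp", 1521)):  # no rule: net2all DROP, logged
        print(conn, "->", lookup(*conn))
```

Run as a script it prints the deciding entry for three connections drawn from the quoted setup; the first shows why an accepted connection leaves no log entry, the second reproduces the `all2all:REJECT` the poster saw without the DB rule.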