[Shorewall-users] Portforwarding didn't work

stefan.buchwald@twt-gmbh.de stefan.buchwald@twt-gmbh.de
Fri, 25 Jan 2002 11:03:23 +0100

Hallo Kristopher,
thank you for your mail. Yes it is the Oracle TNS listener and in the default settings it works as you described. But you can configure the listener to use only one port. This worked with our "old Seawall" fine. So I think I have to look at the traffic to see what's going wrong.

From: "Kristopher Lalletti" <kris@eclipseci.com>
Sent: 24.01.2002 15:32
To: "'Tom Eastep'" <teastep@shorewall.net>; <stefan.buchwald@twt-gmbh.de>; <shorewall-users@shorewall.net>
Subject: RE: [Shorewall-users] Portforwarding didn't work

1521 Hmm.. That's the TNS listener 8.x on Oracle.

It won't work.

The way that Oracle works with the TNS listener, is a bit like a 2 tier


When SQL*NET establishes a connection to the remote host at port 1521,
the TNS listener will dispatch an oracle process on a random port, and
then returns a string to your SQL*NET that looks something in the line
of (HOST=<the ip of the oracle host and not the firewall> PORT=<the port
of the oracle host>).

So, if you're on the public network (say, the internet) and your SQL*NET
received the message to connect to a non-routable IP. Well, unless you
have a VPN connection, you're going nowhere.

My suggestion, make a vpn connection, or use Oracle connection manager
for Linux (I never tried oracle connection manager, but I know it exists
to bypass firewalls).

-----Original Message-----
From: shorewall-users-admin@shorewall.net
[mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
Sent: January 24, 2002 9:23 AM
To: stefan.buchwald@twt-gmbh.de; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Portforwarding didn't work

On Thursday 24 January 2002 02:20 am, stefan.buchwald@twt-gmbh.de wrote:
> Hallo Tom
> sorry the line in the masq file is eth0
> and not eth1 as send in the email before.
> In the nat file nothing is configured

Then your Shorewall setup appears correct, assuming that you want to TCP ports 1521 and 1526 to system. I suggest that you look at the traffic on both sides of the firewall with tcpdump or ethereal to try to see what is going wrong.

Do you know for sure that the DB application works through NAT?

Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Shorewall-users mailing list
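The redirect behaviour Kristopher describes (the listener answering with the database host's own address and a freshly chosen port) is exactly what Tom's advice to capture on both sides of the firewall would expose. As an added example that is not part of this thread and not Shorewall or Oracle code, the Python below triages redirect descriptors of the form the thread quotes, as one would copy them out of a capture taken on the outside interface. The sample descriptors, the set of forwarded ports and the public address 11.22.33.44 are all constructed; the actual TNS packet framing is not modelled, only the (HOST=...)(PORT=...) text.

```python
"""Triage Oracle TNS listener redirect descriptors captured outside a NAT firewall.

Added example for the mailing-list thread above; not Shorewall or Oracle code.
Only the textual (HOST=...)(PORT=...) descriptor is parsed; the TNS packet
framing around it is assumed to have been stripped already (e.g. copied out
of a tcpdump/ethereal session).
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Both spellings seen in the thread are accepted:
#   (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.5)(PORT=40123))
#   (HOST=192.168.10.5 PORT=40123)
_HOST_RE = re.compile(r"\bHOST=([^)\s]+)", re.IGNORECASE)
_PORT_RE = re.compile(r"\bPORT=(\d+)", re.IGNORECASE)


def parse_redirect(descriptor: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a TNS-style descriptor, or None if absent."""
    host = _HOST_RE.search(descriptor)
    port = _PORT_RE.search(descriptor)
    if not host or not port:
        return None
    return host.group(1), int(port.group(1))


def classify_redirect(descriptor: str, forwarded_ports) -> str:
    """Explain why a client on the public side could or could not follow the redirect.

    private-host      the listener handed out a non-globally-routable address
                      (the internal database address, as described in the thread);
                      without a VPN the client cannot reach it at all.
    unforwarded-port  the address is routable but the firewall has no forward
                      for the dispatched port.
    hostname          a name rather than an address; resolution from the client's
                      side decides, so it cannot be judged offline.
    reachable         routable address and a forwarded port.
    no-redirect       no HOST/PORT pair present.
    """
    parsed = parse_redirect(descriptor)
    if parsed is None:
        return "no-redirect"
    host, port = parsed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    # is_global covers RFC 1918, loopback, link-local and documentation ranges.
    if not addr.is_global:
        return "private-host"
    if port not in forwarded_ports:
        return "unforwarded-port"
    return "reachable"


def triage(descriptors: List[str], forwarded_ports) -> List[Tuple[str, str]]:
    """Classify every captured descriptor; returns (descriptor, verdict) pairs."""
    return [(d, classify_redirect(d, forwarded_ports)) for d in descriptors]


# Constructed sample capture: what the thread says the listener returns, plus
# the variants a correctly fronted listener could return instead.
SAMPLE_DESCRIPTORS = [
    "(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.5)(PORT=40123))",  # internal address
    "(HOST=11.22.33.44 PORT=40123)",                           # public, random port
    "(ADDRESS=(PROTOCOL=tcp)(HOST=11.22.33.44)(PORT=1526))",   # public, forwarded port
    "(HOST=oradb.internal)(PORT=1526)",                        # name, not address
    "(DESCRIPTION=(CONNECT_DATA=(SID=ORCL)))",                 # no redirect at all
]

# Constructed: the two ports the thread says the firewall forwards.
FORWARDED_PORTS = {1521, 1526}

if __name__ == "__main__":
    for descriptor, verdict in triage(SAMPLE_DESCRIPTORS, FORWARDED_PORTS):
        print(f"{verdict:17s} {descriptor}")
```

Run against a real capture, a `private-host` verdict on the redirect is the signature of the problem the thread discusses: no amount of DNAT on the firewall helps, because the client is being told to connect somewhere it cannot route to. An `unforwarded-port` verdict is the case Stefan is aiming for with a single-port listener configuration; it is fixable on the firewall because the address is already right.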