[Shorewall-users] Port forwarding to network zone and tunneling advice

Dark Ryder dark-shorewall at tentacle.net
Mon Dec 15 15:54:37 PST 2003

(I believe I've included the pertinent information from my Shorewall
configuration in this message, but if I've left something out, you can find a
tarball of the contents of my /etc/shorewall folder, the output of all the
"shorewall show *" commands and "ip (route|addr) show" at

My first question is about port forwarding: as I have but a single public IP
address (DHCP, to boot) for my home network, I employ DNAT rules to push a
number of services to a server in my DMZ.  One of those services was NNTP, but I
have decided that running an NNTP server off my own hardware, even for the few
discussion groups it hosted, was too much of a hassle.  Now, I'd like to change
that port forward to point to a publicly available NNTP server rather than my
own.  But when I just change the DNAT line, it fails to actually redirect
connections; instead the client just gets a "connection denied" message.

Here's the DNAT rule I'm using, from /etc/shorewall/rules:
DNAT:info	net		net:$IP_NNTP	tcp	nntp

$IP_NNTP comes from /etc/shorewall/params:

(I can successfully connect to this IP directly.)

And this is the only line that shows up in my log (even though I use DNAT:info):
Dec 15 16:25:56 [kernel] fp=net_dnat:1 a=DNAT IN=eth0 OUT= SRC=
DST= LEN=60 TOS=0x10 PREC=0x00 TTL=47 ID=26687 DF PROTO=TCP SPT=2303
DPT=119 WINDOW=57344 RES=0x00 SYN URGP=0

I'd appreciate any help you can give.


I'm also looking for advice on tunneling options.  I intend to tunnel my own
home network with that of a friend (who is running an almost identical Shorewall
setup).  However, while he has a static IP for his network, I'm stuck with DHCP
for mine.  Looking at the Shorewall docs, it appears that PPTP is the only
tunneling option for which Shorewall does not require a fixed IP on both ends? 
If so, my concerns regarding using PPTP are that A) I have not found (or perhaps
found but not recognized) documentation that says PPTP is bi-directional; it
appears it is most commonly used for a single host connecting to a remote
network rather than connecting two networks together, and B) there appears to be
some concern about the security of PPTP; what I'm trying to do is create a
secure, encrypted tunnel so that we don't have to worry about using "weak"
services like SMB, FTP, and the like.

Again, any advice is very welcome.

Dark "the shortest distance between two jokes is a straight line" R.
"Science is like sex: sometimes something useful comes out,
but that is not the reason we are doing it."                 --Richard Feynman
