[Shorewall-users] Port forwarding to network zone and tunneling advice

Tom Eastep
Mon Dec 15 16:16:17 PST 2003

On Monday 15 December 2003 03:54 pm, Dark Ryder wrote:
> (I believe I've included the pertinent information from my Shorewall
> configuration in this message, but if I've left something out, you can find
> a tarball of the contents of my /etc/shorewall folder, the output of all
> the "shorewall show *" commands and "ip (route|addr) show" at
> http://hofserver.dyndns.org/shorewall-conf.tar.gz)
> My first question is about port forwarding: as I have but a single public
> IP address (DHCP, to boot) for my home network, so I employ DNAT rules to
> push a number of services to a server in my DMZ.  One of those services was
> NNTP, but I have decided that running an NNTP server off my own hardware,
> even for the few discussion groups it hosted, was too much of a hassle.
> Now, I'd like to change that port forward to point to a publicly available
> NNTP server rather than my own.  But when I just change the DNAT line, it
> fails to actually redirect connections; instead the client just gets a
> "connection denied" message.
> Here's the DNAT rule I'm using, from /etc/shorewall/rules:
> DNAT:info	net		net:$IP_NNTP	tcp	nntp
> $IP_NNTP comes from /etc/shorewall/params:
> (I can successfully connect to this IP directly.)
> And this is the only line that shows up in my log (even though I use
> DNAT:info): Dec 15 16:25:56 [kernel] fp=net_dnat:1 a=DNAT IN=eth0 OUT=
> SRC= DST= LEN=60 TOS=0x10 PREC=0x00 TTL=47 ID=26687
> DF PROTO=TCP SPT=2303 DPT=119 WINDOW=57344 RES=0x00 SYN URGP=0
> I'd appreciate any help you can give.

You need to set the 'routeback' option for eth0 in /etc/shorewall/interfaces 
and your rule needs to be:

DNAT   net     net:$IP_NNTP    tcp    nntp    -   $EXT_IP:$EXT_IP

where $EXT_IP is your external IP. The FAQ shows you how to set EXT_IP in 
/etc/shorewall/params (don't recall which FAQ off-hand).
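The two points in the reply above, the missing ORIGINAL DEST column and the missing 'routeback' option, are easy to miss in a hand-edited configuration. The script below is an added example, not code from Shorewall or from anyone in this thread: two small awk checks that flag a DNAT rule whose SOURCE and DEST zones are the same but that has no ORIGINAL DEST, and an interface line without 'routeback', run over constructed copies of the before and after configuration. It assumes the classic column order of the Shorewall 1.4 rules and interfaces files.

```shell
#!/bin/sh
# Added example (not from the Shorewall project or the list posting).
# Assumed column order (whitespace separated):
#   rules:      ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
#   interfaces: ZONE INTERFACE BROADCAST OPTIONS

# Report "hairpin" DNAT rules (same zone on both sides) that lack an
# ORIGINAL DEST column; exit 0 if none are found, 1 otherwise.
check_hairpin_dnat() {                 # $1 = rules file
    awk '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        {
            split($1, a, ":")                  # "DNAT:info" -> "DNAT"
            if (a[1] != "DNAT" && a[1] != "DNAT-") next
            split($2, s, ":"); split($3, d, ":")   # zone = text before ":"
            if (s[1] == d[1] && ($7 == "" || $7 == "-")) {
                print "hairpin DNAT without ORIGINAL DEST: " $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Exit 0 if interface $2 carries the routeback option in interfaces file $1.
has_routeback() {
    awk -v ifc="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $2 == ifc && $4 ~ /(^|,)routeback(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed samples modelled on the thread: the poster's rule and interface
# line, then the versions the reply asks for. In the corrected rule the address
# before the colon is the one clients connect to; the one after it is what the
# source is rewritten to, so the NNTP server's replies return via the firewall.
write_samples() {                      # $1 = directory to write into
    printf 'DNAT:info\tnet\tnet:$IP_NNTP\ttcp\tnntp\n' > "$1/rules.before"
    printf 'DNAT\tnet\tnet:$IP_NNTP\ttcp\tnntp\t-\t$EXT_IP:$EXT_IP\n' > "$1/rules.after"
    printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\nnet\teth0\tdetect\tdhcp\n' > "$1/interfaces.before"
    printf 'net\teth0\tdetect\tdhcp,routeback\n' > "$1/interfaces.after"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_hairpin_dnat "$tmp/rules.before" || echo "rules.before: add ORIGINAL DEST"
check_hairpin_dnat "$tmp/rules.after"  && echo "rules.after: ok"
has_routeback "$tmp/interfaces.before" eth0 || echo "interfaces.before: add routeback"
has_routeback "$tmp/interfaces.after" eth0  && echo "interfaces.after: ok"
rm -rf "$tmp"
```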