Gianni Socionovo
2006-Oct-26  16:08 UTC
Saprouter forwarding from shorewall firewall to an internal saprouter server
Hi guys,
I have a Shorewall 3.0.x firewall with two NIC interfaces. I need to 
allow access to an internal saprouter server from the Internet.
When I try a connection from the SAP GUI on a workstation on the Internet, I 
get a connection time-out on port 3299 from the saprouter.
My shorewall interfaces configuration is:
ZONE   INTERFACE   BROADCAST   OPTIONS
loc    eth3        detect      routeback
net    eth0        detect      routefilter,tcpflags,logmartians,nosmurfs
where eth0 is the world zone (i.e. 191.99.200.0/24) and the firewall's public IP 
address is 191.99.200.50,
and eth3 is the local zone (i.e. 10.0.0.1), where the firewall's internal IP address 
is 10.0.0.200 and the saprouter internal server is 10.0.0.60.
In the rules file I have a DNAT row like the following:
ACTION      SOURCE   DEST            PROTO   DEST PORT   SOURCE PORT   ORIGINAL DEST
dnat:info   net      loc:10.0.0.60   tcp     3299        -             191.99.200.50
I followed the instructions in Shorewall FAQ 1a-b-c.
After zeroing the routefilter counter and trying a new connection from a 
laptop on the Internet (IP address: 191.99.200.32),
I have the following results from the command "shorewall show nat" for chain 
net_dnat:
Chain net_dnat
pkts  bytes  target  proto  opt  in  out  source     destination
1     48     LOG     tcp    --   *   *    0.0.0.0/0  191.99.200.50  tcp dpt:3299  LOG flags 0 level 6 prefix 'Shorewall:net_dnat:DNAT:'
1     48     DNAT    tcp    --   *   *    0.0.0.0/0  191.99.200.50  tcp dpt:3299  to:10.0.0.60
The Shorewall log shows no reject or drop messages.
Is there anyone who can help me?
I need an urgent solution by tomorrow at the latest. Our SAP consultants 
need saprouter access next Saturday.
Regards, and thanks in advance for the help.
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Tom Eastep
2006-Oct-26  16:28 UTC
Re: Saprouter forwarding from shorewall firewall to an internal saprouter server
Gianni Socionovo wrote:
> Is there anyone who can help me?

I suggest that you use a packet sniffer (tcpdump, Ethereal, Wireshark) to look at traffic to/from 10.0.0.60 on the firewall's internal interface. Be sure to look at the link level addresses to be sure that requests and responses are going to the correct box.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
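The check Tom describes (watch the DNAT'ed SYN on the firewall's inner interface and confirm the server's reply comes back to the firewall's link-layer address, not to some other gateway) can be scripted over the output of "tcpdump -n -e". The following is an added example written for this page, not code from the thread or from the Shorewall project. The firewall and server MAC addresses and the tcpdump lines are constructed for illustration; the IPs and port are the ones from the original post.

```python
import re

# Assumed values, not taken from the thread: the MAC of the firewall's eth3
# interface and the internal server's IP and saprouter port.
FW_INTERNAL_MAC = "00:11:22:33:44:55"
SERVER_IP = "10.0.0.60"
SERVER_PORT = 3299

# One line of `tcpdump -n -e` output for an IPv4 TCP packet:
#   <ts> <src MAC> > <dst MAC>, ethertype IPv4 (0x0800), length N: <sip>.<sport> > <dip>.<dport>: Flags [..], ...
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Possible verdicts for one client flow seen on the internal interface.
NO_SYN = "no_syn_on_internal_interface"   # DNAT did not happen or packet never left the firewall
NO_REPLY = "server_did_not_reply"         # host down, not listening, or host firewall dropping
REFUSED = "server_sent_rst"               # nothing listening on the port
WRONG_GW = "asymmetric_return_path"       # reply left for another MAC: server's default route is wrong
OK = "reply_returned_via_firewall"        # handshake reply came back to the firewall

# Constructed capture (three flows): the first SYN-ACK goes to a second
# gateway's MAC, the second client gets an RST, the third gets no answer.
SAMPLE_CAPTURE = """\
16:08:01.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 74: 191.99.200.32.51234 > 10.0.0.60.3299: Flags [S], seq 1, win 65535, length 0
16:08:01.000250 aa:bb:cc:dd:ee:01 > 00:de:ad:be:ef:99, ethertype IPv4 (0x0800), length 74: 10.0.0.60.3299 > 191.99.200.32.51234: Flags [S.], seq 100, ack 2, win 65535, length 0
16:08:02.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 74: 191.99.200.33.40000 > 10.0.0.60.3299: Flags [S], seq 1, win 65535, length 0
16:08:02.000200 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 54: 10.0.0.60.3299 > 191.99.200.33.40000: Flags [R.], seq 0, ack 2, win 0, length 0
16:08:03.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 74: 191.99.200.34.40001 > 10.0.0.60.3299: Flags [S], seq 1, win 65535, length 0
"""


def parse_capture(text):
    """Return a list of dicts, one per tcpdump line that matches LINE_RE."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose(capture, fw_mac=FW_INTERNAL_MAC, server_ip=SERVER_IP, server_port=SERVER_PORT):
    """Pair each client's SYN with the server's first answer and classify the flow.

    Returns {(client_ip, client_port): {"verdict": ..., "reply_dst_mac": ...}}.
    """
    flows = {}
    for p in parse_capture(capture):
        if p["dip"] == server_ip and int(p["dport"]) == server_port and p["flags"] == "S":
            flows.setdefault((p["sip"], p["sport"]), {"syn": True, "reply": None, "reply_dst_mac": None})
        elif p["sip"] == server_ip and int(p["sport"]) == server_port:
            f = flows.setdefault((p["dip"], p["dport"]), {"syn": False, "reply": None, "reply_dst_mac": None})
            if f["reply"] is None:          # keep only the first answer
                f["reply"] = p["flags"]
                f["reply_dst_mac"] = p["dmac"]

    result = {}
    for key, f in flows.items():
        if not f["syn"]:
            verdict = NO_SYN
        elif f["reply"] is None:
            verdict = NO_REPLY
        elif f["reply"].startswith("R"):
            verdict = REFUSED
        elif f["reply_dst_mac"].lower() != fw_mac.lower():
            verdict = WRONG_GW
        else:
            verdict = OK
        result[key] = {"verdict": verdict, "reply_dst_mac": f["reply_dst_mac"]}
    return result


if __name__ == "__main__":
    for (ip, port), r in sorted(diagnose(SAMPLE_CAPTURE).items()):
        print(f"{ip}:{port}  {r['verdict']}  reply_dst_mac={r['reply_dst_mac']}")
```

On the real box, feed it "tcpdump -n -e -i eth3 host 10.0.0.60 and port 3299" output; the "asymmetric_return_path" verdict is the one to look for when, as in the post, the net_dnat counters increment and nothing is logged as dropped, because the SYN-ACK is leaving the server toward a gateway other than the firewall and the client's connection simply times out.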