search for: net_dnat

...DROP all -- 205.251.246.215 0.0.0.0/0 DROP all -- 205.251.64.69 0.0.0.0/0 DROP all -- 205.251.179.185 0.0.0.0/0 shorewall show log Shorewall-2.0.14 Log at yosemite - Mon Jan 10 11:02:16 NST 2005 Counters reset Sat Jan 8 21:01:36 NST 2005 Jan 10 10:56:25 net_dnat:REDIRECT:IN=eth1 OUT= SRC=205.251.179.185 DST=w.x.y.z LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2731 DF PROTO=TCP SPT=4128 DPT=2745 WINDOW=16384 RES=0x00 SYN URGP=0 Jan 10 10:56:28 net_dnat:REDIRECT:IN=eth1 OUT= SRC=205.251.179.185 DST=w.x.y.z LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3714 DF PROTO=TCP SP...

....ussg.iu.edu/hypermail/linux/kernel/0312.0/0268.html http://lists.netfilter.org/pipermail/netfilter/2003-September/046962.html Here is tail from debug message. How I can force to shorewall use POSTROUTING chain for masq and DNAT instead of user defined chains? # tail /tmp/trace + eval exists_nat_net_dnat=Yes + exists_nat_net_dnat=Yes + run_iptables2 -t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2 + [ x-t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-desti nation 192.168.140.2 = x-t nat -A net_dnat -p tcp -d 212.24.147.254 --dport...

...I downloaded the relevant files from the install page. Masq and such works, but I''m having a problem with my port forwarding. It works for port 22, but it doesn''t seem to work for any other port. I''ve turned on :info, and here are the relevant tests: kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP DST=PUBLIC_IP LEN=60 TOS=0x00 PREC=0x20 TTL=40 ID=55181 DF PROTO=TCP SPT=62684 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= MAC=MAC_ADDRESS SRC=SRC_IP DST=PUBLIC_IP LEN=60 TOS=0x10 PREC=0x20 TTL=40 ID=21056 DF PROTO...

...- 200.200.200.250 when i list nat rules with iptables i got this Chain eth1_in (1 references) pkts bytes target prot opt in out source destination 0 0 DNAT all -- * * 0.0.0.0/0 200.200.200.250 to:192.168.1.2 Chain net_dnat (1 references) pkts bytes target prot opt in out source destination 0 0 DNAT tcp -- * * 0.0.0.0/0 200.200.200.250 tcp dpt:25 to:192.168.1.2 well, the correct rule is the one in net_dnat chain!! why shorewall is creating the rule...

...ACCEPT loc $FW ACCEPT # THE FOLLOWING POLICY MUST BE LAST all all REJECT info shorewall.conf IP_FORWARDING=Keep and the kernel also knows : root@mordor:~# cat /proc/sys/net/ipv4/ip_forward 1 The message in syslog... Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:0c:29:2d:ca:d6:11:23:06:17:f8:40:48:00 SRC=myfriendsip DST=mypubip LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=27043 DF PROTO=TCP SPT=33484 DPT=33890 WINDOW=8192 RES=0x00 SYN URGP=0 Could anyone point me to the right direction/help a bit to make it work? Or do I miss something?...

...l, net : internet zone dmz : DMZ zone Lan : local network zone in 1.4.6c this rule : DNAT all lan:10.0.0.1 tcp http - 192.0.0.1 does generate the following iptables rules in nat table : Chain OUTPOUT DNAT tcp -- 0.0.0.0/0 192.0.0.1 tcp dpt:http to:10.0.0.1 Chain net_dnat DNAT tcp -- 0.0.0.0/0 192.0.0.1 tcp dpt:http to:10.0.0.1 Chain dmz_dnat DNAT tcp -- 0.0.0.0/0 192.0.0.1 tcp dpt:http to:10.0.0.1 Chain lan_dnat DNAT tcp -- 0.0.0.0/0 192.0.0.1 tcp dpt:http to:10.0.0.1 in 2.4.0 the same rule does generate only : Chain OUTP...

...5.63.205:192.168.0.1 output from shorewall show nat Shorewall-2.0.0b NAT at host.bluestonefinancial.com - Tue May 11 10:57:43 EDT 2004 Counters reset Tue May 11 09:54:09 EDT 2004 Chain PREROUTING (policy ACCEPT 102K packets, 4275K bytes) pkts bytes target prot opt in out source destination 73 3585 net_dnat all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 54 9296 masq_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0 Chain POSTROUTING (policy ACCEPT 1290 packets, 83016 bytes) pkts bytes target prot opt in out source destination 2 96 masq_snat all -- * eth1 0.0.0.0/0 0.0.0.0/0 9 585 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0 C...

...c:10.0.0.60 tcp 3299 - 191.99.200.50 i follow instruction reported in shorewall faq 1a-b-c. after zeroing the routefilter counter and a new connection trying from a laptop on internet (IP address: 191.99.200.32) i have the following results from command shorewall show nat on chain net_dnat: Chain Pkts bytes target proto opt in out source destination 1 48 LOG tcp -- * * 0.0.0.0/0 191.99.200.50 tcp dpt:3299 LOG flags 0 level 6 prefix ''Shorewall:net_dnat:DNAT:'' 1...

...actly like this one: http://www.lartc.org/howto/lartc.rpdb.multiple-links.html is there some proc magic I can query to check the kernel has all the right bits? Here is the iptables stuff: iptables -L -n -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination net_dnat all -- 0.0.0.0/0 0.0.0.0/0 net_dnat all -- 0.0.0.0/0 0.0.0.0/0 loc_dnat all -- 0.0.0.0/0 0.0.0.0/0 Chain POSTROUTING (policy ACCEPT) target prot opt source destination eth1_masq all -- 0.0.0.0/0 0.0.0.0/0 eth2_masq all...

...t seem to work. If i change the rules to log info, i do see it coming in. If i do a netstat on my other linux webserver, i see it coming in with the SYN_RECV state, but nothing after that. Here''s the log entry from my shorewall machine: Jan 2 13:34:05 MachineName kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:00:00:00:00... SRC=x.x.x.x DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=45682 PROTO=TCP SPT=54945 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 Mac and src port have been taken out, but were there. The src address actually seems to be the real source address, not my...

...oot@fonroute:~# ip route list table 222 default proto static nexthop via 216.170.136.1 dev eth1 weight 1 nexthop via 24.196.120.29 dev eth2 weight 4 using shorewall to setup rules. iptable -L Chain PREROUTING (policy ACCEPT) target prot opt source destination net_dnat all -- anywhere anywhere net_dnat all -- anywhere anywhere loc_dnat all -- anywhere anywhere Chain POSTROUTING (policy ACCEPT) target prot opt source destination eth1_masq all -- anywhere anywhere eth2_masq all --...

...loc:192.168.10.201 tcp 1723 - 192.168.20.115 Here''s the entry from /etc/shorewall/rules: #ZONE INTERFACE BROADCAST OPTIONS # loc eth0 - net eth2 Here''s the log entry from a VPN attempt: Jan 19 22:02:52 ARCProxy2 kernel: Shorewall:net_dnat:DNAT:IN=eth2 OUT= MAC=00:e0:4c:bb:91:35:00:09:5b:82:09:96:08:00 SRC=63.18.215.195 DST=192.168.20.115 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=16523 DF PROTO=TCP SPT=1708 DPT=1723 WINDOW=32768 RES=0x00 SYN URGP=0 Obviously I haven''t been able to get this setup to work. I know I''m...

...collisions:0 txqueuelen:1000 RX bytes:261270108 (249.1 Mb) TX bytes:1149310777 (1096.0 Mb) Eth0 Net Zone (two Ip addresses) Eth1 iLocal Zone In Eth1 i have my email server, with the public ip 10.10.10.163, when i do the DNAT i have this: Sep 5 11:13:55 ns kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:c0:f0:54:dc:1e:00:04:27:fd:6c:cb:08:00 SRC=205.240.205.176 DST=10.10.10.163 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=50942 DF PROTO=TCP SPT=62382 DPT=25 WINDOW=65148 RES=0x00 SYN URGP=0 IN=eth0=OUT this is my problem, doesnt Out trough eth1 My /etc/shorewall/nat is #ACTION...

....1 Mb) TX bytes:1149310777 (1096.0 Mb) Eth0 Net Zone (two Ip addresses) Eth1 Local Zone OS Fedora 2 Shorewall Version 2.0.7 In Eth1 i have my email server with the private ip 192.168.0.253 and the public ip is 10.10.10.163, when i do the DNAT i have this: Sep 5 11:13:55 ns kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:c0:f0:54:dc:1e:00:04:27:fd:6c:cb:08:00 SRC=205.240.205.176 DST=10.10.10.163 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=50942 DF PROTO=TCP SPT=62382 DPT=25 WINDOW=65148 RES=0x00 SYN URGP=0 IN=eth0=OUT ,this is my problem, in and out is same interface. DNAT doesnt works. I follow...

...teway:/etc/shorewall# shorewall show nat Shorewall-2.0.3a NAT at gateway - Wed Sep 29 12:19:43 CDT 2004 Counters reset Wed Sep 29 11:56:40 CDT 2004 Chain PREROUTING (policy ACCEPT 1197 packets, 100K bytes) pkts bytes target prot opt in out source destination 658 54981 net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0 Chain POSTROUTING (policy ACCEPT 24 packets, 1862 bytes) pkts bytes target prot opt in out source destination 21 1682 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCE...

...s:0x03/0x03 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x16/0x02 NAT Table Chain PREROUTING (policy ACCEPT 1999K packets, 163M bytes) pkts bytes target prot opt in out source destination 9 444 net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0 Chain POSTROUTING (policy ACCEPT 1600K packets, 98M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 12756 packets, 863K bytes) pkts bytes target prot...

...l# shorewall show nat > Shorewall-2.0.3a NAT at gateway - Wed Sep 29 12:19:43 CDT 2004 > > Counters reset Wed Sep 29 11:56:40 CDT 2004 > > Chain PREROUTING (policy ACCEPT 1197 packets, 100K bytes) > pkts bytes target prot opt in out source destination > 658 54981 net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0 > > Chain POSTROUTING (policy ACCEPT 24 packets, 1862 bytes) > pkts bytes target prot opt in out source destination > 21 1682 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0 > > Chain OUTPUT (policy ACCEPT 24 pa...

...T= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260 > TRACE: nat:dnat:rule:1 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260 > TRACE: nat:net_dnat:return:30 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662 SEQ=260 > TRACE: nat:dnat:return:26 IN=eth2 OUT= SRC=89.174.215.22 DST=195.187.140.1 LEN=28 TOS=0x00 PREC=0x00 TTL=55 ID=49071 PROTO=ICMP TYPE=8 CODE=0 ID=12662...

....0.0.0/0 tcp flags:0x03/0x03 0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x16/0x02 NAT Table Chain PREROUTING (policy ACCEPT 2021 packets, 274K bytes) pkts bytes target prot opt in out source destination 65 8740 net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0 Chain POSTROUTING (policy ACCEPT 202 packets, 16264 bytes) pkts bytes target prot opt in out source destination 7 336 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 19...

...et lan:192.168.1.231:22 tcp 2222 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 5. # cat /proc/sys/net/ipv4/ip_forward 1 6. more /etc/sysconfig/iptables-config IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp" Chain net_dnat (1 references) pkts bytes target prot opt in out source destination 3 156 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.1.231 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0...