OK, I give up. I have RTFM but apparently I am not understanding what I am reading.

I have a web server set up on 192.168.168.2:85 (homenet1) that displays, and allows me to control, my X-10 Home Automation network. I want to forward requests that come in from the net on port 85 to port 85 on homenet1 inside my network.

I have been trying variations of the following to no avail:

ACCEPT net loc:192.168.168.2 tcp 85 www

#CLIENT SERVER POLICY LOG LEVEL
loc all ACCEPT
$FW all ACCEPT
net all DROP info
all all REJECT info

#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect noping, dhcp, logunclean, blacklist
loc eth1 detect routestopped

The resulting chain I am getting is:

Chain net2loc (1 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere     state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere   homenet1     state NEW tcp spt:http dpt:85
net2all    all  --  anywhere   anywhere

I used to use this before installing Shorewall and it worked:

iptables -t nat -A PREROUTING -p tcp --dport 85 -i eth0 -j DNAT --to 192.168.168.2:85

Please excuse my ignorance,
Mike Petro
mike@mikepetro.org

> -----Original Message-----
> From: Mike Petro [mailto:mike@mikepetro.org]
> Sent: Saturday, February 09, 2002 1:18 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Basic Port Forwarding?
>
> I have been trying variations of the following to no avail:
> ACCEPT net loc:192.168.168.2 tcp 85 www

I do something similar, but I need external port 81 to be redirected to another web server (running at port 80) on my local LAN. So... I have the following in my rules file.

ACCEPT net loc:192.168.9.2:80 tcp 81 - all

Based on my understanding of your post, I would think the following would work. Note: I have not tested this though.

ACCEPT net loc:192.168.168.2:85 tcp 85 - all

Steve Cowles

Thanks Steve,

Tried it but still no joy. Seems like homenet1 does not get the port 85 specified in the chain.

I used:

ACCEPT net loc:192.168.168.2:85 tcp 85 - all

Here is the resulting chain.

Chain net2loc (1 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere     state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere   homenet1     state NEW tcp dpt:85
net2all    all  --  anywhere   anywhere

The rule that Steve gave you is correct (your original question is FAQ #1 -- http://www.shorewall.net/FAQ.htm). The port forwarding is actually done in the nat table which you can look at with "shorewall show nat".

-Tom

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Mike Petro
> Sent: Saturday, February 09, 2002 12:17 PM
> To: 'Cowles, Steve'; shorewall-users@shorewall.net
> Subject: [Shorewall-users] RE:Basic Port Forwarding?
>
> Thanks Steve,
>
> Tried it but still no joy. Seems like homenet1 does not get the port 85
> specified in the chain.
>
> I used:
> ACCEPT net loc:192.168.168.2:85 tcp 85 - all
>
> Here is the resulting chain.
>
> Chain net2loc (1 references)
> target     prot opt source     destination
> ACCEPT     all  --  anywhere   anywhere     state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere   homenet1     state NEW tcp dpt:85
> net2all    all  --  anywhere   anywhere

You may have a more basic problem like an incorrect default gateway configured at 192.168.168.2.

-Tom
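
Added example, not part of the thread and not Shorewall's own code: a sketch of how the two rule lines discussed above would map to netfilter commands, showing why the net2loc filter chain never displays the forwarding itself. It assumes the column order RESULT, CLIENT, SERVER, PROTO, PORT, CLIENT PORT, ADDRESS and that a non-empty ADDRESS column is what requests DNAT, both inferred from the rules and chain listings quoted in the thread; the function names and the service table are hypothetical.

```python
# Added illustration, not Shorewall's own code. The column order and the
# meaning of the ADDRESS column are assumptions inferred from the thread.
COLUMNS = ("result", "client", "server", "proto", "port", "client_port", "address")
SERVICES = {"www": 80, "http": 80}  # constructed stand-in for /etc/services


def port_number(value):
    """Accept a numeric port or one of the service names above."""
    return int(value) if value.isdigit() else SERVICES[value]


def parse_rule(line):
    """Split one rules-file line into named columns; missing columns become '-'."""
    fields = line.split("#", 1)[0].split()
    fields += ["-"] * (len(COLUMNS) - len(fields))
    rule = dict(zip(COLUMNS, fields))
    # SERVER is assumed to be zone:host[:port]; the optional port is the internal one.
    parts = rule["server"].split(":")
    rule["host"] = parts[1]
    rule["host_port"] = parts[2] if len(parts) > 2 else rule["port"]
    return rule


def to_iptables(line, ext_if="eth0", chain="net2loc"):
    """Return the netfilter commands one rule line would correspond to."""
    r = parse_rule(line)
    cmds = []
    if r["address"] != "-":
        # Only a rule with an ADDRESS column rewrites the destination (nat table).
        cmds.append(
            f"iptables -t nat -A PREROUTING -i {ext_if} -p {r['proto']} "
            f"--dport {port_number(r['port'])} "
            f"-j DNAT --to-destination {r['host']}:{port_number(r['host_port'])}"
        )
    match = f"-p {r['proto']}"
    if r["client_port"] != "-":
        # CLIENT PORT matches the *source* port of the connecting client.
        match += f" --sport {port_number(r['client_port'])}"
    match += f" --dport {port_number(r['host_port'])}"
    cmds.append(
        f"iptables -A {chain} {match} -d {r['host']} -m state --state NEW -j ACCEPT"
    )
    return cmds


if __name__ == "__main__":
    for rule in ("ACCEPT net loc:192.168.168.2 tcp 85 www",
                 "ACCEPT net loc:192.168.168.2:85 tcp 85 - all"):
        print(rule, *to_iptables(rule), sep="\n  ")
```

Under these assumptions the first rule yields only a filter rule with a source-port match (the `spt:http` in the first chain listing) and no DNAT, while the second yields a nat-table rule equivalent to the hand-written iptables command plus a filter rule that looks the same as the chain in the second listing.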