For some reason, I can't seem to get a forward that I need to work. I've done it on previous Shorewall versions before the DNAT thing was introduced.

From my logs:

Jul 17 15:19:42 wireless-gateway kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=63.167.48.249 DST=10.100.1.19 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31993 DF PROTO=TCP SPT=1065 DPT=161 WINDOW=5840 RES=0x00 SYN URGP=0

I don't see why it's not making it. The FORWARD chain should pass on to eth0_fwd and that chain to the net2loc chain where the rule is to accept. I've configured pretty close to the PPTP example Tom gives. Main differences are some rules in my rules file and IP addresses. I'm not explicitly denying anything special in my rules file. I just have a few accepts in there and the following two DNAT rules.

Here are the relevant rules I'm using from my rules file:

DNAT    net    loc:10.100.1.20    tcp    snmp
DNAT    net    loc:10.100.1.20    udp    snmp

Shorewall-1.3.4 Chain FORWARD at wireless-gateway - Fri Jul 19 09:58:54 PDT 2002

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp_fwd    all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

[root@wireless-gateway shorewall]# shorewall show eth0_fwd
Shorewall-1.3.4 Chain eth0_fwd at wireless-gateway - Fri Jul 19 09:59:11 PDT 2002

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2loc    all  --  *      eth1    0.0.0.0/0            10.100.100.0/24
    0     0 net2loc    all  --  *      ppp+    0.0.0.0/0            63.167.49.0/24

[root@wireless-gateway shorewall]# shorewall show net2loc
Shorewall-1.3.4 Chain net2loc at wireless-gateway - Fri Jul 19 09:59:24 PDT 2002

Chain net2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.100.1.20        state NEW tcp dpt:161
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.100.1.20        state NEW udp dpt:161
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Thanks for any insight,

Charlie
My bad. ... I copied and pasted from two different times when I was trying things. That excerpt from the logs was from when I tried a different host just to see if it was an issue with the host. I have two hosts that are running snmp services. I've tried forwards to each of them .. That's why you see the discrepancy.

I'm not doing any static NAT.

Here's the correct log entry that matches my configuration files.

Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=63.167.48.249 DST=10.100.1.20 LEN=74 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=UDP SPT=1495 DPT=161 LEN=54

Thanks for the reply, Tom ... I know you're busy.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, July 19, 2002 10:21 AM
To: Charles J. Boening
Subject: Re: [Shorewall-users] DNAT/FORWARD problems

On Fri, 19 Jul 2002, Charles J. Boening wrote:

> For some reason, I can't seem to get a forward that I need to work.
> I've done it on previous Shorewall versions before the DNAT thing was
> introduced.
>
> From my logs:
> Jul 17 15:19:42 wireless-gateway kernel:
> Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=63.167.48.249
> DST=10.100.1.19 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=31993 DF PROTO=TCP
> SPT=1065 DPT=161 WINDOW=5840 RES=0x00 SYN URGP=0
>

Notice that in this message, the destination IP is 10.100.1.19...

> I don't see why it's not making it. The FORWARD chain should pass on
> to eth0_fwd and that chain to the net2loc chain where the rule is to
> accept. I've configured pretty close to the PPTP example Tom gives.
> Main differences are some rules in my rules file and IP addresses.
> I'm not explicitly denying anything special in my rules file. I just
> have a few accepts in there and the following two DNAT rules.
>
> Here are the relevant rules I'm using from my rules file:
>
> DNAT    net    loc:10.100.1.20    tcp    snmp
> DNAT    net    loc:10.100.1.20    udp    snmp
>

Whereas in your rules, the destination IP is 10.100.1.20.

Do you have any static NAT defined that is overriding the DNAT part of your rules?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Fri, 19 Jul 2002, Charles J. Boening wrote:

> My bad. ... I copied and pasted from two different times when I was
> trying things. That excerpt from the logs was from when I tried a
> different host just to see if it was an issue with the host. I have two
> hosts that are running snmp services.
>
> I've tried forwards to each of them .. That's why you see the
> discrepancy.
>
> I'm not doing any static NAT.
>
> Here's the correct log entry that matches my configuration files.
>
>
> Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=63.167.48.249
> DST=10.100.1.20 LEN=74 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=UDP
> SPT=1495 DPT=161 LEN=54
>

After you have reproduced the problem again, please capture the output from "shorewall status" and send it to me privately.

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
When you see packets being rejected in the INPUT or FORWARD chain, it almost always means that your zones are screwed up. Remember that if you have ANY entry for a zone in /etc/shorewall/hosts then the ENTIRE zone must be defined there.

In Shorewall 2.0, I plan to change that but between major releases, I don't like to introduce incompatible changes.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net