ssk1
2002-Oct-20 23:32 UTC
[Shorewall-users] Can shorewall be configured to let Citrix g o thru
I'm currently working on a project at the moment, in which I have a problem. (see http://www.club-nihil.net/mub/viewtopic.php?t=6032)

I did a search within your website for 1494 and found exactly what I wanted, however, I too have the same problem as Luke Chong: TCP 1494 will not route to my internal server after I enter:

DNAT net loc:172.16.1.17 udp 1604 - 203.42.148.124
DNAT net loc:172.16.1.17 tcp 1494 - 203.42.148.124

ETH0 is my LAN interface (172.16.1.37) STATIC
ETH1 is my NET interface (203.42.148.124) STATIC

These were my steps:

Install Mandrake 9 (Higher Security; squid; shorewall; KDE)
Configure 2 NICs
ETH0 172.16.1.37/24
ETH1 203.42.148.124/29
Gateway 203.42.148.121/ETH1
KATE rules and add
DNAT net loc:172.16.1.37 udp 1604 - 203.42.148.124
DNAT net loc:172.16.1.37 tcp 1494 - 203.42.148.124

I have thoroughly read the documentation and performed multiple changes without success.

I truly hope you can resolve this issue.

Much appreciated,
Shannon Kimber
ssk1@bigpond.com
Tom Eastep
2002-Oct-21 13:21 UTC
[Shorewall-users] Can shorewall be configured to let Citrix g o thru
ssk1 wrote:
> I'm currently working on a project at the moment, in which I have a
> problem. (see http://www.club-nihil.net/mub/viewtopic.php?t=6032)
>
> I did a search within your website for 1494 and found exactly what I
> wanted, however, I too have the same problem as Luke Chong: TCP 1494 will
> not route to my internal server after I enter:
>
> DNAT net loc:172.16.1.17 udp 1604 - 203.42.148.124
> DNAT net loc:172.16.1.17 tcp 1494 - 203.42.148.124
>
> ETH0 is my LAN interface (172.16.1.37) STATIC
> ETH1 is my NET interface (203.42.148.124) STATIC
>
> These were my steps:
>
> Install Mandrake 9 (Higher Security; squid; shorewall; KDE)
> Configure 2 NICs
> ETH0 172.16.1.37/24
> ETH1 203.42.148.124/29
> Gateway 203.42.148.121/ETH1
> KATE rules and add
> DNAT net loc:172.16.1.37 udp 1604 - 203.42.148.124
> DNAT net loc:172.16.1.37 tcp 1494 - 203.42.148.124
>
> I have thoroughly read the documentation and performed multiple changes
> without success.
>
> I truly hope you can resolve this issue.
>

First of all, with the rules you have in place TCP port 1494 to address 203.42.148.124 WILL BE FORWARDED to 172.16.1.37 unless:

a) The client is not in the net zone.
b) There is an earlier rule that is sending connections to that port somewhere else.
c) 203.42.148.124 appears in the /etc/shorewall/nat file and you have NAT_BEFORE_RULES=Yes
d) The client isn't trying to send to 203.42.148.124 but is instead trying to send directly to 172.16.1.37 (e.g., Citrix doesn't do NAT correctly).

You can eliminate a) and d) by

1) "shorewall reset"
2) try to connect
3) look at the output of "shorewall show nat"
4) find the entry for TCP 1494. If the packet count is non-zero, the connection request has reached the firewall and the destination address was rewritten to 172.16.1.37.

b) and c) can be eliminated by inspecting your configuration.

By far the most common problem I see when people complain that DNAT doesn't work is that the server (172.16.1.37 in your case) has its routing mis-configured (see the recent long thread on PPTP DNAT). Can 172.16.1.37 access the internet successfully (web browse, ping, etc.)?

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
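As an added illustration of the two configuration-side checks Tom lists (b and c), this script is not from the thread or from the Shorewall project; it parses a constructed rules file in the column layout the poster uses (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST), a constructed nat file (EXTERNAL INTERFACE INTERNAL) and an assumed NAT_BEFORE_RULES setting, and reports every DNAT rule that an earlier DNAT/REDIRECT rule or a nat-file entry would keep from firing.

```python
# Added example (not from the thread): a static check for two of the
# configuration-side causes Tom lists for a DNAT rule that never fires:
# (b) an earlier DNAT/REDIRECT rule already claiming the same port, and
# (c) the ORIGINAL DEST address also listed in /etc/shorewall/nat while
# NAT_BEFORE_RULES=Yes.  Both file contents below are constructed.
RULES = """\
# ACTION  SOURCE  DEST             PROTO  DEST_PORT  SOURCE_PORT  ORIG_DEST
DNAT      net     loc:172.16.1.9   tcp    1494       -            203.42.148.124
DNAT      net     loc:172.16.1.17  udp    1604       -            203.42.148.124
DNAT      net     loc:172.16.1.17  tcp    1494       -            203.42.148.124
"""
NAT = """\
# EXTERNAL        INTERFACE  INTERNAL
203.42.148.124    eth1       172.16.1.40
"""
CONF = {"NAT_BEFORE_RULES": "Yes"}   # assumed shorewall.conf value

def parse(text):
    """Split a Shorewall table file into whitespace-separated columns, skipping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def col(row, idx):
    """Column value, or None when the column is absent or the '-' placeholder."""
    return row[idx] if len(row) > idx and row[idx] != "-" else None

def check_dnat(rules_text, nat_text, conf):
    """Return (rule_index, reason) findings for every DNAT rule that cannot fire."""
    rules = parse(rules_text)
    nat_external = {r[0] for r in parse(nat_text)}
    findings = []
    for i, r in enumerate(rules):
        if r[0].upper() != "DNAT":
            continue
        key = (r[1], col(r, 3), col(r, 4), col(r, 6))   # source zone, proto, port, orig dest
        for j, e in enumerate(rules[:i]):                # (b): an earlier rule already owns the port
            if e[0].upper() in ("DNAT", "REDIRECT") and (e[1], col(e, 3), col(e, 4), col(e, 6)) == key:
                findings.append((i, "shadowed by earlier rule %d: %s" % (j, " ".join(e))))
        if key[3] in nat_external and conf.get("NAT_BEFORE_RULES", "").lower() == "yes":
            findings.append((i, "%s is in the nat file and NAT_BEFORE_RULES=Yes" % key[3]))  # (c)
    return findings

if __name__ == "__main__":
    for idx, why in check_dnat(RULES, NAT, CONF):
        print("rule %d: %s" % (idx, why))
```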