Dear sir,

I have installed shorewall 1.3 on a Redhat 8.0 machine. I'm trying to DNAT a telnet session on the external IP 194.158.169.205 on port 5000 to my internal server on 192.252.85.240:23 but it doesn't seem to work. I've used the sample shorewall rules and added the DNAT. I also opened port 5000 and port 23. I've tried to DNAT port 23 on 194.158.169.205 to that internal IP address port 23 but that also doesn't work. Can you please help me in finding out what I'm doing wrong?

Kind regards
M. Bakker

M. Bakker
Keppel Verolme
Afd. Automatisering
Prof. Gerbrandyweg 25
3197 KK Botlek-RT
Tel: +31(0)181-234462
mbakker@keppelverolme.nl
http://www.keppelverolme.nl

Neither the confidentiality nor the integrity of this message can be guaranteed following transmission on the internet, nor does Keppel Verolme B.V. accept liability for statements, which are those of the author and not clearly made on behalf of Keppel Verolme B.V.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rules
Type: application/octet-stream
Size: 8276 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030319/172fd776/rules.obj
This is my first trial to give an answer so please do not blame me (no risk, no fun)...

It seems that the 'loc' zone cannot be reached from the 'net' zone, at least from the rules you have given:

    ACCEPT net fw tcp 22
    ACCEPT net fw tcp 23
    ACCEPT net fw tcp 5000

These rules are not enough: in my opinion you have at least to add

    ACCEPT fw loc tcp 22     ### ssh
    ACCEPT fw loc tcp 23     ### telnet
    ACCEPT fw loc tcp 5000   ### redundant because of DNAT ?

Should that correct the problem? Hope so,
Andrea

----- Original Message -----
From: "M. Bakker" <mbakker@keppelverolme.nl>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, March 19, 2003 9:58 AM
Subject: [Shorewall-users] Shorewall DNAT
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Wed, 19 Mar 2003, M. Bakker wrote:

> I have installed shorewall 1.3 on a Redhat 8.0 machine. I'm trying to DNAT a
> telnet session on the external IP 194.158.169.205 on port 5000 to my
> internal server on 192.252.85.240:23 but it doesn't seem to work.
> I've used the sample shorewall rules and added the DNAT. I also opened port
> 5000 and port 23. I've tried to DNAT port 23 on 194.158.169.205 to that
> internal IP address port 23 but that also doesn't work. Can you please help me
> in finding out what I'm doing wrong?

Your net->fw rules for ports 5000 and 23 are superfluous. The DNAT rule appears correct. Please follow the port forwarding debugging recommendations found at http://www.shorewall.net/FAQ.htm#faq1b and #faq1c.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Wed, 19 Mar 2003, Andrea Galmacci - awd* wrote:

> This is my first trial to give an answer so please do not blame me (no
> risk, no fun)...
>
> It seems that the 'loc' zone cannot be reached from the 'net' zone, at least
> from the rules you have given
>
> ACCEPT net fw tcp 22
> ACCEPT net fw tcp 23
> ACCEPT net fw tcp 5000
>
> rules are not enough: in my opinion you have at least to add
>
> ACCEPT fw loc tcp 22 ### ssh
> ACCEPT fw loc tcp 23 ### telnet
> ACCEPT fw loc tcp 5000 ### redundant because of DNAT ?

Andrea,

For what the original poster wants to do, you don't need any of the rules listed above. The single DNAT rule is sufficient.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
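An added example, not from this thread or the Shorewall project, that applies Tom's two replies to a rules file: it parses Shorewall 1.3 rules lines (ACTION SOURCE DEST PROTO DEST PORT) and flags ACCEPT rules that open the firewall itself on ports already handled by a DNAT from the same zone. The sample rules file is constructed from the lines quoted above; the function names are my own.

```python
# Added example (not from the thread or Shorewall): flag ACCEPT net->fw
# rules made superfluous by a DNAT rule. Such rules do not help the
# port forward and only expose the firewall host itself on those ports.
# Shorewall rules columns: ACTION SOURCE DEST PROTO DEST_PORT ...
# Lines are whitespace separated; '#' starts a comment.

# Constructed sample modelled on the original poster's rules.
SAMPLE_RULES = """\
# ACTION  SOURCE  DEST                    PROTO  DEST_PORT
ACCEPT    net     fw                      tcp    22
ACCEPT    net     fw                      tcp    23
ACCEPT    net     fw                      tcp    5000
DNAT      net     loc:192.252.85.240:23   tcp    5000
ACCEPT    loc     fw                      tcp    22
"""

def parse_rules(text):
    """Return one dict per rule line that has at least a destination port."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        cols = line.split()
        if len(cols) < 5:
            continue  # blank, comment, or a rule without a port column
        rules.append({"action": cols[0], "source": cols[1], "dest": cols[2],
                      "proto": cols[3].lower(), "port": cols[4]})
    return rules

def dnat_targets(rules):
    """Map (source zone, proto, external port) -> 'zone:ip[:port]' target."""
    return {(r["source"], r["proto"], r["port"]): r["dest"]
            for r in rules if r["action"] == "DNAT"}

def superfluous_fw_accepts(rules):
    """ACCEPT <zone> fw rules on a DNAT's external port, or on the internal
    port the DNAT rewrites to (e.g. ACCEPT net fw tcp 23 next to a DNAT to :23)."""
    targets = dnat_targets(rules)
    internal = {(src, proto, dest.split(":")[-1])
                for (src, proto, _), dest in targets.items()
                if dest.count(":") == 2}  # zone:ip:port form carries a port
    flagged = []
    for r in rules:
        if r["action"] != "ACCEPT" or r["dest"] != "fw":
            continue
        key = (r["source"], r["proto"], r["port"])
        if key in targets or key in internal:
            flagged.append(f"ACCEPT {r['source']} fw {r['proto']} {r['port']}")
    return flagged

if __name__ == "__main__":
    for rule in superfluous_fw_accepts(parse_rules(SAMPLE_RULES)):
        print("superfluous:", rule)
```

On the sample above it reports the port 23 and port 5000 net->fw rules and leaves the ssh rules alone.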