I have my server with 2 IPs, external and internal interfaces:

  eth0 10.2.50.2 netmask 255.0.0.0
  eth1 200.x.x.x netmask 255.255.255.248

My /etc/shorewall/interfaces is:

  net eth1 detect
  loc eth0 detect

(I tried too with "zone eth ip".)

I also have a web server listening on 10.2.50.2, and I want to forward all my web traffic from my external server to my internal web server.

So I put this in /etc/shorewall/rules:

  DNAT-  net  loc:10.2.50.2  tcp  80  -  200.x.x.x
  ACCEPT net  $FW            tcp  80
  ACCEPT $FW  loc            tcp  80

In my shorewall.conf:

  NAT_ENABLED=Yes
  MANGLE_ENABLED=Yes
  IP_FORWARDING=On
  ADD_IP_ALIASES=Yes
  ADD_SNAT_ALIASES=Yes
  NAT_BEFORE_RULES=Yes
  DETECT_DNAT_IPADDRS=Yes

and my /etc/shorewall/policy:

  #SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
  loc      net   ACCEPT
  loc      loc   ACCEPT
  loc      $FW   ACCEPT
  $FW      loc   ACCEPT
  net      all   DROP    info
  all      all   ACCEPT  info

and do a shorewall restart. When I do "shorewall show nat" I see:

  >> shorewall show nat
  Shorewall-1.4.0 NAT at fwprincipal - Tue Apr 15 08:12:50 ART 2003

  Counters reset Tue Apr 15 06:28:37 ART 2003

  Chain PREROUTING (policy ACCEPT 1 packets, 229 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 net_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

  Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

  Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination

  Chain eth1_masq (1 references)
   pkts bytes target     prot opt in     out     source               destination
      0     0 MASQUERADE all  --  *      *       10.0.0.0/8           0.0.0.0/0

  Chain net_dnat (1 references)
   pkts bytes target     prot opt in     out     source               destination
      2    36 DNAT       tcp  --  *      *       0.0.0.0/0            200.x.x.x            tcp dpt:80 to:10.2.50.2
  [root@fwprincipal /]#

But DNAT is not working... I can't browse my web server. If I comment out the DNAT line and run a "redir" program:

  redir --laddr=200.x.x.x --lport=80 --caddr=10.2.50.2 --cport=80

it works fine.

I have iptables v1.2.5 and shorewall 1.4.0 on a Red Hat 7.3 with a 2.4.18-3ipsec kernel.
Can someone tell me what I'm doing wrong?
On Tue, 15 Apr 2003, John Petrusa wrote:

> I have my server with 2 IPs, external and internal interfaces:
>
> eth0 10.2.50.2 netmask 255.0.0.0
> eth1 200.x.x.x netmask 255.255.255.248
>
> My /etc/shorewall/interfaces is:
>
> net eth1 detect
> loc eth0 detect
>
> (I tried too with "zone eth ip".)
>
> I also have a web server listening on 10.2.50.2, and I want to forward all my
> web traffic from my external server to my internal web server.
>
> So I put this in /etc/shorewall/rules:
>
> DNAT-  net  loc:10.2.50.2  tcp  80  -  200.x.x.x
> ACCEPT net  $FW            tcp  80
> ACCEPT $FW  loc            tcp  80

From both the QuickStart guides and from FAQ #1, you can learn that the correct way to do port forwarding is:

  DNAT NET LOC:10.2.50.2 tcp 80 - 200.x.x.x

AND THAT'S ALL YOU NEED!!!!

If that's not working for you, see FAQs #1a and #1b.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
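Why the single DNAT line is enough, and why the three-line version fails, as an added example that is not part of the thread and not Shorewall's own code. In Shorewall 1.4, "DNAT" generates both the nat-table DNAT rule and the filter-table ACCEPT for the forwarded connection; "DNAT-" generates only the nat rule. The forwarded packet is net -> loc, so it traverses the FORWARD chain and needs "ACCEPT net loc:10.2.50.2 tcp 80"; the poster's ACCEPT rules to and from $FW cover INPUT and OUTPUT only, and the packet falls through to the "net all DROP" policy after it has been translated (which is why the net_dnat counter still rises). The script below is a small lint for a rules file that flags exactly that gap. The rules-file column layout (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) is the 1.4 layout; both rules files are constructed for this example and 200.0.0.1 stands in for the poster's 200.x.x.x.

```shell
#!/bin/sh
# Added example: lint a Shorewall 1.4 rules file for DNAT- rules that lack the
# companion ACCEPT.  Not code from the thread or from the Shorewall project.
#
# Constructed inputs: the poster's broken file and the one-line fix.
BROKEN_RULES='#ACTION SOURCE DEST           PROTO DPORT SPORT ORIGDEST
DNAT-   net    loc:10.2.50.2  tcp   80    -     200.0.0.1
ACCEPT  net    $FW            tcp   80
ACCEPT  $FW    loc            tcp   80'

FIXED_RULES='#ACTION SOURCE DEST           PROTO DPORT SPORT ORIGDEST
DNAT    net    loc:10.2.50.2  tcp   80    -     200.0.0.1'

# check_dnat_rules RULES_TEXT
# Prints one line per DNAT/DNAT- rule:
#   "ok <dest>"              the forwarded connection will be accepted
#   "missing-accept <dest>"  a DNAT- rule has no ACCEPT with the same
#                            SOURCE, DEST, PROTO and DPORT (FORWARD will drop it)
check_dnat_rules() {
    # drop comments and blank lines
    body=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    printf '%s\n' "$body" | while read -r action src dst proto dport rest; do
        case $action in
        DNAT)
            # plain DNAT emits its own ACCEPT in the filter table
            echo "ok $dst" ;;
        DNAT-)
            # look for an explicit ACCEPT covering the same source/dest/proto/port
            if printf '%s\n' "$body" | awk -v s="$src" -v d="$dst" -v p="$proto" -v dp="$dport" \
                '$1 == "ACCEPT" && $2 == s && $3 == d && $4 == p && $5 == dp { found = 1 }
                 END { exit !found }'; then
                echo "ok $dst"
            else
                echo "missing-accept $dst"
            fi ;;
        esac
    done
}

# dnat_rules_ok RULES_TEXT: exit 0 if every DNAT- rule has its ACCEPT, 1 otherwise
dnat_rules_ok() {
    ! check_dnat_rules "$1" | grep -q '^missing-accept'
}

# Stand-alone run: the broken file is flagged, the fixed file passes.
check_dnat_rules "$BROKEN_RULES"
check_dnat_rules "$FIXED_RULES"
```

The on-box symptom to look for matches the post: after "shorewall restart", a rising packet count on the DNAT rule in net_dnat while the web server never sees a connection means the packet was translated in PREROUTING and then dropped in the filter table; with the "net all DROP info" policy those drops are logged by the kernel, so the log is the place to confirm it before reaching for redir.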